Discover and secure all SaaS and cloud apps, accounts, and assets with a full inventory of all accounts ever created in your organization—by anyone, anywhere, on any device.
The days of rogue hardware installs are fading, but shadow IT persists in a new form. Unsanctioned SaaS applications, unmanaged cloud accounts, and rogue dev tools pose serious risks—even when well-intentioned.
Where do today’s shadow IT risks lurk?
It’s not always malicious. Unlike cyberattacks, shadow IT often stems from convenience or a need for flexible solutions. Employees might use Zoom when facing issues with WebEx, or spin up a free trial to test out a new app before kicking off a formal approval and purchasing process.
Why it matters: Even unintentional shadow IT breaches data security protocols and compliance standards. This leaves organizations vulnerable.
The driving force behind the increase in shadow SaaS is the necessity for fast, flexible, and unencumbered access to different cloud-based tools and applications. And, with more and more employees working remotely vs. in an office, it’s more difficult for centralized IT teams to retain visibility (and control) over which applications are used.
Those creating shadow IT by adopting new technology do it because it’s beneficial to them: they get faster access to needed resources, they avoid burdening a small IT team, and they improve communication and collaboration with the latest tools. Granted, all these advantages enhance efficiency and drive innovation. However, shadow IT also presents significant risks to an organization.
The stats are sobering. According to a 2023 Gartner predictions report, 41% of employees acquired, modified, or created technology outside of IT’s visibility in 2022, and that number is expected to climb to 75% by 2027. Capterra’s 2023 shadow IT and project management survey reported a majority (57%) of small and midsize businesses have experienced significant shadow IT growth happening under their noses.
Shadow IT is more than a minor nuisance; it greatly affects the security posture of an organization. Capterra’s 2023 study mentioned above also found that 76% of respondents perceived shadow IT as a “moderate to severe cybersecurity threat to the business.”
Shadow IT presents several tangible risks, including:
One of the key intangible risks is the lack of visibility and control, as shadow IT often escapes the scrutiny of the IT security team. Vulnerabilities, misconfigurations, and policy violations might remain undetected, increasing data breach and non-compliance risks.
Perhaps even more concerning, shadow IT can lead to data loss, since data stored in an unmanaged account might not be accessible for the company. When employees resign or are terminated, the business could lose access to those cloud-stored assets.
Each instance of shadow IT expands the organization's attack surface. These unprotected assets could serve as entry points for a cybercriminal attack. Beyond noncompliance penalties, shadow IT can introduce other indirect costs: reputational damage following a data breach, and intense workloads if the SaaS service experiences a breach, needs to be migrated, or is decommissioned.
Think shadow IT isn’t happening at your company? According to Nudge Security data, a new SaaS asset is created roughly every 20 minutes per 1,000 people in an organization. This frequency underscores the urgent need for businesses to address and manage shadow IT effectively, especially in the realm of SaaS applications.
Digital transformation, cloud migration, and the hybrid workforce have combined to introduce unique blind spots and vulnerabilities for shadow IT. The most notable of these arise through free trials and OAuth grants, which organizations must navigate to safeguard their digital assets.
Consider the allure of SaaS applications: their ease of access, the promise of increased productivity, and the autonomy they offer to individual users and departments. However, this allure often leads to the unchecked proliferation of accounts and data.
A few examples: A company uses Google Docs, but an employee needs the formatting capabilities in Word, so they sign up for a free trial of Office 365. Or the marketing team uses Asana to track projects, but prefers the card layout of Trello, and decides to try it for themselves. Or the sales team uses Salesforce, but prefers the email marketing functionality of MailChimp, and secretly subscribes.
These incidents highlight the critical blind spots in shadow IT, where even well-intentioned actions can lead to significant security breaches.
OAuth grants have become a double-edged sword. Designed to streamline user experience by allowing third-party applications access to user data without sharing login credentials, OAuth (Open Authorization) grants are widely used online to allow users to log into a new web service using their existing account details from another service (for example, “Login with Google” or “Login with Facebook”), or to enable app-to-app integrations.
This permission-granting process works by using “tokens.” Instead of revealing the username and password credentials to the third-party service, the service is given a unique token. This token is generated by the resource provider (let's say Google), and the third-party application presents it to prove that the user has allowed it access to their data.
Remember, these types of OAuth grants carry both benefits and significant potential security risks. While they offer a streamlined user experience, they can create opportunities for attackers to circumvent traditional security measures and gain “back door” access to accounts.
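To make the token mechanism concrete, here is an added, simplified model of an OAuth-style grant (example code written for this article, not Nudge Security's code and not a real OAuth library): the provider mints a signed token bound to one client and a fixed set of scopes after the user consents, the resource API verifies signature, expiry, revocation, client binding and scope before serving a request, and revoking the grant kills the token without touching the user's password. The signing key, client names, scope names and timestamps are constructed for the example; real providers issue JWTs or opaque tokens and run the same checks on their own authorization servers.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key held only by the resource provider (assumption:
# a single HMAC key stands in for the provider's real signing infrastructure).
PROVIDER_SIGNING_KEY = b"constructed-provider-secret"

# Grant IDs that the user or an administrator has revoked.
REVOKED_TOKEN_IDS = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_payload(claims: dict) -> str:
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def _sign(payload: str) -> str:
    return _b64(hmac.new(PROVIDER_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(user: str, client_id: str, scopes, ttl_seconds: int = 3600, now=None) -> str:
    """Provider side. The user has consented, so mint a token bound to this
    client and these scopes. The client never sees the user's password."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,
        "client_id": client_id,
        "scope": sorted(scopes),
        "exp": int(now + ttl_seconds),
        # grant id, so the grant can later be revoked individually
        "jti": hashlib.sha256(f"{user}|{client_id}|{now}".encode()).hexdigest()[:16],
    }
    payload = _encode_payload(claims)
    return f"{payload}.{_sign(payload)}"


def decode_claims(token: str) -> dict:
    """Read the claims without verifying them (for display and revocation)."""
    return json.loads(_unb64(token.split(".")[0]))


def verify_token(token: str, required_scope: str, expected_client: str, now=None):
    """Resource API side. Returns (accepted, reason). Every check below is one
    that a third party holding a token must pass before data is released."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    payload, sig = parts
    # constant-time compare: a forged or edited payload fails here first
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims["jti"] in REVOKED_TOKEN_IDS:
        return False, "revoked"
    if claims["exp"] < now:
        return False, "expired"
    if claims["client_id"] != expected_client:
        return False, "token not issued to this client"
    if required_scope not in claims["scope"]:
        return False, f"missing scope {required_scope}"
    return True, "ok"


def revoke_token(token: str) -> None:
    """Provider side. Revoking the grant invalidates the token; the user's
    credentials are untouched, which is the point of using tokens at all."""
    REVOKED_TOKEN_IDS.add(decode_claims(token)["jti"])


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for a reproducible run
    tok = issue_token("alice@example.com", "calendar-widget", ["calendar.read"], now=t0)
    print(verify_token(tok, "calendar.read", "calendar-widget", now=t0 + 60))
    print(verify_token(tok, "mail.read", "calendar-widget", now=t0 + 60))
    revoke_token(tok)
    print(verify_token(tok, "calendar.read", "calendar-widget", now=t0 + 60))
```

The two checks that matter most for the "back door" risk are the scope check and revocation: a grant that asks for more scopes than the integration needs hands the third party exactly that much standing access, and an inventory of which grants exist is what lets you revoke the ones nobody can justify.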
To combat the risks associated with shadow SaaS, organizations must adopt a multifaceted approach. The strategy should include:
Enhanced visibility and control: As employees adopt new SaaS applications for their tasks, new SaaS security risks are introduced. Adding visibility means establishing mechanisms to discover and report on the organization’s software ecosystem. Software solutions like Nudge Security offer this functionality to discover all SaaS accounts, who is using them, and how they're being used. Once IT teams have this information, they gain control over the SaaS environment to manage applications better—including removing redundant software, reallocating licenses, or identifying unauthorized app usage.
Robust security measures: Given the potential security and compliance risks associated with shadow IT, it's critical that organizations adopt strong security measures, like implementing a Cloud Access Security Broker (CASB). CASBs reside between the organization's on-premises infrastructure and the cloud provider's infrastructure, allowing the company to extend its security policies beyond its own network. While CASBs have been the preferred solution for controlling shadow IT in the past, their effectiveness is declining as more work happens outside of the corporate network.
It’s important to note that unlike a CASB or SASE solution, Nudge Security does not touch the corporate network or endpoints. It does not require your employees to be on a VPN or corporate network to work, nor does it require you to do an enterprise roll-out of an agent. It just works no matter what device the employee is using or where they are using it from.
Employee education and awareness: One of the leading causes of shadow IT is the lack of awareness among employees about the risks associated with the unsanctioned use of software. Remember, productivity often trumps security. Training sessions should be conducted regularly to educate employees about these risks. But security awareness training can only go so far; employees need relevant and accurate guidance in real time, at the moment when it’s most valuable (i.e. security nudges). Awareness campaigns should also emphasize the significance of adhering to the organization's approved SaaS applications and protocols to minimize the emergence of shadow IT.
Governance in SaaS use: Clear policies are the foundation of any organization's software use; however, their mere existence is not sufficient. A continuous, governance-oriented approach is crucial, which involves identifying which SaaS applications are approved for use in the organization, the specific circumstances under which employees can use them, and assigning authorization for software installation and usage. This kind of approach to SaaS governance would also provide guidance (best if enforced autonomously with a nudge) when an employee encounters a need for a SaaS application outside of the approved list. Key elements of this approach include regular audit trails for SaaS usage, with automatic alerts for unusual or unapproved use patterns. Governance also works best when these policies are kept up to date with evolving organizational SaaS needs and relevant legal changes, and anticipate new SaaS platforms catering to business needs. The focus is not to punish, but to guide, enabling an overall environment of policy adherence and enhanced security.
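As an added illustration of the audit-trail and alerting step (and of the inventory that the "enhanced visibility" point above depends on), the following example code, written for this article and not Nudge Security's own implementation, takes a constructed inventory of discovered SaaS accounts and an approved-app list and produces the findings a governance review would act on: apps outside the approved list, accounts whose owner has left the directory (the data-loss case described earlier), apps that several people have quietly adopted versus one-person trials, and accounts created in the last 30 days. All app names, users, dates and the team-adoption threshold are assumptions; how the evidence of each account is collected (SSO logs, OAuth grant listings, sign-up emails) is outside the scope of the snippet.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: every app, user and date below is made up for this
# example. "source" records where the evidence of the account came from.
APPROVED_APPS = {"Google Workspace", "Salesforce", "Asana", "WebEx"}
TEAM_ADOPTION_THRESHOLD = 3  # assumption: 3+ distinct users means team-level use
AS_OF = date(2024, 3, 31)    # constructed review date


@dataclass(frozen=True)
class SaaSAccount:
    app: str
    user: str
    created: date
    source: str        # "sso", "oauth_grant" or "signup_email"
    user_active: bool  # False once the owner has left the directory


SAMPLE_ACCOUNTS = [
    SaaSAccount("Google Workspace", "alice", date(2023, 1, 9), "sso", True),
    SaaSAccount("Salesforce", "bob", date(2023, 2, 14), "sso", True),
    SaaSAccount("Asana", "heidi", date(2023, 5, 3), "sso", True),
    SaaSAccount("Microsoft 365", "carol", date(2024, 3, 2), "signup_email", True),
    SaaSAccount("Trello", "dave", date(2024, 2, 10), "oauth_grant", True),
    SaaSAccount("Trello", "erin", date(2024, 3, 5), "signup_email", True),
    SaaSAccount("Trello", "frank", date(2024, 3, 6), "signup_email", True),
    SaaSAccount("Mailchimp", "grace", date(2023, 11, 20), "signup_email", False),
]


def unapproved_apps(accounts, approved=APPROVED_APPS):
    """Apps in use that are not on the sanctioned list."""
    return sorted({a.app for a in accounts if a.app not in approved})


def orphaned_accounts(accounts):
    """Accounts whose owner is no longer in the directory: nobody in the
    organization can reach that data any more, and nobody is watching it."""
    return sorted((a.app, a.user) for a in accounts if not a.user_active)


def adoption_by_app(accounts, approved=APPROVED_APPS):
    """Distinct users per unapproved app, to separate a one-person trial from
    a team that has quietly standardized on an unsanctioned tool."""
    users = {}
    for a in accounts:
        if a.app not in approved:
            users.setdefault(a.app, set()).add(a.user)
    return {app: len(u) for app, u in users.items()}


def new_accounts_since(accounts, as_of, days=30):
    """Accounts created inside the review window, i.e. what changed since the
    last audit and therefore what a nudge should be sent about now."""
    cutoff = as_of - timedelta(days=days)
    return sorted((a.app, a.user) for a in accounts if a.created >= cutoff)


def build_report(accounts, as_of, approved=APPROVED_APPS):
    counts = adoption_by_app(accounts, approved)
    return {
        "unapproved_apps": unapproved_apps(accounts, approved),
        "orphaned_accounts": orphaned_accounts(accounts),
        "team_adoption": sorted(app for app, n in counts.items() if n >= TEAM_ADOPTION_THRESHOLD),
        "individual_trials": sorted(app for app, n in counts.items() if n < TEAM_ADOPTION_THRESHOLD),
        "new_last_30_days": new_accounts_since(accounts, as_of),
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{key}: {value}")
```

The split between team adoption and individual trials is what keeps the process guiding rather than punishing: three people on Trello is a signal that the approved project tool is not meeting a need and the app should go through formal review, while a single free trial is a nudge to the one person who started it. Run against a real inventory, the orphaned-accounts list is the first thing to work through, since every entry is data the company may already have lost access to.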
As organizations continue to navigate the complexities of digital transformation, managing shadow IT—especially within SaaS applications—remains a monumental challenge. By understanding the unique risks and implementing strategic measures to address them, businesses can safeguard their digital assets against the vulnerabilities introduced by shadow IT.
Embracing a proactive and informed approach is essential. That’s why there’s so much power in platforms like Nudge Security. With Nudge Security, you can work with employees, not against them, to:
Learn more about how Nudge Security works to control shadow IT and try it free today to discover what cloud and SaaS applications are currently in use at your organization.