For years now, we’ve treated shadow IT as next month's problem. Our perception of the term “shadow IT” brings up visions of servers running under desks with some development tool an engineer really wanted. But this has changed—and it has changed a lot. Our new reality of shadow IT is one defined by the user-focused go-to-market models of modern enterprise SaaS companies. And recently, the world’s keen focus on the explosion of generative AI tools has shed harsh new light on the reality of modern shadow IT: that employees are creating new SaaS accounts all the time.
I have commonly heard people reflect the traditional prioritization of shadow IT by remarking that they are more concerned with locking down computers or deploying EDR. I would never argue with the importance of those tasks, but I would suggest that the priority has changed over the last couple of years. Today, most of us could throw our devices in a bucket of water and be back up and running in a few hours. That’s thanks to the powerful mesh of SaaS apps that are responsible for most of our day-to-day work. Our code is in Github, our sales contacts in Salesforce, our files in Google Drive (realistically, probably also in Box.com, Dropbox, and OneDrive!), and there’s not much we work with on a daily basis that isn’t just a local copy of the data we are managing in SaaS. Without a clear understanding of the total scope of SaaS apps and accounts in use, what do you actually know about your data? Not much.
Knowing the full scope of SaaS apps in use is the foundation of a modern data governance program. Simply focusing on the places you think your data resides doesn’t cut it in today’s technology landscape. Without an understanding of your entire SaaS footprint, you can not say with confidence where your corporate IP is stored (Did someone sync their desktop to Dropbox? Integrate an app into GitHub?), you cannot make assumptions about your customer data (Did someone upload your customer list to the latest martech app?), and you certainly can’t make strong assertions about your production data (Did someone clone their environment into a new AWS account to recreate a support issue?).
With a full inventory of SaaS apps in use and accounts created, you can create an informed scope for your data security program. Knowing what potential data stores are out there is merely the beginning of the prioritization conversation—it’s not the end. Many data security vendors trumpet their “AI-powered data classification engine” that will help you find all of your sensitive data. But of course, that process requires API keys and data access to the stores they are going to analyze. By contrast, starting with a full inventory of apps in use, it’s far easier to prioritize your next step. Worried about corporate IP? Start with file sharing services, collaboration apps, and development tools. Worried about customer data? Take a look at your customer success tools, and your infrastructure services. Scoping and focusing your effort to high-risk data stores is going to yield far better results than starting with the easy ones.
Understanding the scope of SaaS technology in use by your organization is not a “nice-to-have” that you can circle back to next month—this knowledge defines the very core of your security program. Whether it’s your data security program, your workforce security program, or your threat detection and response program, an accurate and continuous understanding of what’s in use (and by whom) is the critical first step toward ensuring that you won’t have blind spots and wake up with an unwelcome surprise.