Why mining expense reports won’t find Shadow IT

In a world of remote teams and freemium offers, the tools of the past can’t curb SaaS sprawl.

As we describe in our article about Nudge Security’s discovery method, SaaS is the boon of our time—a magic wand that turns weeks of work into hours. Never have we had more purpose-built tools so readily at our fingertips to make us more productive. But with this massive gain in productivity, we’ve also lost a major point of control used by security teams. Centralized teams no longer have consistent access to—or even awareness of—all the systems being used to run their critical processes. Even at a mid-sized enterprise of 1,000 employees, a new SaaS account is created roughly every 20 minutes, according to Nudge Security data.

When thinking about discovering these unknown accounts and systems, or “Shadow IT,” people often reach for the tools of the past—monitoring the network and mining expense reports. Essentially, forensic approaches where we take a mass of data and try to extract meaningful signals from it—days, weeks or months after we need it. But the basic premise of these approaches is difficult to accept in our modern work environment, where SaaS apps can be added without detection by either method. 

Using expense reports to determine the technology used within your organization is like using LinkedIn to figure out which of your employees is looking for a new job. There are some easy wins, but the approach isn’t remotely scalable. When you’re monitoring expense reports, a handful of challenges quickly emerge. First, you can only see the person who expensed the software. Take the following example from a particularly good expense system:

  • 11/09/22, 5:58 AM
  • Albert Tross
  • Zapier
  • Software & apps
  • $399.99 

This system already categorized Zapier as an app, which is a big step forward—otherwise we’d have only the name and the amount to start our investigation. From there, I can attribute this expense to Albert, but nothing helps me to understand that this is a license for a team, and nothing to help me identify who else is using Zapier, or what systems it’s integrated into.

The more pernicious example is the SaaS app that does not show up in the expense report—the “freemium” offer. It is now well understood that procurement and expense management are hurdles for enterprise adoption. As such, SaaS providers have structured pricing models to encourage broad utilization across the organization, even before the first bill is ever sent. (Dropbox and Slack are good examples of this approach—before your IT team is even aware of the app, everybody relies on it to get their job done.) The intent here is to get the organizational behavior to adopt the tooling such that to not pay for it would incur transitional cost for your employees. In these scenarios, the apps you want to know about the most are the hardest to detect.

In thorny cases like these, where we’re faced with immutable obstacles, we need what’s called a “side-channel attack.” And there is indeed one consistent side effect of every SaaS account: email. That’s right, the one universal communication tool on the internet is reliably used by every SaaS provider to communicate with its customers. At Nudge Security, we figured out that with a simple integration into your corporate email account, you can access the history of all of your SaaS accounts. 

Read more about Nudge Security’s approach to discovering SaaS sprawl.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors