SaaS adoption multiplies the security risks of shadow IT
Shadow IT has long posed ongoing security threats for IT teams and network administrators, going back to the days when employees brought in unapproved external software on USB sticks. Back then, IT teams could use policies to lock down endpoints behind a dedicated network perimeter.
Today, the problem of shadow IT is more fluid, with employees directly accessing software-as-a-service (SaaS) applications to do their jobs without first getting approval from the IT department. With more SaaS applications being delivered via the browser to a remote workforce, IT teams now struggle to get clear visibility into their levels of risk.
Recently, the explosive cultural phenomenon around the AI chatbot ChatGPT has only accelerated this trend for shadow IT. Countless intrigued employees have downloaded ChatGPT and other smart apps to experiment with AI for such diverse tasks as writing marketing copy, reviewing contracts, building websites, creating graphic designs, writing code, and much more.
A recent wave of artificial intelligence breakthroughs has introduced a number of other new AI applications to the workforce too, often deployed as shadow IT. For instance, Airtable is a popular AI-based platform for building next-generation apps with no code required, making it easy for non-developers to spin up new software instances beyond the control of IT.
In turn, this widespread unauthorized use of SaaS is making it harder for central IT to monitor all those shadow apps to enforce cybersecurity protections and regulatory compliance. The business problem here is that IT does not know where it has been exposed to risk. Yet there is no turning back now. Businesses are rapidly devouring more SaaS applications all the time, both for AI bots and general productivity tools. Gartner estimates that global adoption of SaaS applications will grow 16.8 percent this year to $195 billion.
Based on the post-pandemic model of remote offices and work-from-home, SaaS apps are becoming even more critical to maintain employee convenience and accessibility. SaaS solutions can be accessed from anywhere with an internet connection, making it easier for remote employees to collaborate and use the tools they need to do their jobs. From an administrative viewpoint, SaaS apps are typically simple to set up and use, which helps reduce the burden on IT departments.
Despite the rise of remote and hybrid work, many businesses remain unaware about the dangers created by shadow IT. Consider that 86 percent of IT teams today support a workforce that is either fully or partially remote, but only half are performing SaaS management or cloud monitoring, according to the Auvik 2023 Network Management Report.
Furthermore, 20 percent to 40 percent of all IT spending at a typical company takes place outside the IT department, according to an estimate by G2, an online software marketplace. The irony here is that organizations adopt SaaS apps to solve business problems, but in doing so they create new control problems due to a lack of centralized SaaS discovery management solutions. Undetected shadow IT can create real burdens for critical areas of the business, including budgets, operations, and security.
A great example is right here at Auvik, where we pride ourselves on using the leading business technology to secure our business and client data. But when we recently did an initial SaaS scan internally, we found nearly 100 more applications than we had in our manually tracked inventory. Fortunately, these shadow IT applications were benign and imposed no direct risk. However, this exercise highlighted the criticality of a proper shadow IT management tool. Almost all businesses forget to document business applications, such as online banking portals, third-party SaaS, and simple productivity tools. While these applications may not impose immediate business risk, documenting them is essential for day-to-day IT ops, such as employee off-boarding, inventory auditing, and compliance management.
Lifting the Dark Shadows That Surround Shadow IT
Shadow IT adoption can also result in a lot of unnecessary duplications. Unwitting employees may subscribe to paid SaaS services that overlap with solutions which already exist within their organizations by just signing up with the corporate credit card. This causes the company to pay for more licenses or services than it needs. In addition, free SaaS services such as third-party portals and file transfer solutions make it harder to monitor shadow IT because those apps do not appear on any budget line items. Employees should know that every SaaS application houses critical business data, and once adopted, those apps are exposed to sensitive company data without IT having any visibility into their use.
Another concern involves operational constraints when different departments use different SaaS solutions for the same tasks, which can lead to confusion and impede collaboration. Lacking any centralized app discovery tools, IT teams may be further hamstrung by compatibility issues and operational disruptions, resulting in more wasted time and effort as employees struggle to work together.
Any review of shadow IT should also consider what data resides within each solution, and whether that data is consistent across the entire infrastructure stack. In an operational sense, it is essential to consider how the data flows from core SaaS solutions -- such as from CRM or ERP systems -- to any other SaaS applications. When users resort to shadow IT, they make copies of those data sets within the SaaS apps, thus introducing new challenges for data management.
Another big concern involves the threats to security from shadow IT. Approved software applications must pass a rigorous review process to meet a company’s security requirements. Yet shadow IT introduces the employee use of apps that do not meet those standards, creating vulnerabilities for data breaches and other security risks.
The ways that teams access their shadow apps should also be scrutinized. Most compliant organizations enforce requirements for secure access, including Single Sign-On (SSO), Multi-Factor Authentication (MFA), and individual (non-shared) accounts. Yet access to non-centralized shadow IT often does not meet those organizational requirements, posing new risks for insurance and compliance. This lack of compliance also tends to complicate the offboarding of key employees, many of whom leave their organizations with ongoing access to their SaaS apps.
In summary, shadow IT creates unnecessary network blind spots that can lead to outages and downtime, performance glitches, security vulnerabilities, and constant reactive firefighting. IT teams require better network visibility to understand what devices and applications are being accessed on their networks.
Modern network management tools use machine learning to integrate device data with other metadata about related sources and geographies. In this way, network admins and IT teams can get a better handle on what applications and protocols are contributing to network traffic, especially when employees engage in shadow IT by using unauthorized SaaS applications.
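The two checks described above, reconciling the SaaS apps seen in traffic against a manually tracked inventory (as in the internal scan) and testing each inventoried app against the SSO, MFA and individual-account requirements, as an added example that is not Auvik's or any vendor's code. The proxy log lines, host-to-product map and inventory are all constructed for illustration.

```python
# Added example (not Auvik's code): reconcile SaaS hosts seen in traffic with an
# approved inventory, then check each inventoried app's access controls.
from collections import defaultdict
# Constructed proxy log lines: "<timestamp> <user> <destination host>"
PROXY_LOG = """\
2023-06-01T09:01:12Z alice chat.openai.com
2023-06-01T09:02:40Z bob api.airtable.com
2023-06-01T09:03:05Z alice app.salesforce.com
2023-06-01T09:04:19Z carol wetransfer.com
2023-06-01T09:05:33Z bob chat.openai.com
2023-06-01T09:06:01Z dave login.microsoftonline.com
"""
# Constructed host-to-product map; a real discovery tool ships a much larger one.
HOST_TO_APP = {
    "chat.openai.com": "ChatGPT",
    "api.airtable.com": "Airtable",
    "app.salesforce.com": "Salesforce",
    "wetransfer.com": "WeTransfer",
    "login.microsoftonline.com": "Microsoft 365",
}

# Constructed manually tracked inventory, with the access requirements the
# article names: SSO, MFA and individual (non-shared) accounts.
INVENTORY = {
    "Salesforce": {"sso": True, "mfa": True, "shared_account": False},
    "Microsoft 365": {"sso": True, "mfa": True, "shared_account": False},
    "WeTransfer": {"sso": False, "mfa": False, "shared_account": True},
}

def observed_apps(log_text):
    """Map each SaaS product seen in the log to the set of users who reached it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _ts, user, host = line.split()
        if host in HOST_TO_APP:
            seen[HOST_TO_APP[host]].add(user)
    return dict(seen)

def reconcile(log_text, inventory):
    """Return (shadow apps with their users, inventoried apps failing policy)."""
    seen = observed_apps(log_text)
    shadow = {app: sorted(users) for app, users in seen.items() if app not in inventory}
    noncompliant = {}
    for app, ctl in ((a, inventory[a]) for a in seen if a in inventory):
        failed = [c for c in ("sso", "mfa") if not ctl[c]]
        if ctl["shared_account"]:
            failed.append("shared_account")
        if failed:
            noncompliant[app] = failed
    return shadow, noncompliant
```

Apps that appear in traffic but not in the inventory are the shadow IT to triage; inventoried apps with a non-empty `failed` list are the ones to fix before offboarding becomes a problem.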
With the growing reliance on SaaS solutions in the new hybrid world of work-from-home, businesses need to guard against the dangers of shadow IT. By using automated platforms for discovery and SaaS application management, businesses can avoid unnecessary costs, reduce operational issues, and decrease security risks, all while ensuring employees have access to the tools that they need to do their jobs and enjoy a smooth end user experience.
Photo Credit: Hans-Joachim Roy/Shutterstock
Alex Hoff is Auvik Founder & Chief Strategy Officer.