Shadow IT is not a new term; it’s a growing pain that keeps evolving alongside the changes in modern work environments. Traditionally, Shadow IT referred to devices and services that were introduced to the organization without the IT department’s involvement or approval. This naturally posed a major challenge for IT, but more importantly, this was a security risk for the organization. That said, it was manageable. In years past, it was a relatively small problem pertaining to a few employees.
Unfortunately, this is no longer the case. Today’s Shadow IT does not stop at devices and services; it includes software. With the introduction of Software as a Service (SaaS) products in the late 90s, the Shadow IT challenge expanded and deepened even further, creating a new security challenge in the form of SaaS-Shadow IT. According to Gartner, SaaS remains the largest public cloud services market segment and is forecasted to reach $208 billion in end-user spending in 2023.
The reason behind SaaS’s popularity lies in its decentralized nature. Anyone, anywhere, can search the web for a solution to almost any business problem and voilà – there’s a SaaS application to solve it. That, coupled with ease of use, easy onboarding, and oftentimes a free trial or free tier, makes them a natural choice. SaaS-Shadow IT refers not to the larger, well-known SaaS applications that normally abide by company policies, but to those random, esoteric applications that were granted permissions to company data by an unaware employee.
Three major risks of overlooking SaaS shadow IT
The obvious challenge in Shadow IT is that you cannot control what you don’t know. IT and security teams’ lack of visibility into which SaaS is being used results in a natural lack of insights as to the magnitude and depth of the problem at hand. I see this time and time again with companies that I work with when asked the seemingly basic question of: “How many SaaS applications are being used in your organization?” Most teams do not know or are completely off. So how can they be expected to protect their organization’s sensitive data?
After examining over 450 companies, these are the top risks of SaaS-Shadow IT:
1. Recently breached SaaS applications are being used. Using a SaaS application requires granting it some set of permissions. When these are read-only permissions, the risk is smaller. The trouble is that most SaaS applications require write permissions, granting them the ability not only to view but also to edit company data. We found that 84% of employees are unknowingly using SaaS applications that were recently breached.
This number is even more concerning when learning that 76% of applications are not actively being used, yet have access to company assets. Knowing which SaaS applications are or were being used, and how secure these applications are, is vital to ensuring data safety. This is especially true in light of the fact that SaaS applications are becoming more of a target for malicious players.
2. SaaS applications are great for lateral movement. SaaS applications are interconnected. It makes sense – it helps them provide a better, streamlined service. On the downside, even if you have a sense of control over your SaaS usage thanks to IAM systems or company policies, third-party applications can completely bypass that.
Think of all the ways modern companies leverage interconnectedness on a daily basis – whether it is Zoom connecting to a calendar, Slack connecting to Google Drive, or Hubspot’s integration with Salesforce. Not to mention all those random applications that are available online, oftentimes not even requiring a credit card to use. This interconnectedness creates a SaaS shadow network that is enough to compromise any organization.
3. It is nearly impossible to analyze all the SaaS in use. The average SMB uses hundreds of SaaS applications. In enterprises, the numbers rise to thousands. Solving SaaS Shadow IT is not just about knowing what is in use, but also what can and should be done with all these applications. When looking at the 450+ companies, they all had risky applications in their SaaS stack, often a few dozen.
These are not only the recently breached applications, but also those that lack proper security and/or privacy compliance, or that don’t offer any public application programming interface (API) through which their access could be audited or revoked. There are several ways to calculate the security of a SaaS application, but manually going over the ever-changing and growing SaaS layer is not a feasible task for thinly stretched modern security teams.
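To make the risk checks from items 1 and 3 concrete, here is an added Python example (not part of the original article, and not any vendor’s product) that runs them over a constructed inventory of third-party OAuth grants, the kind of data a SaaS discovery pass over an identity provider’s consent log yields. The grant records, the scope strings (a generic "resource.read"/"resource.write" pattern), the 90-day dormancy threshold and the breach/compliance flags are all assumptions for illustration. It classifies each grant by highest access level (read vs. write), flags grants to recently breached vendors, dormant grants that still hold access, and apps with no compliance attestation or no API, and sorts them into revoke / review / ok buckets:

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class SaasGrant:
    """One third-party app authorized against company data (constructed record)."""
    app: str
    scopes: list                 # OAuth scopes the employee consented to
    last_used: date              # last time the app exchanged a token
    granted_by: str              # employee who clicked "Allow"
    recently_breached: bool = False   # assumed to come from a vendor-incident feed
    has_compliance: bool = True       # e.g. a security/privacy attestation on file
    has_public_api: bool = True       # can access be audited/revoked programmatically?


# Scope fragments that imply the app can change data, not merely view it (assumption).
WRITE_MARKERS = ("write", "modify", "delete", "admin", "full")

TODAY = date(2023, 6, 1)  # constructed "now" so the example is deterministic

# Constructed sample inventory; app names and vendors are fictional.
INVENTORY = [
    SaasGrant("calendar-sync-bot", ["calendar.read"], date(2023, 5, 30), "alice"),
    SaasGrant("pdf-converter", ["drive.read", "drive.write"], date(2022, 11, 3), "bob",
              recently_breached=True),
    SaasGrant("crm-connector", ["contacts.read", "contacts.write"], date(2023, 5, 28), "carol",
              has_compliance=False),
    SaasGrant("meme-generator", ["profile.read"], date(2023, 1, 10), "dave",
              has_public_api=False),
]


def highest_access(scopes):
    """Return 'write' if any scope can alter data, 'read' if it can only view it."""
    for scope in scopes:
        if any(marker in scope.lower() for marker in WRITE_MARKERS):
            return "write"
    return "read" if scopes else "none"


def assess(grant, today=TODAY, stale_after_days=90):
    """Apply the article's risk checks to one grant and return the findings found."""
    findings = []
    access = highest_access(grant.scopes)
    dormant = (today - grant.last_used).days > stale_after_days
    if grant.recently_breached:
        # A breached vendor holding write access is the worst case: it can edit, not just read.
        findings.append("breached-vendor" + ("-with-write" if access == "write" else ""))
    if dormant and access != "none":
        findings.append("dormant-but-authorized")   # unused, yet still holds access
    if not grant.has_compliance:
        findings.append("no-compliance-attestation")
    if not grant.has_public_api:
        findings.append("no-api-for-audit-or-revocation")
    return findings


def triage(inventory, today=TODAY):
    """Map each app to a recommended action plus the findings that justify it."""
    report = {}
    for grant in inventory:
        findings = assess(grant, today)
        if any(f.startswith("breached-vendor") for f in findings) or "dormant-but-authorized" in findings:
            action = "revoke"
        elif findings:
            action = "review"
        else:
            action = "ok"
        report[grant.app] = {"action": action, "findings": findings, "granted_by": grant.granted_by}
    return report


def write_access_ratio(inventory):
    """Fraction of grants that can modify company data (the article's main concern)."""
    writers = sum(1 for g in inventory if highest_access(g.scopes) == "write")
    return writers / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    for app, entry in triage(INVENTORY).items():
        print(f"{entry['action']:7} {app:18} (granted by {entry['granted_by']}) {entry['findings']}")
    print(f"grants with write access: {write_access_ratio(INVENTORY):.0%}")
```

In a real deployment the inventory would be pulled from the identity provider’s list of authorized third-party applications and enriched with a vendor-incident feed and compliance records; the triage rules are the part worth adapting, for example tightening the dormancy window for write-capable apps.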
Shedding light on SaaS shadow IT
IT and security teams have been fighting various forms of Shadow IT for decades now, and SaaS, in many ways, is the rebirth of Shadow IT in its new, more complex form. SaaS applications are not going anywhere, and we must face the fact that they have access to our company’s most sensitive data. Yet, using the term “Shadow IT” to describe the loss of control over SaaS pretty much spells out the solution: shedding light.
This vast and complex attack layer actually has an almost annoyingly simple solution – SaaS discovery. It is clear that with the ever-increasing use of SaaS, coupled with the lack of security and IT control, organizations today simply must have visibility into their company’s SaaS attack layer. We have EDR systems in place to protect our endpoints, we have Cloud Security solutions to protect our cloud usage, and we have AST to ensure our applications’ security. Without knowing our endpoints, cloud usage, and applications – how could we have protected them? SaaS is no different.