By 2024, businesses mostly use the term Shadow IT to denote the uncontrolled proliferation of SaaS subscriptions, also known as SaaS sprawl.
In simple terms, any employee can sign up for software that is accessible online, but they may not fully understand the implications for data security and confidentiality.
Historically, Shadow IT has posed a significant challenge to large businesses (>1000 employees) where IT teams manage a broad range of software and hardware licenses.
However, with the widespread adoption of cloud-based technologies, even smaller businesses (starting from 50 employees) are exposed to this issue. Predictably, SaaS subscriptions accumulate without any traceability.
And it's not just about traceability: the budget for these apps and online tools has also grown substantially!
So how can we control this burgeoning SaaS budget? What are some instances of Shadow IT that may impact businesses? And what potential risks could they be exposed to?
Here are 6 examples of Shadow IT that LicenceOne has identified amongst its clients, along with the solutions that have been implemented to mitigate these risks.
The subscription model of SaaS offers an appealingly low entry cost. Hence, the initial expenses for online tools often feel inconsequential.
As a result, employees' requests to their supervisors for new software are often quickly approved, with the justification that it's "only a few tens of euros/dollars per month".
This situation becomes a case of Shadow IT when no procedures are in place to prevent, share, and internally track this information - particularly by those in charge of security.
Even within the same team, employees may subscribe to multiple software solutions that accomplish similar tasks (resulting in feature overlap). In some cases, they may even subscribe to identical SaaS platforms, unknowingly duplicating tools that are already in use within the company (!)
Many SaaS pricing models scale with the number of users. The more seats required, the higher the cost.
It can be tempting to share a generic email address and its associated password, thereby allowing the company to pay for only one seat.
It often occurs that an entire department, like marketing, uses the same account associated with a common address, such as "communication@company.com".
However, the associated issue is that control over access is lost! There's even a risk that individuals outside the company might gain access to the software.
Addressing a budget issue by creating a security risk is certainly not a good practice.
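One way to spot the shared-mailbox pattern described above is to look at the sign-in history that most SaaS admin consoles export: a single account that is used from several networks within a short window is a strong hint that several people hold the password. The script below is an added example, not LicenceOne's code; the event fields (account, ts, ip, ua) and the sample sign-ins are constructed assumptions.

```python
"""Flag SaaS accounts that look like they are shared by several people.

Added illustration, not LicenceOne's code. The input is a list of constructed
sign-in events of the kind most SaaS admin consoles can export; the field
names (account, ts, ip, ua) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the "communication@" mailbox is used by three people
# from three networks within one hour; the personal accounts are not.
SAMPLE_EVENTS = [
    {"account": "communication@company.example", "ts": "2024-03-04T09:02:00",
     "ip": "203.0.113.10", "ua": "Chrome/Windows"},
    {"account": "communication@company.example", "ts": "2024-03-04T09:15:00",
     "ip": "198.51.100.7", "ua": "Safari/macOS"},
    {"account": "communication@company.example", "ts": "2024-03-04T09:40:00",
     "ip": "192.0.2.55", "ua": "Chrome/Android"},
    {"account": "alice@company.example", "ts": "2024-03-04T08:55:00",
     "ip": "203.0.113.10", "ua": "Chrome/Windows"},
    {"account": "alice@company.example", "ts": "2024-03-04T13:10:00",
     "ip": "203.0.113.10", "ua": "Chrome/Windows"},
    {"account": "bob@company.example", "ts": "2024-03-04T09:00:00",
     "ip": "198.51.100.7", "ua": "Safari/macOS"},
    # Bob signs in from another network the next day: travel, not sharing.
    {"account": "bob@company.example", "ts": "2024-03-05T09:00:00",
     "ip": "203.0.113.99", "ua": "Safari/macOS"},
]


def shared_account_candidates(events, window=timedelta(hours=1), min_distinct=3):
    """Return {account: set_of_ips} for every account that was used from at
    least `min_distinct` distinct source IPs inside some sliding window of
    length `window`. Events are grouped per account and sorted by time."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(
            (datetime.fromisoformat(e["ts"]), e["ip"], e["ua"])
        )

    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            # All sign-ins that start within `window` of this one.
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            ips = {ip for _, ip, _ in in_window}
            if len(ips) >= min_distinct:
                flagged[account] = ips
                break  # one hit is enough to report the account
    return flagged


if __name__ == "__main__":
    for account, ips in shared_account_candidates(SAMPLE_EVENTS).items():
        print(f"possible shared account: {account} seen from {sorted(ips)}")
```

The thresholds are deliberately conservative: one person on a VPN or a mobile connection can legitimately appear from two addresses in an hour, so the check asks for three. A hit is a prompt to replace the generic mailbox with named accounts (ideally behind the company's single sign-on), not proof of misuse on its own.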
Email attachments quickly run into size limits.
To get around this limitation, employees often turn to third-party transfer services with expiring public links, such as WeTransfer, Smash, etc.
Another common practice is granting access to the company's storage tools. This could be a Digital Asset Management (DAM) system, a Dropbox account, or a Google Drive.
The risks associated with these practices are numerous, because once company data has been sent out, its traceability is lost.
Indeed, some of the tools mentioned above offer options like access rights controls, watermarking, and tracking; but it's crucial to know who is using these tools, and particularly whether they are adhering to these best practices.
Many SaaS solutions are primarily utilized to store, organize, or publish data for the company. Examples of such tools include CRM systems, accounting software, or design tools.
In most use cases, a SaaS tool will need to access corporate data. These data accesses require authorization and, where third-party personal data is involved, are regulated by legal frameworks such as the GDPR, which requires a data processing agreement with the provider.
In other words, some company data is made available within the SaaS tools used by various teams and individuals.
Similar to the previous example, the underlying risk emerges when the IT department lacks information about who has access and what rights they have over these software tools.
An integration between various standalone applications allows them to communicate, share, and process data.
The addition or updating of information in a database can then trigger updates, routines, and automated events within other company SaaS solutions.
Not all these integrations necessitate technical skills. Administrator access is often sufficient for a SaaS that provides native integrations.
To authenticate the application that data is being shared with, SaaS solutions use identification keys (API keys), which are usually accessible in the settings.
So, what are the risks in this scenario?
Once an integration is established, data can be transferred, with tasks continuing to run even after the account of the person who set up the integration is deleted.
Besides being difficult to trace, these data flows no longer require any human intervention or any particular user account.
In summary, this creates a potential trap through which sensitive data could leak.
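A practical countermeasure for the orphaned-integration problem is to reconcile the API keys a SaaS tool has issued against the user directory: any key whose creator has left, that has not been used in months, or that carries write or admin rights deserves a review. The audit below is an added example and not LicenceOne's code; the inventory format, the user directory and all the records are constructed assumptions, since every SaaS console exports this information a little differently.

```python
"""Audit SaaS integration credentials (API keys) against the user directory.

Added example, not code from LicenceOne. The inventory format is an
assumption: most SaaS admin consoles can export something equivalent, and
the user list would normally come from the HR system or identity provider.
"""
from datetime import date

# Constructed user directory: Bob left the company at the end of January.
USERS = {
    "alice@company.example": {"active": True},
    "bob@company.example": {"active": False, "left": "2024-01-31"},
}

# Constructed export of integration credentials from a SaaS admin console.
INTEGRATIONS = [
    {"id": "key-01", "created_by": "alice@company.example",
     "target": "crm -> accounting", "scopes": ["contacts:read"],
     "last_used": "2024-03-01"},
    {"id": "key-02", "created_by": "bob@company.example",
     "target": "crm -> spreadsheet",
     "scopes": ["contacts:read", "contacts:write", "admin"],
     "last_used": "2024-03-03"},
    {"id": "key-03", "created_by": "alice@company.example",
     "target": "crm -> legacy tool", "scopes": ["contacts:read"],
     "last_used": "2023-10-10"},
]


def audit_integrations(integrations, users, today, stale_days=90):
    """Return a list of findings, one per credential that needs a review.

    A credential is reported when its creator is unknown or deactivated
    (the integration outlived its owner), when it has not been used for
    more than `stale_days`, or when it carries write or admin scopes."""
    findings = []
    for key in integrations:
        reasons = []
        owner = users.get(key["created_by"])
        if owner is None or not owner["active"]:
            reasons.append("owner-inactive")
        idle = (today - date.fromisoformat(key["last_used"])).days
        if idle > stale_days:
            reasons.append("stale")
        if "admin" in key["scopes"] or any(s.endswith(":write") for s in key["scopes"]):
            reasons.append("broad-scope")
        if reasons:
            findings.append({"id": key["id"], "target": key["target"],
                             "owner": key["created_by"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_integrations(INTEGRATIONS, USERS, today=date(2024, 3, 5)):
        print(f"{f['id']} ({f['target']}, {f['owner']}): {', '.join(f['reasons'])}")
```

Run against the constructed data on 2024-03-05, key-02 is reported because its owner is gone and it holds write and admin rights, and key-03 because it has sat unused for well over ninety days; key-01 passes. Running this reconciliation as part of the leaver process, and again on a schedule, is what turns the "trap" above into an ordinary housekeeping task.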
Software versions continually evolve through regular updates. These updates frequently offer new features to users, but also address errors (bugs), or security vulnerabilities.
These issues are identified when users report them, or by deliberately testing the protection and security mechanisms.
With each successive version, the software publisher uses these updates to raise the level of security.
IT teams are typically well aware of this topic and the associated risk of hacking. However, not all users instinctively apply these updates.
Consequently, when software isn't up-to-date, there's an escalating risk of security breaches.
Despite the risks highlighted above, a policy that's too stringent for all employees might also bear its own negative effects.
The utilization of SaaS solutions has also enabled employees to enhance productivity, and in some instances, even boost sales.
The key is to strike a balance between:
Your task is to establish a framework around software subscriptions, a policy for the company's SaaS Management.
It's not a one-size-fits-all recipe. You'll need to tailor it to your company's context. The broad guidelines below serve as starting points for establishing an internal SaaS management policy.
For further assistance, consider these two free resources:
Let's break this down into 4 main steps:
It's your responsibility to create an internal policy that fits your company's context. It's pivotal to define best practices and engage teams.
Employees should understand the financial, regulatory, and security implications. This understanding will influence their choices of online applications and their usage patterns.
In a regularly updated dedicated article, we have gathered the 23 best SaaS Management solutions.
In summary, we identify 3 types of platforms based on different needs: