Shadow IT Governance: How to Discover, Monitor, and Control

When your business is expanding, so will your employees and their need to try new solutions to simplify work. While you cannot completely stop them from exploring new solutions, you can mitigate the risks of shadow IT. 


This simple thought cloud of an employee can tell you how shadow IT is born.

Shadow IT can be a boon or bane in your IT environment. It's all about how you manage it. It presents you with a risk as well as an opportunity, and if you understand why your employees are bound to use a particular solution, you learn what they need.

You need to find ways to get a job done while keeping your IT standards in place. You should bridge the gap between following the rules of IT and the flexibility to adapt to new solutions. 

What Can You Do?

Regain the lost visibility? But how? 

How can you view or manage something which you don't even know exists? 

You can't! 

Instead of coming up with defense mechanisms, you should first know how big the problem is in your organization. But that's easier said than done.

Your IT guidelines shouldn't be a set of strict rules and regulations drawn up purely from IT's perspective. Instead, they should be built on open communication and innovation that empowers employees to collaborate with IT to find user-friendly, safe, and secure solutions.

The Art of Managing Shadow IT Without Banning it

The Mindset

If your goal is to eradicate shadow IT from your organization completely, I bet it's not going to work.

Instead of punishing your employees for trying out new solutions, appreciate their exploration. 

This way, you get to discover solutions that your employees love to use. So it's a win-win! 


Shadow IT sprouted from what users perceived as a 'Culture of No' on the part of IT organizations. IT is seen as a roadblock to business, so people found a way around it.

Phil Hagen, SANS Certified Instructor and Course Author


Beware of the Risks. Appreciating exploration doesn't mean accepting every new app an employee tries. Each app they sign up for may or may not be good for your company.

While giving them the freedom to choose, you also need to assess the risks of each of these applications. And then standardize the safe ones.

Prepare a List of Approved Services & Practices

In the process of vetting the shadow SaaS apps, make a list of approved and unapproved apps and make it visible to the employees to remind them of what is accepted within the company. 

Also, when they ask for approvals, it's common for IT departments to take their own sweet time in deciding. Meanwhile, these employees get tired of waiting and start using the apps without approval.

It is the responsibility of IT to speed up the response time and reduce the evaluation period for tech requests. In addition, by fast-tracking the decision-making process, you make it visible that you respect their freedom. 

Here are some ways to fast track the clearance: 

  • Create a portal with the approved solutions that the users can download and use as they need. It'll prevent them from waiting for a long time. They can select apps from the portal and start using them immediately. 

  • IT should communicate with the departments often and update them regularly on the procurement status. Keep in mind that the application was requested to get specific work done.

Engage and Educate Your Employees

First, understand that your employees are using the app (the shadow app) to get the work done faster and more effectively. But they might not be aware of the risks it can pose.

So rather than banning the app, educate them about the dangers of using unapproved software. 

Teach them what is safe and what is not. 

Lack of awareness of authorized solutions may also drive employees to select unauthorized ones. In some cases, they don't know that the solution they need is already offered. So they find their own solutions. 

If you have already procured the licenses of tools your employees need, inform them about it. Make them aware of the tools' availability and their functionality.

Build Partnership with Business Units

Many businesses have a central IT department, so business units that procure their own tools fall outside its governance.

These business units bring in a lot of shadow apps. So build partnerships with these business units that lie outside the IT department.

You can also use SaaS management software, such as Zluri, to discover all the apps used at each of your business units.

Vendor Management Should be IT's Task

Though employees sign up for many applications, when it comes to building and managing relationships with vendors, they lack the skills. 

Employees tend to forget the vendor agreements they signed, the SLA terms, and the fine print.

These kinds of essential tasks, like vendor management, can be given to the IT departments as they have a better understanding of the process.

Use this checklist to deploy your vendor management strategy:

  • Apps from each category used by your employees and business units.

  • Popular services that the whole enterprise should adopt.

  • Effectiveness of firewalls and proxies.

  • The redundant apps in use.

  • Which of these solutions store sensitive data?

  • How secure are these apps?

Create a Rapport with SaaS Buyers

Employees and business units that procure SaaS applications for the growth of the business overlook the risks of shadow IT.

So, it is imperative to talk to them and build relationships with these SaaS buyers. This way, you get to know their needs, remove communication barriers, and empower them. 

Only when IT actively collaborates with other business units and works harmoniously can they identify the business goals and come up with solutions that will support the growth.

To keep yourself informed on spend-related data, value, and security, you can sign up for SaaS management software like Zluri.

Zluri gives you visibility of your SaaS stack—keeping you in the loop of what's happening. 

SaaS Governance: A Framework to Catch Shadow IT in its Tracks

Find How Deep-Rooted Shadow IT Is

Instead of panicking and trying to stop shadow IT, find how extensive it is and its causes. Whether your employees are using company-issued or personal devices, you need to know where all the data resides. 

You can obtain log data from firewalls and proxies to track the cloud services that are used outside IT's purview. This tells you which services are in use, by whom, and how often.

  • Set up Training Sessions for Employees. If you think cutting off access to a particular application is going to prevent shadow IT, then you need to rethink. If you cut access to one solution, they will find another one, and so it goes on.

In the experimentation culture, it's equally important to provide security training to teach your employees how to protect data and accounts from getting compromised.

This will help your employees exercise a sense of caution while signing up for an app.

  • Set up an Employee Feedback Channel. Lack of communication leads to the existence of shadow apps. You can create an employee feedback channel where they can regularly express tech needs, concerns, and ideas. 

    This can make the efforts of IT more welcoming, collaborative, and informed, knowing the needs of business and employees. 

  • Data Migration from Shadow Apps to a Standard App. After standardizing an application, you need to migrate the data from shadow apps to prevent data silos. 

    Data silos make it difficult for IT to manage, monitor, and protect. 

    When data is siloed, it becomes buried data that your business can no longer use, and there is a real chance of data loss during the migration.

  • Restrict Access to Unapproved Apps. Restricting and blocking access to third-party applications should never be the first option for IT.

    Instead, come up with an IT policy that states which services are not permitted and provide your employees sufficient training.

    However, blocking is never going to be a long-term solution. You need to identify users who access shadow apps, help them understand their risk, and offer them low-risk alternatives.

  • Monitor all Apps and Their Usage in the Company. To get a hold of shadow IT, you need to monitor all the apps and their usage. You can't trace shadow IT if you are stuck in spreadsheets for managing your SaaS stack. 

Zluri (that's us) identifies SaaS apps present in your organization and gives you detailed information on who uses them, how often they are used, how much is spent on them, how secure they are, and whether they are approved or not. 

You can restrict risky apps with this information. Zluri's discovery engine takes input from your SSO provider like Okta, spend management apps like Quickbooks & Xero, desktop and browser agents, and surfaces your SaaS landscape with 100% accuracy. The whole process takes less than 5 minutes. 

Tools for Detecting & Preventing Shadow IT

  • Cloud Access Security Broker (CASB). The battle against shadow apps can only be won if you regain the lost visibility. A cloud access security broker (CASB) is a good solution for monitoring all the activity between cloud users and cloud service providers and enforcing security policies. It is capable of addressing security gaps across SaaS apps by governing the usage of third-party applications. A CASB can be integrated with a SIEM (security information and event management) system to streamline log collection and correlate cloud usage with other activity. In doing so, you get real-time security alerts, giving organizations useful insight into what's happening in the IT environment.

    Though CASB offers good visibility, it doesn't solve all the issues it highlights. 

    Tim Prendergast, founder and CEO of Evident.io, describes a CASB as a doctor telling a patient they have several problems but being unable to fix them. This makes you consider whether those funds would be better spent hiring better talent to identify and resolve the issues.

  • Employee Surveys. You can conduct quarterly employee surveys where employees can fill in how satisfied they are with current tools and what they need.

    Include a field where they can tell you about any application they have signed up for without IT's knowledge. The survey can be kept anonymous so that employees can tell you the truth.

    At the same time, you'll also learn what they need. Again, it depends on the nature of employees. If they feel the truth may lead to blocking the tool they presently use, they wouldn't wish to expose it. 

    Though a survey is a good solution, it's not reliable.

  • Monitor Your Network. Continuously scan your network for new and unknown devices, and compare each scan against the previous inventory to know when new devices connect.

    Though a tiring process, it is considered one of the best security practices by CTOs like Dwayne Melancon. Melancon, CTO of Tripwire, suggests that this method, carried out routinely, can help you find out whether there are new devices on your network and what kind of devices they are.

    Log data from existing firewalls, proxies, SIEMs, and MDM can be processed to identify the shadow IT in use, its users, the frequency of usage, and how much data is uploaded or downloaded.

    It requires high technical expertise to use such solutions. If you don't have the talent in-house, it is time-consuming to develop because of the steep learning curve.
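As an added example (not Zluri's code and not part of the original post), here is the kind of analysis the firewall/proxy log and "Monitor Your Network" sections describe: constructed proxy log lines in an assumed six-field format are summarised per service that is absent from IT's approved list, showing who uses it, how often, and how much data moves in each direction.

```python
# Added example (not from the original post): summarising proxy logs to surface
# SaaS services that are in use but absent from IT's approved list.
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in a simplified proxy log format (assumed here):
# timestamp user method host bytes_uploaded bytes_downloaded
PROXY_LOG = """\
2024-03-01T09:02:11Z alice CONNECT app.slack.com 1820 40210
2024-03-01T09:05:47Z bob CONNECT api.trello.com 930 12880
2024-03-01T09:06:03Z alice POST upload.trello.com 4194304 512
2024-03-01T09:10:29Z carol CONNECT drive.google.com 2048 98304
2024-03-01T09:12:50Z dave CONNECT api.trello.com 1200 15000
2024-03-01T09:15:08Z erin POST files.wetransfer.com 104857600 800
"""

# Assumed allowlist of approved services, keyed by registered domain.
APPROVED_DOMAINS = {"slack.com", "google.com"}


def registered_domain(host: str) -> str:
    """Reduce a host name to its last two labels (sufficient for the sample data)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_unapproved_services(log_text: str, approved: set) -> List[Dict]:
    """Aggregate proxy traffic per unapproved service: users, requests, bytes in/out."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "up": 0, "down": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than abort the whole report
        _ts, user, _method, host, up, down = fields
        domain = registered_domain(host)
        if domain in approved:
            continue
        s = stats[domain]
        s["users"].add(user)
        s["requests"] += 1
        s["up"] += int(up)
        s["down"] += int(down)
    report = [
        {"service": d, "users": sorted(s["users"]), "requests": s["requests"],
         "bytes_uploaded": s["up"], "bytes_downloaded": s["down"]}
        for d, s in stats.items()
    ]
    # Rank by breadth of adoption first, then by volume of data leaving the network.
    report.sort(key=lambda r: (-len(r["users"]), -r["bytes_uploaded"]))
    return report
```

Services with many distinct users are candidates for standardisation; a single user pushing a large upload to an unapproved file-sharing service is the case worth a conversation and a low-risk alternative.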

SaaS Management Platform: Built to Eliminate Shadow IT

With employees having the key to the SaaS stack, you never know when an employee signs up for an app. You wouldn't want to go around daily asking them what apps they have signed up for recently to update it in the spreadsheet. It is tiring and time-consuming!

You need to have a SaaS management platform that identifies all the applications in your SaaS landscape. Unlike the tiring chore of updating the spreadsheets, Zluri automatically updates the app list whenever employees sign up for a new SaaS app.

Zluri's user-friendly dashboard provides all the information you need to keep track of your organization's SaaS stack. 

It gives you detailed information on SaaS apps being used, who uses them, how often they are used, how much is spent on them, if they are SOC-2 compliant, and whether they're approved. You can un-provision risky apps with this information. 

Zluri is intelligent enough to point out how safe or risky an application is, helping you discard the high-threat ones immediately. You also get recommendations on alternative apps that are safe as well as cost-effective.