23rd February, 2022
TABLE OF CONTENTS
The proliferation of shadow IT introduces various security gaps. These unsanctioned apps don't undergo security protocols and lack governance measures that are enforced on an IT Sanctioned app.
I'm not saying that all of these unsupported SaaS applications are a threat, but those that encourage sharing sensitive data are what you need to watch out for. File sharing and collaboration apps like Dropbox and Google Docs can lead to data leaks.
Security gaps related to employees. If employees store and use data from multiple locations, especially outside the company network and firewall, the IT department can't plan for data security across these hidden cloud applications.
When the IT department loses control over the SaaS applications deployed, it makes the entire company's data vulnerable. It also makes confidential information unprotected and susceptible to all kinds of security breaches.
The breach could be even by a former employee whose access hasn't been terminated.
Another problem with shadow apps is employees store credentials for their cloud apps in their browsers, spreadsheets, or consumer vaults. These are the risky practices that lead to credential theft.
The worst is the practice of using the same credentials for multiple accounts and using the same credentials to access the shadow IT softwares.
For cybercriminals, it is a goldmine because the returns for a successful attack are much higher than when an employee uses different credentials for different accounts.
Security gaps from the vendors' end. Due to shadow apps, your data can be shared with third-party vendors by employees, increasing the risk of data theft.
You never know who has access to which data, making it difficult for the IT department to take control.
Baseline security is also not enforced from the vendor's end on these apps, such as multi-factor authentication and password strength. These vendors may be given Edit access to company data where only View access is required, thus breaking the least privileged role-based access controls.
Shadow apps lack central account management where they can be set up, rotated, and monitored appropriately.
Data loss. In modern organizations that run on data, the consequences of data loss are severe. Organizations can lose access to data, mainly when an employee who owns a set of information leaves the company.
It often happens in companies that have BYOD (bring your own device) policy.
A simple example could be an employee storing information in a personal Dropbox or a Google Drive account. In such a case, it would be difficult to get back the critical data stored in the user's personal account. It is almost impossible if the employee leaves.
No Governance Over How Data Is Managed After Termination
When an employee manages apps of their own, it is not uncommon to forget to pay for renewals. These software services usually get terminated when there is a failure or delay in the payment of bills. So companies have no way of recovering data once lost.
The IT must know what apps are in use to mitigate these risks associated with shadow apps.
Companies need to be compliant either because there are government regulations in industries, such as healthcare or fintech or because the clients' requirements are growing in this area. If you are selling to enterprises, the minimum they will ask you to be SOC 2 compliant.
There are other regulations from the government end that companies need to follow, such as GDPR, CCPA, PCI DSS, HIPAA, ISO 27001, etc.
Damage your company's brand reputation. To comply with these regulations, companies internally have IT governance guidelines. Software Asset Management (SAM) guides businesses in the procurement of software, but with shadow IT, there is no scope for proper documentation and approval of such apps.
Shadow IT brings the possibility of violating regulations like HIPAA, GDPR, PCI DSS, ISO 27001, or SOC 2 because most of these regulations are based on data flows and storage.
So when an employee signs up for a shadow IT application, they store data in an unknown and unauthorized location. This lack of security can lead to compliance violations, data breaches, and ultimately fines.
During audits by regulators, it could lead to hefty fines, lawsuits, or in a worst-case scenario, even jail.
This damages your company's brand reputation in the market.
A mismatch between plans and reality. When employees buy applications independently, it consumes the budget at the department and business unit levels. Since IT is unaware of the buying process, it leads to a mismatch between the plan and execution.
For example, your company's CMO has plans to utilize a marketing budget of $1.5M. But if the marketing executives end up purchasing apps worth $150,000, wouldn't it impact the plan made by the CMO?
Here, the main thing to note is top-down procurement doesn't work. Procuring apps without employee feedback gives rise to 'shadow IT.'
Suppose employees are uncomfortable with a particular application and feel that the UI is difficult to understand. In that case, they will switch to apps with ease of use without the consent of the IT department to do their work.
Collaboration inefficiencies. When employees across departments use different applications for the same function, it leads to collaboration inefficiencies. The whole process becomes inefficient when there are multiple versions of data existing in different locations.
For example, one department uses Slack for communication, and another department uses Microsoft Teams. When they both need to work on a project together, it gets complicated. In the remote work scenario, effective communication is a must.
No technical support. If you need help doing a particular task in a shadow application or require some training, the IT department wouldn't be able to assist you as they would lack knowledge and documentation. If there is a time-bound project dependent on shadow IT software, then the consequences would be severe.
IT budget wastage. Shadow apps lead to redundant applications, lapsed subscriptions, and data silos. Beyond just the data risks, it also causes wastage of resources as there will be different duplicate solutions that different departments use.
10% of company revenue is spent on SaaS. It’s a staggering metric, and a high percentage of income is wasted inefficiently on business tools. In comparison, companies spend, on average, 15% on employees annually.
With this explosion of SaaS at companies, there arise SaaS challenges caused by apps getting out of your control. These SaaS challenges varies in three dimension: spend management, security and complance risks, and various SaaS operations tasks like automating SaaS procurments, renewals, employees onboarding and offboarding.
‘Muda’ is used to describe any activity that uses resources but doesn't generate value. It is the Toyota system for identifying and eliminating waste in all forms. It is the same thing that helps Toyota sell more cars than Ford, General Motors, and Honda at a higher margin.
An obese SaaS stack leads to SaaS wastage. It's a disease! It not only causes financial issues but also gives you security and compliance problems. That's why you must keep tight control on your SaaS stack. And it begins with managing your SaaS vendors.
In this post, we've discussed 7 symptoms of an unoptimized SaaS stack and solutions to optimize the same.
Zluri makes a backup of the data in those apps while canceling the user's licenses so that the admin can transfer it to the newly hired owner.
An SMP gives a central place to discover SaaS apps in use throughout the organization automatically. It helps to manage and secure users, apps, data, files, folders, and user interactions within SaaS apps.
Security and privacy frameworks provide a structure where you can manage procedures, rules, and other administrative tasks needed in your organization.