Shadow IT – three things we learned when we got the flashlight out
Sep 21 | 6 mins read
Topics: Business-led IT, SaaS Discovery, Shadow IT
Tackling Shadow IT can feel like a huge undertaking. Whilst technology to support discovery can certainly help, it isn’t a silver bullet. To implement a holistic solution, IT teams need to prepare to respond to what they discover lurking in the shadows -- in our experience that’s an opportunity for you to be an enabler and not just an enforcer. To give you a head start on that preparation, here’s what we’ve learned from helping our users with SaaS discovery.
1. The label 'shadow' might be misleading
The word ‘shadow’ conjures up images of covert activity, suggesting a certain amount of stealthiness and intent. That’s not the reality. Employees aren’t actively hiding their activity – they’re happily using ‘social logins’ (Google / Microsoft Sign-in) to access apps and are putting small subscriptions on their corporate credit cards. It’s as much a failure to look as it is a result of users successfully evading the IT team.
A lot of information on SaaS usage is available, but it’s inconvenient to access and hard to unify. That’s good news, as it means you can make quick progress with the right tools.
2. There are gems to be found. You’ll discover use of apps that help you rethink your IT strategy
SaaS discovery is an excellent source of technology insights for your IT team. Here are three common categories of app usage insight you’re likely to find:
- Innovators – apps solving a new or previously unidentified problem e.g. collaborative whiteboarding tools, such as Miro and Whimsical, that are helping newly remote teams work efficiently
- Gap Fillers – generic, flexible data management apps like Airtable and Smartsheet that are being used selectively to support specific processes, or to bridge gaps between systems. This can help flag business functions that would benefit from new or upgraded technology, either in the form of consolidated and secured use of Airtable / Smartsheet, or through the implementation of a more specialist solution
- Competitors – apps that appear to duplicate functionality on offer from an existing, sanctioned app. Classic examples being project management tools such as Trello and Asana. It could mean it’s time for an upgrade of your enterprise project management app and now you’ve got some great data on other options already in use, plus a user panel to gather feedback from.
3. Risky app usage
Risk can be significant but tends to be concentrated and too easily masked by the ‘noise’ of other shadow activity that’s comparatively harmless. For G Suite users, a good proxy is use of ‘Google Sign In’ by employees (for context, check out our post on ‘social logins’). This kind of access comes with different types of risk, which can be scored – from simply logging the user in, through to full access to their emails.
- Expect 40-50% of G Suite connected apps discovered to be low risk and in use by just one or two users
- This leaves moderate and high risk apps that fall into two broad categories – strictly personal use apps and those with a plausible business use
- We consistently find at least half a dozen personal use apps with high risk access e.g. access to email inboxes, read/write Google Drive access
- A core of lightly used business apps and scripts with very risky permissions e.g. ability to see and modify all G Suite users on your domain. It may not surprise you to see they’re being used, but seeing the extent of the permissions and the user base can be revealing – particularly when these informal tools tend to fall outside the scope of compliance controls such as user access reviews
What does this mean for the modern IT team?
Review your policies
Update (or create) your shadow IT policy and make sure it reflects the way your users actually work today. Invariably that’s going to involve far more remote working. The policy should be practical and enforceable. Blanket bans are hard to enforce, cut off an invaluable source of technology insights and are likely to be ultimately futile anyway (the Harvey Nash / KPMG 2019 CIO Survey revealed that 62% of companies that forbid non-sanctioned IT report it still exists.)
Making decisions about what you’re comfortable with is the first step. We often find that after initial discovery IT teams don’t immediately know what to do with the results. It’s no surprise users feel unconstrained if the IT team doesn’t know what rules to apply. Getting clarity requires collaboration with other teams that have a vested interest in responsible SaaS usage: InfoSec, Finance, Compliance, Privacy, Procurement. But don’t let perfection be the enemy of progress – it’s important to start somewhere, so pick the area you can make the most headway on quickly. From this foundation you can incrementally mature your policies and SaaS management program to address multiple concerns.
If you have a CASB in place and want to get very fine-grained you have the option to go ‘belt and braces’. CASBs remain expensive and can be complex to implement, so it’s still not an option for a lot of companies. For many, the solution will need to be more agile. G Suite and Azure AD users should take advantage of the benefits of ‘social login’ – our experience suggests that if it’s available, users will use it (for almost anything!). The key thing is to look at the OAuth permissions that are granted by users when accessing third party apps with social logins. With hundreds of ‘scopes’ ranging from ‘ability to view and modify users on your domain’ to ‘ability to view your calendar settings’ you can’t assume all apps are equal. The great news is that once you define the rules, SaaS management tools like Trelica can help track what’s in use and (courtesy of a new G Suite admin feature) enforce app blocking selectively.
Don’t guess, ask your users!
There is no quicker way to alienate users than to unilaterally block access to an app with a generic ‘you’ve been naughty’ message. Make your response proportional – if it’s an app with a legitimate business use but some risky permissions, you need to engage with the users to understand more.
Don’t assume that because Trello is being used widely that it’s ‘better’ than your enterprise project management tool. It could be a simple awareness and engagement issue. The quickest way to find out is to ask users.
Be selective when contacting users about an app. A blanket email to all users might yield more responses, but coordinating with Team Leads will establish a lasting relationship that will pay dividends later if you want to partner with a ‘business owner’ when managing the app.
Cultivating this kind of IT / business dialogue generates trust and makes your job easier. It also provides the foundation for ‘Business-led IT’, where your team defines strategy and provides a structure for the business to make technology decisions with your support.
Expect things to change
Unlike a traditional software asset management inventory, SaaS management is very dynamic. Users will constantly be accessing (and sometimes paying for) new apps, whilst dropping others. To keep on top of the risks and opportunities described above you will need to track these changes and keep applying your policies to the continual stream of newly discovered apps.
SaaS management tools like Trelica can help out by connecting to your IDP and finance system to automate ongoing discovery. That’s a fantastic starting point but keep in mind that you will need some amount of resource dedicated to keeping your inventory up to date. The right person will be able to apply your policies and make judgements on what’s being discovered. Ideally they will have connections to the right teams, to share insights such as unexpected spend, risky activity or exciting new apps gaining popularity.
In summary, taking a look at what’s in the shadows is just the start of a process. The right mix of policies and supporting technology will be necessary to manage what you find and to operationalize this effort moving forward.