Shadow IT.
An Ever-Growing Concern for Organizations.
Businesses rely heavily on third-party web-based apps and services. Countless online accounts are created and used by employees each day on SaaS (Software-as-a-Service) cloud platforms to tackle each task that the business requires.
For instance, the marketing team has access to newsletter services, online creative tools, and social media tools; HR has access to job portals and HR software; the sales team utilizes CRMs and lead generation tools.
Most of these accounts are created ad-hoc by employees, which means that they are unmanaged and unknown, creating a tremendous amount of risk and IT management overhead.
Did you know?
On average, companies use hundreds of SaaS apps. Each employee has tens of individual SaaS accounts. This results in thousands of self-serviced, unmanaged accounts.
Read our blog post: Shadow IT: What It Is And Why It Is An Alarming Security Concern For Every Organization.
Shadow IT refers to resources utilized without the knowledge of the company's IT department. This can include hardware and software, though it mainly refers to cloud-based SaaS applications. Shadow IT is a hotbed for malicious activity against corporate resources. Attack techniques such as credential stuffing, password spraying, and account takeover are mainly successful due to Shadow IT and password reuse.
Unlike corporate accounts—such as Active Directory (AD)—these are mostly unknown to IT.
If employees leave the company, they may still have access to these accounts.
Users don't like passwords—they tend to either use weak ones or reuse corporate credentials.
According to reports, billions of accounts are breached every year ending up in combo lists.
Leaked credentials can be used to gain unauthorized access to corporate resources (credential stuffing).
Breaches and password reuse are the main culprits for account takeover attacks.
These accounts are often shared among employees, creating ownership issues.
If an audit is required, it's almost impossible to manually collect the usage data of web accounts.
The vast majority of such accounts are used for short periods, left unused and unmonitored forever.
Overlapping and orphaned accounts can result in unnecessary expenses.
Shadow IT Readiness Assessment.
With our Shadow IT Readiness Assessment, you can easily evaluate where your organization stands at the moment. It's quick and anonymous, with instant results.
Meet Scirge.
The word Scirge is originated from the Old English word scirgerefa, which was the predecessor for the word sheriff. Scirgerefa meant "local official of a shire", scir meaning "shire" and gerefa meaning "officer".
Scirge: Your Online Business Web App Account Officer
Scirge provides a unique approach to unveiling and gaining control of unmanaged third-party web applications used by employees or business units, without the oversight of IT or security departments. It reveals unknown web apps and manages password hygiene issues such as shared accounts, weak passwords or account reuse for employees using corporate email addresses as credentials. Scirge enables you to have control and visibility over your company’s SaaS usage to help you reduce the IT operational overhead and cost relating to unsanctioned Shadow IT usage.
Scirge - Explained in Two Minutes
Download our Datasheet
Shadow IT Discovery.
Scirge helps to track corporate cloud web app usage in order to create a full inventory of SaaS and cloud apps that account for costly Shadow IT spending and operational overheads. Scirge enumerates accounts for each web app and helps IT administration to understand the who, what, when and where of Shadow IT for the first time.
Trends of application usage and indicators of risky websites are tagged for visibility into Shadow IT.
Cloud Consumption Trends
Configurable tags with custom thresholds give you insight into application usage trends amongst all employees. Underutilized or abandoned applications will unveil the need for changes in business requirements or unnecessary subscriptions. Discovering overlapping subscriptions and widely adopted applications help your C-level executives understand the progress and potential flaws of cloud adoption and digital transformation.
Deep Visibility into Shadow IT
Inventories include deep insights of applications, including metadata collected directly from browsers, such as privacy policies, terms and conditions, and social links. HCI provides intelligence, including domain reputation, country of origin, as well as revealing potential phishing or unwanted sites. Scirge also correlates usage trends to discover which services have been popular, trending, or abandoned by your employees, enabling decision-makers to figure out what tools users are missing or if users prefer a better digital experience.
Key Features
- Automatic Cloud Web App and SaaS Inventory
- Detect Any Web App
- Automatic Metadata Collection
- Person-level App and Account Inventory
- Abandoned App and Account Detection
- Underutilized App and Account Detection
- Trending and Popular App Tagging
- Application Usage Intelligence
- Web App Reputation
Download our The Cloud Visibility Gap Datasheet
Account and Password Protection.
The Scirge Endpoint can perform password hygiene checks, allowing it to discover if passwords have been reused from other cloud apps or your Active Directory. Red flag events are pinpointed, and alerts to users and security administrations or third-party APIs can be configured. Scirge also tags shared accounts that are used by more than one employee, as well as accounts that seem to be abandoned by users.
These tags reveal when unsecure passwords are created, or when accounts are misused from a security or compliance perspective.
Password Hygiene
According to NCSC, "Passwords need to be protected within your system, even if the information on the protected system is relatively unimportant." The number one challenge for this is controlling employee-created accounts on third-party websites. This is why each password entered into a browser is rigorously checked for weaknesses by Scirge. Custom password complexity rules are available to match regulatory requirements, and the algorithmic password strength is also calculated at the endpoints. Passwords are hashed locally on the endpoint, so their cleartext form is never sent or stored anywhere else—only industry standard secure hashes are stored at the Central Server database, so password reuse, password sharing, or the use of already breached passwords can become visible to your security departments.
Active Directory Password Protection
In-browser user authentication enables AD/LDAP passwords to go through the same hygiene process, enabling compliance requirements that are often heavier than what AD and other directory services' configurations allow. Identifying Active Directory passwords that are reused in third-party web applications is a red flag indicator of account security, because stolen Active Directory accounts allow seemingly legitimate access to local networks and other integrated cloud services. Protecting your Active Directory accounts should be your top priority, as industry analysts agree that stolen credentials are used in 80% of successful attacks.
Key Features
Centrally-managed policies based on:
- Corporate Email Domains
- Corporate Email Addresses
- Target URLs
Password Hygiene Checks:
- Password Complexity Validation
- Password Strength Metering
- Password Reuse Detection (AD/Web)
- Password Autofill Detection
- Password Expiration Tracking
- Password Breach Verification
- Custom Password Blacklist
Download our 4 Steps to Conquer Shadow IT Flyer
Employee Education and Awareness.
Password complexity and privacy regulations can be challenging to manage without proper education. Employee awareness of phishing sites and risky applications should be improved every day, across all business departments and all levels of access. Scirge provides a one-of-a-kind awareness channel that shows messages at the right place and time.
In-browser Messaging
Scirge provides feedback and notifications to employees through the top real estate of their attention, their browser. Research shows that people tend to adopt best practices and security behaviors from their own research and directly from the applications they work with. Scirge allows you to insert these messages precisely at the right time, when employees are registering and authenticating to business applications, providing constant and relevant education.
Continuous Learning
Based on employees' long-term behaviors and actions (or lack of actions), messaging may be extended via emails, SMS, or any other API connected channel. Targeted templates may include the specifics of the account or application where action or attention is required. Content will always stay relevant and tailor-made to each individual, avoiding mass campaigns of repeated and ineffective communications. Rules may also be set up based on LDAP group membership to focus selected audiences based on department, business roles, or privileges.
Key Features
- Popup Message
- Banner Message
- Browser Redirection
- Multiple Trigger Rules
- Email, Syslog and API-based Alerting
Want to Test It Yourself?
Governance, Risk Management, and Compliance (GRC).
Shadow IT applications should be embraced, because they serve legitimate and valuable purposes for employees and business departments. Without visibility into these services, however, your organization cannot assess privacy requirements, delegate data ownership, plan business continuity, or conduct business impact analysis. Scirge’s automatic app data collection includes the privacy terms from each web application accessed by users. Privacy and compliance managers have the ability to review the terms of heavily-used apps to include them in risk assessments, business continuity and other policies, ensuring that they comply with GDPR, CCPA, ISO, NIST or other regulations and frameworks.
Logins on risky websites, usage of weak or shared passwords, and impersonating other employees are all indicators of misconduct and violation of regulations.
Risk Assessment
Scirge detects when the accounts of VIP users, ex-employees, or otherwise important users' accounts are being accessed by others, unveiling potential impersonation and insider threats. When multiple employees are using the same credentials, conflicts over the segregation of duties arise in the breach of several regulatory requirements. These shared accounts are highly relevant for internal web applications, as well – especially in the financial and HR departments, but also for high-privilege users and IT staff. Users accessing an unusually high number of apps or providing a lower-than-required password strength may also be flagged, either for review of conduct or assignment to further training.
Automatic Terms Collection
Scirge collects privacy policies and T&Cs from all applications that employees access which are monitored via policies. By combining usage trends, such as popularity, with geographic data and reputation, compliance departments can identify which services are potentially critical or risky. Terms of these services may then be evaluated and integrated with existing corporate policies, while users may be warned and educated for proper use. Illuminating shadow IT turns it into a controlled and manageable part of your technological ecosystem, lowering your regulatory exposure.
Key Features
- Shared Account Detection
- Power User Detection
- Active Directory Password Reuse Detection
- Inactive & Disabled AD Account Reuse Detection
- Identity Misuse Detection
- User Authentication
- Automatic Privacy Policy Collection
- Automatic T&C Collection
- Blocking Capability
Want to See It in Action?
How Does It Work?
Scirge is easy to deploy and manage. Corporate SaaS accounts can be tracked down and discovered quickly. The Central Server is responsible for management, while the Endpoints collect information from Chrome, Edge or Firefox browsers. Based on centrally-managed policies, Scirge monitors and collects company-related credentials and all relevant information from the given website to build a local inventory for your cloud security purposes. Users may be alerted or redirected for awareness training when they are at risk of breaching certain policies. Scirge works locally and even offline, building a local app and account directory for organizations based on the actual usage.
-
Endpoint Browser Extension
A browser extension is deployed to endpoints, which can be done manually or centrally (via GPO, for instance). The Endpoint Browser Extension component fetches active configuration and policies and monitors the web account registrations and logins based on those specifications. It might block such action or warn the user; alternatively, it can silently log or ignore the action.
-
Central Server
The browser extension securely communicates with the Central Server to fetch active configuration and policies in order to send logs back. The Central Server collects, stores, and processes the data to provide useful, detailed log entries and analytics. The Central Server is where Administrators and IT Security Officers can create policies to set the behavior of the system.
-
Evaluation and Update
As time goes and data is collected and analyzed, policies can be fine-tuned to match the environment and business needs. There are numerous options to specify the policies—creating exceptions and global catch-all rules is simple.
Architecture
Scirge is easy to deploy and manage. The Central Server—deployed as a local Virtual Appliance—is responsible for the management, while information is collected from Chrome, Edge, or Firefox browsers via our Endpoint Browser Extension (EBE), without needing a full-blown endpoint agent.
Policy-based Workflow
The Scirge EBE monitors and collects company-related credentials and all the relevant information from websites, and it does this based on centrally-managed policies. Users may be warned or redirected to awareness training via in-browser alerts when they are at risk or if they breach policies.
Enriched Inventories
Data collected on the Central Server is enriched with usage-related metadata based on custom threshold values and rules. Accounts and securely hashed passwords are correlated to discover password reuse, account sharing, and indicators of potential internal fraud or misconduct, all without ever storing cleartext passwords. Intelligence comes into play in the form of easy-to-read tags that can be used for correlation and investigation.
Cloud Intelligence
With the help of the Horizon Cloud Intelligence (HCI) service, further metadata enrichment is available, including domain reputation and blacklist checks. HCI also verifies hashed passwords against known database breaches and common password lists or combo lists, further securing your accounts against account takeover attempts and brute-force attacks.
Key Features
- Syslog Integration
- SMTP Integration
- LDAP Integration
- API Integration
- Role Based Access Control
- Two-factor Authentication
- 4-eye Principle
- Audit Logs
- PII Anonymization
- Endpoint Authorization
- Double-Encrypted Communication
On-demand Product Tour
Pricing
Licensing is based on the number of Endpoint Browser Extensions used. There are two different editions of Scirge. Scirge Essentials provides the core features and functionality, which can be further enhanced with Add-ons. Scirge 360 is our bundle edition, which provides access to all features. We also offer Subscription and Perpetual licensing model depending on customer needs.
Partners
Join the Scirge Partner Program
Scirge is a unique solution to help organizations solve the problem of Shadow IT. We invite you to join our Partner Program to grow your business and help your customers secure their digital transformation and cloud app consumption. Scirge is fully committed to its channel partners. Join us and increase the value of your offerings with our unique platform.
Resources
Shadow IT Readiness Assessment
Download our Datasheet
Download our The Cloud Visibility Gap Datasheet
Download our 4 Steps to Conquer Shadow IT Flyer
Download our Understanding Tags Guide
Download our Shadow IT Challenges in the Light of the CIS Security Controls Guide
Check Out our Blog
Glossary
Register for Webinars
On-demand Product Walkthrough
Demo Lab
Book a Demo
Try it for FREE
Our Mission
We founded Scirge to fill a gap in the IT Security and Management field. Scirge specializes in helping modern organizations discover, secure, and manage their cloud footprint.
Our mission is to reduce management overhead, facilitate compliance, and reduce exposure to credential-related threats.
We do that with our innovative, high-quality software and services while remaining agile, fast-moving, and customer-friendly.