What is Shadow IT discovery and why do you need it to mitigate the Shadow IT risks?

Let’s start by defining what Shadow IT means with an explanation of what Shadow IT is in the context of SaaS and cloud web apps. Shadow IT refers to websites, services, and applications used by employees without the oversight of the IT department. For the most part, Shadow IT is used by employees legitimately. They need tools to get the job done. Usually, they use these services in an ad-hoc manner and the use of these SaaS cloud apps is short-lived.

The problem is that this approach can result in serious IT security risks (and compliance issues even), called the Shadow IT risks. Since these accounts are created by the employees themselves, using corporate email addresses (and often reusing corporate passwords), they are usually the only ones to know about their existence. Moreover, there are no additional security checks performed on these accounts, such as password hygiene checks, password reuse detection, and password breach verifications. If an employee leaves the company, they usually still have access to these third-party online accounts. On average, companies use hundreds of SaaS apps. Each employee has many individual SaaS accounts. This results in thousands of self-serviced, unmanaged accounts. This is the result of Shadow IT in a typical organization.

Read our blog post: Shadow IT: What It Is and Why It Is a Security Concern for Every Organization.

Can you use your existing IT security infrastructure to detect and manage Shadow IT?

Unfortunately, for the most part, the answer is no. Web traffic is usually monitored in an enterprise environment. However, the visibility is very limited as only the domain and URL are logged for the most part. But visiting a SaaS app and having an account there and actively using it are two completely different things. Even with these logs and reports, you still need to know what to look for. Considering that 250,000 new domains are registered every day, and in the category of e-commerce alone, there are 23M apps, it’s a challenge to keep track of this. Web filters, proxies, and firewalls lack deep visibility into the traffic so having account-level information is impossible to obtain using these tools. This information is essential to effectively handle the problem of Shadow IT and to mitigate the risks of unmanaged third-party web accounts.

Does using a Cloud Access Security Broker (CASB) solve this problem?

CASBs will not solve the problem of Shadow IT. CASBs excel in providing deep integration with some major PaaS, IaaS, and SaaS platforms, such as AWS, Azure, GCP, and Salesforce. Usually, they focus on a handful of these big players. This is effective as usually these services are the main parts of the IT infrastructure, and having extra controls can enhance the security of such services. When it comes to Shadow IT and the long tail of the SaaS and cloud web apps, CASBs don’t excel. They might have a database of a couple of thousands of well-known business SaaS apps, but that only covers a very tiny fraction of what’s being used by employees in a typical work environment. This information is limited to domain-based information. CASBs won’t provide account-level information or advanced password hygiene checks for Shadow IT applications.

CASBs might also provide integration with SSO providers, such as Okta, to detect web app usage and provide some additional authorization controls. This again has nothing to do with Shadow IT, as giving authorizations to users using an SSO provider implicitly means that these accounts are under central management and control. This will only cover SaaS and cloud web apps that have SSO integration capabilities and that the IT department is aware of in the first place. And that by definition is not Shadow IT.

Read our Cloud Visibility Gap datasheet for a detailed comparison of cloud visibility with existing approaches.

It’s worth mentioning that it’s not usually these enterprise-level web apps that get breached. Those incidents happen much more frequently with the long-tail smaller web apps used by the thousands in an enterprise environment due to Shadow IT. Password hygiene, corporate password reuse (Active Directory password reuse), and such issues can quickly create huge problems for organizations as, according to industry reports, 80% of successful cyber attacks start with stolen credentials.

Scirge focuses on and provides complete visibility into Shadow IT with unparalleled app-, account, and user-level inventories using centrally managed policies (Shadow IT discovery policies). Scirge reveals unknown web apps and manages password hygiene issues such as shared accounts, weak passwords, or account reuse for employees using corporate email addresses as credentials. Scirge enables you to have control and visibility over your company’s SaaS usage to help you reduce the IT operational overhead and cost caused by unsanctioned Shadow IT usage.

Read our related blog posts: