Confidential information – personally identifiable data, customer data, trade secrets – circulates like a bloodstream through enterprise and SaaS applications. With security breaches making daily news and regulations like GDPR and Sarbanes-Oxley proliferating, bad data security practices can land organisations in court and ruin reputations.

Hidden Risk: Employee SaaS Purchases

While a chief security officer’s most important responsibility is making sure corporate data is safe and kept out of the wrong hands, that’s difficult to do when it’s unclear how many SaaS apps are running in the environment and who’s accessing them.

A hidden risk that creates this gap is called Shadow SaaS – the ability for employees to pay for and start using SaaS apps easily, whether or not the apps are officially sanctioned. In fact, companies often have 15 times the number of SaaS apps in their environment than IT knows about. For example, a telecommunications company discovered $10 million worth of Shadow SaaS in its environment, including 295 unsanctioned products from 266 different vendors. According to Gartner, by 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources.

Why? Easy to purchase

Today’s employees are used to simply purchasing what they need online, especially if it’s fast and helps get things done. They may choose this easy and convenient route instead of going through a lengthy IT and purchasing process, often without an understanding of the bigger picture issues including security, volume discounts, licensing agreements and more. For example, a developer may purchase Elastic Compute Cloud (EC2) right from Amazon with a company or personal credit card. Employees commonly use free applications such as Google Docs and Dropbox to easily and quickly share information across their teams. The result is Shadow SaaS, where cloud accounts are used across the organisation and not managed from a safety and overall corporate view. In addition to breach vulnerability, costs (which includes staff time) can quickly head out of control.

How to Prevent the Risk of Shadow SaaS

As with most business challenges, a “block and tackle” approach of setting up a process and taking advantage of IT asset automation can dramatically lower potential problems from Shadow SaaS.

The following six steps offer a path to control, not only for Shadow SaaS but also for hidden vulnerabilities across the company:

– Start with a SaaS inventory. The old saying “you can’t manage what you don’t measure” applies so well here. The first step is taking Shadow SaaS out of the shadows and creating a formal inventory.
– Discover the risks. Using today’s vulnerability risk technology, you can uncover exactly where the risks exist. This insight enables you to apply precious resources and time to the right spots.
– Find the threats that matter. Another advantage of modern vulnerability risk technology is that it can do more than tell you where the risks are. You’ll discover what risks are most important to help security and IT teams create a highly targeted plan of attack.
– Review proper licensing. If the SaaS purchase didn’t go through formal company processes, that also means you may not be on top of licensing. It’s possible to integrate a software licensing solution with your IT asset management system to bring to light important issues to proactively maintain license compliance.
– Know your usage. In addition to licensing details, it’s important to gain insight into actual usage of any Shadow SaaS. You may discover a tool widely used in the organisation that could benefit from a multiple-user subscription. Duplicate tools may emerge that could be combined.
– Ask employees what they need. Since your employees live the day-to-day reality of what it takes to get projects done, they are a natural and great source of information about important technology needs. By checking in with different teams, you’ll uncover information that can guide technology purchases.