SaaS adoption is growing at a phenomenal pace. According to SaaS Growth trends published by BMC, 73% of organizations worldwide will be using SaaS applications by 2021.
The report offers another interesting insight: companies with more than 250 employees use 100+ SaaS applications on average, whereas companies with up to 50 employees have around 25–50 SaaS tools at a time.
This upward trend in SaaS consumption is a key marker of the utility, convenience, versatility, scalability, and affordability offered by Software-as-a-Service models. SaaS indeed represents a revolutionary shift in how software value is delivered, one that began around the turn of the 21st century.
So, chances are your organization also uses SaaS apps, possibly several hundred of them, without you as an IT manager knowing they exist.
But is this oversight possible considering the refined IT asset management policies and framework your organization has been using for years?
The answer is yes! The advent of Shadow IT in the SaaS era makes this happen, and it could pose a significant risk to your company’s data security.
This blog post introduces the basics of Shadow IT and how it shapes the data security threats in the SaaS era.
What is Shadow IT?
Simply put, shadow IT is the practice of procuring and using IT systems (namely hardware, software, and cloud services) without the knowledge or approval of the organization’s IT department. Shadow IT is also called fake IT or stealth IT.
Whatever the name, the essence of shadow IT is unknown or unaccounted-for apps and systems finding their way into the organization’s ecosystem without the knowledge or control of the people who are supposed to manage them.
Notably, shadow IT isn’t new, with isolated instances noted since the arrival of traditional (on-premises) IT in organizations with 100+ systems and rudimentary IT governance. A typical legacy scenario involves employees installing prepackaged software on their computer systems from a disc without the IT team’s approval.
Rise of Shadow IT in the SaaS Era
Later, the arrival of the SaaS industry and cloud-based software delivery truly pushed shadow IT to prominence. According to a McAfee report, an average company uses about 108 known cloud services and 975 unknown services that comprise shadow IT! And about 80% of employees admit to using SaaS apps at the workplace, mostly without any IT approval.
Key Drivers of Shadow IT in the Cloud-First World
So far, we have established the growth of shadow IT and its prominence in the SaaS era. But what underpins the shadow IT phenomenon and makes it commonplace? Let’s explore.
Traditionally, IT governance and policies are built around protecting the organization’s interests, with scant focus on making solutions readily available to users. To procure any software or hardware, employees need to navigate a tedious (and often complex) requisition and approval process via the department-level authority and then the IT team.
Depending upon the organization’s size and internal processes, procurement can take an inordinate amount of time, with little scope for efficiency and convenience. The arrival of the SaaS delivery model made it convenient for individuals and teams to subscribe to cloud-based solutions without needing explicit approval from the IT department.
Imagine your organization’s users, including remote workers, using collaboration apps and file hosting services: they can do so independently without keeping IT teams in the loop. This convenience and ready availability of critical IT services through SaaS results in shadow IT.
Another driver of shadow IT emerges from the fact that traditional IT isn’t fully prepared to deal with the freedom and convenience made available by SaaS apps. Current IT governance frameworks acknowledge SaaS and the choices it brings to users, but they are yet to catch up with the policies, practices, and technology that can govern fragmented SaaS usage within the organization’s framework.
How Does Shadow IT Risk Your Organization?
There can be several repercussions of shadow IT, namely:
- Increased chances of cyberattacks
- Data breach (data security risks)
- Data loss
- Operational & architectural inefficiencies
- IT compliance issues
- Increased costs
Here, we focus on the data security risks posed by shadow IT.
We know that shadow IT exists beyond the IT team’s visibility. Therefore, there is no systematic control over who has access to the data being transacted or stored on the shadow IT apps. Further, this data does not have any protection against unauthorized access, cyberattacks, leakage, etc.
This means the enterprise data is at constant risk of exposure and breach by unknown third parties, former employees, hackers, data brokers, etc. The following are some of the typical data threat scenarios:
Employees in your organization use a file-sharing service such as Dropbox or Google Drive to upload and share company data. They use individual accounts to access the service without any involvement of the IT team.
In this scenario, there is no visibility or control over the data being uploaded and shared. Also, anybody with login credentials for the cloud storage service can access the data and misuse it, resulting in a data breach incident.
Another situation could arise when a file-sharing service used by the employees is not secure and therefore poses inherent risks to the data. Here, the users, despite being ethical and responsible, cannot protect the data from platform-specific vulnerabilities that can ultimately lead to a data breach.
The leaked data may comprise sensitive information such as financial data, customers’ personal data, trade secrets, strategy documents, etc. that can make your organization liable to legal penalties and major losses.
Shadow IT is a default occurrence in the SaaS age, and it is expected to grow in the future, considering the steep consumption trends and patterns for SaaS apps.
However, shadow IT, despite having its underpinnings in the convenience, productivity, scalability, and other benefits afforded by SaaS tools, poses major risks to data security. According to Gartner, “by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.”
Tapping into the benefits of shadow IT while nullifying its perils remains a challenge. However, there are best practices and solutions to meet the challenges of shadow IT. And the time is ripe to transform traditional IT management and prepare it for the SaaS-first world.