Shadow SaaS | The risks of employee software purchases

Confidential information – personally identifiable data, customer data, trade secrets – circulates like a bloodstream through enterprise applications. With security breaches making daily news and regulations like GDPR and Sarbanes-Oxley proliferating, bad data security practices can land organisations in court and ruin reputations.

Hidden Risk: Employee SaaS Purchases

While a chief security officer’s most important responsibility is making sure corporate data is safe and kept out of the wrong hands, that’s difficult to do when it’s unclear how many SaaS apps are running in the environment and who’s accessing them.

A hidden risk that creates this gap is called Shadow SaaS – the ability for employees to pay for and start using SaaS apps easily, whether or not the apps are officially sanctioned. In fact, companies often have 15 times as many SaaS apps in their environment as IT knows about. For example, a telecommunications company discovered $10 million worth of Shadow SaaS in its environment, including 295 unsanctioned products from 266 different vendors. According to Gartner, by 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources.

Why? Easy to purchase

Today’s employees are used to simply purchasing what they need online, especially if it’s fast and helps get things done. They may choose this easy and convenient route instead of going through a lengthy IT and purchasing process, often without an understanding of the bigger-picture issues, including security, volume discounts, licensing agreements and more. For example, a developer may purchase Elastic Compute Cloud (EC2) right from Amazon with a company or personal credit card. Employees commonly use free applications such as Google Docs and Dropbox to easily and quickly share information across their teams. The result is Shadow SaaS, where cloud accounts are used across the organisation and not managed from a safety and overall corporate view. In addition to breach vulnerability, costs (which include staff time) can quickly get out of control.

How to Prevent the Risk of Shadow SaaS

As with most business challenges, a “block and tackle” approach of setting up a process and taking advantage of IT asset automation can dramatically lower potential problems from Shadow SaaS.

The following six steps offer a path to control, not only for Shadow SaaS but also for hidden vulnerabilities across the company:

  • Start with a SaaS inventory. The old saying “you can’t manage what you don’t measure” applies so well here. The first step is taking Shadow SaaS out of the shadows and creating a formal inventory.
  • Discover the risks. Using today’s vulnerability risk technology, you can uncover exactly where the risks exist. This insight enables you to apply precious resources and time to the right spots.
  • Find the threats that matter. Another advantage of modern vulnerability risk technology is that it can do more than tell you where the risks are. You’ll discover what risks are most important to help security and IT teams create a highly targeted plan of attack.
  • Review proper licensing. If the SaaS purchase didn’t go through formal company processes, that also means you may not be on top of licensing. It’s possible to integrate a software licensing solution with your IT asset management system to bring to light important issues to proactively maintain license compliance.
  • Know your usage. In addition to licensing details, it’s important to gain insight into actual usage of any Shadow SaaS. You may discover a tool widely used in the organisation that could benefit from a multiple-user subscription. Duplicate tools may emerge that could be combined.
  • Ask employees what they need. Since your employees live the day-to-day reality of what it takes to get projects done, they are a natural and great source of information about important technology needs. By checking in with different teams, you’ll uncover information that can guide technology purchases.

Don’t Say No, Empower Employees

Many companies have chosen a new programme: setting up an employee app store. It’s the best of both worlds. When you create an enterprise app store of approved software and services, you provide wins for employees and the company. An app store enables rapid access to important tools, keeping productivity high and employees empowered. It also protects the organisation in multiple ways. IT can vet technology, formally inventory its existence and track vulnerabilities. Procurement can explore volume purchases, manage licensing and more. Employees win. The company wins.

While the “shadow” in SaaS may sound scary, it actually provides all sorts of opportunities to apply the latest technology – creating a more agile, action-oriented culture. You’ll also minimise security breaches while creating all the documentation you need to support compliance. Bringing SaaS out of the shadows means saying goodbye to risk, and hello to protection and opportunity.
