Shadow IT: Definition, risks, and concrete solutions

6 use cases and 9 tools to mitigate shadow IT
What is shadow IT?

Shadow IT involves the use of software or hardware systems within an organization without the explicit approval or knowledge of the IT (or security) department.

This can pose significant risks, including potential data security threats and compliance issues.

By 2024, businesses mostly use the term Shadow IT to denote the uncontrolled proliferation of SaaS - also known as SaaS Sprawl.

In simple terms, each employee has the capacity to install online-accessible software. However, they may not always fully understand the implications in terms of data security and confidentiality.

Historically, Shadow IT has posed a significant challenge to large businesses (>1000 employees) where IT teams manage a broad range of software and hardware licenses.

However, with the widespread adoption of cloud-based technologies, even smaller businesses (starting from 50 employees) are exposed to this issue. Predictably, SaaS subscriptions accumulate without any traceability.

And it's not just about traceability: the budget for these apps and online tools has also grown substantially!

So how can we control this burgeoning SaaS budget? What are some instances of Shadow IT that may impact businesses? And what potential risks could they be exposed to?

Here are 6 examples of Shadow IT that LicenceOne has identified amongst its clients, along with the solutions that have been implemented to mitigate these risks.

Risks of Shadow IT: 6 Examples

1. Non-centralized software purchases

The subscription model of SaaS offers an appealingly low entry cost. Hence, the initial expenses for online tools often feel inconsequential.

As a result, employees' requests to their supervisors for new software are often quickly approved, with the justification that it's "only a few tens of euros/dollars per month".

This situation becomes a case of Shadow IT when no procedures are in place to control these purchases and to share and track the information internally - particularly with those in charge of security.

Even within the same team, employees may subscribe to multiple software solutions that accomplish similar tasks (resulting in feature overlap). In some cases, they may even subscribe to identical SaaS platforms, unknowingly duplicating tools that are already in use within the company (!)

2. Sharing login information (password/user)

Many SaaS pricing models scale with the number of users. The more seats required, the higher the cost.

It can be tempting to share a generic email address and its associated password, thereby allowing the company to pay for only one seat.

It often occurs that an entire department, like marketing, uses the same account associated with a common address, such as "".

However, the associated issue is that control over access is lost! There's even a risk that individuals outside the company might gain access to the software.

Addressing a budget issue by creating a security risk is certainly not a good practice.

3. Internal and external file sending

Email attachments quickly run into size limits.

To circumvent this limitation, employees often resort to third-party solutions with expirable public links, such as WeTransfer, Smash, etc.

Another common practice is granting access to the company's storage tools. This could be a Digital Asset Management (DAM) system, a Dropbox account, or a Google Drive.

These practices carry numerous risks because, once company data is transmitted, its traceability is lost.

Indeed, some of the tools mentioned above offer options like access rights controls, watermarking, and tracking; but it's crucial to know who is using these tools, and particularly whether they are adhering to these best practices.

4. Access to data by software publishers

Many SaaS solutions are primarily utilized to store, organize, or publish data for the company. Examples of such tools include CRM systems, accounting software, or design tools.

In most use cases, SaaS will need to access corporate data. These data accesses require authorization and - in the case of third-party personal data - are regulated by legal frameworks like the GDPR's data processing agreement.

In other words, some company data is made available within the SaaS tools used by various teams and individuals.

Similar to the previous example, the underlying risk emerges when the IT department lacks information about who has access and what rights they have over these software tools.

5. Software integrations

An integration between various standalone applications allows them to communicate, share, and process data.

The addition or updating of information in a database can then trigger updates, routines, and automated events within other company SaaS solutions.

Not all these integrations necessitate technical skills. Administrator access is often sufficient for a SaaS that provides native integrations.

To verify the destination of the data being shared, SaaS solutions request identification keys (API keys), which are accessible in the settings.

So, what are the risks in this scenario?

Once an integration is established, data can be transferred, with tasks continuing to run even after the account of the person who set up the integration is deleted.

Besides being difficult to trace, these data flows no longer require any intervention or a specific user status.

In summary, this creates a potential trap through which sensitive data could leak.

6. Updates / software version

Software versions continually evolve through regular updates. These updates frequently offer new features to users, but also address errors (bugs), or security vulnerabilities.

These issues are identified when users report them and/or through deliberate testing of protection and security mechanisms.

With each successive version, thanks to these updates, the software publisher assures an increasingly higher level of security.

IT services are typically well aware of this theme and the associated risk of hacking. However, not all users instinctively apply these updates.

Consequently, when software isn't up-to-date, there's an escalating risk of security breaches.

Solutions and Tools to Combat Shadow IT

Despite the risks highlighted above, a policy that's too stringent for all employees might also bear its own negative effects.

The utilization of SaaS solutions has also enabled employees to enhance productivity, and in some instances, even boost sales.

The key is to strike a balance between:

  • Granting employees the freedom to explore new tools,
  • Ensuring that each SaaS is used effectively and expenses are monitored.

Your task is to establish a framework around software subscriptions, a policy for the company's SaaS Management.

The Solution to Shadow IT: A SaaS Management Policy

It's not a one-size-fits-all recipe. You'll need to tailor it to your company's context. We share with you broad guidelines, serving as starting points to establish an internal policy for SaaS management.

For further assistance, consider these two free resources:

Let's break this down into 4 main steps:

  1. Define a single 'source of truth' for tracking expenses

    - A centralized spreadsheet that’s updated regularly
    - A dedicated project management tool
    - A specialized application
  2. Assign tracking responsibilities

    - Tracking invoices (linking with administration, accounting)
    - Anticipating renewals, especially for annual subscriptions
    - Negotiating contracts or adjusting offerings
  3. Manage employee access: onboarding and offboarding

    - Tracking the number of users (particularly if pricing depends on it)
    - Adding, removing, and managing roles
  4. Compliance and regulatory tracking

    - Creating a data map
    - Mapping existing third-party integrations
    - Validating legal aspects with the DPO (Data Processing Agreement)
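
As an added illustration (not LicenceOne's code or part of the original article), the sketch below audits a spreadsheet-style source of truth against the active employee roster to surface three of the situations described above: duplicate subscriptions, seats tied to no active employee, and integrations whose creator has left. The record layout, field names, and sample data are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: the active roster (from HR) and the SaaS inventory
# (the "source of truth"). All names, addresses and apps are made up.
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com", "carol@example.com"}

SUBSCRIPTIONS = [
    {"app": "DesignTool", "team": "marketing", "payer": "alice@example.com",
     "seats": ["alice@example.com", "team-marketing@example.com"]},
    {"app": "DesignTool", "team": "product", "payer": "carol@example.com",
     "seats": ["carol@example.com"]},
    {"app": "CRM", "team": "sales", "payer": "bob@example.com",
     "seats": ["bob@example.com", "dave@example.com"]},
]

INTEGRATIONS = [
    {"source": "CRM", "target": "Mailer", "created_by": "dave@example.com"},
    {"source": "CRM", "target": "Accounting", "created_by": "bob@example.com"},
]


def audit(subscriptions, integrations, active):
    """Return findings for duplicate apps, non-roster seats and orphaned integrations."""
    findings = {"duplicate_apps": [], "unknown_seats": [], "orphaned_integrations": []}
    # Use case 1: the same app subscribed to separately by several teams.
    teams_by_app = defaultdict(set)
    for sub in subscriptions:
        teams_by_app[sub["app"]].add(sub["team"])
    for app, teams in sorted(teams_by_app.items()):
        if len(teams) > 1:
            findings["duplicate_apps"].append((app, sorted(teams)))

    # Use case 2 and policy step 3: a seat that maps to no active employee is
    # either a shared generic account or a leaver who was never offboarded.
    for sub in subscriptions:
        for seat in sub["seats"]:
            if seat not in active:
                findings["unknown_seats"].append((sub["app"], seat))

    # Use case 5: integrations still running although their creator has left.
    for integ in integrations:
        if integ["created_by"] not in active:
            findings["orphaned_integrations"].append(
                (integ["source"], integ["target"], integ["created_by"]))
    return findings


if __name__ == "__main__":
    for kind, items in audit(SUBSCRIPTIONS, INTEGRATIONS, ACTIVE_EMPLOYEES).items():
        print(kind, items)
```

Each finding is a prompt for review, not a verdict: a generic seat may be a deliberate service account, which the inventory should then record with a named owner.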

It's your responsibility to create an internal policy that fits your company's context. It's pivotal to define best practices and engage teams.

Employees should understand the financial, regulatory, and security implications. This understanding will influence their choices of online applications and their usage patterns.

Tools to mitigate Shadow IT

In a regularly updated dedicated article, we have gathered the 23 best SaaS Management solutions.

In summary, we identify 3 types of platforms based on different needs:

  1. SaaS Management and App Discovery:

    The objective is to address the questions "how many apps are being used internally?" and "what is the associated budget?".

    These tools monitor expenditures and track the actual usage of SaaS.

    LicenceOne - All applications, their cost, and usage in less than 15 minutes
    Cledara - Centralizes information via purchase cards to be used to subscribe to SaaS
    Trelica - Provides an internal feedback feature to engage users
  2. SaaS Procurement:

    This category focuses on potential savings through outsourced buyers. They offer a negotiation service with software publishers.

    Vendr - The leader that offers pre-negotiated deals on their marketplace - A French player whose model guarantees savings and ROI
    Sastrify - Whose platform also centralizes contracts with software editors
  3. SaaS Operations

    These solutions are designed for large organizations, with the aim to assist the IT department in managing security and access for a large number of licenses (>1000 employees).

    Torii - Mandatory SSO synchronization to map access
    BetterCloud - An established player, with a risk classification system
    Coreview - For large corporations that use Microsoft

Questions to consider when choosing a SaaS Management Platform

What Features Should I Prioritize for My Company?
How to Calculate the ROI of a SaaS Management Platform for My Company?
What Data Do SaaS Spend Management Solutions Access via Their Bank Account Integrations?
Should I Invest in a Comprehensive Procurement Management Solution or One Specialized for Software Subscription Expenses?