How Pervasive is Shadow SaaS: A Business Case Study


Shadow SaaS is a bigger problem than you think. We ran a proof of value with a company and the results were revealing. We found nearly 7 times as many SaaS apps in use, and even former employees who still had access.

How widespread is Shadow SaaS in enterprise environments? We recently ran a proof of value (POV) with a company that thought they had a solution to the problem. The findings were revealing: the POV discovered 165 SaaS applications in use that the security team did not know about. We also found active accounts belonging to former employees. This engagement illustrates how pervasive Shadow SaaS has become for businesses and how little visibility they have into this growing problem.

The security team was curious to see what the Grip platform would find, as they were already aware of unauthorized use of SaaS applications. However, they were unaware of who was using these rogue apps and the full extent of the problem. The company, which already had more than 300 employees, was growing rapidly and wanted to get ahead of the risk posed by these unknowns. Together, we discovered a large number of Shadow SaaS applications. Although the POV was only run on 100 random employees, the results indicate how the real problem extends far beyond them, clearly demonstrating how Shadow SaaS continues to pose a huge risk to businesses. After all, we can’t monitor what we don’t know exists.

POV Results

100 employees in the POV

194 SaaS applications discovered

29 SaaS applications on SSO

11 apps accessible to former employees

We ran our POV on a sample of 100 employees and made sure to include the security leaders working with Grip. They were good sports and totally transparent about their concerns about what we might find. Candidly, they shared how they struggled to confirm whether their current SaaS security program was working, as well as how to implement a SaaS procurement process that wouldn’t hamper employee productivity or business goals.

When asked how many apps they knew about, they defaulted to the ones already in their SSO, which was 29 apps. After the Grip platform performed the initial analysis, the actual number of SaaS applications being used was 194, which is 165 more than the security team knew about. Having discovered the scope of their shadow SaaS problem, we used the Grip platform to help them understand the risk associated with their shadow SaaS applications.

Review of the results

The SaaS risk trajectory was cause for concern. This POV was carried out with less than a third of the total number of employees. The company was growing rapidly, adding 15 people a week since the beginning of the year. We found that as the employee base grew, the number of SaaS applications being used grew even faster. This is a known phenomenon because new hires often prefer SaaS apps they already know over ones sanctioned by their companies. Extrapolating the results from this sample of employees, the total number of SaaS applications used was likely 500 or more, almost all of which were invisible to the security team.

Grip’s platform also discovered employees who had not been properly terminated and still had access to SaaS applications. Companies face two issues when deprovisioning SaaS access for employees outside of SSO. First, the security team can’t deprovision employees from apps they don’t know about. Second, anything that isn’t already in SSO requires manual processes that are tedious, time-consuming, and rarely performed. These processes are also prone to errors that are difficult to track down and fix.

The POV showed what the security team suspected but had no way of confirming. The team recognized that Grip’s analysis provided them with a solid baseline of the problem, as well as practical results that can be measured on an ongoing basis. Based solely on the POV results, the security team completely deprovisioned the six former employees and was able to generate a more complete list of SaaS applications used in their company.

Visibility, Prioritization and Automation

The POV with this company is very similar to almost every POV we’ve done so far. It is worth noting that, despite the different sizes and maturity levels of the companies, the results rarely vary. Most have solutions in place and therefore feel they have control over their SaaS problem. They tend to only suspect a small amount of Shadow SaaS, at most. However, we can generally show that the actual amount of unauthorized SaaS is often much higher than expected.

The POV stood out in demonstrating the value of the Grip platform through the following three capabilities:

Visibility: The Grip platform provides the most comprehensive discovery of SaaS applications. The data is summarized in a single panel that indicates whether the applications are authorized or not. The dashboard also displays the authentication method and access frequency for each app.

Prioritization: With so many applications, security teams need to understand which ones are at the highest risk and where to focus their resources. By showing which SaaS applications are used by the most users, as well as the frequency of use, the Grip platform helps teams tackle the most used applications first.

Automation: The Grip platform can automatically revoke access to all SaaS applications from an employee upon termination. Access control is the first step in securing a SaaS application and is often a time-consuming, manual process. Grip revokes access to the app itself, immediately disconnecting it from all managed and unmanaged devices. Grip can also notify administrators when a user’s access privileges change, such as when data needs to be saved or transferred.

Conclusion

Shadow SaaS is prolific and growing rapidly in almost every company. The results of this POV are very common across other Grip engagements in business environments. Security teams either feel they are in control of the problem or drastically underestimate its scope. Unfortunately, current security products such as SSO, CASB, and password managers cannot provide the information needed to quantify and measure the problem on an ongoing basis. Time and time again, we find that a company has hundreds of applications that are completely unknown to security teams. The Grip POV process helped this company understand its shadow SaaS problem and address it discreetly, allowing users to continue leveraging SaaS applications needed for productivity.

The Grip platform can be deployed in 15 minutes. The solution requires no endpoint agent or network devices. For a free Shadow SaaS demo and evaluation, contact us at https://www.grip.security/
