Phin Security

The Evolution of SaaS and Shadow IT

In this episode of Gone Phishing, host Connor Swarm and guest John Harden discuss the concept of shadow IT, defining it as any unsanctioned hardware or software used by employees without the knowledge of internal IT teams, highlighting its risks and prevalence in SaaS management.

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Conor Swam, CEO of Fin Security, and welcome to Gone Phishing.


Connor Swarm:

Hey, everyone. Welcome back to another episode of Gone. I'm your host, Connor, the CEO at Finn. And today I am joined by not only a great friend of mine, but the founder of SaaS, Leo, John Harden who was then acquired by Aubic, and he's now the senior product marketing manager for SaaS at Avic. How are you, John?

John Harden:

I am good. Appreciate you having me here, Connor. I'm excited to talk about our topic today. We've got a lot of good things coming up.

Connor Swarm:

So for those of you who don't know about all of SaaS management, shadow IT, shadow SaaS comes to mind.

I think what would be really valuable, John, is what is in your mind, what is shadow IT?

John Harden:

Shadow IT by definition is any IT not known by the IT managers or the internal IT team. For example, I bought this nice colorful mouse on my own. My IT team doesn't have it in inventory. They don't know about it. It could be considered shadow IT. It's something I'm using to get my job done that the IT team hasn't sanctioned. But shadow IT can also appear in worse forms such as file sharing tools, third-party platforms that aren't supposed to be used, or even things like a key jiggler—someone installs an automated key or mouse jiggler to make it look like they're working.

So, really just anything that the IT team doesn't know about.

Connor Swarm:

Does that include not just hardware, but software as well? What does shadow IT include?

John Harden:

It's any IT asset, really, to get your job done. There's a more prescriptive term, but I always say it's anything to get your job done. It can range from hardware to software, physical or virtual. For example, an employee might put a little switch under their desk to connect more peripherals, or sign up in the cloud to share data to get around company policy. It could be a compute cluster up in Amazon. If the IT team is unaware of it, then it becomes shadow IT.

My theory is that shadow IT is not inherently good or bad. It's really just unknown. It has no negative or positive outlook—it's just something the IT team doesn't know about.

Connor Swarm:

So the holy grail of shadow IT would be an employee who buys a computer, signs up for accounts, and starts using software on that computer, all to get their job done, either at home or on the company's network.

John Harden:

Exactly. Shadow IT comes in lots of forms. I've seen some egregious examples, but in general, shadow IT really only comes into companies in a couple of forms. One, it's just an employee getting their job done. That same employee breaking every IT policy at the company is just trying to get their job done. Maybe their laptop breaks, so they procure something or use old home equipment.

They don't have malicious intent, they're just trying to get their job done. The second form is educational gaps. It's the same employee who went online to share a file with a prospect, not knowing there was a sanctioned process internally. There are so many SaaS tools and software tools that employees are just trying to get their job done and don't know all the features or functionality, so they solve their own problems.

Connor Swarm:

So for most employees, it's not only knowing that they shouldn't do that, but also the IT company, if they're aware of it, should enforce the proper way to do things.

John Harden:

Yes. We try not to slap people's wrists around shadow IT because it only creates the "department of no." We want our IT administrators to avoid being the department of no.

I call it entrepreneurship—people are solving their own business problems by signing up for their own software or using their own hardware. It's innovation. It's trying to get their job done. IT should look at that as a bed of opportunity. People aren't using a tool because they want to take the time to sign up and use it—they're using it because it's better or more efficient.

Connor Swarm:

That actually feels like a really interesting use case. Maybe as a decision maker at an organization, you'd like to know what tools your employees are using, even if you haven't bought them, because they believe them to be more effective. Maybe you should stop paying for one software and start buying another.

John Harden:

There's a metric out there: about 25% of SaaS is considered waste. The license goes underutilized or they're oversubscribed. Duplicity of applications is a key indicator of waste. There are so many ways to collaborate, communicate, or manage projects. The three Trojan horses for shadow IT are file sharing tools, collaboration and communication tools, and productivity tools. There are so many options, and people tend to lean into those types of tools to get their job done.

Connor Swarm:

I can't tell you how many times I've gotten a Word doc and instead of trying to do anything with it, I just go straight to Google Docs. If you didn't know about the shortcut, docs.new opens up a brand new Google Doc. It's free and convenient.

John Harden:

Is docs.new a Google feature or just a website?

Connor Swarm:

It's a Google thing that opens up a new Google document. You can do sheets.new, slides.new, etc. It's a hidden feature of Google.

John Harden:

One of the large things we see in shadow IT is employees doing similar things—transforming data. For example, converting a PDF to PNG online. Everyone's used those online converters. But this gets to the heart of shadow IT: nobody actually cares about shadow IT, what they care about is the data going into the shadow IT. Every cybersecurity program is built around the data. Maybe it's just a white paper being converted, but maybe it's a customer list in an Excel spreadsheet. Those systems may take a copy of the data, analyze it, and that's the heart of shadow IT—business data. People are worried about the data you're putting into the tool, especially sensitive company data.

Connor Swarm:

A lot of people are talking about this now with ChatGPT being used by employees when it's not sanctioned by the company. Who knows where that data is going? In theory, could someone prompt ChatGPT and get your data back out of it? The fact that the question can be asked is scary.

John Harden:

We've looked at the data. Across our base, and validated with others, 8% of the US workforce has tried ChatGPT. Half of those people put sensitive company data into it. The Samsung case is a pillar example where employees put data into ChatGPT, leading to data exfiltration. With shadow IT, every time you use these tools, you're leaving a droplet of data all over the cloud. You don't know how much data a SaaS tool gets when you sign in with Google or Microsoft. These breadcrumbs can be attacked by bad actors. Compound that by a company with thousands of employees, and you've got shards of data all over the internet that can be used as entry points for attacks, like supply chain attacks.

Connor Swarm:

A really interesting example is Brian Colangelo's burner Twitter account. The general manager of the Philadelphia 76ers got caught talking badly about his team on Twitter through an anonymous account because the phone number used to sign up was his. Someone found that information and connected it to him. That's the world we live in now.

John Harden:

That trail of data can look bad for individuals, but it can be worse if used to escalate internally in an organization. People compromise personal applications and use that data to escalate their way up. Be cautious of these tools—SaaS vendors are not trying to take less data about users.

Connor Swarm:

I've heard vendors say they need more data to make things streamlined and effective. But let's not pretend we're not trading off security for convenience.

John Harden:

It's about convenience. Employees take the path of least resistance. The job is already tough enough. Over 50% of IT admins have admitted to using shadow IT to get business outcomes because of pressure. That pressure continues for every employee. At the end of the day, they put IT policy aside to get their job done. Getting control of shadow IT is an IT job, not an employee's task.

Connor Swarm:

Why is shadow SaaS, shadow IT, more important now?

John Harden:

Go back to 2008, the "no software" logo from Salesforce—that was the start of SaaS. Since then, every metric about SaaS has gone up: users, apps, data, usage. 62% of employee time is spent in the web browser. That's why it's more important—because that's where all the data is.

Connor Swarm:

Not only are businesses using more SaaS software, but COVID created more opportunities for remote work. When you're not on a company network or device, there's a good chance you'll do things that are more convenient, even if you shouldn't. We've seen a lot of looseness since the digital transformation that COVID brought.

Connor Swarm:

This was a wonderful conversation. I'd love to have you back to talk more about the impacts on cybersecurity programs and what IT folks should do in response. Should they crack down or have an open-door policy? Can't wait to hear your thoughts next time. Thanks for joining, John.

John Harden:

Reach out on LinkedIn or go to olvic.com and click SaaS management for more info.

Connor Swarm:

Thanks for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, check us out at Phinsec IO. Thanks for phishing with me today and we'll see you next time.