
An Enterprise Case Study: How Widespread is Shadow SaaS

Shadow SaaS is a bigger problem than most security teams think. We ran a proof of value with one company, and the results were eye-opening: almost 7X more SaaS applications in use than the team knew about, and former employees who still had access.

How widespread is shadow SaaS in enterprise environments? We recently conducted a proof of value (POV) with a company that thought it had a handle on the problem. The findings were eye-opening: the POV discovered 165 SaaS applications in use that the security team did not know about. We also found active accounts belonging to former employees. This engagement illustrates how widespread shadow SaaS has become in enterprises and how little visibility security teams have into the problem.

The security team was curious to see what Grip's platform would find, as they were already aware of unsanctioned SaaS application use. However, they did not know who was using these unauthorized applications or the full extent of the problem. The company, already numbering over 300 employees, was growing quickly and wanted to get ahead of the risk these unknowns posed. Together, we uncovered a very large number of shadow SaaS applications. Though the POV covered only 100 randomly selected employees, the results indicate that the actual problem extends far beyond them, and show how shadow SaaS continues to pose an enormous risk to enterprises. After all, we cannot monitor what we do not know exists.

POV Results

Employees in POV: 100
SaaS apps discovered: 194
SaaS apps in SSO: 29
Apps still accessible by former employees: 11

We ran our POV on a sample of 100 employees and made sure to include the security leaders working with Grip. They were excellent sports, and fully transparent about their uneasiness over what we might find. Candidly, they shared that they struggled to confirm whether their current SaaS security program was working, and that they did not know how to implement a SaaS procurement process that would not hinder employee productivity or business objectives.

When asked how many applications they were aware of, they defaulted to those already in their SSO, which came to 29. After the Grip platform performed its initial analysis, the actual number of SaaS applications in use was 194, or 165 more than the security team was aware of. Having established the extent of the shadow SaaS problem, we used the Grip platform to help the team understand the risk associated with those applications.

Reviewing the Results

The trajectory of SaaS risk was a cause for concern. The POV covered fewer than a third of the company's employees, and the company was growing quickly, onboarding 15 people a week since the start of the year. We found that, as the employee base grew, the number of SaaS applications in use grew even faster. This is a known phenomenon: new employees often prefer the SaaS applications they already know over those sanctioned by their employer. Extrapolating from this sample, the total number of SaaS applications in use across the company was likely 500 or more, almost all of them invisible to the security team.

Grip's platform also discovered employees who had not been properly offboarded and still had access to SaaS applications. Enterprises face two problems when deprovisioning SaaS access outside of SSO. First, the security team cannot deprovision employees from applications it does not know about. Second, anything not already behind SSO requires manual processes that are tedious, time-consuming, and rarely carried out; they are also prone to errors that are difficult to track and correct.

The POV confirmed what the security team suspected but had no way to verify. The team acknowledged that the Grip analysis gave them a solid baseline for the problem, as well as actionable results that can be measured on an ongoing basis. Based on the POV results alone, the security team fully deprovisioned the six former employees from the 11 applications they could still reach, and was able to produce a more complete list of the SaaS applications in use in the company.

Visibility, Prioritization and Automation

The POV with this company is very similar to almost all the POVs we have conducted so far. Despite differing company sizes and levels of maturity, the results rarely vary. Most companies have solutions in place and correspondingly feel they have control over their SaaS problem. They tend to suspect, at most, a small amount of shadow SaaS. However, we are usually able to demonstrate that the true number of unsanctioned SaaS applications is much higher than expected.

The POV demonstrated the value of three capabilities in particular:

Visibility: The Grip platform provides the most complete discovery of SaaS applications. The data is summarized on a single dashboard that marks each application as sanctioned or unsanctioned and shows its authentication method and access frequency.

Prioritization: With so many applications, security teams need to understand which ones carry the greatest risk and where to focus their resources. By showing which SaaS applications have the most users and how frequently they are used, the Grip platform helps teams address the most widely used applications first.

Automation: Grip's platform can automatically revoke access to all of an employee's SaaS applications during offboarding. Access control is the first step in securing a SaaS application, and it is often a manual and time-consuming process. Grip revokes access at the application itself, which immediately cuts the account off from all managed and unmanaged devices. Grip can also notify administrators when a user's access privileges should change, for example when the user's data needs to be saved or transferred first.
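The reconciliation behind the three capabilities above (the shadow-app gap, ranking unsanctioned apps by users and frequency, and an offboarding worklist that separates SSO-federated access from accounts that must be revoked at the application) can be run by a security team themselves once they have a discovered-account inventory alongside their SSO catalog and HR roster. The script below is an added example, not Grip's code and not data from this engagement; the record layout, app names, users and dates are all constructed sample input.

```python
"""Reconcile a discovered SaaS inventory against the SSO catalog and HR roster.

Added example with constructed data; not the vendor's code and not data from
the engagement described in the post.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: applications federated through SSO (what the team "knows").
SSO_APPS = {"salesforce", "slack", "github"}

# Constructed sample: HR roster, email -> (status, last working day or None).
ROSTER = {
    "alice@example.com": ("active", None),
    "bob@example.com": ("active", None),
    "carol@example.com": ("terminated", date(2023, 3, 31)),
    "dave@example.com": ("terminated", date(2023, 1, 15)),
}

# Constructed sample: discovered SaaS accounts, one row per (user, app).
# auth is how the account signs in ("sso", "password" or "oauth");
# logins_30d is the observed login count over the last 30 days.
DISCOVERED = [
    {"user": "alice@example.com", "app": "salesforce", "auth": "sso", "logins_30d": 40, "last_seen": date(2023, 6, 1)},
    {"user": "alice@example.com", "app": "notion", "auth": "password", "logins_30d": 25, "last_seen": date(2023, 6, 2)},
    {"user": "bob@example.com", "app": "notion", "auth": "oauth", "logins_30d": 10, "last_seen": date(2023, 5, 30)},
    {"user": "bob@example.com", "app": "trello", "auth": "password", "logins_30d": 3, "last_seen": date(2023, 5, 1)},
    {"user": "bob@example.com", "app": "github", "auth": "password", "logins_30d": 12, "last_seen": date(2023, 6, 1)},
    {"user": "carol@example.com", "app": "notion", "auth": "password", "logins_30d": 0, "last_seen": date(2023, 5, 20)},
    {"user": "carol@example.com", "app": "slack", "auth": "sso", "logins_30d": 0, "last_seen": date(2023, 3, 30)},
    {"user": "dave@example.com", "app": "dropbox", "auth": "password", "logins_30d": 2, "last_seen": date(2023, 5, 25)},
]


def shadow_apps(discovered, sso_apps):
    """Apps observed in use that are not federated through SSO (the 194 vs 29 gap)."""
    return sorted({r["app"] for r in discovered} - set(sso_apps))


def sso_bypass_accounts(discovered, sso_apps):
    """Local (non-SSO) accounts on apps that ARE in SSO: the app looks sanctioned,
    but disabling the IdP user will not touch these accounts."""
    return sorted((r["user"], r["app"]) for r in discovered
                  if r["app"] in sso_apps and r["auth"] != "sso")


def prioritize(discovered, sso_apps):
    """Rank unsanctioned apps by distinct users, then by total logins, then name."""
    users, logins = defaultdict(set), defaultdict(int)
    for r in discovered:
        if r["app"] in sso_apps:
            continue
        users[r["app"]].add(r["user"])
        logins[r["app"]] += r["logins_30d"]
    ranked = [(app, len(users[app]), logins[app]) for app in users]
    return sorted(ranked, key=lambda t: (-t[1], -t[2], t[0]))


def former_employee_access(discovered, roster):
    """Accounts held by terminated staff. Flags use after the last working day
    and whether revocation must happen at the app (anything not behind SSO)."""
    findings = []
    for r in discovered:
        status, last_day = roster.get(r["user"], ("unknown", None))
        if status != "terminated":
            continue
        findings.append({
            "user": r["user"],
            "app": r["app"],
            "auth": r["auth"],
            "used_after_exit": last_day is not None and r["last_seen"] > last_day,
            "manual_revoke_needed": r["auth"] != "sso",
        })
    return findings


def offboarding_worklist(user, discovered, sso_apps):
    """Split a leaver's apps into what the IdP disable covers and what must be
    revoked by hand. An SSO-federated app reached via a local password still
    needs manual revocation, hence the check on the account's auth method."""
    via_idp, manual = [], []
    for r in discovered:
        if r["user"] != user:
            continue
        federated = r["app"] in sso_apps and r["auth"] == "sso"
        (via_idp if federated else manual).append(r["app"])
    return {"via_idp": sorted(via_idp), "manual": sorted(manual)}


if __name__ == "__main__":
    print("shadow apps:", shadow_apps(DISCOVERED, SSO_APPS))
    print("SSO bypass accounts:", sso_bypass_accounts(DISCOVERED, SSO_APPS))
    print("priority (app, users, logins):", prioritize(DISCOVERED, SSO_APPS))
    for f in former_employee_access(DISCOVERED, ROSTER):
        print("former employee:", f)
    print("carol worklist:", offboarding_worklist("carol@example.com", DISCOVERED, SSO_APPS))
```

On the sample data, `shadow_apps` returns the three apps outside SSO, `sso_bypass_accounts` catches bob's password login to github even though github is federated, and carol's worklist shows that disabling her IdP account covers slack but not the notion account she kept using after her last day.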

Conclusion

Shadow SaaS is pervasive and growing quickly in almost every company. The outcome of this POV is typical of Grip's other engagements in enterprise environments: security teams either believe they have control of the problem or drastically underestimate its extent. Unfortunately, today's security products, such as SSO, CASB and password managers, cannot provide the information required to quantify and measure the problem on an ongoing basis. Time and again, we find that an enterprise has hundreds of applications that are completely unknown to its security team. The Grip POV process helped this company understand its shadow SaaS problem and address it in an unobtrusive way, so that users could keep using the SaaS applications they need to be productive.

The Grip platform can be deployed in 15 minutes and requires no endpoint agent or network devices. For a demo and a free shadow SaaS assessment, contact us.

This is a Security Bloggers Network syndicated blog from Grip Security Blog authored by Grip Security Blog. Read the original post at: https://www.grip.security/blog/how-widespread-is-shadow-saas