Policies for SaaS Apps, Shadow IT Prove Difficult to Manage

Despite spending up to 10% of their revenue on SaaS applications, organizations lack policies to not only manage them but to manage shadow IT as well.

Nathan Eddy

November 29, 2022

3 Min Read
SaaS written on a technology background
Getty Images

Software-as-a-service (SaaS) apps have been on the rise as organizations seek agility and scalability, but IT teams lack visibility into SaaS apps used in organizations, according to a report from Gartner Peer Insights and Zluri, a SaaS management platform.

The report revealed organizations lack consistent documented policies or processes for managing their SaaS ecosystem, even though most respondents — 58% — said they spend up to 10% of their revenue on SaaS applications.

In addition, 56% of respondents don't have or are not sure if they have a documented shadow IT policy, and just 14% of respondents have a SaaS offboarding process.

Why There's a Need for a Shadow IT Policy

Zluri co-founder Ritish Reddy explained that after conducting the survey, he found it astonishing that more than half of the respondents don't have or aren't even sure if they have a documented shadow IT policy.

"This is alarming for many reasons, including cost and security," he said. "Companies without a shadow IT policy are opening themselves up to multiple security vulnerabilities across their organizations, especially with the growing threat of ransomware."

With SaaS apps accounting for the greatest organizational expense next to payroll and third-party applications being a common "backdoor" for hackers, there will be widespread enterprise security breaches without proper oversight.

Related:How the Cloud Made Computing Harder, Not Easier

The challenge of shadow IT has grown in the past year as companies have adopted hybrid or fully remote work structures.

Additionally, companies are embracing the tenets of digital transformation, allowing more of their workforce to have access to productivity tools.

"In these scenarios, individuals and teams are increasingly relying on new SaaS tools to collaborate and streamline previously manual processes," Reddy explained.

While these initiatives have good intentions, they leave IT teams in the dark about what tools employees are using, what data is being shared externally with third-party vendors, and how the rising costs are measuring up with other tools in their tech stack.

"Companies without a shadow IT policy are opening themselves up to multiple security vulnerabilities across their organizations, especially with the growing threat of ransomware."

— Ritish Reddy, co-founder, Zluri

The report also revealed that the most common way SaaS application accounts are terminated is by exporting the data before closing the account, and less than half of respondents (44%) said they have a documented process or coordinate with the SaaS vendor for this.

Related:Why Security Logging Is Key to Ransomware Response

"Many IT teams don't have a formal, organized plan for battling shadow IT," Reddy noted. "IT teams need to work with financial, procurement, legal, and HR to set policies, achieve greater visibility of all the SaaS applications being utilized, and have a plan for onboarding and offboarding employees."

The Benefits of SaaS Management Platforms

Enterprise SaaS management platforms can help IT teams discover, manage, optimize, and automate their SaaS apps, according to Reddy.

"Ideally, such platforms will offer a single dashboard framework, where IT, finance, and procurement teams can maximize the value and productivity of any subscription-based software solutions," he said.

With organizations continuing to use a variety of SaaS tools, a SaaS management platform must be able to integrate with the most frequently used and popular applications used by today's global companies.

Reddy added that cybersecurity solutions such as Black Kite that focus on third-party risk management are also useful tools on the preventative side.

Getting Shadow IT, SaaS App Visibility Under Control

From Reddy's perspective, the first step for controlling shadow IT and gaining better visibility into SaaS apps is for IT leadership to get a full handle on all the applications being used in their organization.

"Without that insight, personal training will be moot," he said. "However, training plays a crucial role in eliminating shadow IT and mitigating the associated risks."

Companies should establish a security culture and implement security awareness training for all employees, and everyone needs to understand the risks involved in deploying their own software and best practices for engaging with applications and email to avoid risk, he said.

"Work from home only raised these stakes, as people are working on personal devices with little to no central IT oversight," Reddy cautioned.

About the Author(s)

Nathan Eddy

Nathan Eddy is a freelance writer for ITProToday and covers various IT trends and topics across wide variety of industries. A graduate of Northwestern University’s Medill School of Journalism, he is also a documentary filmmaker specializing in architecture and urban planning. He currently lives in Berlin, Germany.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like