

Rather than trying to completely eliminate Shadow IT, the process of regaining control begins with identifying unofficial applications used in the company without the agreement of the Information Systems Department (ISD). This approach promotes better governance and helps anticipate potential problems.
Different methods and techniques for detecting the use of unauthorized applications are available, and they can vary depending on the size of the company, the industry sector, and the sensitivity of the information processed.
In this article, we detail these methods, explain how they work, and discuss their advantages and disadvantages to help you choose the best option for your company.
A technical approach involves meticulously analyzing network flows, specifically HTTP and DNS flows, with the aim of identifying the use of Web applications (SaaS) that are external to the organization.
This analysis is native to certain specific platforms:
Next-Generation Firewalls (NGFW) perform this analysis and generate the associated reports. Certain equipment manufacturers, such as Palo Alto and Fortinet, have distinguished themselves in this field thanks to their performance and expertise. However, in the era of remote work, a company's network flows do not necessarily pass through the corporate firewall, and it is crucial to take this reality into account when implementing these devices.
Proxies and CASBs (Cloud Access Security Brokers) are specifically dedicated to this task. This is particularly true of CASBs which, in addition to analyzing SaaS application usage, offer features for securing access to those applications. These tools are essential for optimal security of data and sensitive information.
However, network analysis has its limits. For example, it cannot detect applications that are used via VPNs or proxy connections, nor applications used on personal devices or outside the corporate network.
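As an added example (not code from the original article), the following script shows the core of the flow analysis described above: it reads proxy/DNS-style log lines, maps each host to a catalogued SaaS application, drops the applications the ISD has approved, and reports the remaining ones with the number of distinct source addresses using them. The log format, the SaaS catalogue and the sanctioned list are constructed assumptions.

```python
# Added example, not from the original article: flag unsanctioned SaaS use
# in proxy/DNS-style logs. Log format, catalogue and sanctioned list are
# constructed assumptions for the demonstration.
from collections import defaultdict

# Constructed catalogue: registrable domain -> (application, category).
SAAS_CATALOGUE = {
    "trello.com": ("Trello", "project management"),
    "slack.com": ("Slack", "messaging"),
    "dropbox.com": ("Dropbox", "file sharing"),
    "discord.com": ("Discord", "messaging"),
}
SANCTIONED = {"Slack"}  # approved by the ISD (constructed)

# Constructed log lines: "<timestamp> <source_ip> <host> <method> <path>".
SAMPLE_LOG = """\
2024-05-02T09:01:12 10.0.1.21 app.slack.com GET /api/rtm
2024-05-02T09:03:40 10.0.1.21 api.trello.com POST /1/cards
2024-05-02T09:05:03 10.0.1.34 trello.com GET /b/abc123
2024-05-02T09:07:55 10.0.1.34 www.dropbox.com GET /home
2024-05-02T09:09:10 10.0.1.50 intranet.example.local GET /
2024-05-02T09:12:27 10.0.1.50 discord.com GET /channels/@me
"""

def registrable_domain(host):
    """Collapse a hostname to its last two labels. Sufficient for this
    catalogue; a real deployment should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_unsanctioned_saas(log_text):
    """Map each catalogued, non-sanctioned SaaS application seen in the log
    to its category, the set of source IPs using it and a request count."""
    seen = defaultdict(lambda: {"category": "", "users": set(), "requests": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                     # malformed line, skip it
        src_ip, host = parts[1], parts[2]
        entry = SAAS_CATALOGUE.get(registrable_domain(host))
        if entry is None or entry[0] in SANCTIONED:
            continue                     # unknown domain or approved app
        app, category = entry
        rec = seen[app]
        rec["category"] = category
        rec["users"].add(src_ip)
        rec["requests"] += 1
    return dict(seen)
```

Traffic from remote workers that never reaches the proxy or firewall produces no log lines at all, which is exactly the blind spot the paragraph above describes.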
An increasing number of SaaS applications now offer registration and authentication through an identity provider, as shown by the ubiquitous "Sign in with Google/Microsoft" buttons. When such a sign-in is tied to a corporate email address, the identity provider records the requesting application in its list of "corporate applications". This is another method for detecting SaaS applications.
This method offers many opportunities but also has its limits. The most obvious is that it only reveals registrations made through SSO: if a user registers by another means, the application will not be detected this way. Despite this limitation, it remains a valuable tool in our detection arsenal.
Workstation management platforms are particularly useful tools that often allow creating a detailed inventory of the software installed on each computer. Thanks to this functionality, it is possible to identify the presence of certain software, which can reveal the use of SaaS applications that offer native clients, such as Notion or Slack.
This proves particularly useful for discovering the existence of various services. For example, one can detect:
File sharing services, which are essential in a collaborative work environment. Notable examples include Google Drive and Dropbox.
Alternative video conferencing and messaging applications, which allow efficient communication within the company. Popular options include Discord and WhatsApp.
Productivity tools, which help employees organize their work and increase their efficiency. This includes calendar applications, to-do lists, note-taking tools, and many others.
In a context where such a platform is implemented within the company, Endpoint Detection and Response (EDR) systems can prove particularly useful. These systems not only detect and respond to potential threats, but are also capable of listing the applications installed on user devices.
However, the inventory of installed programs has a potentially invasive facet. Indeed, this method requires installing an agent on users' workstations, which can be perceived as an intrusion into their privacy. It is therefore essential to communicate transparently with employees and respect regulations relating to the protection of personal data when implementing this method.
Using a SaaS application often implies subscribing to a plan. This step is generally facilitated by the fact that operational teams, who have the autonomy to subscribe to a SaaS solution, can use the corporate credit card to do so (SEPA direct debits, by contrast, require a more significant commitment).
These credit card transactions can then be identified in the company's bank statements. Some platforms exploit this data source to detect SaaS application usage. These platforms, known as SaaS Management Platforms (SMP), complement the analysis with financial consolidation and associated recommendations.
Among these recommendations, we can cite:
Reducing the number of unused "seats" on a subscription
Rationalizing duplicate subscriptions in the company
However, this method has a major weakness: it does not allow identifying free applications, nor those that were subscribed to with a personal credit card (which can happen, for example, when the employee gets reimbursed through expense reports). This is therefore a limitation to keep in mind when using these platforms.
Example
Freety is a company of 200 people that uses several SaaS applications for its daily operations. On the credit card statement, a monthly charge of 80 euros is noticed on the Communication team's card.
The description of the credit card entry reads "Trello Inc.": it corresponds to a Trello (project management) subscription for 8 users.
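The Freety example above can be automated. The following script, added here and not taken from the article or from any SMP product, reads a constructed card statement export, normalises merchant descriptors (so that "Trello Inc.", "TRELLO INC" and "Trello Inc" are recognised as the same vendor) and keeps only charges that recur at the same amount across several months, which is the signature of a subscription. The CSV layout, the merchant catalogue and the transactions are constructed assumptions.

```python
# Added example, not from the original article: infer SaaS subscriptions from
# recurring card charges. CSV layout, catalogue and rows are constructed.
import csv
import io
from collections import defaultdict

MERCHANT_CATALOGUE = {  # constructed: normalised descriptor -> vendor
    "TRELLO INC": "Trello",
    "DROPBOX": "Dropbox",
}

# Constructed statement export: date,card_holder,description,amount_eur
STATEMENT_CSV = """\
date,card_holder,description,amount_eur
2024-02-05,Communication team,Trello Inc.,80.00
2024-03-05,Communication team,TRELLO INC,80.00
2024-04-05,Communication team,Trello Inc,80.00
2024-03-12,Marketing team,DROPBOX*PLUS,11.99
2024-04-12,Marketing team,DROPBOX*PLUS,11.99
2024-03-20,Sales team,RESTAURANT LE BISTRO,64.50
"""

def normalise(description):
    """Upper-case, drop the '*qualifier' suffix and all punctuation."""
    base = description.split("*")[0]
    return " ".join("".join(c if c.isalnum() or c.isspace() else " " for c in base).upper().split())

def match_vendor(description):
    """Return the catalogued vendor for a descriptor, or None."""
    key = normalise(description)
    for merchant, vendor in MERCHANT_CATALOGUE.items():
        if key.startswith(merchant):
            return vendor
    return None

def find_subscriptions(csv_text, min_months=2):
    """Return {(vendor, card_holder): {"monthly_eur", "months"}} for vendors
    charged the same amount in at least min_months distinct months."""
    charges = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = match_vendor(row["description"])
        if vendor is None:
            continue                          # not a known SaaS merchant
        amount = round(float(row["amount_eur"]), 2)
        charges[(vendor, row["card_holder"], amount)].add(row["date"][:7])
    return {
        (vendor, holder): {"monthly_eur": amount, "months": sorted(months)}
        for (vendor, holder, amount), months in charges.items()
        if len(months) >= min_months
    }
```

A free plan or a subscription paid with a personal card never appears in this export, which is the limitation the next paragraph points out.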
It is also interesting, even essential, to directly ask the people concerned which applications they use daily in the course of their work. Far from wanting to conceal this information, they can provide valuable details that complete a pre-existing list (built with the methods mentioned above) or fill out an open and detailed form.
It is an invaluable opportunity to collect additional, in-depth information, such as the application's criticality level, users' satisfaction with it, and the identity of the application owner.
The survey, to be effective and relevant, can be carried out periodically. An annual basis seems to be a reasonable and manageable timeframe for most organizations. Furthermore, a form can be integrated into a permanent data collection process, thus allowing continuous collection of new applications that business managers declare throughout the year. This will allow maintaining an up-to-date and precise vision of the company's application ecosystem.
To detect Shadow IT, several methods can be used: analyzing network flows via application firewalls or proxies, inventorying programs installed on workstations, analyzing bank transactions, and employee surveys. Each method has its advantages and disadvantages, and the choice depends on the company size, industry sector, and sensitivity of the information processed.
See how Kabeen can help you regain control of your information system.