Shadow IT is when employees use software or hardware without the knowledge or oversight of the IT department. Shadow IT evokes a feeling of anxiety and frustration because it represents this notion that there are applications hidden behind the veil of user error and ignorance that you won’t see until it becomes a headache or a liability.

The Rise of Shadow IT: How Did We Get Here?

User error and employee ignorance is nothing new, and neither is the use of unsanctioned IT solutions, so why is Shadow IT even more pervasive than before?

Today, Shadow IT often infiltrates our organizations through browser extensions and freemium productivity software instead of off-the-shelf software and computer hardware. These applications and integrations are designed for frictionless onboarding. As a result, the typical user doesn’t think twice about adding these harmless-sounding applications.

But these harmless applications add up.

The Statistics of Shadow IT

It is estimated that while the average company has over 108 known cloud services, they also have over 975 unknown cloud services. 1

That represents a 10 to 1 ratio of unknown to known cloud services.

And this is reflected in the bottom line. 20%-40% of enterprise technology funding is now spent outside IT’s purview. 2

And there’s a significant security cost as well. For example, 83% of IT professionals reported that employees stored company data on unsanctioned cloud services. And employees regularly recognize Shadow IT as a leading threat to data security. 3

Time for an uncomfortable question; with a problem that is both known and quantifiable, how has it managed to persist?

CASB: The hero in our time of need?

IT teams turned to a set of tools known as Cloud access security broker (CASB).

CASB is software or hardware that functions as an intermediary between users and cloud service providers. CASB’s are one of the tools corporate security teams deploy to manage security across software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) platforms. The appeal of CASB tools is that they allow organizations to extend the reach of security policies into the cloud.

Because of this, CASBs have become a vital part of enterprise security, allowing businesses to use the cloud while protecting sensitive corporate data safely.

CASB solutions are excellent at providing security concerning key use cases such as:

  • Actively blocking access to non-sanctioned cloud services.
  • Identify account takeovers
  • Monitor cloud services for risky behavior
  • Manage configuration settings of cloud platforms
  • Monitoring the flow of sensitive data, so it does not leave sanctioned cloud services. (Cloud DLP)
  • Discovery of Shadow IT
  • Automation of security life cycle – e.g., integrating with SIEM solutions to pass event data – blocking a SaaS app, disconnecting app configurations

So now comes the next uncomfortable question. Why hasn’t the adoption of CASB solutions ended the reign of Shadow IT?

The Shortcomings of CASB

CASB, for all of its strengths, suffers from critical shortcomings around the intelligence it can provide and the action it enables.

The technical architecture of CASB is complicated to deploy with proxy, agent, and API-based approaches to deployment. Unfortunately, many products use a combination of proxy, agent, and API to satisfy the use cases. This complexity means that companies require professional services for CASB deployment.

These limitations also show up with regards to IT’s ability to act on intelligence they might glean. CASB tools do not offer streamlined workflows or administration tools to help IT teams stop security threats before they manifest. This combination of difficulty to set up and limitations to leverage can often mean a CASB tool is ineffectively used within the organization.

SaaS Management: Filling the Gaps

SaaS Management is a way for IT teams to gain full transparency into the state of application use within their organization. It centralizes control so that the entire technology portfolio is organized and cataloged. Rather than waiting for a threat to arise, SaaS Management combines discovery and insight with action and workflows.

It does so by providing lightweight, easy-to-deploy discovery tools that uncover the Shadow IT lurking in plain sight using APIs and integration with endpoint technologies (such as MDM).

This increased discovery reveals Shadow IT to Corporate IT, procurement, and finance so they can save money by:

  • Eliminating redundant applications.
  • Optimizing the usage of underutilized licenses.

Not only is this information useful for reducing spend, but it also provides the ability for organizations to combine insights with action by automating workflows related to:

  • License management
  • Contracts
  • Renewals
  • Application discovery
  • Onboarding
  • Offboarding.


Should you use CASB, SaaS Management, or both?

SaaS Management and CASB solutions solve many of the same issues. However, they do so in very different ways and for different reasons.

Ultimately, it’s essential to understand the requirements within your industry and the capabilities of your team. CASB is excellent for addressing many specific security concerns and corporate use cases. However, the deployment process is much more complex, and often the discovery features do not capture the whole picture.

SaaS Management fills these gaps by providing a lightweight method of capturing a complete picture of the applications within your organization. However, SaaS Management also offers more opportunities for IT to take action with the insights gained and prevent security risks before they develop and reduce application costs.