When addressing the problem of so-called "shadow" IT – the use of unauthorized business applications, a trend facilitated by the popularity of software-as-a-service (SaaS) – companies usually view their IT organizations as a kind of "app police," responsible for detecting and discouraging this under-the-radar activity.
Yet a recent study by Frost & Sullivan's Stratecast division found that IT professionals are actually more likely than their business peers to use non-approved SaaS apps. According to the study, which was commissioned by McAfee, 20 percent of IT respondents said six to 10 such apps were used in their department, compared to 5 percent of business users. The numbers were similar for apps used personally by the respondents.
"Stratecast suspects that this is a case of IT employees’ overconfidence in their ability to assess risks, as well as their greater familiarity with a range of SaaS solutions," notes the report, adding that IT employees also have administrative rights and tools that make it relatively easy for them to circumvent attempts to rein in rogue software usage.
Given the ease of purchasing and deploying SaaS, few companies could expect to have no non-authorized apps. Still, Stratecast believes that slightly more than a third of enterprise apps are procured without approval and used without formal oversight. More than 80 percent of respondents admitted using unauthorized SaaS apps.
The most popular shadow applications are productivity apps Microsoft Office 365 and Google Apps, used by 15 percent of employees, followed by social media apps LinkedIn and Facebook and file-sharing apps like Dropbox.
The problem, of course, is that shadow apps may pose security risks or fail to meet a company's regulatory requirements. And employees are aware of these issues. For example, 45 percent of IT users and 41 percent of LOB (line-of-business) users worry that sensitive corporate or personal data could be accidentally exposed to unauthorized users.
The report highlights a lack of consistent policies governing SaaS usage and employee awareness of policies as contributing factors to the problem. Eighteen percent of LOB respondents said employers either had no policies regarding SaaS usage or they weren't sure if there were any policies in place.
Reducing SaaS Risks
Establishing a SaaS policy that aligns with business objectives is one of six recommendations in the report for addressing shadow IT. But companies must take care not to be too restrictive. An overly restrictive policy "will likely backfire," the report reads. "You will not only be at a competitive disadvantage in hiring and retaining younger workers, who expect freedom in selecting applications, but you will squelch the kind of innovative thinking that characterizes successful companies."
Another recommendation is to get buy-in for the policy by introducing it throughout the company, starting with the IT department and then sharing it with other departments. In addition, the report advises IT personnel to maintain an ongoing dialogue with LOB leaders, invite them to help evaluate potential SaaS options, and share reports showing threats that have been deflected by the SaaS policy.
Not surprisingly, given McAfee's sponsorship of the report, it also suggests investing in security solutions that provide protection against malware, block undesirable URLs and help contain other application-related risks. In particular, it advocates using a product that offers policy-based control over some functions of commercial software so, for example, companies can allow workers to access Facebook but not use the chat function.
Another product that can help reduce SaaS-related risks is an identity and access management solution that offers a single sign-on for SaaS applications so passwords are less likely to be stored in an unprotected manner, says the report.