Indeed, there are some great alternatives for discovering Shadow IT, some with more or less overhead (e.g. browser extensions that nobody wants to install).
The biggest challenge is that there's an abundance of SaaS tools that are free to use or have extensive free trials. This often lures employees into "just trying" a platform and ending up importing critical company data.
Slack and Loom are great examples of SaaS that profited from being "Shadow IT". They gained traction by employees quickly self-onboarding onto the free plan, without their IT or Security knowing what data is being shared.
If you block marketing from using the tools they want, they will do it anyway, but using personal email addresses like Gmail or something like that, especially with the generous free tiers.
Which makes it even worse because you cannot detect it then :/
Shouldn't people just be able to try out new things? How can a company be innovative otherwise?
And at a specific point (e.g. putting customer data into it), they need to start a proper vendor assessment process.
People can absolutely try new things, but time and time again you cannot trust people to not put sensitive data into those platforms and they continually do.
It's always a balance of information security awareness, culture and technological solutions within an organisation.
We talked to lots of CISOs, InfoSec managers and IT admins about that issue.
There are basically two camps: actively block any new tool vs. don't block but educate so people don't do anything stupid.
I feel not blocking makes the most sense. Employees want to be treated like adults, especially in tech-savvy companies. If they feel like they are unnecessarily blocked, they will just find a workaround (e.g. a non-work email or device).
However, you definitely want to keep track of what people are signing up for - that's where the Shadow IT scanner comes in handy. In case you see something that's against policy, it's often enough to just explain why it's a risk for the company. No employee means harm and just wants to be treated like an adult.
Agree it isn't practical to block everything while still allowing software engineers to do their job. An online regex tester is super useful, or could be a big risk if an employee uses it incorrectly.
But it is helpful to block certain things that are just too common outside of work so people just don't think twice. Things like ChatGPT, Grammarly, Pastebin, etc. should be manually blocked.
Another interesting approach I learned from the Director of IT at Intercom (Emanuele Sparvoli): They pay for a single seat in each of the typical "Shadow IT" SaaS apps. Then they block within the SaaS app the ability to sign up with email/password coming from their domain.
It's pretty drastic since you literally pay for a seat in a tool you don't want to use. But it stops anybody from quickly signing up and instead will guide them to the IT team. They then have the chance to explain what the official alternatives are.
What's important is that the employees understand the reason why certain apps are not allowed - whether that's cost, security or something else.
Indeed, when I learned about it I felt stupid for not having somebody run a regular report. Everybody talks about Shadow IT, but most companies have a decent option to uncover a large chunk of it quite easily.
Hmm audit compliance? Google gives you a log of who logged in where, doesn't it?
And with "proper RBAC" you mean that you can put somebody into the "Developer" role, hence he gets AWS, GCP, Datadog, right?
I don't know how extensive Google's logging is - heck, didn't even know they offered Enterprise SSO until a few days ago (every organization I know uses either Okta or M365/AD) :)
Proper RBAC is as granular as necessary, but no more
Proper RBAC also links everything needed by a certain role together
Merely knowing who logged in where and when, though, is not enough - you also need to know what they did while there (and that they did not do anything they were not supposed to be able to do (which links back to proper RBAC'ing)).
CIS, HIPAA, FISMA, SOX, STIG and all the other alphabet soup compliance rules, frameworks, etc are a lot more extensive than just "who logged in where" :)