Shadow IT: Tackling Security and Cloud Spend Management Together 


Unsanctioned applications are a problem that has been sharpened by the accessibility of the cloud. The democratization of technology alongside today’s accelerated pace of innovation have both obscured the problematic realities of Shadow IT.  

  • One study showed that IT leaders who thought they had only 30-40 apps running on their network had over 900. Other sources show on average companies have 1,014 apps.  
  • With unknown applications lurking in dark corners, security risks rise and so do costs. Gartner reports that in large enterprises, 30% to 40% of IT spending goes to Shadow IT due to lack of visibility and control.  
  • As analysts at Nemertes explain, companies discover, sometimes because of a major security breach or significant business problem, that their staff and business units are using unsanctioned SaaS, or unsanctioned instances of sanctioned platforms.  

Thanks to the well-publicized cybersecurity risks of Shadow IT, most IT leaders know they need to reveal unknown applications, but far fewer are tackling the issues of Shadow IT and SaaS costs together.  

It’s time for that change. Security and financial management should be working in unison. 

Pairing CASB and Cloud Expense Management Technologies  

Cloud Access Security Broker (CASB) solutions are today’s standard for helping companies secure applications in the shadows, and it’s time to partner them with cloud spend management solutions, also known as cloud cost management (CCM), to tackle security and SaaS waste in a “one-two punch.” This is a more comprehensive and more accurate approach for addressing all the problems that accompany Shadow IT.

Money is being spent frivolously — and redundantly — given the availability of cloud applications. Consider that a recent CIO study found 29% of SaaS licenses are either unused entirely or underutilized. Nemertes explains this problem as “enterprise money flowing counter to enterprise goals,” and pairing these two technologies can ensure corporate currents all flow in the same direction. 

Multi-Pronged Approach to Shadow IT Discovery 

Most security executives appreciate that comprehensive security requires a multi-layered approach, and that same best practice should be applied to Shadow IT discovery. Investigation requires a multi-pronged approach. Leaving your investigation to a CASB tool alone means you could potentially miss the applications employees are accessing via the internet without going through the corporate network. 

Typically, CASB solutions use network monitoring techniques, namely deep packet inspection (DPI), to filter data from logs (network packets, firewall, secure web gateways, endpoints). This is a great strategy for in-office employee monitoring, but not always effective for remote workers and situations where data isn’t flowing through the known corporate network environment.

This explains why adding a cloud spend management solution helps widen the scope of Shadow IT discovery. 

Cloud cost management tools, also known as cloud spend management tools, take a multi-source approach. Mining multiple sources of information allows for deeper investigations that yield higher levels of accuracy and more cost efficiency for the IT budget. They deliver a clearer view for more contextual analysis, gathered from a variety of sources including:

  1. Applications: Cloud cost management platforms are directly integrated with and connected to the source — to the applications themselves. They get the data directly from the application, including the usage and access data for each employee across multiple devices and multiple network connections. This is the tool’s preferred source of truth.
  2. Users & Endpoints: Platforms gather information via integration and connected systems like SSO (single sign-on) systems, CASB, IdP (identity provider) services, virtual desktop agents, and browser extensions on local machines.
  3. Expenses: Integrations with corporate financial expense management systems collect invoices and expense and financial management information.
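
The multi-source discovery described above, as an added illustration (not Tangoe's code or any vendor's API): it merges three constructed inventories, one per source type, and marks the unsanctioned apps that never appeared in the CASB's network logs. The record fields, app names, amounts and the `discover` function are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data; app names, users and amounts are invented.
SANCTIONED = {"office365", "salesforce"}
CASB_LOG_APPS = [  # apps seen in corporate proxy/firewall logs
    {"app": "office365", "user": "alice"},
    {"app": "filedrop", "user": "bob"},
]
SSO_SIGNINS = [  # sign-ins reported by the identity provider
    {"app": "Office365", "user": "alice"},
    {"app": "salesforce", "user": "carol"},
    {"app": "designhub", "user": "dave"},
]
EXPENSE_LINES = [  # vendor charges from the expense system
    {"app": "DesignHub", "user": "dave", "monthly_usd": 45.0},
    {"app": "notetaker", "user": "erin", "monthly_usd": 12.0},
    {"app": "office365", "user": "finance", "monthly_usd": 2300.0},
]

def normalize(name):
    """Fold case and spacing so the same app matches across sources."""
    return name.strip().lower().replace(" ", "")

def discover(casb, sso, expenses, sanctioned):
    """Return unsanctioned apps with the sources that revealed each one."""
    apps = defaultdict(lambda: {"sources": set(), "users": set(), "monthly_usd": 0.0})
    for source, records in (("casb", casb), ("sso", sso), ("expense", expenses)):
        for rec in records:
            entry = apps[normalize(rec["app"])]
            entry["sources"].add(source)
            entry["users"].add(rec["user"])
            entry["monthly_usd"] += rec.get("monthly_usd", 0.0)
    findings = []
    for name, entry in apps.items():
        if name in sanctioned:
            continue
        findings.append({
            "app": name,
            "sources": sorted(entry["sources"]),
            "users": sorted(entry["users"]),
            "monthly_usd": entry["monthly_usd"],
            # True when network-log discovery alone would not have found it
            "missed_by_casb": "casb" not in entry["sources"],
        })
    # Highest known spend first, then name for stable ordering
    return sorted(findings, key=lambda f: (-f["monthly_usd"], f["app"]))

if __name__ == "__main__":
    for finding in discover(CASB_LOG_APPS, SSO_SIGNINS, EXPENSE_LINES, SANCTIONED):
        print(finding)
```
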

The Takeaway: Why take a single-source approach when you can look at cloud applications from every angle and move beyond just the immediate needs of security protections, also getting a handle on SaaS waste and reducing SaaS costs?  

Yes, executives should prioritize Shadow IT mitigation efforts based on security risk factors associated with each unsanctioned app, but they should also weigh the cost of those unsanctioned apps, so they are tackling risk and financial efficiencies in unison. Amid today’s macroeconomic headwinds and pressures to stretch IT budgets even further, this is of critical importance. 

Here’s What Cloud Cost Management Adds to CASB Solutions

Cloud cost management platforms complete CASB offerings by delivering insight into: 

  • Application spending, including spending outside the IT department 
  • Apps purchased on personal employee credit cards and then expensed to the company 
  • App contracts set to auto-renew 
  • Where there is room to negotiate better deals based on bulk price discounts 
  • Unused app licenses – identifying SaaS waste 
  • Who is using applications and how – which helps decision makers know how many of their Microsoft O365 licenses REALLY need to be upgraded to E5 (as just one example) 
  • Cost allocations, showing which departments/lines of business are being held financially responsible for SaaS and, perhaps more importantly, which ones aren’t 

What CCM Does that CASB Typically Can’t 

Cloud cost management platforms expand traditional CASB capabilities with the ability to: 

  • Directly integrate with/monitor applications, expense management systems, SSO, IDP, virtual agents 
  • Gather granular insights into app usage data for deeper SaaS visibility — the number of licenses, users by application and by role, type of license (E3 vs E5), security risk insights per app, cost and billing cycles 
  • Manage licenses, contracts, and spending 
  • Optimize costs and spending across SaaS 
  • Automate on- and off-boarding to assign/unassign/reassign licenses as employees enter and exit the company 
  • Automate invoice processing, reconciliation, and bill payments  

When it’s time to take a wider approach to Shadow IT discovery and tackle SaaS cost management, talk to Tangoe.
