Lurking in the Shadows: Why Shadow IT and ‘SaaS Sprawl’ Are Creating a Headache for Organizations


The real problem with shadow IT’s use of SaaS is not whether employees should have the right to invest in SaaS applications, but how data traffic is handled.

The cloud is synonymous with business. Some businesses are born in the cloud, some move their workloads there and rely on cloud servers for day-to-day operations, and some leverage cloud applications or Software-as-a-Service (SaaS) for productivity. Whichever way you cut it, businesses in 2023 can’t function effectively without some level of dependence on cloud technology.

According to a recent survey, 7 in 10 organizations default to cloud-based services when considering new tools. Cloud-based services’ cost-saving, scalability, ease of access, and overall flexibility are too good to ignore. However, this convenience comes at a cost. The more cloud services a business uses to manage its everyday operations, the more vulnerable it becomes to data loss, leakage, theft, ransomware, and other threats. This risk needs to be addressed and mitigated with tight oversight and governance policies over which cloud services are adopted – but cloud services are so ubiquitous and easily accessible that in a large organization, this is much easier said than done.

The sheer volume of cloud services available, combined with a very low barrier to entry, has created a problem known as “Shadow IT.” Shadow IT occurs when departments use third-party services without IT authorization, undermining the company’s IT policies. It’s rarely intentional, but with so many services to choose from and virtually any employee able to download and start using a third-party cloud service, Shadow IT is beginning to cause a real headache for security teams. With Shadow IT, data is usually routed through the public Internet rather than secured clouds, and there is no control over the pathways the data takes. This throws up all sorts of issues around data security, particularly in organizations that handle sensitive customer information such as healthcare or financial data.

The problem with “SaaS sprawl”

To put the problem of Shadow IT into perspective, consider that 65% of experienced remote workers currently use some form of Shadow IT in their daily work. Nearly half of all employees also use unapproved email accounts for work-related purposes; even 58% of IT managers report using unapproved tools to collaborate and communicate with other team members. The pandemic and the shift to remote and hybrid working environments exacerbate this cultural problem. A 2022 study revealed that 69% of technology executives say Shadow IT is now a “top security concern,” and 59% say they struggle with “SaaS sprawl” – employees using unauthorized third-party applications for work, collaboration, and communication.

This is costly for businesses, not just regarding the security risks posed. According to Gartner, Shadow IT currently accounts for 30-40% of IT spending in enterprise organizations, and the average company wastes $135,000 on unnecessary software licenses. This may be because employees aren’t satisfied with their existing tools and setups, so they need to “DIY” with third-party services. All it takes is one or two employees to use a “better” tool, and the SaaS sprawl begins.

The primary motivators for using Shadow IT appear innocuous. Often, it’s down to employees purchasing SaaS applications such as Slack, Asana, or Trello to help increase their productivity and better manage their workloads. Sometimes it might be a simple case of leveraging tools like Google Drive or Dropbox to store and organize data. The allure of WhatsApp as an easy messaging platform is another example of how easy it is to start using Shadow IT.


Stepping into the light

The use of third-party applications to facilitate productivity isn’t inherently a bad thing. Banning third-party tools and mandating that employees only use authorized software does superficially fix the problem of Shadow IT, but it also closes the door to innovation. If an employee finds a better way of working or a more efficient tool, a process should be in place to enable that software to be “authorized” and used securely if it is deemed beneficial to the business. The problem here isn’t necessarily Shadow IT but its visibility and governance. With suitable systems and policies, we can remove the “Shadow” element of “Shadow IT” and embrace employee initiative. Network visibility, improved detection, and robust cybersecurity policies can all help to minimize the risks posed by Shadow IT. Still, there is something more that businesses can do to ensure their data is protected.

When we talk about the risks posed by Shadow IT, we’re not necessarily referring to the use of third-party cloud services. Granted, there are business arguments to be made for how software is purchased and whether employees should have the right to invest in SaaS applications and start using them, but the real problem lies with how data traffic is handled.

When third-party applications are used without controls, critical data is routed to the cloud services through the public Internet, with all the risks that entails. The Internet was conceived as a “best effort” communication tool, which is insufficient for securing sensitive customer data. Therefore, rather than banning Shadow IT, companies should be looking to govern it better while seeking to bypass the public Internet, thus maintaining control and oversight of their data. With typical data traffic, the only option is to place the traffic into the hands of a transit provider, who, in turn, announces the packet requests back to the global Internet – to various recipients and senders that the company does not and cannot know, and cannot control. This anonymity is where the real danger lies.

Companies can circumvent the public Internet with direct connectivity to clouds or “peering” – direct interconnection between two networks – on an Internet Exchange or IX. By interconnecting via an IX, it is possible to know which network is sending traffic and which is receiving it, removing anonymous threats from the equation. It also has the added benefit of reduced latency because the data has fewer touchpoints and doesn’t have to travel as far, with the pathway the data takes under the company’s control.
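As an added illustration (not code from the article or from DE-CIX), the following Python audits constructed BGP-style routes to SaaS prefixes and separates those reached over direct IX peering from those handed to a transit provider, listing the intermediate ASNs the company neither chose nor controls. The ASNs and prefixes are placeholders from the private-use and documentation ranges, and the peer and transit sets are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = neighbour that advertised it, rightmost = origin AS


# Hypothetical ASNs from the private-use range; not real networks.
IX_PEERS = {64500, 64501}     # networks we peer with directly on the IX
TRANSIT_PROVIDERS = {64999}   # our upstream transit provider

# Constructed sample routes using RFC 5737 documentation prefixes.
SAMPLE_ROUTES = [
    Route("198.51.100.0/24", (64500,)),                # SaaS provider reached over IX peering
    Route("192.0.2.0/24", (64999, 64700, 64600)),      # SaaS provider reached via transit
    Route("198.51.100.128/25", (64501, 64501, 64501)), # IX peer using AS-path prepending
    Route("203.0.113.0/24", (64500, 64800)),           # customer of an IX peer
]


def dedupe_prepends(path: Tuple[int, ...]) -> List[int]:
    """Collapse AS-path prepending so a repeated ASN does not count as an extra hop."""
    hops: List[int] = []
    for asn in path:
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops


def classify(route: Route) -> Dict:
    hops = dedupe_prepends(route.as_path)
    neighbour, origin = hops[0], hops[-1]
    if neighbour in IX_PEERS:
        # Learned from a known peer: either the destination itself or a customer of it.
        kind = "direct-peering" if len(hops) == 1 else "peer-customer"
    elif neighbour in TRANSIT_PROVIDERS:
        kind = "transit"
    else:
        kind = "unknown-neighbour"
    # ASNs between the first hop and the origin: networks we did not choose and cannot control.
    return {"prefix": route.prefix, "kind": kind, "neighbour": neighbour,
            "origin": origin, "intermediaries": hops[1:-1]}


def audit(routes: List[Route]) -> Dict[str, List[str]]:
    """Group prefixes by how they are reached, so SaaS destinations reached only via transit
    stand out as candidates for direct cloud connectivity or IX peering."""
    summary: Dict[str, List[str]] = {}
    for r in routes:
        summary.setdefault(classify(r)["kind"], []).append(r.prefix)
    return summary


if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(classify(r))
    print(audit(SAMPLE_ROUTES))
```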

Shadow IT might be giving enterprises a headache. Still, rather than close the door on innovation and try to ban the use of third-party cloud services, companies should be seeking to embrace and govern Shadow IT to bring it into the light.

Dr. Thomas King

About Dr. Thomas King

Dr. Thomas King has been Chief Technology Officer (CTO) at DE-CIX since 2018, and a Member of the DE-CIX Group AG Board since 2022. Before this, King was Chief Innovation Officer (CIO) at DE-CIX, starting in 2016. He has been instrumental in his role at keeping DE-CIX at the forefront of technological development of Internet Exchanges, establishing DE-CIX as a neutral Cloud Exchange, pushing the boundaries of what is possible in terms of high-bandwidth access technology and security solutions for IX platforms, and trailblazing the automation of IX services with the implementation of patch robots, the development of the DE-CIX API, and overseeing the DE-CIX self-service customer portal. Thomas King has also overseen the technical implementation of the international expansion in markets spanning from North America to Europe, the Middle East, India, Southeast Asia and most recently Africa.
