How Reco Discovers Shadow SaaS and Shadow AI

The explosion of SaaS and AI tools has transformed the way organizations operate, boosting productivity, collaboration, and innovation. However, alongside these benefits comes a growing security concern: Shadow SaaS and Shadow AI—unapproved tools that bypass IT oversight, creating serious security, compliance, and operational risks.

‍

What Are Shadow SaaS and Shadow AI?

‍

• Shadow SaaS: SaaS applications adopted by employees or departments without approval or oversight from IT or Security teams.
  Example: Employees using unauthorized tools like Trello, Dropbox, or Slack to manage tasks or share data.
• Shadow AI: AI tools or platforms adopted without IT oversight, often integrating with existing apps or systems.
  Example: An employee using AI tools like ChatGPT, MidJourney, or unapproved AI-based analytics tools to process sensitive company data.

‍

How Shadow SaaS and Shadow AI Put Data at Risk

‍

Shadow SaaS and shadow AI operate outside of IT and security oversight, leading to unvetted permissions, data access, or data processing. These tools often integrate with sanctioned applications through insecure APIs, creating potential backdoors for attackers. Additionally, employees often input confidential data into AI tools, with one study pointing to as much as 15% of employees posting company data in AI tools. This could result in data leaks, compliance violations, or misuse by third-party providers, increasing an organization’s exposure to breaches.

‍

Why Traditional Discovery Tools Fall Short with Shadow AI

Traditional tools weren't designed for the GenAI era and fail to adequately detect shadow AI for several reasons:

‍

CASB Limitations

CASBs monitor network traffic but miss new SaaS tools not yet in their catalogs. They're blind to off-VPN usage on personal devices and can't evaluate data being entered into services. Most critically, they can't distinguish embedded AI copilots that share domains with approved apps.

‍

DLP Shortcomings

While DLPs scan for sensitive data patterns leaving your organization, they need to be fine-tuned and are difficult to establish and maintain. An employee sharing intellectual property via an AI assistant might be missed if it doesn't match a specific DLP patterns. DLP also doesn’t tell you which new app the data went to – it might just alert “possible data exposure” without the full context. And like CASB, if the usage happens from an unmanaged device or encrypted channel, DLP might not see it at all.

‍

Browser Extension Risks

Browser extension tools require dangerous permissions (browsing history access, web content modification, keystroke monitoring) that create serious vulnerabilities. The 2024 Cyberhaven incident proved even trusted extensions can be hijacked. They also suffer from coverage gaps - they only work on specific browsers, can't monitor mobile devices, and rarely achieve full deployment across an organization.

‍

How Reco Discovers Shadow SaaS and Shadow AI

‍

The first step to securing shadow SaaS and shadow AI is understanding and documenting all third-party tools that are active in your environment. Reco’s shadow SaaS discovery solution employs a comprehensive approach:

1. Active Directory Integration: First, Reco connects with your organization's Active Directory, such as Microsoft Azure AD or Okta, to import a list of known applications.
2. Email Metadata Analysis: By analyzing email header metadata from platforms like Gmail and Outlook, Reco identifies potential shadow applications, filtering out internal applications and marketing emails to focus on genuine usage indicators. By not reading the email body, we don't introduce unnecesary security risks.
3. GenAI Module Consolidation: The GenAI module consolidates this information, matching senders with corresponding SaaS applications and determining their authentication methods.
4. Shadow Application Identification: By subtracting known applications from the list, Reco identifies shadow applications that may pose security risks and produces a final list.

What Reco Can Tell You About Shadow Apps

Reco can help you answer questions like:

• Which shadow apps and AI tools are being used in my environment?
• Who is using them and when were they used?
• What actions have these users taken? Any potentially risky uploads?
• How are users authenticating? Are the apps secured with MFA?
• Are these shadow SaaS tools connected to any other SaaS tools in my environment via API or OAuth token?

‍

How Reco Continuously Secures SaaS After Discovery

‍

Once the shadow applications are identified and catalogued, Reco provides continuous intelligence to help organizations manage risks. Via our AI-based graph technology, Reco provides visibility into every app, identity, and their actions. That way, security teams can monitor those applications, remediate risks, or choose to block applications that are too risky. They can also work with the business teams to deploy safer applications that support the same needs.

‍

After the discovery phase, Reco’s continuous SaaS security provides:

‍

1. Posture Management: Reco evaluates each app's security posture and identifies misconfigurations, such as overpermissioned roles, stale accounts, and expired access keys. It provides actionable intelligence on how to clean up risks, and ranks alerts so you can prioritize.
2. Continuous Monitoring: Reco keeps tabs on any updates that could introduce vulnerabilities and monitors for configuration changes that could increase data exposure via SaaS Security Posture Management (SSPM). It continuously monitors for newly added shadow applications, so you can respond in real time (Figure 2).
3. Identities and Access Governance: Reco consolidates identities from across all your SaaS applications and allows you to manage permissions and roles from a single console. Understand critical exposure gaps from user permission level and behavior in your SaaS ecosystem that can lead to a breach.
4. User Behavior and Entity Analytics: Reco provides real-time notifications when something unusual happens that could signify malicious intent, like impossible travel, unusual downloads, suspicious permission changes, or failed login attempts. It integrates with your SIEM or SOAR so your organization can detect and respond within existing workflows.

Get Started with Reco Today

‍

As organizations increase their usage of SaaS and AI tools, shadow SaaS and shadow AI risks are steadily increasing. Protect your organization from data exposure and unauthorized access with Reco. Schedule a demo today.