How to Manage Your Shadow SaaS Ecosystem, with Reco: 9 Tips

Mike D'Arezzo
Updated
March 24, 2025

If you think you know all the SaaS apps in your ecosystem, think again. A report from Reco found that organizations have an average of 129 shadow apps. Well, for me it was closer to 1,000!

My journey with Reco started about a year ago when we signed up to help us “get our arms around” our sprawling SaaS environment at Wellstar Health. People download things from the internet, enter their corporate or maybe personal credit cards, and create accounts. Initially, I was trying to get a handle on this by doing financial forensics. I don’t recommend that. Manually analyzing banking statements hunting for suspicious SaaS charges is draining for the soul. Even bankers don’t want to do financial forensics.

That’s when I came upon Reco at an industry event. It had what we were looking for, so we invested, and since then we’ve matured our shadow IT management program. We’re reducing our shadow IT footprint significantly and in the process, I’ve learned a few things about how to effectively do this.

For those of you venturing into the dark underworld of shadow IT management, I offer this blog. Here are 9 things to do to manage your shadow SaaS ecosystem, with Reco.

1. Prioritize by level of risk

When we first deployed Reco we were shocked. I knew shadow apps were a problem, but seeing hundreds of them catalogued on a dashboard over multiple pages that just kept loading was no small pill to swallow. It felt like it would take months to make a dent! So how do you move past this initial shell shock and get to a place of productive action?

You start with high impact tasks. Here’s what you do:

  1. Sort by vendor risk score (Reco provides a score from A through F – F’s being the worst).
  2. Look at the number of users. An app rated “D” with 3 users is less urgent than an app rated “D” with 1,000 users.
  3. Look at apps that involve some type of data repository, like Dropbox or ServiceNow. Apps that require data storage to be useful warrant a closer look, because they carry the risk of sensitive data exfiltration and regulatory issues.
  4. Consider who the users are. At Wellstar we’re dealing with PHI, so clinicians using these apps is far more critical than someone in Marketing using them, based on the data those team members can access.
  5. Lastly, look at usage patterns. An app that hasn’t been used in 6 months can be deemed lower priority than something that was just used yesterday.
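As an added illustration (not Reco's code or scoring, and not data from Wellstar), here is one way to turn the five criteria above into a repeatable triage order over an app inventory. The weights, role names and sample apps are assumptions chosen so that a “D” app with 1,000 users outranks a “D” app with 3, data-storing apps and PHI-handling users rank higher, and apps idle for more than 6 months are demoted.

```python
import math
from dataclasses import dataclass
from datetime import date

# Vendor risk score A (best) through F (worst), mapped to a numeric weight.
GRADE_RISK = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4, "F": 5}
# Hypothetical weights for the largest user population's role; PHI-handling roles weigh most.
ROLE_RISK = {"clinician": 3, "finance": 2, "engineering": 1, "marketing": 1}


@dataclass
class SaasApp:
    name: str
    grade: str         # vendor risk score, A through F
    users: int
    stores_data: bool  # app only useful with a data repository (file share, ticketing, ...)
    top_role: str      # role of the largest user group
    last_used: date


def priority_score(app: SaasApp, today: date) -> float:
    """Higher score = investigate first. Combines the five prioritization criteria."""
    grade = GRADE_RISK[app.grade.upper()] * 2.0
    # user count on a log scale so 1,000 users outranks 3 without dominating everything
    reach = math.log10(app.users + 1)
    repo = 2.0 if app.stores_data else 0.0
    role = float(ROLE_RISK.get(app.top_role, 0))
    # demote apps with no usage in the last 6 months (180 days)
    staleness = -2.0 if (today - app.last_used).days > 180 else 0.0
    return grade + reach + repo + role + staleness


def triage(apps: list, today: date) -> list:
    """Return the inventory sorted so the highest-priority apps come first."""
    return sorted(apps, key=lambda a: priority_score(a, today), reverse=True)


# Constructed sample inventory for demonstration only.
TODAY = date(2025, 3, 24)
SAMPLE_INVENTORY = [
    SaasApp("scheduling-app", "D", 3, False, "clinician", date(2025, 3, 20)),
    SaasApp("project-tool", "D", 1000, True, "marketing", date(2025, 3, 23)),
    SaasApp("file-share", "F", 50, True, "clinician", date(2024, 6, 1)),
    SaasApp("design-tool", "A", 200, False, "marketing", date(2025, 3, 1)),
]

if __name__ == "__main__":
    for app in triage(SAMPLE_INVENTORY, TODAY):
        print(f"{priority_score(app, TODAY):5.2f}  {app.name}")
```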

2. Dig into use cases

Reco gives you the information you need to surveil your SaaS apps, but that’s just the beginning. The real security impact happens when you take decisive, targeted action based on those insights. Don’t be afraid to pick up the phone and call people, ping them on Teams, or even pop by their desk if you’re in office. Ask questions and find out how they’re using these tools to help you take the right actions.

I’ll share a story. When Reco identified that a particular doctor was using Calendly, I knew I had to look into that. We didn’t have a Business Associate Agreement (BAA) with Calendly, which means we could not put sensitive information into their application without letting them know.

I had a talk with that doctor about the risks of putting PHI in unapproved apps. I explained our liability and offered him a safer app that meets the same need. Now, he’s one of the most security conscious physicians we have. It just took gathering the right information for me to implement the right intervention and reduce this risk.

3. Consolidate where you can

One of the best ways to reduce your blast radius is to consolidate apps. Consolidation means both reducing apps by type (i.e. do we really need five project management tools?) and consolidating disparate accounts with the same vendor. Both can reduce your attack surface and produce measurable financial ROI.

I’ll share an example. Through Reco, we discovered that we had nine Smartsheet accounts spread out across different teams. So I called up the vendor and I consolidated those accounts into one account. By taking advantage of economies of scale through tiered pricing packages, we were able to save $200K. And that’s just one example of the cost savings we’ve unlocked because of Reco.

4. Put on your “customer service” hat

Nothing will destroy your reputation faster than being “that guy” who kills things that provide value for your users. Don’t be the “No” police, be the “Know” police. I just want to know about it! And that’s what Reco allows me to do.

When you see a new SaaS app show up, go talk to the users. Sometimes, they just signed up for a demo and are exploring it. You may already have a solution that meets their needs that you can offer them instead! This goes back to tip 3, consolidation.

Other times, they’re planning on buying it. Okay, well thanks for letting me know! Let’s get this under IT management. Nobody wants to manage an app if they don’t have to, so people will be happy to give up ownership. Show them that you’re here to enable their use of technology, not stifle it. And let them know if they need anything they can call you!

5. Collaborate with app vendors

It’s not just shadow apps — it’s shadow data. Your users are putting business data in these apps, and it can live up there in perpetuity, if you don’t intervene. I always start with the app owners and app users, but there are cases when those don’t exist. People leave the organization, but their shadow data persists.

When there’s no app owner or users to work with, the only way to get rid of the data is to work with the vendors. Here’s how I go about working with vendors to remove shadow data.

Step 1: Take ownership of the account.

Call the vendor and find out what you need to do. For some apps, like Dropbox or Box, you need a certain number of users to move to an enterprise account and take over the account. Find out how many you need, and then convert the account. You may need to produce evidence that you tried (and failed) to get ahold of the users. Now you can take over management, start doing forensics, and identify data that isn’t supposed to be there.

Step 2: Leverage liability.

You’d be surprised how fast vendors will go from, “We don’t purge data” to “How can we help you?” when they understand their regulatory risk. Explain the legal implications of them storing sensitive data in their service that may violate privacy laws in some states in the US and some countries around the world.

6. Schedule a weekly review window

As busy security professionals, it’s easy for tasks to get lost in the noise. That’s why it's important to schedule things in. I look at the app discovery dashboard in Reco every Monday morning. I use the criteria outlined in Tip 1 of this blog to determine which new apps need to be investigated and which ones can wait.

7. Create an app catalogue

When I worked at GE we had an app catalogue and anyone who wanted to request access to software could check the catalogue to see what was available. If there wasn’t already a solution to meet their needs, they could put in a request. This helps reduce app redundancy and shadow instances, and also empowers technology users to get what they need efficiently.

8. Brace yourself for what you’re about to find!

Go into this with eyes wide open. Resign yourself to the fact that you’re going to uncover some things that you won’t be comfortable with, that are downright daunting and even a little scary.

That’s ok. Ignorance is not a solution. It’s better to find out this way, because the alternative could be somebody knocking on your door with news that devastates the business or even your own career.

9. Keep at it, and things will get easier

The last piece of advice I have is to keep pressing on. Know that things will get better. When we first started this journey at Wellstar, Reco was discovering a few hundred new apps every week. But six to eight months into it, it was more like one or two. We’re catching up. It’s manageable now. And it will be for you too, if you stay at it.

Manage Your Shadow SaaS Ecosystem with Reco

Reco has enabled us to transform our shadow IT chaos into a structured and manageable program. The customer success team didn’t just provide a platform – they became partners in our security journey. I recommend Reco for anyone experiencing a similar pain point.

Learn more about my journey with Reco in my other blog. Or connect with me on LinkedIn.


Mike D'Arezzo

ABOUT THE AUTHOR

Mike D’Arezzo currently serves as the Executive Director of Information Security and GRC for Wellstar Health Systems. In the past Mike has assisted organizations and clients in developing transparent and secure programs for Information Technology, Cybersecurity, and Governance, Risk, and Compliance initiatives through risk assessments, penetration testing, and vulnerability management. Prior to Wellstar Health Systems, Mike built a strong track record of operational excellence, innovative problem solving, and regulatory compliance expertise. In addition, Michael brings over 25 years of experience working with companies like General Electric, ePlus Technology, AMF Bowling, and MICROS/Oracle on driving data and system security, policies and standards, compliance and regulatory affairs, and technology solutions.

Technical Review by:
Gal Nakash