People who don鈥檛 have the tool to get a job done will find one that works. That鈥檚 why shadow IT, software or services that are unaccounted for and unauthorized, exists. It may even underlie important business processes, which is why it鈥檚 extremely important to discover what鈥檚 really out there.
Shadow IT creates security concerns, can impact operations, and easily becomes a roadblock on the path to digital transformation. The overall impact is that it makes managing your infrastructure a lot more complicated from onboarding new hires to supporting business needs.
This article will assist you in your efforts to identify shadow IT and make it possible using the fewest resources. It also compares 黑料海角91入口’s open directory platform and Microsoft Intune for auditing application usage and provides additional resources to help you along the way.
Techniques to Discover Shadow IT
Discovering and managing shadow IT requires a multipronged approach. You can鈥檛 just buy a secure, compliant, and efficient IT environment. By implementing these strategies, you鈥檒l gain better visibility into your IT environment and mitigate the risks associated with shadow IT.
Check out this article on shadow IT statistics and solutions.
Talk to Your People
Do you have any specific concerns or areas where you suspect shadow IT might be occurring? Conduct surveys and interviews with employees to understand what tools they are using and why. Even still, there鈥檚 no substitute for walking the floor: you鈥檒l be amazed at what you uncover.
For instance, employees may use macros in word processing apps for reporting. Policy baselines can impact that workflow, which may prevent work from happening. The person in charge of reporting can tell you how important the macros are to their job, if you鈥檙e willing to go to them and ask the right questions. Try to remember to actively listen and avoid punishing people for using unauthorized apps, especially if they were in place before your time.
Cloud Access Security Brokers (CASBs)
CASBs can help you discover and manage shadow IT by monitoring cloud app usage and identifying unsanctioned apps. You鈥檒l gain greater visibility and be able to perform a risk assessment on any discovered SaaS apps. CASBs are often used for data loss prevention and control and enforcement of policies for compliance and security purposes. Note that a small- to medium-sized enterprise (SME) may not require all of the capabilities that a CASB provides.
Network Monitoring
Image credit:
Network monitoring includes using tools to track unusual data patterns or irregularities, which can indicate the use of unapproved applications or services. There are numerous free and open source available to use; however, it can be challenging work. Some free and open source tools include Cacti, Prometheus, WireShark, and Zabbix.
Some of the challenges of using network monitoring are:
- Volume of data: Network monitoring generates a large amount of data, which can be overwhelming to analyze without the right tools and expertise. It can be resource intensive.
- Encryption: Many modern applications use encryption, making it difficult to inspect the traffic content directly. However, metadata and traffic patterns can still provide useful insights.
- False positives: There is a risk of false positives, where legitimate applications are flagged as shadow IT, leading to unnecessary investigations. It鈥檚 easy for IT to lose track of other priorities.
Regular Audits
Conduct regular audits that focus on software and application usage. This can help uncover instances of shadow IT and usage patterns that show how widespread it is. Schedule regular audits to ensure ongoing compliance and to address any new risks that may arise.
Casting IT Into the Shadows
What you can鈥檛 see CAN hurt you when it comes to shadow IT. Learn six key shadow IT risks and how to address them proactively.
Spend Management Solutions
Follow the money by using spend management solutions to track purchases of software and services that may not have gone through the official IT procurement process. Expense reports will help identify what鈥檚 really out there, especially on mobile devices.
Employee Education and Engagement
Educate employees about the risks of shadow IT and encourage them to use approved tools and services. Engaging with departments to understand their needs can also help reduce the temptation to use unapproved solutions. Be approachable and collaborative.
SaaS Management Platforms
Utilize SaaS management platforms to discover and manage unauthorized software usage. Some single sign-on (SSO) platforms will offer this capability without the need to use point solutions.
SaaS management falls under the wider umbrella of IT asset management. It provides visibility into all SaaS applications used within an organization, monitors usage, assesses risks, manages costs, and enforces IT policies to ensure security and compliance. It helps identify and control shadow IT, optimizing software spending and improving overall efficiency.
Check out this free resource: The MSP鈥檚 Guide to Combating Shadow IT.
It鈥檚 possible to begin the audit process without purchasing any new tools. You can leverage what you already 鈥渙wn鈥 to account for shadow IT. For example, device management platforms like Intune and 黑料海角91入口 have features that audit devices for their app inventories, and more.
Using Intune to Discover Shadow IT
Microsoft Intune is a cross-OS device management platform that鈥檚 optimized for Windows. It鈥檚 an add-on to Azure AD (now known as Entra ID), but they鈥檙e often bundled together. Azure AD won鈥檛 discover shadow IT: it鈥檚 a pure play identity and access management (IAM) solution.
Intune will inventory which apps are present on enrolled devices. Select Apps > Monitor > Discovered apps to see which apps are installed among managed devices.
You may also examine installed apps by device. It will return a listing of discovered apps with app names and versioning information. The list is exportable on a per-device basis and . This is how that report looks for a Windows PC in the devices blade:
Note: Don’t be confused with app monitoring and assignments that are managed under Apps > All apps. That feature is used to deploy apps throughout your fleet.
These reports are focused on locally installed apps; Intune won鈥檛 audit your users鈥 SaaS apps. Microsoft鈥檚 Defender for Cloud Apps is a CASB that鈥檚 billed and managed separately from Intune. Other options include extending Active Directory with SSO and IT asset management.
Using 黑料海角91入口 to Discover Shadow IT
The next section examines 黑料海角91入口, an open directory platform that provides unified IAM and device management. The open directory provides similar app reporting to Intune, and more.
黑料海角91入口 admins can select Devices > Insights > Software to generate a report on programs that are installed on a particular device that includes names, installation dates, and versioning. It will also inventory any browser extensions that are present for Chrome and Microsoft browsers.
It鈥檚 also possible to use 黑料海角91入口鈥檚 PowerShell module to create a fleetwide.
This is also helpful when apps are mandatory or may have unused/underutilized licenses. Integrated app lifecycle management is also available though the device console.
Admins may also monitor SaaS app usage using the built-in User to SSO Applications report without purchasing a separate subscription. It returns all user attributes and SSO application associations for each user. The capacity to discover unauthorized SSO apps is coming soon.
黑料海角91入口 acquired Resmo, an asset management and SaaS security solution, to provide a unified solution of SaaS, IT security, and asset management. Its all-in-one approach will assist with eliminating shadow IT through full visibility into apps and cloud infrastructure.
Differences Between Intune and 黑料海角91入口
Intune and 黑料海角91入口 have similar features to discover locally installed apps. The actual differences are slight: for instance, Intune provides a GUI for fleet-wide app management; 黑料海角91入口 offers PowerShell or 黑料海角91入口 will look out for installed browser extensions.
The overall product architectures, optionality, and how the services are bundled differ.
- Architecture: 黑料海角91入口 offers a unified console for IT simplification; Intune is just one part of a broader suite of Microsoft platform and security services that are licensed and integrated.
- Optionality: Intune works through Azure AD. It鈥檚 bundled with Microsoft 365 (M365) services, and is the de facto device management platform for Microsoft shops. 黑料海角91入口 delivers on optionality 鈥 i.e., the freedom to use best-of-breed solutions. Device management features are available for organizations that use 黑料海角91入口 as their identity provider (IdP) or like Okta.
- Bundling: Intune is priced separately from AAD or as part of an M365 bundle. 黑料海角91入口 has workflow-based pricing, enabling organizations to option for a device-only SKU.
Learn how works with 黑料海角91入口.
Demo 黑料海角91入口
黑料海角91入口 offers IAM and cross-OS device management in an open directory platform that serves as either the core IdP or federates with other IdPs like Active Directory integration, Okta, and Google. It features cloud LDAP, RADIUS, SSO, and multi-factor authentication (MFA) with passwordless modern authentication that鈥檚 phishing-resistant for better security.
The platform also includes optional conditional access, remote assist, , and cross-OS patch management to grant users secure, Frictionless Access鈩 to everything they need to do their work however they choose. IT admins get centralized user, system, and non-system resource management across their entire environment.
If you would like to learn more about 黑料海角91入口, please reach out to us. and find out if it鈥檚 the right option to help your organization to eliminate shadow IT.
