One of the greatest benefits and appeals of SaaS is their ease of use. All it needs is a credit card, a few minutes of registration and you are up-and-running with your app. This advantage is, however, a cause for the risk of shadow SaaS.
Shadow SaaS happens when employees set up SaaS accounts for corporate use without the permission or awareness of the IT/Security departments. For example, a business unit gets frustrated at how long it will take to integrate themselves into the company’s customer relationship management (CRM) system, so it sets up its own CRM.
Or, worse, the business unit sets up its own SaaS-based enterprise resource planning (ERP) system so it can move quickly to achieve its goals—without conforming to security policies. This common practice leads to lack of visibility and control on which applications are being used and what security controls are implemented and enforced.
The lack of security monitoring in shadow SaaS can result in the loss of corporate data on insecure applications, sensitive data leakage, weak or no identity management, and lack of strong authentication methods.