Uncovering the Impact of Shadow SaaS in the Digital Workplace

Introduction

As corporate workers increasingly rely on Software-as-a-Service (SaaS) applications, including GenAI tools such as ChatGPT, there is a pressing need to gain comprehensive insights into their use to proactively manage and mitigate data exposure risks. Using unauthorized SaaS apps, or Shadow SaaS, puts data at greater risk because your security teams are unaware which applications are being used, no less what data is going into them.

While using Shadow SaaS can seem benign, it carries hidden risks that can undermine an organization's security, compliance, and data integrity. Using real-world data from hundreds of companies using the Reveal Platform by Next DLP in January 2024, this post aims to shed light on these often misunderstood risks, providing insights into Shadow SaaS usage and how Shadow SaaS is being used to exfiltrate company owned data, either inadvertently or maliciously. As part of this study, we first analyzed the top exfiltration Tactics, Techniques and Procedures across the platform, aligned with the MITRE ATT&CK framework and summarized our findings ‎in an earlier blog post.

In this blog post, we focus specifically on file uploads through web-based SaaS applications.

How prevalent is Shadow SaaS?

It is up to the organization alone to discern if an app used by an employee is sanctioned or not. Shadow SaaS is considered as such if the application is not sanctioned for use by the IT team. So Google Workspace, for example, could be Shadow SaaS for one organization and a sanctioned coworking platform for another.

Cross referencing the sites that users uploaded data to with some of the most popular knowledge worker apps, we saw many of the business applications you’d expect:  

• Microsoft applications including 365, Sharepoint, OneDrive, Office, Teams
• Amazon Web Services
• Google Workspace
• Salesforce
• Zoom
• Atlassian product suite
• Slack
• DocuSign
• KnowBe4
• Trello
• SuccessFactors
• GoTo Meeting
• GitHub
• Autodesk
• WeTransfer
• Workday
• Concur
• LinkedIn
• Netsuite
• Service Now
• Dropbox
• Canva
• Smartsheet
• Figma

While using a company managed endpoint, there may also be a risk of users uploading data to popular sites and apps that may not pertain to their primary day job, such as: 

• Messaging services: Signal, Facebook, WhatsApp, Telegram
• Social Networking: Instagram, Facebook
• eCommerce: Shopify

In addition, we saw: 

• Among the top 300 sites with the most uploads, there are 15 distinct PDF conversion platforms and 9 separate image conversion sites.
• A prevalence of visits, downloads and uploads to the SaaS apps for different pieces of niche hardware e.g. Paper Tablets and USB Pens.  
• Uploads to the translation service site DeepL. 
• Our researchers noted multiple instances where a single user in an organization was the only user of a given application, making it unlikely the security team was aware of its application or use case. 

Messaging Apps

WhatsApp

Across all the sites and applications that users uploaded data to, WhatsApp had the 3rd most uploads. This is surprising in that WhatApp isn’t well known as a business application in the geographies where most of Reveal’s users work: US and UK. But at the same time it’s not surprising given how easy the WhatsApp application makes it to copy, paste, and share. All that’s needed is a recipient phone number to transfer data. 

WhatsApp isn’t the only messaging app that is being used to share data from managed devices; Facebook had the 28th most uploads and Telegram, an app known to be used by criminals, whistle-blowers, terrorists and hackers, was the 107th most uploaded-to site. 

GenAI / ChatGPT Update

As part of the investigation, we were interested to see how GenAI and ChatGPT usage has changed since our last report. 

Users are uploading data to ChatGPT from their managed endpoints. ChatGPT accepts all common file extensions for text files, spreadsheets, presentations, and documents. In terms of upload count, ChatGPT has the 25th highest.

While not GenAI, we also see access to and uploads to services like Stack Overflow. These are messaging boards where tech people ask questions of the community and get advice on coding / config etc. It’s a similar use case as GPT in a lot of ways and has the same risks of employees posting proprietary code or disclosing technical information that is sensitive.

iCloud - the Silent Exfil vector?

iCloud, given its seamless integration with the wide array of Apple devices prevalent in both personal and professional spaces, presents a potential malicious or negligent vector for data exfiltration from companies. Our researchers noted that iCloud is the 15th most downloaded-from site and the 33rd most uploaded-to. 

The ubiquity of Apple products across various levels of an organization's hierarchy allows iCloud to act as an inconspicuous conduit for unauthorized data transfer. Apple's aim to integrate everything and help users have a "cross device" and "data rich experience" could have the effect of putting data into employees’ personal accounts and making it out of reach of organizations governance and control. Employees, intentionally or inadvertently, might sync sensitive corporate data to their personal iCloud accounts, thereby bypassing traditional security measures and making it accessible outside the company's controlled environment. 

What about Downloads? 

Looking at where users are downloading files from, we see that sourceforge.com is the 100th most popular site for downloads to company managed endpoints. SourceForge.com and other download sites like it could be a source of shadow IT for several reasons:

1. Unsanctioned Software: SourceForge is a repository that hosts a wide range of open-source software projects. Employees might download and use software from SourceForge without the knowledge or approval of their IT department, leading to the use of unsanctioned or unauthorized software within the organization. This can create security vulnerabilities, compliance issues, and compatibility problems.
2. Custom Applications: Developers within an organization might use SourceForge to find libraries or code snippets for use in custom applications they're developing. If these custom applications are developed outside the IT department's oversight, they could introduce security risks, especially if the code is not properly vetted.
3. Software Updates and Patches: Software sourced from SourceForge might not always follow the same update and patch management processes as software procured through official channels. This can lead to outdated software with known vulnerabilities being used within the organization, increasing the risk of security breaches.
4. Lack of Standardization: When employees independently download and use tools from SourceForge, it can lead to a lack of standardization within the organization. This makes it difficult for IT to support and manage the diverse set of tools and software, leading to increased costs and inefficiencies.
5. Compliance and Licensing Risks: Open-source software comes with various licenses that dictate how the software can be used and distributed. Without proper oversight, an organization could inadvertently violate these licenses, leading to legal issues and non-compliance with industry regulations.

Be Ready for What’s Next

Security teams should be asking themselves several critical questions to proactively manage and mitigate the risks associated with Shadow SaaS and potential sensitive data exposure. These include evaluating the extent of unauthorized app usage within their organization, understanding the types of data being transferred to these platforms, and identifying which cloud-based applications are most frequently used for exfiltration purposes. Additionally, they should consider the implications of integrating popular knowledge worker apps with their security protocols and how to better monitor and control data flow to external sites and applications, especially those not directly related to work activities.

Sample questions checklist: 

• Why is this user the only person in the company using such a service? 
• Are workers using their endpoints for non-company business (side hustles)?
• What data is being synced with peripheral providers? 
• Who is paying for these services?
• What credentials are being used? 
• What permissions do Shadow SaaS apps have to our sanctioned applications? 
• What are the tools IT needs to subscribe to so that our users aren’t going to an ad-supported document or image conversion tool of choice? 
• What business documents are being uploaded? 
• If company documents are being uploaded to translation sites, are the General Counsel and Data Protection Officer aware?
• How do we save time preparing for SOC2 and ISO27001 audits? 
• What in-house (human) editors / testers does the SaaS application employ to inspect the apps automated work, and adjust the output as necessary? 

This reflection is essential in crafting a robust security posture that addresses the nuanced challenges of Shadow SaaS in today's digital workplace.

Conclusion

On one hand, Shadow SaaS makes employees more productive by allowing them to use their preferred technologies, which nearly all employees (97%) report increases their productivity. On the other hand, it's well known that Shadow SaaS can pose significant risks by potentially exposing organizations to data breaches, compliance violations, and lack of data governance, as employees use unauthorized software without IT department oversight. 

The exploration of Shadow SaaS usage and its role in data exfiltration within organizations highlights a critical vulnerability in modern IT infrastructure. As the adoption of unauthorized cloud-based applications continues to grow, driven by the convenience and ubiquity of services like iCloud and popular knowledge worker apps, the risk of sensitive data being inadvertently or maliciously leaked outside corporate controls also escalates. 

We hope this blog post underscores the importance of proactive security measures, robust policy enforcement, and continuous monitoring to mitigate these risks. Through detailed insights and real-world examples, it becomes clear that understanding and addressing Shadow SaaS usage is not just about preventing data loss but also about safeguarding the integrity and reputation of organizations in the digital age.