People who don’t have the tool to get a job done will find one that works. That’s why shadow IT, software or services that are unaccounted for and unauthorized, exists. It may even underlie important business processes, which is why it’s extremely important to discover what’s really out there.
Shadow IT creates security concerns, can impact operations, and easily becomes a roadblock on the path to digital transformation. The overall impact is that it makes managing your infrastructure a lot more complicated from onboarding new hires to supporting business needs.
This article will help you identify shadow IT using the fewest resources possible. It also compares JumpCloud’s open directory platform and Microsoft Intune for auditing application usage and provides additional resources to help you along the way.
Techniques to Discover Shadow IT
Discovering and managing shadow IT requires a multipronged approach. You can’t just buy a secure, compliant, and efficient IT environment. By implementing these strategies, you’ll gain better visibility into your IT environment and mitigate the risks associated with shadow IT.
Check out this article on shadow IT statistics and solutions.
Talk to Your People
Do you have any specific concerns or areas where you suspect shadow IT might be occurring? Conduct surveys and interviews with employees to understand what tools they are using and why. Even so, there’s no substitute for walking the floor: you’ll be amazed at what you uncover.
For instance, employees may use macros in word processing apps for reporting. Policy baselines can impact that workflow, which may prevent work from happening. The person in charge of reporting can tell you how important the macros are to their job, if you’re willing to go to them and ask the right questions. Try to remember to actively listen and avoid punishing people for using unauthorized apps, especially if they were in place before your time.
Cloud Access Security Brokers (CASBs)
CASBs can help you discover and manage shadow IT by monitoring cloud app usage and identifying unsanctioned apps. You’ll gain greater visibility and be able to perform a risk assessment on any discovered SaaS apps. CASBs are often used for data loss prevention and control and enforcement of policies for compliance and security purposes. Note that a small- to medium-sized enterprise (SME) may not require all of the capabilities that a CASB provides.
Network Monitoring
Image credit: Wireshark
Network monitoring includes using tools to track unusual data patterns or irregularities, which can indicate the use of unapproved applications or services. There are numerous free and open source network monitoring tools available; however, it can be challenging work. Some free and open source tools include Cacti, Prometheus, Wireshark, and Zabbix.
Some of the challenges of using network monitoring are:
- Volume of data: Network monitoring generates a large amount of data, which can be overwhelming to analyze without the right tools and expertise. It can be resource intensive.
- Encryption: Many modern applications use encryption, making it difficult to inspect the traffic content directly. However, metadata and traffic patterns can still provide useful insights.
- False positives: There is a risk of false positives, where legitimate applications are flagged as shadow IT, leading to unnecessary investigations. It’s easy for IT to lose track of other priorities.
Regular Audits
Conduct regular audits that focus on software and application usage. This can help uncover instances of shadow IT and usage patterns that show how widespread it is. Schedule regular audits to ensure ongoing compliance and to address any new risks that may arise.
Spend Management Solutions
Follow the money by using spend management solutions to track purchases of software and services that may not have gone through the official IT procurement process. Expense reports will help identify what’s really out there, especially on mobile devices.
Employee Education and Engagement
Educate employees about the risks of shadow IT and encourage them to use approved tools and services. Engaging with departments to understand their needs can also help reduce the temptation to use unapproved solutions. Be approachable and collaborative.
SaaS Management Platforms
Utilize SaaS management platforms to discover and manage unauthorized software usage. Some single sign-on (SSO) platforms will offer this capability without the need to use point solutions.
SaaS management falls under the wider umbrella of IT asset management. It provides visibility into all SaaS applications used within an organization, monitors usage, assesses risks, manages costs, and enforces IT policies to ensure security and compliance. It helps identify and control shadow IT, optimizing software spending and improving overall efficiency.
Check out this free resource: The MSP’s Guide to Combating Shadow IT.
It’s possible to begin the audit process without purchasing any new tools. You can leverage what you already “own” to account for shadow IT. For example, device management platforms like Intune and JumpCloud have features that audit devices for their app inventories, and more.
Using Intune to Discover Shadow IT
Microsoft Intune is a cross-OS device management platform that’s optimized for Windows. It’s an add-on to Azure AD (now known as Entra ID), but they’re often bundled together. Azure AD won’t discover shadow IT: it’s a pure-play identity and access management (IAM) solution.
Intune will inventory which apps are present on enrolled devices. Select Apps > Monitor > Discovered apps to see which apps are installed among managed devices.
You may also examine installed apps by device. It will return a listing of discovered apps with app names and versioning information. The list is exportable on a per-device basis and differs by OS. This is how that report looks for a Windows PC in the devices blade:
Note: Don’t confuse this with the app monitoring and assignments that are managed under Apps > All apps. That feature is used to deploy apps throughout your fleet.
These reports are focused on locally installed apps; Intune won’t audit your users’ SaaS apps. Microsoft’s Defender for Cloud Apps is a CASB that’s billed and managed separately from Intune. Other options include extending Active Directory with SSO and IT asset management.
Using JumpCloud to Discover Shadow IT
This section examines JumpCloud, an open directory platform that provides unified IAM and device management. The open directory provides app reporting similar to Intune’s, and more.
JumpCloud admins can select Devices > Insights > Software to generate a report on programs that are installed on a particular device that includes names, installation dates, and versioning. It will also inventory any browser extensions that are present for Chrome and Microsoft browsers.
It’s also possible to use JumpCloud’s PowerShell module to create a custom report fleetwide.
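As an added illustration of such a fleet-wide report (this is not JumpCloud’s own code), the script below pulls the installed-software inventory for every managed device and flags anything outside a sanctioned list. It assumes the JumpCloud PowerShell module is installed and that its Connect-JCOnline, Get-JCSystem and Get-JCSystemInsights cmdlets behave as documented; the System Insights table names (Programs, Apps), the SystemId parameter, and the Name/Version properties on the returned rows are assumptions to verify against your own tenant.

```powershell
# Added example, not JumpCloud's own code. Assumes the JumpCloud PowerShell
# module is installed; the table names, -SystemId parameter and Name/Version
# row properties are assumptions to check against your tenant.
Import-Module JumpCloud

# Read the API key from an environment variable rather than hard-coding it.
Connect-JCOnline -JumpCloudApiKey $env:JC_API_KEY -Force

# Constructed allow-list for illustration; replace with your approved catalogue.
$sanctioned = @('Google Chrome', 'Microsoft Office', 'Zoom')

$rows = foreach ($system in Get-JCSystem) {
    # System Insights keeps Windows programs and macOS apps in separate tables.
    $table = switch ($system.osFamily) {
        'windows' { 'Programs' }
        'darwin'  { 'Apps' }
        default   { $null }   # Linux packages are skipped in this example
    }
    if (-not $table) { continue }

    foreach ($app in Get-JCSystemInsights -Table $table -SystemId $system._id) {
        [pscustomobject]@{
            Hostname = $system.hostname
            Name     = $app.Name
            Version  = $app.Version
        }
    }
}

# Collapse to one line per application with the number of devices it is on,
# then flag anything outside the sanctioned list for follow-up.
$report = $rows | Group-Object Name | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Devices    = ($_.Group.Hostname | Sort-Object -Unique).Count
        Versions   = ($_.Group.Version | Sort-Object -Unique) -join ';'
        Sanctioned = $sanctioned -contains $_.Name
    }
} | Sort-Object Sanctioned, @{ Expression = 'Devices'; Descending = $true }

# Keep the full inventory for the audit trail; show unsanctioned apps first.
$report | Export-Csv -Path .\fleet-apps.csv -NoTypeInformation
$report | Where-Object { -not $_.Sanctioned } | Format-Table -AutoSize
```

Treat the unsanctioned list as a starting point for the conversations described earlier, since a name-only match will flag legitimate tools that simply aren’t in the catalogue yet.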
This is also helpful when apps are mandatory or may have unused or underutilized licenses. Integrated app lifecycle management is also available through the device console.
Admins may also monitor SaaS app usage using the built-in User to SSO Applications report without purchasing a separate subscription. It returns all user attributes and SSO application associations for each user. The capacity to discover unauthorized SSO apps is coming soon.
JumpCloud acquired Resmo, an asset management and SaaS security solution, to provide a unified solution of SaaS, IT security, and asset management. Its all-in-one approach will assist with eliminating shadow IT through full visibility into apps and cloud infrastructure.
Differences Between Intune and JumpCloud
Intune and JumpCloud have similar features to discover locally installed apps. The actual differences are slight: for instance, Intune provides a GUI for fleet-wide app reporting, whereas JumpCloud offers PowerShell for that; JumpCloud also inventories installed browser extensions.
The overall product architectures, optionality, and how the services are bundled differ.
- Architecture: JumpCloud offers a unified console for IT simplification; Intune is just one part of a broader suite of Microsoft platform and security services that are licensed and integrated.
- Optionality: Intune works through Azure AD. It’s bundled with Microsoft 365 (M365) services, and is the de facto device management platform for Microsoft shops. JumpCloud delivers on optionality — i.e., the freedom to use best-of-breed solutions. Device management features are available for organizations that use JumpCloud as their identity provider (IdP) or another IdP like Okta.
- Bundling: Intune is priced separately from AAD or as part of an M365 bundle. JumpCloud has workflow-based pricing, enabling organizations to opt for a device-only SKU.
Learn how IdP federation works with JumpCloud.
Demo JumpCloud
JumpCloud offers IAM and cross-OS device management in an open directory platform that serves as either the core IdP or federates with other IdPs like Active Directory, Okta, and Google. It features cloud LDAP, RADIUS, SSO, and multi-factor authentication (MFA) with passwordless modern authentication that’s phishing-resistant for better security.
The platform also includes optional conditional access, remote assist, privilege management, and cross-OS patch management to grant users secure, Frictionless Access™ to everything they need to do their work however they choose. IT admins get centralized user, system, and non-system resource management across their entire environment.
If you would like to learn more about JumpCloud, please reach out to us. Try JumpCloud for free and find out if it’s the right option to help your organization to eliminate shadow IT.