If an employee is anyone who holds knowledge of your enterprise, then organisations should brace themselves for thousands of anonymous “employees” on the internet, in the form of web applications.
Today’s Shadow SaaS problem has exploded to unprecedented levels. Organisations now use an average of nearly 500 SaaS applications, with less than half officially authorised by IT departments. What are organisations doing wrong in their Shadow SaaS discovery and control measures? What would the most efficient and cost-effective solution look like?
Cloud Access Security Brokers (CASBs), even as part of broader Secure Access Service Edge (SASE) frameworks, only help with a limited, pre-catalogued subset of web applications, typically around 30,000 for the leading vendors. Those catalogued applications are the ones that have undergone formal risk assessment and been assigned risk scores. In comparison, there are an estimated 200 million active web applications today.
For the vast majority of web applications, security teams face a binary choice: allow or block entirely. This all-or-nothing approach leaves no middle ground for nuanced access control. There is simply no practical way for enterprises to monitor what is happening inside these uncatalogued web applications, or to determine whether they should be allowed with restrictions or partially blocked. Administrators must rely on SaaS Security Posture Management (SSPM) risk scores to make blocking decisions, without any real understanding of actual usage patterns or of the data exchanged with those applications within their organisation.
Many SaaS Management Platforms (SMPs) claim to address CASB gaps in shadow SaaS identification. Some even provide greater visibility into authentication methods and MFA implementation across SaaS apps. However, SaaS management shouldn’t exist as a standalone function isolated from your broader security infrastructure.
With CASB solutions that integrate into SASE frameworks, security teams benefit from shared data pools that web security gateways also contribute to, providing deeper visibility into data exchanges. In contrast, SMPs introduce yet another product category into enterprise environments with questionable return on investment. Without visibility into exactly how shadow applications are used in practice, there’s no foundation for informed decision-making about allowing or restricting these apps.
Both CASBs and SMPs rely heavily on API integrations to gather critical data points. These are expensive operations, limited to applications that support API integration and to the restricted range of actions those APIs expose. They generate tremendous cost while providing incomplete Shadow SaaS management coverage.
Additionally, neither solution adequately addresses today’s expanded shadow IT landscape, which must include browser extensions from official stores and side-loaded/developmental ones. This blind spot leaves organisations vulnerable to risks from seemingly innocuous browser add-ons that can access sensitive data.
What is the most effective and cost-efficient solution to today’s Shadow SaaS sprawl? First, we need a solution built around continuous feedback loops: one that collects comprehensive data from employee browsing across the entire web and understands what information is being exchanged, more completely and more cheaply than constant API polling.
Shadow SaaS cannot, by definition, be detected based on a limited subset of supported applications. Every URL visited by employees—whether a recognised enterprise application or a simple HTML-only site—must be discovered. The solution needs to record, process, and derive insights from all data exchange vectors including clipboard operations, form inputs, file transfers, and more. It must then build a comprehensive shadow SaaS repository, empowering administrators to make truly informed decisions about which apps to allow, restrict, or block.
Today, Browser Detection and Response (BDR) solutions represent the only category capable of providing this holistic shadow SaaS discovery. These security tools operate within the browser context itself, tracking user behaviour, interactions, DOM changes, network requests, authentication attempts, and extension installations in real-time. By maintaining this continuous visibility, BDR solutions can identify shadow SaaS usage the moment it occurs, providing security teams with immediate insights rather than discovering unauthorised applications months after they’ve been integrated into critical workflows.
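As an added illustration, not part of the original article and not code from any BDR vendor, here is a minimal origin-keyed recorder for the data-exchange vectors the paragraph lists (clipboard paste, form submission, file upload, outbound request bodies). It is wired to a window-like object so the same hooks run against a real page or the constructed fake included below; the catalogue entries, page origin, event payloads and vector names are assumptions made up for the demonstration.

```javascript
// Added example: a minimal in-browser recorder for data-exchange vectors
// (paste, form submit, file upload, outbound fetch bodies), keyed by origin
// rather than by a catalogue lookup. Not taken from any BDR product; the
// catalogue, origins and payloads below are constructed for illustration.

// Constructed stand-in for a vendor catalogue (the pre-assessed apps).
const CATALOGUE = new Set(['app.salesforce.com', 'teams.microsoft.com']);

class ShadowSaasRepository {
  constructor(catalogue = CATALOGUE) {
    this.catalogue = catalogue;
    this.apps = new Map(); // origin -> { catalogued, vectors: { name: { count, bytes } } }
  }

  // Every origin that exchanges data gets an entry, catalogued or not.
  record(origin, vector, bytes = 0) {
    let app = this.apps.get(origin);
    if (!app) {
      app = { catalogued: this.catalogue.has(origin), vectors: {} };
      this.apps.set(origin, app);
    }
    const v = app.vectors[vector] || (app.vectors[vector] = { count: 0, bytes: 0 });
    v.count += 1;
    v.bytes += bytes;
    return app;
  }

  // Uncatalogued origins that received data, most bytes first: the shadow
  // SaaS list an administrator would triage into allow / restrict / block.
  shadow() {
    const out = [];
    for (const [origin, app] of this.apps) {
      if (app.catalogued) continue;
      const bytesOut = Object.values(app.vectors).reduce((n, v) => n + v.bytes, 0);
      out.push({ origin, bytesOut, vectors: Object.keys(app.vectors).sort() });
    }
    return out.sort((a, b) => b.bytesOut - a.bytesOut);
  }
}

// Hook the vectors on a window-like object. `win` is injected so the same code
// runs against a real browser window or the fake built below for offline use.
function attach(repo, win) {
  const pageOrigin = () => win.location.hostname;

  win.document.addEventListener('paste', (e) => {
    const text = e.clipboardData.getData('text') || '';
    repo.record(pageOrigin(), 'paste', text.length);
  });

  win.document.addEventListener('submit', (e) => {
    const bytes = Array.from(e.target.elements)
      .reduce((n, el) => n + String(el.value || '').length, 0);
    repo.record(pageOrigin(), 'form_submit', bytes);
  });

  win.document.addEventListener('change', (e) => {
    if (e.target.type !== 'file') return;
    const bytes = Array.from(e.target.files).reduce((n, f) => n + f.size, 0);
    repo.record(pageOrigin(), 'file_upload', bytes);
  });

  // Outbound request bodies are attributed to the destination host, which may
  // be a third-party service embedded in the page rather than the page itself.
  const realFetch = win.fetch;
  win.fetch = (input, init = {}) => {
    const raw = typeof input === 'string' ? input : (input.url || String(input));
    const url = new URL(raw, win.location.href);
    const body = init.body;
    const bytes = typeof body === 'string' ? body.length : (body && body.size) || 0;
    if ((init.method || 'GET').toUpperCase() !== 'GET') {
      repo.record(url.hostname, 'fetch_body', bytes);
    }
    return realFetch.call(win, input, init);
  };
}

// Constructed stand-in for a browser window, just enough for the hooks above.
function makeFakeWindow(href) {
  const listeners = {};
  return {
    location: new URL(href),
    document: {
      addEventListener: (type, fn) => (listeners[type] = listeners[type] || []).push(fn),
      dispatch: (type, event) => (listeners[type] || []).forEach((fn) => fn(event)),
    },
    fetch: async () => ({ ok: true }),
  };
}

// Simulated session on an uncatalogued note-taking app; all payloads are made up.
function runDemo() {
  const repo = new ShadowSaasRepository();
  const win = makeFakeWindow('https://notes.example-saas.net/doc/1');
  attach(repo, win);
  win.document.dispatch('paste', { clipboardData: { getData: () => 'Q3 revenue forecast' } });
  win.document.dispatch('submit', { target: { elements: [{ value: 'alice@corp.example' }, { value: 'hunter2' }] } });
  win.document.dispatch('change', { target: { type: 'file', files: [{ size: 2048 }] } });
  win.fetch('/api/sync', { method: 'POST', body: JSON.stringify({ a: 1 }) });
  win.fetch('https://app.salesforce.com/api', { method: 'POST', body: 'x'.repeat(10) });
  return repo;
}
```

In a real deployment this logic would live in an extension content script; the point of the example is that `notes.example-saas.net` is discovered and sized by use alone, while the catalogued Salesforce request is still recorded but drops out of the shadow list. Attributing request bodies to the destination host rather than the page also surfaces third-party services embedded inside otherwise sanctioned applications.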
In mathematics, to disprove a conjecture we only need to exhibit one case in which it fails. The same principle applies to security approaches that rely on predefined catalogues: a single SaaS application outside the scope of your catalogue can compromise the data security of your entire organisation. This fundamental weakness means catalogue-based approaches are destined to fail in a world of rapidly proliferating web applications.
Browser Detection and Response solutions offer a zero-trust approach in which the domain is not the basis of trust. By operating where the action happens, directly in the browser, these solutions provide comprehensive visibility across the entire web application landscape, enable data-driven decisions about application governance, and help security teams move from reactive to proactive shadow SaaS management.