Shadow Tech

Are your business systems under control and are you in control of your Shadow SaaS?

In a previous blog post we commented on the emerging evolution of the hybrid business application environment.  In this article we focus on the concept of control over your business systems in relation to SaaS systems.


There is an old term called ‘shadow IT’ that relates to the use of technology-based processes that emerge in organisations without the formal oversight of the technology department.  The most common examples are Excel and MS Access databases.  If this is not familiar to you – then you are one of the lucky ones, or living in blissful ignorance of the reality.

So what’s the big deal with Shadow IT?  The same considerations should be given to all software operating within your business.  

  • Availability.  Will the system run 24x7x365 or is there expected down time?
  • Robustness.  When – not if – an outage occurs:  What is the impact to your business, what is the SLA for a return to operations and does this align with your business continuity planning?  
  • Scalability. If more users adopt the system will it still perform?  
  • Support.  What support contract do you have in place – if any?
  • Security.  All new software introduced should go through some rigour, including security testing and consideration of its functional security.
  • Compliance.  Data protection in particular, such as GDPR in the EU, needs to be given proper consideration during development.

Whilst having someone put together a quick application using Excel to help a process and save time is a fantastic solution to a real problem – a business must take a wider view on such things and look to solve the problem in a more robust way.

So far nothing new to a lot of people.  Shadow IT has been a challenge for decades.  However, we now have the addition of Shadow SaaS to contend with.  It is probably not a stretch to assume that EVERY organisation has a degree of Shadow SaaS happening right now today – or at least they used to have…. or they will have!!  Does anyone in your organisation use the free versions of Slack, Calendly, Zoom, Trello, Mailchimp, or Box for example?  How about Zapier?  Has the Sales or Marketing team started using a CRM product like Salesforce or Zoho or Pipedrive in order to get away from using Excel?  Great – the right thing to do!!  Have they started using these tools with the full knowledge and guidance of the technology team?  No?  Not so great!!

A lot of companies are outsourcing their ‘IT’, which commonly includes PCs/laptops, printers, a domain controller and LAN, and a degree of security with a firewall.  A lot of IT contracts do not include business applications, particularly when SaaS products are in use, as there are direct agreements with the SaaS providers.

As a business you must acknowledge the use of SaaS systems – and assume the unauthorised use of some SaaS systems – particularly in a regulated industry or where the data you manage is sensitive.

You may decide that some are permissible to use without the ownership of your IT team.  But at the very least there should be a process to assess each SaaS application that is used.  Have a strong policy about free versions too, as sensitive business data can end up on free SaaS platforms without any governance.

The key thing is – DON’T FIGHT IT!  SaaS is not going away and the vast majority of businesses will need to use some SaaS systems to operate.  Have a policy, educate your colleagues, include SaaS within the technology governance frameworks of security, data protection and business continuity.