[Discussion] For those who killed Shadow IT: How did you actually find all the tools?
Posted by Capital-Job-3592@reddit | sysadmin | 19 comments
Need advice from people who've been through this.
We're 120 people. The spreadsheet has 100+ SaaS tools. Finance says there are more that don't show up in expenses. Leadership wants a full audit.
**Problem:** SSO logs only show managed apps. Personal Notion, free Figma, a dev's side tool: all of that gets missed.
**What I've tried:**
- Pulled the Okta app report - found 40 apps
- Got the expense CSV from Finance - found 25 more
- Still feels like 20-30 tools are hidden
**Question for you all:**
- How do you build a complete SaaS inventory at 100-200 person companies?
- Besides expense + SSO, what data sources do you use?
- Have you used a browser extension or CASB? Was it worth it?
I'm thinking of manually auditing 3-4 companies for free to test if the expense+SSO+interviews combo works. If anyone has already done this, let me know what results you got.
Not selling anything. Just stuck and need to know if I’m missing something obvious.
What worked for you?
sambodia85@reddit
Some security platforms have CASB built in, like Microsoft Cloud App security in the Defender for Endpoint.
So if they are office 365 users, they may already have the data, or be able to opt in and get it.
I’ve also looked at standalone tools like Torii SaaS Management, which I think gleans info from browser extensions, but also tried to find Shadow IT purchases in your financial records. But I never got far into researching it, so unsure of how useful it would’ve been or actual costing.
Capital-Job-3592@reddit (OP)
Thanks, didn't know Defender for Endpoint had CASB built in. That's huge if clients already have O365.
On Torii - I looked at them too. Pricing was $4/user/mo which kills it for 100-person companies. Did you ever get a quote?
Also, did Defender actually catch shadow IT for you or just give traffic logs? I'm wondering if it flags "Personal Gmail used for Notion" type stuff or only corporate domains.
The financial records part is interesting. Did Torii need credit card feed access or just expense CSV uploads?
sambodia85@reddit
It’s been years since I looked. Ultimately it was something I suggested to our finance team, because they were trying to reconcile the number of subscriptions of tool with the number of actual users.
I think Torii can inject Concur data, which we used at the time.
I don't know too much about the Defender tool, we use other tools.
dat510geek@reddit
Get credit card statements one by one. Particularly high points earning staff. That's where you'll find random charges and the apps.
tarvijron@reddit
There are two types of IT teams: Teams that think they've eliminated unauthorized purchases and teams that know they have not.
Check the three F's. Firewalls, Finance and F(ph)ones. Seems like you have gotten two of the three.
Ssakaa@reddit
That's not the 3 F's I learned when I was growing up...
Capital-Job-3592@reddit (OP)
This is the hard truth I needed to hear 😅
You're right - I only have Finance + SSO covered.
For Firewalls: What do you actually pull? DNS logs for SaaS domains? Or full traffic inspection? We have Palo Alto but IT isn't sure what to export.
For F(ph)ones: This is the nightmare. No MDM here. Any way to catch personal phone usage without going full surveillance mode? Or do you just accept that's the 10% you'll never see?
Also 100% agree on the two types of teams. I'm trying to move from type 1 to type 2.
Mind if I DM you? Want to understand your "three F's" checklist if you have one.
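The OP's "expense + SSO" merge and the "Firewalls" F above (DNS logs for SaaS domains) are the same reconciliation problem: several partial sources, one inventory, and the interesting rows are the ones only some sources see. The script below is an added example, not code from anyone in this thread; the SSO app list, expense CSV, DNS log lines and the vendor keyword table are all constructed. It unions the three sources per vendor and then asks the two questions the OP cares about: what is in use but not behind SSO, and what is on the network but neither paid for nor managed (free tiers and personal accounts).

```python
"""
Merge three SaaS discovery sources into one inventory:
  1. the SSO (Okta-style) app report
  2. finance's expense CSV
  3. DNS/firewall query logs
All sample data in this file is constructed for the example.
"""
import csv
import io
from collections import defaultdict

# Constructed: vendor names as the SSO app report exports them.
SSO_APPS = {"Slack", "Google Workspace", "Notion", "GitHub"}

# Constructed: finance expense export. Merchant descriptors are messy on purpose.
EXPENSE_CSV = """date,merchant,amount,employee
2024-03-02,SLACK TECHNOLOGIES,1200.00,it-ops
2024-03-05,FIGMA INC,15.00,design-lead
2024-03-11,NOTION LABS,96.00,pm-team
2024-03-14,ZAPIER.COM,29.00,ops
"""

# Constructed: DNS query log, one "timestamp client queried-name" per line.
DNS_LOG = """2024-03-15T09:12:01Z 10.0.4.21 api.figma.com
2024-03-15T09:13:44Z 10.0.4.33 app.asana.com
2024-03-15T09:14:02Z 10.0.4.21 slack.com
2024-03-15T09:20:17Z 10.0.5.10 hooks.zapier.com
2024-03-15T09:22:51Z 10.0.5.12 www.notion.so
2024-03-15T09:30:00Z 10.0.5.12 app.asana.com
"""

# Constructed: lowercase keyword that identifies a vendor in a merchant string
# or a DNS name. In practice this table is what you grow over time.
VENDOR_KEYWORDS = {
    "Slack": "slack",
    "Figma": "figma",
    "Notion": "notion",
    "Zapier": "zapier",
    "Asana": "asana",
}


def canonical_vendor(text):
    """Map a merchant descriptor or DNS name to a canonical vendor, or None."""
    lowered = text.lower()
    for vendor, keyword in VENDOR_KEYWORDS.items():
        if keyword in lowered:
            return vendor
    return None


def vendors_from_expenses(csv_text):
    """Set of vendors that finance is paying for."""
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = canonical_vendor(row["merchant"])
        if vendor:
            found.add(vendor)
    return found


def vendors_from_dns(log_text):
    """vendor -> set of client IPs that resolved one of its domains."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the audit
        _ts, client, qname = parts
        vendor = canonical_vendor(qname)
        if vendor:
            found[vendor].add(client)
    return found


def build_inventory(sso_apps, expense_csv, dns_log):
    """One row per vendor, recording which source saw it."""
    expense = vendors_from_expenses(expense_csv)
    dns = vendors_from_dns(dns_log)
    inventory = {}
    for vendor in set(sso_apps) | expense | set(dns):
        inventory[vendor] = {
            "sso": vendor in sso_apps,
            "expense": vendor in expense,
            "dns_clients": len(dns.get(vendor, ())),
        }
    return inventory


def shadow_candidates(inventory):
    """Vendors seen anywhere but not behind SSO: the audit's worklist."""
    return sorted(v for v, s in inventory.items() if not s["sso"])


def dns_only(inventory):
    """On the network but neither managed nor paid for: free tiers, personal accounts."""
    return sorted(
        v for v, s in inventory.items()
        if s["dns_clients"] and not s["sso"] and not s["expense"]
    )


if __name__ == "__main__":
    inv = build_inventory(SSO_APPS, EXPENSE_CSV, DNS_LOG)
    for vendor in sorted(inv):
        print(vendor, inv[vendor])
    print("not behind SSO:", shadow_candidates(inv))
    print("network only:", dns_only(inv))
```

The keyword table is deliberately the weak point: a real export will contain merchant strings and CNAMEs that match nothing, and those unmatched rows are the ones to review by hand rather than discard.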
OkEmployment4437@reddit
What finally worked for us was treating shadow IT as a process failure before a policy failure. Most of the time people went around us because the approved path was slow, vague, or took three meetings to get a yes.
We fixed that by creating a very fast intake path: tell us what problem you're trying to solve, the data involved, and the timeline. Then we triaged it into simple risk tiers and either approved a known-good option from a small supported stack, or gave a quick explanation of what had to change to make it workable. The big shift was making the safe path faster than the workaround. You still need guardrails, but if IT is the team that helps people get to yes quickly, the random SaaS signups drop a lot.
Speeddymon@reddit
This is great. Covers 99% of cases. The thing we run into a lot is developers pulling in new dependencies. They inevitably pull from open source repos somewhere along the line.
We now block ssh git pulls completely and send all https traffic either through our firewalls with inspection, or to zscaler which inspects, and block requests to pull packages from open source repos. Everything they want to use has to go through our dependency proxy service (similar to an artifacthub instance) so that it's auditable and if needed we can block the caching and pulling of specific known compromised package versions
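The dependency-proxy approach above has two halves: deny requests for package versions you have decided to block, and, when a version is added to that list later, find out who already pulled it through the proxy. The script below is an added example, not the commenter's setup or any proxy product's code; it assumes an npm-registry-style tarball path layout (`/<name>/-/<name>-<version>.tgz`, scoped packages as `/@scope/<name>/-/<name>-<version>.tgz`) and uses a constructed blocklist and constructed access-log lines.

```python
"""
Dependency-proxy policy check and post-hoc exposure search.
Package names, versions and log lines below are constructed for the example.
"""
import re
from collections import defaultdict

# npm-style tarball path: /name/-/name-version.tgz or /@scope/name/-/name-version.tgz
NPM_TARBALL = re.compile(r"^/((?:@[^/]+/)?([^/]+))/-/\2-([^/]+)\.tgz$")

# Constructed: (package, version) pairs the proxy must neither cache nor serve.
BLOCKED_VERSIONS = {
    ("left-gadget", "2.0.1"),
    ("@acme/telemetry", "0.9.4"),
}

# Constructed proxy access log: "timestamp client method path status" per line.
PROXY_LOG = """2024-03-15T10:01:02Z 10.0.8.5 GET /lodash/-/lodash-4.17.21.tgz 200
2024-03-15T10:02:10Z 10.0.8.7 GET /left-gadget/-/left-gadget-2.0.1.tgz 200
2024-03-15T10:03:30Z 10.0.8.9 GET /@acme/telemetry/-/telemetry-0.9.4.tgz 200
2024-03-15T10:04:00Z 10.0.8.5 GET /left-gadget/-/left-gadget-2.0.2.tgz 200
2024-03-15T10:05:00Z 10.0.8.7 GET /left-gadget 200
2024-03-15T10:06:00Z 10.0.8.11 GET /left-gadget/-/left-gadget-2.0.1.tgz 403
"""


def parse_tarball_path(path):
    """Return (package, version) for a tarball request, else None."""
    match = NPM_TARBALL.match(path)
    if not match:
        return None
    return match.group(1), match.group(3)


def decide(path, blocklist=BLOCKED_VERSIONS):
    """Policy the proxy applies per request: deny, allow, or not a tarball."""
    parsed = parse_tarball_path(path)
    if parsed is None:
        return "not-a-tarball"  # metadata requests are handled elsewhere
    return "deny" if parsed in blocklist else "allow"


def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate malformed lines
        ts, client, _method, path, status = parts
        rows.append({"ts": ts, "client": client, "path": path, "status": int(status)})
    return rows


def served_blocked_versions(log_text, blocklist=BLOCKED_VERSIONS):
    """(package, version) -> clients that successfully fetched it before it was blocked."""
    hits = defaultdict(set)
    for row in parse_log(log_text):
        parsed = parse_tarball_path(row["path"])
        if parsed and parsed in blocklist and row["status"] == 200:
            hits[parsed].add(row["client"])
    return hits


if __name__ == "__main__":
    for row in parse_log(PROXY_LOG):
        print(row["path"], "->", decide(row["path"]))
    for (pkg, ver), clients in served_blocked_versions(PROXY_LOG).items():
        print(f"{pkg}@{ver} was served to {sorted(clients)}; these builds need rebuilding")
```

The 403 row is the proxy doing its job after the block landed; the 200 rows for the same versions are the real output, because those clients already have the artifact cached locally and the proxy block alone does not fix them.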
Capital-Job-3592@reddit (OP)
This is gold. "Make the safe path faster than the workaround" - I'm stealing this line.
Quick q: What was your SLA for the intake path? 24hrs? 48hrs?
And how did you handle risk tiers - was it just Low/Med/High or did you have specific criteria like "data leaves company = auto High"?
We're struggling because leadership wants control but also speed. Your approach sounds like the right balance.
Also, did you build this intake in Jira/ServiceNow or just Google Form + spreadsheet?
BananaSacks@reddit
DPIA (if you are near GDPR) for EVERY new product, purchase, or project. That gets the right people in early, scares away those looking to shirk the rules, and is quick for legit asks.
One desk to manage all purchases.
Absolutely NO personal purchases allowed, or credit cards. Everything goes through the purchase desk.
Just this alone will give your mgmt a level of visibility they would have never thought possible.
mcc011ins@reddit
U having a stroke?
simask234@reddit
I'm guessing it's because of Reddit's new auto-translate feature. People see English posts translated to their native language, so they reply in that language as well.
pdp10@reddit
As an Old Reddit user, I had no idea. I've apparently been doing this the insufficiently-mentally-lazy way.
DavWanna@reddit
Also using old for as long as it goes, and it's been pretty crazy to see people have conversations in multiple languages in a single thread. Must be some mobile-only auto-translate thing.
InitHello@reddit
I've met a lot of people from India who carry on conversations with each other 40% in English, 60% in Hindi or their state's main language.
Also if you, like me, have zero understanding of the other language, this is probably a good example of what technical language sounds like to a non-expert.
RoseRoja@reddit
Thought the same thing, but probably we're dumb and didn't realize that this simply isn't English and it is another language
The_Snot_Rocket@reddit
We are having a stroke together apparently.
longmountain@reddit
What?