Understanding and Managing the Risks of Shadow SaaS and GenAI: Insights from Next DLP's Latest Survey

Written by Georgina Stockley | Jul 9, 2024 12:45:00 PM

Software as a Service (SaaS) applications and Generative AI (GenAI) tools have revolutionized the way many organizations operate today. While these technologies offer significant benefits in terms of scalability, efficiency, and innovation, they also introduce complex challenges. Easy access to SaaS applications (such as M365, Google Workspace, Slack, Zoom and Shopify) means that employees are able to adopt new tools without proper oversight, leading to "Shadow SaaS" — the use of unsanctioned applications that IT departments are unaware of. This unauthorized use can lead to serious data security breaches, loss of sensitive information, and failure to comply with required industry regulations. Similarly, the integration of GenAI into business processes (ChatGPT, DALL·E, Hugging Face, GitHub Copilot and others), while beneficial, raises concerns about intellectual property theft, misuse of AI, and inadvertent generation of non-compliant data. These issues underscore the urgent need for companies to enforce robust data governance and control mechanisms to mitigate risks and ensure regulatory compliance.

Next DLP recently conducted a survey of over 250 global security professionals to explore the new challenges in data security and compliance that SaaS applications and Generative AI have introduced. The results revealed critical insights into the unauthorized use of these technologies and the associated risks.

Survey Methodology

The survey of 253 global security professionals was conducted at RSA Conference 2024 and Infosecurity Europe 2024. Each respondent was asked the same ten questions* surrounding Shadow SaaS and Shadow AI usage within their organization, the implied security risks, and the policies and security tools their company has in place.

Survey Highlights

The survey revealed a surprising trend: nearly three quarters (73%) of security professionals admitted to using SaaS applications that had not been provided by their company’s IT team in the past year. This is despite their own acute awareness of the risks, with respondents naming data loss (65%), lack of visibility and control (62%) and data breaches (52%) as the top risks of using unauthorized tools. Adding to this, one in ten admitted they were certain their organization had suffered a data breach or data loss as a result.

The survey results also uncovered a laissez-faire attitude towards Shadow SaaS, whereas security professionals have taken a more cautious approach to GenAI usage. Half of the respondents reported that AI use had been restricted to certain job functions and roles in their organization, while 16% had banned the technology completely. Adding to this, 46% of organizations have implemented tools and policies to control employees’ use of GenAI.

The research also provided a snapshot of how security professionals view their organization’s training and overall understanding of the risks of Shadow SaaS:

  • 40% of security professionals do not think employees properly understand the data security risks associated with Shadow SaaS and AI.
  • Yet they are doing little to combat this risk. Only 37% of security professionals had developed clear policies and consequences for using these tools, and even fewer (28%) were promoting approved alternatives to combat usage.
  • Only half had received guidance and updated policies on Shadow SaaS and AI in the past six months, with one in five admitting to never having received this.
  • Additionally, nearly one-fifth of security professionals were unaware of whether their company had updated policies or provided training on these risks, indicating a need for further awareness and education.

Visualizing the Impact

[Figure: survey results visualization not reproduced in text]

The Reveal Platform: A Strategic Response

In response to these challenges, Next DLP’s Reveal Platform offers a comprehensive solution designed to provide full visibility into SaaS application usage. Here’s how the Reveal Platform addresses the issues highlighted by the survey:

Shadow SaaS Detection and Control

  • Visibility: Reveal's SaaS App Security provides full visibility into both authorized and unsanctioned SaaS applications utilized across an organization (including unmanaged endpoints) and also fortifies defenses against potential data breaches stemming from business data exposure via unauthorized app usage.
  • Data Tracking: Secure Data Flow monitors data flow to and from all applications, whether they are authorized or not. By tracking and tracing file movement across managed endpoints and sanctioned cloud applications, and protecting data based on its origin, transfer and storage, Reveal helps ensure that sensitive information isn't being exposed via unsanctioned software usage.
  • Advanced Policy Control: Reveal takes policy-based controls to the next level. It provides user training at the point of risk and enables quick response to suspicious activity across all the organization's data egress points.

Generative AI (GenAI) Usage Management

  • Content Analysis: The Reveal Platform can analyze the content generated by GenAI tools to ensure that sensitive data isn’t being inadvertently exposed. This is increasingly important as GenAI tools become capable of producing detailed and contextually relevant outputs that might include proprietary or confidential information.
  • Integration with AI APIs: By integrating with APIs of popular GenAI platforms, Reveal can directly monitor the input and output data, ensuring compliance with data protection regulations and internal policies.
  • Behavioral Analytics: The Reveal Platform employs behavioral analytics to understand normal and anomalous behaviors concerning GenAI usage. This helps in identifying potentially malicious or non-compliant use of GenAI applications.

Policy Enforcement and Compliance

  • Automated Policy Application: Reveal automates the enforcement of security policies across all cloud and SaaS applications, including those involving GenAI. This helps in maintaining compliance with industry regulations and internal data protection policies.
  • Real-time Alerts: Real-time alerting mechanisms can notify administrators of potential data leaks or policy violations immediately, allowing for swift remedial action.

Training and Adaptation

  • Machine Learning: Reveal uses machine learning algorithms to adapt to new threats continuously. As new SaaS applications and GenAI uses emerge, the system learns and evolves to keep the organizational data secure.

Bridging the Gap

Despite recognizing the risks themselves, 34% of respondents said that employees do not fully understand the data security risks associated with Shadow SaaS and Shadow AI, and 6% of respondents said employees didn’t understand these risks at all.

The Next DLP survey highlights a critical need for better education around, and management of, Shadow SaaS and GenAI. The Reveal Platform’s capabilities in providing visibility, analytics, and control play a pivotal role in addressing these challenges. Organizations looking to secure their digital environments and comply with regulatory standards would benefit significantly from adopting comprehensive solutions like the Reveal Platform.

The Reveal Platform from Next DLP offers a comprehensive solution to address these pressing challenges. By providing full visibility into SaaS application usage, the platform enables organizations to monitor and manage employee activities effectively. This ensures that any unauthorized use of SaaS tools is quickly identified and addressed, significantly reducing the risk of data breaches and loss. The platform’s advanced analytics capabilities help security teams understand the patterns of Shadow SaaS usage, allowing them to implement targeted policies and training programs that promote the use of approved, secure alternatives.

In addition to SaaS management, the Reveal Platform also offers robust controls for GenAI usage. With tools that restrict and monitor AI activities based on job roles and functions, organizations can maintain tight control over how AI technologies are used within their networks. This mitigates the risks associated with unsanctioned AI tools, ensuring that employees adhere to security protocols. Furthermore, the platform's real-time alerts and detailed reporting provide continuous oversight, enabling proactive risk management and enhancing overall data protection efforts.

For further insights into our survey results or to learn more about the Reveal Platform, contact our team for a personalized demonstration.

*Appendix - Survey Questions

This appendix contains the complete list of ten questions that were posed to the respondents in our survey.

  1. Have you used any SaaS applications in the past 12 months that have not been provided by your company’s IT team?
    1. Yes
    2. No
    3. Don't Know
  2. How confident are you in your organization's ability to detect employees’ use of Shadow SaaS apps?
    1. Very Confident
    2. Confident
    3. Somewhat Confident
    4. Not Very Confident
    5. Not Confident At All
    6. Don't Know
  3. What do you think are the risks associated with the use of Shadow SaaS? (choose up to three)
    1. Failure to comply with industry regulations/compliance frameworks
    2. Sensitive/proprietary data loss
    3. Lack of visibility and control over user behavior, as it relates to company data
    4. Expansion of attack surface
    5. Data breach
    6. There Are No Risks
  4. Has your organization suffered a data breach or data loss as a result of Shadow SaaS usage?
    1. Yes
    2. No
    3. Don't Know
  5. Does your organization allow employees to use Gen AI / LLMs?
    1. No, AI tool use is not permitted
    2. Yes, but it's restricted to certain job functions and job roles
    3. Yes, it's freely available to all employees
    4. Don't Know
  6. Does your organization have tools or policies in place to control employees’ use of GenAI?
    1. Yes
    2. No
    3. Don't Know
  7. How well do you think employees understand the data security risks associated with Shadow SaaS and Shadow AI?
    1. Very Well
    2. Somewhat Well
    3. Not Very Well
    4. Not At All
    5. Don't Know
  8. When was the last time your employer provided guidance on the use of Shadow SaaS or Gen AI?
    1. Within the last month
    2. Within the last 6 months
    3. Within the last 2 years
    4. Never
    5. Don't Know
  9. When was the last time your company provided updated policies around the use of SaaS and/or AI tools?
    1. Within the last month
    2. Within the last 6 months
    3. Within the last 2 years
    4. Never
    5. Don't Know
  10. What processes does your employer have in place to mitigate the risks associated with Shadow SaaS and Shadow AI use within your organization? Tick all that apply.
    1. Implementing stricter access controls
    2. Increasing employee training and awareness
    3. Enhancing monitoring and detection capabilities
    4. Developing clear policies and consequences
    5. Promoting approved alternatives
    6. None of the above
    7. Don't Know