Show HN: Shadow IT Scan – Uncover SaaS Apps, Users and Risky OAuth Scopes

69 points | mathiasn | 1 year ago | accessowl.io

Hey HN,

TL;DR: We’ve launched a free version of our Shadow IT scanner to identify which SaaS apps are used in your company, who uses them, and if they have high-risk OAuth scopes.

Philip and I went through YC with AccessOwl in 2022. We started the company because, in our previous roles, we struggled to track all the SaaS apps, users, and granted OAuth scopes. The Shadow IT scanner started as a small feature within AccessOwl, which manages SaaS vendors and user accounts centrally. But a standalone scanner would have made our lives so much easier in our previous roles. So, we thought, why not release it?

And here it is: a free, standalone Shadow IT scanner!

Hope you find it useful :) The Shadow IT scan helps with:

1. Offboarding: Employees often don’t report all the apps they sign up for, making it tough to track and secure these accounts when they leave, especially with the common SSO tax.

2. Security: OAuth scopes are quickly granted but rarely reviewed or removed, leading to organizations unknowingly spreading their data.

3. Compliance: Auditors need a list of SaaS vendors, which is hard to compile when employees sign up for tools independently.

Any surprises in your scan? What features would you like to see in the next version? Looking forward to your feedback!

FAQ

What’s Shadow IT? Unauthorized SaaS apps within an organization not centrally managed, posing security and compliance risks.

How does it work? Our tool connects to your Google Workspace or M365 instance, identifies OAuth tokens granted, and maps them to known SaaS tools. Note: In this v1 version, it only detects apps using the “Sign in with Google/Microsoft” button.

Who is this for? Typically IT and InfoSec teams, but in smaller companies, it may fall under the CTO.

Is it safe to use? Yes, reading OAuth tokens is standard for SaaS management tools. Data extraction only occurs when you initiate a scan. AccessOwl is SOC 2 Type II audited and GDPR compliant.
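How the scan described in the FAQ works, as an added example that is not AccessOwl's code: group OAuth token grants by app, list the users behind each, and flag high-risk scopes. The token records are constructed; their field names follow the Google Workspace Admin SDK Directory API tokens.list resource (an assumption about that API), and the client IDs, app catalogue and risk list are hypothetical.

```python
# Added example (not AccessOwl's code): group OAuth grants by app, list users,
# flag high-risk scopes. Record shape assumes the Google Admin SDK Directory
# API tokens.list resource (clientId, displayText, scopes, userKey).
from collections import defaultdict

# Example judgement of broad-access scopes, not a vendor-published list.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
}

# Hypothetical client-ID catalogue; a real scanner keeps a vendor database.
KNOWN_APPS = {"111.apps.googleusercontent.com": "Notion",
              "222.apps.googleusercontent.com": "Figma"}

# Constructed sample grants: two users, three apps, one uncatalogued.
SAMPLE_TOKENS = [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "Notion",
     "userKey": "alice@example.com", "scopes": ["openid", "email"]},
    {"clientId": "222.apps.googleusercontent.com", "displayText": "Figma",
     "userKey": "alice@example.com",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"clientId": "999.apps.googleusercontent.com", "displayText": "PDF Wizard",
     "userKey": "carol@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]


def scan(tokens):
    """Per app: set of users, human-readable risky scopes, catalogued or not."""
    apps = defaultdict(lambda: {"users": set(), "risky": set(), "known": False})
    for tok in tokens:
        cid = tok["clientId"]
        entry = apps[KNOWN_APPS.get(cid, tok.get("displayText", cid))]
        entry["known"] = cid in KNOWN_APPS
        entry["users"].add(tok["userKey"])
        entry["risky"].update(HIGH_RISK_SCOPES[s] for s in tok["scopes"]
                              if s in HIGH_RISK_SCOPES)
    return dict(apps)


def review_queue(report):
    """Apps to look at first: uncatalogued or holding a high-risk scope."""
    return sorted(n for n, e in report.items() if e["risky"] or not e["known"])


if __name__ == "__main__":
    for name, e in scan(SAMPLE_TOKENS).items():
        tag = "" if e["known"] else " (uncatalogued)"
        print(f"{name}{tag}: {sorted(e['users'])} risky={sorted(e['risky'])}")
```

The same grouping is what makes an offboarding checklist possible: filter the report by a departing user's address to see every app they granted a token to.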

36 comments

neilv|1 year ago

What do people think about companies (even small startups) having a rule against random employees signing up for SaaSes?

On the one hand, such a rule sounds like stodgy company friction to "getting it done".

On the other hand, I see employees putting crucial information across seemingly every SaaS they'd heard of, except for the official place it's actually supposed to go. Making it inaccessible to the people who needed it, and often eventually losing the information entirely.

I've also seen (to pick one anecdote) newer software developers pasting the data of a very sensitive proprietary engineering model into some random developer's Web site that provided a visualization. This random Web site then spread around engineering as the standard way you visualize that model.

And I've seen third-party service dependencies that made no sense at all, but people were just following tutorials and StackOverflow answers they found.

NoPicklez|1 year ago

Having also worked with many corps around this area for many years.

It also comes down to appropriate procurement processes. Employees should not be able to buy or procure anything without requiring them to assess the inherent risks that service will introduce. Those risks include the cyber/information security related risks of that service including SaaS platforms.

You should not be able to purchase and use any technology service without a risk assessment, and that includes SaaS platforms, to identify if the information you're providing to that platform is secure.

PhLR|1 year ago

We talked to lots of CISOs, InfoSec managers and IT admins about that issue. There are basically two camps: actively block any new tool vs. not block but educate so people don't do anything stupid.

I feel not blocking makes the most sense. Employees want to be treated like adults, especially in tech-savvy companies. If they feel like they are unnecessarily blocked they will just find a workaround (i.e. non-work email or device).

However, you definitely want to keep track of what people are signing up for - that's where the Shadow IT scanner comes in handy. In case you see something that's against policy it's often enough to just explain why it's a risk for the company. No employee means harm and just wants to be treated like an adult.

jabroni_salad|1 year ago

To a lot of computer users, any window on the screen is as good as any other and they just don't have the concept of "I am uploading a file to an external computer that I do not control."

Any company that is reining in SaaSes is doing so because they have had a bad experience. If you have this privilege, that's cool, but be smart about it. Make a unique account for your business use rather than commingling your personal data, and choose SaaS companies who you would actually be okay having a relationship with, because the relationship WILL get escalated and wouldn't it be nice if it were a cool HN person making the pitch instead of Oracle mailing you an extortion letter?

One of my clients, we had been trying to sell them on corporate groupware instead of personal dropboxes and gmails. The hammer dropped when they got sued and guess what got specified in the evidence search? Not only was executing that search deeply unpleasant for everyone involved, but it also cost a lot more consulting hours than searching a proper groupware would.

galdosdi|1 year ago

Jesus I've seen "newer developers" do dumb shit like need a damn website to pretty-print JSON or change something all to lower case or something instead of just learning to use their tools. In the absence of real mentorship and supervision, guardrails are necessary.

It's not like you have to have a lot of red tape around signing up for SaaSes. "Any employee can sign up for one, you just have to notify us" or "Approval is practically a rubber stamp" is waaaay better than "who knows what they're doing" -- at least you know what's happening and can deal with it later.

Every company bigger than 100 people I've been at covers this in the corporate training on the first week. You can't just put the company's data into random textboxes on the internet. And you can't pretend you weren't told. This is how to get fired immediately anywhere with a clue.

Even at a startup, the process could be reaching out to the "CTO" on Slack for 30 seconds. Nobody should just be doing stuff like this with zero oversight, ever, anywhere, unless just none of it really matters, like some sort of complete joke app like something to rate the attractiveness of your college classmates or something.

throwaway48540|1 year ago

Nobody without the power to sign contracts in the company's name can legally register and use a SaaS at work. They can make a personal account, and using it amounts to extracting data out of the company.

bdno86|1 year ago

This is really cool!! Always excited about increased accessibility of security tools. This used to require jumping through a bunch of hoops in the past to find out, so most companies don't even know this is possible and therefore even fewer made the effort to do it.

PhLR|1 year ago

Indeed, when I learned about it I felt stupid for not having somebody run a regular report. Everybody talks about Shadow IT, but most companies have a decent option to uncover a large chunk of it quite easily.

moxli|1 year ago

> AccessOwl calculates billing based on the number of active Slack users, excluding Single-Channel Guests and service accounts, as this is usually the closest measure to your number of active employees. The billing amount is updated prorata each month and before each payment, based on the number of users in your Slack workspace.

https://www.accessowl.io/pricing

How does pricing work if Slack is not used?

jorams|1 year ago

I don't think that's possible, the "Start Trial" button immediately redirects to Slack.

This does seem like a weird restriction. Nothing about the product otherwise seems Slack-specific.

mathiasn|1 year ago

Slack is required for AccessOwl. It's used for things like approval workflows, task management and notifications in general.

What do you use instead?

NoPicklez|1 year ago

In a previous role many years ago I used a tool called Netskope which monitored firewall traffic, and it was excellent at identifying almost every web-related service being used.

This was helpful because it would detect SaaS platforms being used that were not integrated into SSO, like PDF converters etc.

But I really like how simple this looks to use, and it looks powerful.

PhLR|1 year ago

Indeed, there are some great alternatives for discovering Shadow IT, some with more or less overhead (i.e. browser extensions that nobody wants to install).

650REDHAIR|1 year ago

This is very, very cool!

Great work guys!

PhLR|1 year ago

Thanks!

antonmi|1 year ago

Very interesting, gonna check it!

PhLR|1 year ago

Thanks! Any interesting findings?