[neilv]

What do people think about companies (even small startups) having a rule against random employees signing up for SaaSes?

On the one hand, such a rule sounds like stodgy company friction to "getting it done".

On the other hand, I see employees putting crucial information across seemingly every SaaS they'd heard of, except for the official place it's actually supposed to go. Making it inaccessible to the people who needed it, and often eventually losing the information entirely.

I've also seen (to pick one anecdote) newer software developers pasting the data of a very sensitive proprietary engineering model into some random developer's Web site that provided a visualization. This random Web site then spread around engineering as the standard way you visualize that model.

And I've seen third-party service dependencies that made no sense at all, but people were just following tutorials and StackOverflow answers they found.

[NoPicklez]

Having also worked with many corps around this area for many years

It also comes down to appropriate procurement processes. Employees should not be able to buy or procure anything without requiring them to assess the inherent risks that service will introduce. Those risks include the cyber/information security related risks of that service including SaaS platforms.

You should not be able to purchase an use any technology service without a risk assessment and that includes SaaS platforms, to identify if the information you're providing to that platform is secure.

[PhLR]

The biggest challenge is that there's an abundance of SaaS tools that are free to use or have extensive free trials. This often lures employee's in "just trying" a platform and ending up importing critical company data.

Slack and Loom are great examples of SaaS that profited from being "Shadow IT". They gained traction by employee's quickly self-onboarding onto the free-plan, without their IT or Security knowing what data is being shared.

[thanksgiving]

If you block marketing from using the tools they want, they will do it anyway but using personal email addresses like Gmail or something like that especially with the generous free tiers.

[mathiasn]

Which makes it even worse because you cannot detect that then :/

Shouldn't people just be able to try out new things? How can a company be innovative otherwise? And at a specific point (e.g. putting customer data into it), they need to start a proper vendor assessment process.

[NoPicklez]

People can absolutely try new things, but time and time again you cannot trust people to not put sensitive data into those platforms and they continually do.

It's always a balance of information security awareness, culture and technological solutions within an organisation.

[PhLR]

100%. Instead keep track of where they sign up with their business email and explain why they can't use those tools.

[PhLR]

We talked to lots of CISOs, InfoSec managers and IT admins about that issue. There's basically two camps: Actively block any new tool vs. not block but educate so people don't do anything stupid.

I feel not blocking makes most sense. Employee's want to be treated like adults, especially in tech savvy companies. If they feel like they are unnecessarily blocked they will just find a workaround (i.e. non-work email or device).

However, you definitely want to keep track of people are signing up for - that's where the Shadow IT scanner comes in handy. In case you see something that's against policy it's often enough to just explain why it's a risk for the company. No employee means harm and just wants to be treated like an adult.

[KingMachiavelli]

Agree it isn't practical to block everything while still allowing software engineers to do their job. An online regex tester is super useful or could be a big risk is an employee uses it incorrectly.

But it is helpful to block certain things that are just too common outside of work so people just don't think twice. Things like ChatGPT, Grammerly, Pastebin, etc. should be manually blocked.

[PhLR]

Another interesting approach I learned from the Director of IT at Intercom (Emanuele Sparvoli): They pay for a single seat in each of the typical "Shadow IT" SaaS apps. Then they block within the SaaS app the ability to sign up with email/password coming from their domain.

It's pretty drastic since you literally pay for a seat in a tool you don't want to use. But it stops anybody from quickly signing up and instead will guide them to the IT team. They then have the chance to explain what the official alternatives are.

What's important is that the employee's understand the reason why certain apps are not allowed - whether that's cost, security or something else.

[jabroni_salad]

To a lot of computer users, any window on the screen is as good as any other and they just don't have the concept of "I am uploading a file to an external computer that I do not control."

Any company that is reigning in SaaSes is doing so because they have had a bad experience. If you have this privilege, that's cool, but be smart about it. Make a unique account for your business use rather than comingling your personal data, and choose SaaS companies who you would actually be okay having a relationship with, because the relationship WILL get escalated and wouldn't it be nice if it were a cool HN person making the pitch instead of Oracle mailing you an extortion letter?

One of my clients, we had been trying to sell them on corporate groupware instead of personal dropboxes and gmails. The hammer dropped when they got sued and guess what got specified in the evidence search? Not only was executing that search deeply unpleasant for everyone involved, but it also cost a lot more consulting hours than searching a proper groupware would.

[galdosdi]

Jesus I've seen "newer developers" do dumb shit like need a damn website to pretty-print JSON or change something all to lower case or something instead of just learning to use their tools. In the absence of real mentorship and supervision, guardrails are necessary.

It's not like you have to have a lot of red tape around signing up for SaaSes. "Any employee can sign up for one, you just have to notify us" or "Approval is practically a rubber stamp" is waaaay better than "who knows what they're doing" -- at least you know what's happening and can deal with it later

Every company bigger than 100 people I've been at covers this in the corporate training on the first week. You can't just put the company's data into random textboxes on the internet. And you can't pretend you weren't told. This is how to get fired immediately anywhere with a clue.

Even at a startup, the process could be reaching out to the "CTO" on Slack for 30 seconds. Nobody should just be doing stuff like this with zero oversight, ever, anywhere, unless just none of it really matters, like some sort of complete joke app like something to rate the attractiveness of your college classmates or something

[throwaway48540]

Nobody without the power to sign contracts in company name can legally register and use a SaaS at work. They can make a personal account and using it amounts to extracting data out of the company.

[mathiasn]

From a legal point of view that might be true, but I believe people are not aware that this is a problem. They just register, check the "Agree terms of service" box and do whatever they want to do. I saw that often, especially with Marketing.

[galdosdi]

Then either the mandatory corporate training they signed off on their first day of employment was deficient, or they need to be fired for cause.

[throwaway48540]

It's not just legal but also the practical point of view. They committed fraud when they clicked that checkbox. It's exactly the same as signing a contract with someone else's name.

[npmeye]

Also when you do npm i. That's fraud.

Did you just agree to opt the company into that smorgasbord of licenses?

[throwaway48540]

Not really, most (larger) companies have internal policies about that, listing the acceptable licenses. Which is exactly what I said - the employees are given the power to accept the terms. Some employees can sign SaaS contracts, though that's usually much less people.