Shadow IT refers to scenarios where IT is 'in the dark' over employees storing/analyzing business data in non-approved applications. Today's employees have a plethora of either free or inexpensive SaaS options for just about every conceivable business function (analysis, sales, HR, etc.), and if IT doesn't supply them an approved option, there is little stopping them from setting something up for themselves. From the employee's PoV, there is likely nothing malicious in their actions - they simply feel they are doing what they need to do to be effective in their job. From the enterprise's PoV, all these non-authorized SaaS applications vastly expand the attack surface of the business data, and so Shadow IT must be controlled.
The identity that an employee uses when accessing a SaaS application will have an impact on the visibility of the enterprise into that usage.
For instance, if I were to create a Dropbox account for myself using a personal email address (which I would never do of course, not after last time) and then proceed to store sensitive financial data in that account (which I totally could because I am very important and am often asked for my insight on the $$ aspect of the business), Ping would be effectively completely oblivious (barring some sort of agent/proxy that would monitor my connection looking for such traffic). Neither would the application know I'm from Ping, thereby preventing it from alerting Ping to the account or perhaps preventing the initial creation of the account (do any SaaS do this?).
The above is the darkest corner of Shadow IT. Ping doesn't know I am going to the application and the application doesn't know I work at Ping.
If instead I create the account using my Ping email, then as above Ping is oblivious to the creation of the account, but the SaaS now does at least know where I work and so could theoretically guide/prevent/alert accordingly. Ping doesn't know I am going to the application but the application does know I work at Ping.
A third scenario is possible when the user creates an account at the SaaS using their personal email, but the enterprise provides some sort of password vaulting functionality to their employees that facilitates access to applications - both enterprise subscribed and others. For instance, through Ping's Basic SSO browser extension, I can vault user accounts & passwords for non-business related applications (see diagram).
Because Ping is actively involved in the presentation of the credentials to those non-business applications (even if the credentials are encrypted so Ping can't actually see them), Ping knows that I have an account at Facebook, Twitter etc, and also knows how often I login there. But, because the email account I used to set up those accounts isn't my Ping address, these applications don't know I work at Ping (though Twitter at least might be able to make an educated guess based on my tweet stream). Consequently, in this scenario, Ping knows I'm going to the application but the application doesn't know I work at Ping.
The fourth scenario is when the employee's access to a SaaS is actively enabled by the enterprise through a federated SSO flow - as standardized by SAML or OpenID Connect. For instance, when I access Concur, Ping creates a SAML assertion that attests to my identity as a Ping employee. Because the assertion is specifically created for Concur, Ping explicitly knows when I visit the application. And, because Concur can verify that the assertion was created by Ping, they are in no doubt about who employs me. So, in this case, Ping knows I'm going to the application and the application knows I work at Ping.
The 4 scenarios are shown graphically below.
The Shadow IT scenario of the top-right corner is where neither Ping nor the application are 'in the know' about, respectively, who I am and what I'm doing.
I've also coined two new terms to contrast the 'darkness' of the shadows.
Bright IT is the federated SSO scenario where both Ping and the SaaS know what's going on.
And Penumbra IT describes the two situations where either Ping or the application (but not both) are not fully informed.
Clearly, from a visibility & governance angle - bright is better than shadow, and penumbra is somewhere in the middle.
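As an added illustration (not code from the original post or from Ping), here is a small Python classifier that merges the enterprise-side signals (federation log, vault log) with app-side signups under a corporate domain and assigns each observed account to one of the quadrants above. The log lines and the example.com domain are constructed, and it goes one step beyond the post by treating a vaulted account that was set up with a corporate email as visible to both sides.

```python
from collections import Counter

CORP_DOMAIN = "example.com"  # assumed enterprise email domain, standing in for Ping's

# Constructed sample records, one "app account-email" pair per line (not real logs).
FEDERATION_LOG = """concur alice@example.com
salesforce bob@example.com"""      # IdP issued a SAML/OIDC assertion for this account
VAULT_LOG = """facebook alice@gmail.com
twitter bob@hotmail.com
dropbox bob@example.com"""         # Basic SSO extension replayed a vaulted credential
APP_SIGNUPS = """trello carol@example.com
dropbox carol@example.com"""       # accounts a SaaS vendor reports under our domain


def parse(log):
    """Turn the simple two-column log format into (app, email) tuples."""
    return [tuple(line.split()) for line in log.strip().splitlines() if line.strip()]

def quadrant(enterprise_knows, app_knows):
    """The post's 2x2: both know = Bright, neither = Shadow, exactly one = Penumbra."""
    if enterprise_knows and app_knows:
        return "Bright IT"
    if not enterprise_knows and not app_knows:
        return "Shadow IT"
    return "Penumbra IT"

def visibility_report(federation, vault, signups, corp_domain=CORP_DOMAIN):
    """Merge the three sources and assign every observed account to a quadrant."""
    corporate = lambda email: email.lower().endswith("@" + corp_domain)
    enterprise = set()  # accounts whose use the enterprise can observe
    app_side = set()    # accounts whose provider can tell who employs the user
    for acct in parse(federation):
        enterprise.add(acct)  # the IdP minted the assertion, so it saw the visit
        app_side.add(acct)    # the SP verified the IdP's signature on it
    for acct in parse(vault):
        enterprise.add(acct)  # the extension presented the credential
        if corporate(acct[1]):
            app_side.add(acct)
    for acct in parse(signups):
        if corporate(acct[1]):
            app_side.add(acct)  # the vendor only sees the domain, never the login
    return {acct: quadrant(acct in enterprise, acct in app_side)
            for acct in enterprise | app_side}

def summarize(report):
    """Count accounts per quadrant; Shadow IT stays at zero, since no source sees it."""
    counts = Counter({"Bright IT": 0, "Penumbra IT": 0, "Shadow IT": 0})
    counts.update(report.values())
    return dict(counts)
```

The darkest quadrant never appears in the report because direct use under a personal email leaves no trace in any of these sources; only the agent/proxy mentioned earlier could surface it.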
Bright & Penumbra IT - you heard them here first - they're going to be big.