LastPass can now monitor employees' rogue reliance on shadow SaaS – including AI tools


Petri Oeschger/Getty Images

With LastPass’s browser extension for password management already well-positioned to observe — and even restrict — employee web usage, the security company has announced that it’s diversifying into SaaS monitoring for small to midsize enterprises (SMEs). 

SaaS monitoring is part of a larger technology category known as SaaS Identity and Access Management, or SaaS IAM. 

As more employees are drawn to AI to improve productivity, the company is pitching an affordable solution to help SMEs contain the risks and costs associated with shadow SaaS, an umbrella term for rogue SaaS procurement that covers shadow IT and its latest variant, shadow AI.


Compared to the $7 per user per month rate that LastPass charges for its Business Edition tier, the new Business Max tier — which includes the SaaS monitoring capability — will cost $9 per user per month. 

“Detecting which employees are accessing which applications is actually a solved problem,” LastPass chief product officer Don MacLennan told ZDNET. “Except that it’s solved by really expensive and really complex technologies that a large enterprise would use, but that a mid-size enterprise can’t afford.”

According to MacLennan, LastPass currently serves organizations ranging in size from 20 to “a few thousand” employees, and the main reason those companies need a password manager is the proliferation of SaaS applications across the enterprise. To minimize the risks associated with poor password hygiene, organizations turn to password managers as a means of enforcing credential management best practices.


Not only are password managers already in the critical path of SaaS application access, but the password management extensions that almost all users install into their web browsers have the permissions needed to read, alter, and autofill every web page that a user visits. When installing a password manager extension into Chrome, for example, the browser typically asks the user to grant permission for that extension to “read and change all your data on all websites,” as shown in the partial screenshot below.


Screenshot by David Berlind/ZDNET

Without installing any new management agents, password manager extensions already have the power to observe and document everything a user is doing with their web browser and disrupt a user’s attempt to engage with organizationally unsanctioned SaaS sites. 

As an example, an organization trying to keep a lid on usage of unsanctioned AI applications (i.e., shadow AI) could use LastPass’s SaaS monitoring solution to identify where employees are logging into approved versus unapproved applications and take whatever risk reduction actions are deemed necessary.


According to IBM’s research on the risks of shadow data and shadow AI, “various stakeholders in the organization can easily expose it to unmanaged risk linked with unsanctioned data, [AI] models, and overall use of AI. These uses can be invisible to the IT and security teams.” IBM’s findings align with Gartner’s research, which stated that “by 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility – up from 41% in 2022.”

LastPass sees the new capabilities aligning with an organization’s business objectives in a variety of ways.

“One could be compliance,” MacLennan told ZDNET. “Another could be the organization’s internal sense of risk and risk management. Another could be cost because we’re surfacing apps by category, in which case you’ll see the whole universe of duplicative apps in use.”

MacLennan also noted that the new offering makes it easy to reduce costs from over-provisioned SaaS licenses. For example, an organization might be paying for 100 seats of some SaaS solution while the SaaS monitoring tool reveals that only 30 of those licenses are in active use.


LastPass isn’t the first password management solution provider to venture into the adjacent category of SaaS IAM. Earlier this year, 1Password diversified its solution portfolio with its acquisition of Trelica.

The screenshot below offers an example of the analytics LastPass administrators might see when viewing its SaaS monitoring dashboard. For example, it offers at-a-glance statistics about how users are logging into their SaaS apps — via single sign-on through a solution like Okta, via passkey, or via password. As a part of a risk management exercise, an IT department could use data like this to drive more employees to access organizationally sanctioned apps via SSO or passkeys versus the riskier usage of passwords. Additionally, the dashboard reveals the extent to which users are leveraging LastPass to manage their credentials versus riskier manual approaches to password management.
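To make concrete the kind of classification such a dashboard performs (both the approved-versus-unapproved app check described earlier and the login-method and seat-utilization statistics described here), the following Node.js snippet is an added example written for this article, not LastPass’s own code. It triages login observations against a sanctioned-app list, flags unsanctioned AI tools, counts logins by authentication method, and compares licensed seats against distinct active users; every hostname, seat count and event in it is constructed.

```javascript
// Added example, not LastPass's code: triage constructed login observations (the kind a
// browser extension with "read and change all your data on all websites" can see).
// Constructed catalog of sanctioned app domains and their licensed seat counts.
const SANCTIONED_SEATS = { "sso.example": 100, "crm.example": 100, "approved-ai.example": 25 };
// Constructed list of known AI tool hosts, so unsanctioned AI use can be flagged as shadow AI.
const KNOWN_AI_HOSTS = ["chat.ai-assistant.example", "assistant.example"];
// Constructed login observations: who logged in where, and by which method.
const SAMPLE_EVENTS = [
  { user: "alice", url: "https://app.crm.example/login", auth: "sso" },
  { user: "bob", url: "https://app.crm.example/login", auth: "password" },
  { user: "alice", url: "https://chat.ai-assistant.example/", auth: "password" },
  { user: "carol", url: "https://approved-ai.example/", auth: "passkey" },
  { user: "dave", url: "https://crm.example.attacker.example/", auth: "password" },
];
// True when the host is the domain itself or a subdomain of it. Matching on "." + domain
// keeps look-alikes such as "crm.example.attacker.example" from passing as crm.example.
function hostMatches(hostname, domain) {
  const h = hostname.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}
// Returns the sanctioned domain a host belongs to, or null if the app is unsanctioned.
function sanctionedDomain(hostname) {
  return Object.keys(SANCTIONED_SEATS).find((d) => hostMatches(hostname, d)) || null;
}
// Produces the dashboard-style summary: logins by auth method, unsanctioned hosts,
// unsanctioned hosts that are known AI tools, and seat utilization per sanctioned app.
function triage(events) {
  const byAuth = { sso: 0, passkey: 0, password: 0 };
  const active = {}; // sanctioned domain -> Set of distinct users seen logging in
  const unsanctioned = new Set();
  const shadowAi = new Set();
  for (const ev of events) {
    const host = new URL(ev.url).hostname;
    byAuth[ev.auth] = (byAuth[ev.auth] || 0) + 1;
    const domain = sanctionedDomain(host);
    if (domain) {
      if (!active[domain]) active[domain] = new Set();
      active[domain].add(ev.user);
    } else {
      unsanctioned.add(host);
      if (KNOWN_AI_HOSTS.some((d) => hostMatches(host, d))) shadowAi.add(host);
    }
  }
  // Licensed seats versus distinct users actually observed: the over-provisioning signal.
  const utilization = Object.fromEntries(Object.entries(SANCTIONED_SEATS).map(
    ([d, seats]) => [d, { seats, active: active[d] ? active[d].size : 0 }]));
  return { byAuth, unsanctioned: [...unsanctioned], shadowAi: [...shadowAi], utilization };
}
console.log(JSON.stringify(triage(SAMPLE_EVENTS), null, 2));
```

In the sample, two of five logins are sanctioned CRM access but one of them still uses a password, one is an unapproved AI chat tool, and one is a look-alike domain that suffix matching correctly refuses to treat as sanctioned.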


Screenshot by LastPass/ZDNET

The new solution does have its limitations. For example, compared to desktop and mobile agents that can monitor all desktop and SaaS app usage (i.e., not just web apps), the LastPass web extension’s visibility is limited to SaaS apps accessed through a desktop web browser.

How might LastPass evolve its SaaS monitoring capability? MacLennan discussed a few options but noted that the company is not yet committing to a roadmap. 

“You could use this to guide users away from unproductive time or harmful or malicious sites,” he said. “Some companies might want to guide employees away from social media during work hours or accessing adult content due to the company’s acceptable use policy.” He noted the possibility of future integrations with directory services like Microsoft Entra for the purpose of access control policy setting and enforcement based on a user’s workgroup or team membership. 
