The detail of Shadow IT detection

Katsutoshi Murakami Updated by Katsutoshi Murakami

Translation Disclaimer: The documents herein have been machine translated for your convenience by translation software. While reasonable efforts are made to provide accurate translations, portions may be incorrect. If you would like to report a translation error or inaccuracy, we encourage you to please contact us.

Admina by Money Forward has a mechanism to detect when an employee is using SaaS (i.e., shadow IT).

The following is an explanation of the shadow IT detection mechanism.


What is Shadow IT?

In a broad sense, Shadow IT includes the use of LINE and Messenger among clients, but Shadow IT in our service description refers to IT management cloud services that are formally used as company tools.


How Shadow IT detection works using Google

Shadow IT detection using Google login history is available if Google is used as the employee master.

Cloud services are detected based on the history of which cloud services employees have logged into.



  1. Admina by Money Forward periodically calls Google's Audit Log API to retrieve login history data.
  2. The data is cross-checked against the SaaS catalog database to discover and aggregate cloud services.
  3. SaaS that are not linked to the Admina by Money Forward are displayed as "Recommendations from Discovery".
  4. CSV provides all aggregate results as ROW data, including cloud services that cannot be displayed in the Admina by Money Forward. 


Since audit logs hold a very large amount of data, the initial linkage will gradually collect the data with the following behavior. ( The logs can be several hundred million records, especially if you have many employees and use many cloud services.)      

  1. Immediately after the linkage is established, data acquisition is started, and at first, one week's worth of data is acquired & totaled and displayed.
  2. The data acquisition and aggregation will proceed gradually over a longer period of time. (It may take several hours to three days to complete the acquisition and tabulation of all data for three months after the initial linkage.)
  3. Finally, 3 months of data will be acquired & totaled.
  4. Thereafter, detection results will be updated with periodic differential updates.  


Finally, as for the data storage period, we will check 3 months of data at the first integration. Thereafter, only the last access record per Service x User will be stored, retrieving data as needed.

When the integration is terminated and the Admina by Money Forward is cancelled, the data will be destroyed.     



How did we do?

Shadow IT Detection