The rise of software-as-a-service (SaaS) applications has been a boon to companies small and large. Gartner notes that spending on SaaS solutions is projected to rise from just over $100 billion in 2019 to more than $138 billion by 2022. SaaS pay-as-you-grow pricing models have allowed enterprises to flex as needed and pivot quickly to meet new business demands without making large capital investments. This may involve scaling rapidly, tapping third-party service providers, distributing workflows across geographic regions, enabling bring-your-own-device (BYOD) policies, or any combination of these and other familiar operational strategies.
The challenging part of all this SaaS agility falls on the chief information security officer (CISO)/security team and/or the chief technology officer/IT team tasked with protecting the company’s networks and assets from security breaches. To them, the flexibility of SaaS is a whole lot of unmanageable access that leaves many open doors to data exfiltration. Storing data in SaaS applications means you’re storing data outside of your organization’s perimeter, leaving protection of the data entirely dependent on the security measures the SaaS provider has implemented. For the SaaS customer, that’s a boatload of risk.
Many companies use identity providers like Okta to create users and permissions. Then they rely on VPN or more modern zero trust solutions to secure remote connections. After that, the employee is in and has access to the library of SaaS apps included in the specific security policy that has been assigned to the given worker.
Here’s where the security challenges start to branch out. Workers with access share extensively, both externally and publicly, to drive business enablement with external partners. They may also share with their own private accounts. External collaborators may do that, as well. Over time, vendor contracts expire and employees leave the company… but does their access to corporate systems stop? Maybe. Maybe not.
In the typical company, getting a handle on unmanaged access leads CISOs and IT organizations to pit security against worker productivity. To protect corporate assets, leadership may choose unpalatable endpoint hardening solutions that severely limit end-user freedom to access applications and data, frustrating workers who rely on a broad range of applications in order to fulfill their job responsibilities. Endpoint hardening can even be configured to prohibit all external sharing, which significantly harms business enablement and adds a ton of friction for end users who simply want to do their job and get things done.
Liberal security policies that favor business enablement, on the other hand, make it extremely difficult and labor-intensive to track who has access to what, especially for companies trying to do it manually. Reviewing permissions with spreadsheets every month, writing scripts to check for outdated permissions, and tracking which employees have left the company are time-intensive activities that require constant attention and, most concerning, distract the team managing corporate security from addressing immediate threats across other security verticals (endpoint, infrastructure, mobile, corporate, etc.). Add in managing access for vendors who are no longer under contract and monitoring employees granting access to corporate assets from their personal accounts, and security teams are in an untenable position.
Fortunately, DoControl has the answer. DoControl gives organizations the automated, self-service tools they need for SaaS applications data access monitoring, orchestration, and remediation. We take a unique, customer-focused approach to the challenge of labor-intensive security risk management and data exfiltration prevention in popular SaaS applications.
By replacing manual work with automation, DoControl reduces the overload of work and complexity that Security and IT teams have to deal with every day. What’s more, DoControl involves all employees as part of the security equation to drive business enablement and encourage a collaborative and frictionless security culture.
Three main components comprise the DoControl solution:
Visibility and automation are the keys to managing your company’s SaaS applications data access. Face it -- your company needs its SaaS applications. There’s no way around them. If you’re going to have a lot of data residing outside of your security perimeter, you need a partner dedicated to reducing that risk and making it operationally feasible. DoControl covers your SaaS.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.
We are excited to announce our expansion of DoControl’s integrated technology partnership program to include Datadog. As a leading platform provider for monitoring and security for cloud applications, the integration with Datadog allows security operations teams to have a more holistic view of risk across the mission-critical Software as a Service (SaaS) applications being leveraged to drive business enablement and productivity.
The last time the RSA Conference was a live, in-person event was right before the world as we knew it came to a screeching halt. Every technology vendor did their best to roll out “virtual” events, which were in no way comparable to the real thing. Everyone – including all of us here at DoControl – was missing the “human connection.” As a vendor that was “born out of the pandemic,” we were very excited to (for the first time!) meet face-to-face with prospects, customers, peers, partners and more to talk about all things Software as a Service (SaaS) data security.
When it comes to addressing insider risk, security starts within. Protecting sensitive company data from exfiltration and misuse requires a combination of the right people, process, and technology. Managing insider risk and preventing threats to the business is not achieved with any of these pillars individually. Modern businesses require technology that prevents and detects unauthorized access to critical assets; processes to support automated data access remediation; and people who are educated about – and watchful of – potentially risky activity and who can course-correct when it occurs. Modern organizations need all three pillars interconnected in order to protect their most critical assets.