If you’re reading this post, chances are you appreciate the magnitude of the vulnerability your company faces in the form of potential data exfiltration via SaaS applications. Maybe you’ve known for a while that controlling data access in SaaS apps is a huge challenge for pretty much every company, including yours. Or maybe you’ve only recently become aware of how expansive your SaaS data exposure is. Either way, you need a comprehensive solution for understanding what you need to protect, maintaining the vigilance to identify harmful activity, and automating the processes that control SaaS data access.
This post is the second in a series of three looking at the process for keeping your data safe as your organization grows increasingly reliant on SaaS applications. As we noted in the first blog on this topic, SaaS Asset Management: The First Step in Protecting Your Organization, it’s imperative to begin by creating an inventory of all relevant sources of data leakage – from data ownership to internal and external collaborators to third-party OAuth applications and more – to fully understand the risk you’re facing. (Spoiler alert for those who didn’t read that earlier post – it’s almost always much bigger than anyone imagines.)
Completing a SaaS asset management inventory marks the starting point for remediating SaaS data access exposure, but it’s just a static snapshot of where the risk lies. Next you need to know what to do with that SaaS asset management picture.
What’s Continuous Monitoring, and why is it important?
Continuous monitoring animates your SaaS asset inventory by monitoring the activities taking place in and around all of the SaaS applications your company is using. Continuous monitoring helps you understand the following:
Once you see that you may have thousands or even tens of thousands of users accessing dozens of SaaS applications and performing hundreds of thousands or millions of SaaS-related activities each week – copying, sharing, downloading, pasting, etc. – a very logical and dire question comes to mind: How can we possibly tame this beast?
Extending the baseline: Understanding normal use patterns
Just as we first had to establish the baseline for the SaaS data exposure companies face, we now need to identify what constitutes normal usage patterns. If we know what’s routine and expected, we can identify breaks from the pattern – that is, anomaly detection.
These out-of-the-ordinary patterns of data access could be executed internally by current employees, externally by third parties, or even by former employees whose access wasn’t terminated with their separation from the company. For example, if suddenly an employee or contractor is downloading massive quantities of files after only routinely accessing a handful of files daily, that’s an anomaly that should be checked out immediately. With the right SaaS data access control platform (ours), you can see this data exfiltration in its earliest stages and shut down the access before too much damage is done.
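One way to express the baseline-then-anomaly check described above, as an added example that is not DoControl's code: each user's downloads today are compared with the median and median absolute deviation of their own previous 14 days. The event tuples, account names, window and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_events():
    """Constructed sample log of (day, user, action) tuples; not real data."""
    events = []
    for day in range(1, 15):  # two weeks of routine activity
        events += [(day, "alice@corp.example", "download")] * (4 + day % 3)
        events += [(day, "bob@corp.example", "download")] * (6 + day % 3)
    events += [(15, "alice@corp.example", "download")] * 5    # ordinary day
    events += [(15, "bob@corp.example", "download")] * 480    # sudden bulk download
    events += [(15, "carol@corp.example", "download")] * 40   # dormant account wakes up
    return events

def find_anomalies(events, today, window=14, threshold=6.0, floor=20):
    """Return (user, count_today, baseline) for users far above their own norm."""
    per_user = defaultdict(lambda: defaultdict(int))
    for day, user, action in events:
        if action == "download":
            per_user[user][day] += 1
    alerts = []
    for user, per_day in per_user.items():
        current = per_day.get(today, 0)
        # Days with no activity count as zero, so a dormant account has a zero baseline.
        history = [per_day.get(d, 0) for d in range(today - window, today)]
        baseline = median(history)
        # Median absolute deviation: a spread estimate one past spike cannot inflate.
        mad = median([abs(c - baseline) for c in history]) or 1.0
        score = (current - baseline) / mad
        # The floor keeps tiny absolute counts from alerting on a quiet baseline.
        if current >= floor and score >= threshold:
            alerts.append((user, current, baseline))
    return sorted(alerts)

if __name__ == "__main__":
    for user, count, baseline in find_anomalies(build_events(), today=15):
        print(f"ALERT {user}: {count} downloads today, baseline {baseline}/day")
```

The dormant account is flagged even though 40 downloads is modest in absolute terms, because its own baseline is zero; that is the case of access that outlived the person's role.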
Sometimes, however, recognition of data exfiltration occurs after the fact. In those cases, continuous monitoring capabilities play an important role in security investigations to determine where and when the illicit access occurred, and what other activities surrounding the breach might be worth examining. All of those activities can be catalogued and reviewed later.
Further, in many industries and/or geographies, it’s essential that companies meet regulatory standards for data protection. A solution designed to continuously monitor activities in your various SaaS applications can provide compliance evidence that you’re adhering to industry or governmental data protection and privacy rules.
What’s needed for effective and efficient continuous monitoring?
To keep up with the volume of SaaS data access activity even a medium-sized company generates daily, you need to use the right tools for the job. At DoControl, one of the keys is agentless monitoring of SaaS applications. This allows organizations to easily monitor dozens of SaaS applications without trying to do so on each SaaS application individually. Agentless monitoring is a lightweight approach that requires no additional code to be deployed and minimal time and effort to maintain.
We accomplish this through the use of webhooks to get real-time updates on events of note in the various apps. Subscribing to webhooks simplifies the process of being informed of any and all changes without manual processes. DoControl subscribes to SaaS providers’ webhook events to aggregate and normalize 500+ event types into one centralized location, allowing for greater visibility across SaaS users, external collaborators, domains, and 3rd party apps.
But this information can’t be scattered across your organization or segmented into data silos. Instead, it needs to be displayed in one central location so that you have visibility into all users and assets and an aggregated view of all SaaS applications.
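The normalization step described above, sketched as an added example (not DoControl's implementation): two webhook payload shapes are mapped onto one schema and merged into a single time-ordered stream. The provider names `storage_app` and `chat_app`, their field names, the event type names and the internal domain are hypothetical, and the payloads are constructed.

```python
from datetime import datetime, timezone

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organization's own domains
ACTION_MAP = {  # hypothetical provider event names -> normalized action
    "storage_app": {"file.shared": "share", "file.downloaded": "download"},
    "chat_app": {"file_public_link": "share_public", "file_download": "download"},
}
SAMPLES = [  # constructed webhook deliveries as (source, payload)
    ("storage_app", {"eventType": "file.shared", "actor": {"email": "alice@corp.example"},
                     "fileId": "f-101", "sharedWith": "pat@partner.example",
                     "timestamp": "2024-05-01T09:30:00+02:00"}),
    ("chat_app", {"type": "file_public_link", "user_email": "bob@corp.example",
                  "file": "F202", "event_time": 1714549500}),
    ("storage_app", {"eventType": "file.restored", "actor": {"email": "guest@vendor.example"},
                     "fileId": "f-102", "timestamp": "2024-05-01T07:00:00+00:00"}),
]

def _domain(email):
    return email.rsplit("@", 1)[-1].lower() if email and "@" in email else None

def normalize(source, payload):
    """Map one provider-specific payload onto a single common event schema."""
    if source == "storage_app":
        native, actor = payload.get("eventType"), payload.get("actor", {}).get("email")
        resource, target = payload.get("fileId"), payload.get("sharedWith")
        when = datetime.fromisoformat(payload["timestamp"]).astimezone(timezone.utc)
    elif source == "chat_app":
        native, actor = payload.get("type"), payload.get("user_email")
        resource, target = payload.get("file"), None
        when = datetime.fromtimestamp(payload["event_time"], tz=timezone.utc)
    else:
        raise ValueError(f"no normalizer registered for {source!r}")
    target_domain = _domain(target)
    return {
        "source": source, "native_type": native, "resource": resource,
        # Unmapped types are kept and labelled so coverage gaps stay visible.
        "action": ACTION_MAP[source].get(native, "unmapped"),
        "actor": actor, "actor_external": _domain(actor) not in INTERNAL_DOMAINS,
        "external_share": target_domain is not None
                          and target_domain not in INTERNAL_DOMAINS,
        "time": when.isoformat(),  # always UTC, so events from all apps sort together
    }

def aggregate(deliveries):
    """Normalize every delivery and return one time-ordered stream."""
    return sorted((normalize(s, p) for s, p in deliveries), key=lambda e: e["time"])
```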
One final step to address
We’ve talked about establishing an inventory of SaaS applications previously and now we’ve addressed the question of continuous monitoring of activities by users of those applications. In our third and final blog, we’ll look at automated security workflows and how they provide you even more control over your SaaS data access.