min read
Aug 27, 2021

Native SaaS Security Features Not Enough to Solve Business Use Cases

Let’s talk about a certain word and the concept behind it for a second. The word is “granularity.” 


You say it’s overused to the point of becoming a buzzword? I won’t argue. But when it comes to SaaS security and data access control, the word and the concept it represents are critically important.  

Here’s what I mean: For almost all of the popular SaaS applications, the security controls don’t allow “granularity” in enforcement. They paint their restrictions with a broad brush, covering areas that should remain untouched – or they don’t paint at all. The needs of business and security must be balanced. If they’re not, the security controls are either ineffective or counterproductive. 

Let’s take a look at the areas in which granularity – or discrete enforcement, if you prefer – is needed but lacking.


Public sharing of files and data


We’ve laid out in a previous blog post the ways in which security can be compromised on SaaS applications. Public sharing – making files available to the entire public – is one of those areas.

Your organization may want to allow some of your departments to share publicly while prohibiting others. Sales and marketing, for example, can benefit from pushing content to the public quickly. Other departments such as the finance, legal and R&D departments may not want to let any of their files come into public view. 

But guess what? For applications such as Google Drive, Microsoft OneDrive, Box and Dropbox, public sharing can either be enabled or disabled. On/off, black/white -- either everyone is allowed to share publicly or no one is. 

External sharing of files and data


External sharing is similar to public sharing, but limited to one or more specific partners or outside parties. Your organization may share content with your marketing agency, public relations firm, auditors, media outlets, investors, etc.

Again, the major SaaS applications use a sledgehammer approach to external sharing. You can vanquish external sharing altogether or let everyone share and share alike. There is some ability to control the hammer: Specific external domains might escape its security pounding. But that’s not really helpful.

For example, you probably want to allow your finance department to share only with your auditor, and you likely want to ensure that your external marketing agency or PR firm can only receive material from your marketing or communications department. Or you may want to share information for a limited time, such as letting your R&D department share access to an external manufacturer for a specific product. Leaving access open beyond the time of the project might allow that manufacturing partner to snoop around and discover proprietary information it could pass along to your competitors. And once the file or database access is shared, it may be impossible with the native SaaS application controls to rein it in.


Sharing links to sensitive data internally


Inside your organization, employees may be freely sharing with each other within and across departments in potentially dangerous ways. During budget negotiations, it would be detrimental for everyone to see the information the finance department has assembled, for example, just as HR data should not be shared with anyone outside of that business unit. And a disgruntled employee who’s soon to separate from the company may be grabbing sensitive data that could hurt your organization if it were released externally or taken to a competitor.

Again, having greater control – more granularity – helps circumvent these dangers without impeding internal business needs. At minimum, you’d want to have such links expire after a set time period, as well as the ability to remove sharing links to sensitive assets before their widespread distribution can cause damage.


DoControl’s granular controls provide critical balance


At DoControl, we don’t believe in an either/or set of security features. Business is too nuanced for such heavy-handedness. We’ve designed our platform so you can selectively apply controls as needed – letting marketing share documents publicly while ensuring finance can’t, for example, or restricting R&D updates to key partners externally and internally. You can set auto-expiration dates for data access to any asset that should have limited exposure and shut off access for those no longer having a business need while preserving it for those that still do.

Even if a SaaS application could provide this level of granularity within its native security controls, the problem remains that the controls ONLY affect that single app. DoControl provides such control across ALL your SaaS applications. 


Let us show you what we mean with greater, um, granularity in a demo. We look forward to hearing from you. 


Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15  years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.

Get updates to your inbox

Our latest tips, insights, and news