Quick: As a security or IT pro, what’s the first thing that pops into your head when you hear the phrase “asset management?” Chances are you thought about endpoint security and the vulnerable points of your cloud infrastructure.
But what about your SaaS applications? Do you think of them and the corporate data residing in these applications as assets that need to be protected? You should. There are too many ways in which a SaaS app can provide a conduit for unwanted parties to access your corporate data and potentially cause as much harm as if you had left an endpoint unmonitored and unprotected.
Here’s another overwhelming thought: As necessary as it is to get a holistic view of your SaaS application vulnerabilities, managing assets within the SaaS applications themselves is an impossibly tedious, manual process. Fortunately, we’ve taken on the heavy lifting of automating this process, quickly giving you the full visibility you need to take charge of your SaaS asset management.
How Exposed Are You?
For most IT and security administration people, they have only the vaguest idea at best of how many people have access to their company’s data through SaaS applications. They may think in terms of a few hundred, but our work with clients shows this is usually a drastic underestimate. You may well have thousands, or even tens of thousands, of people external to the company with access to your data.
How is this possible? When you compile a list of all the SaaS applications a typical mid-to-large-sized company depends on -- CRMs, collaboration and creativity platforms, development applications, HR tools, back office solutions, and more -- the number can skyrocket quickly. Then, when you think about the different ways that colleagues, contractors, customers, prospects and partners can come into contact with assets stored in these SaaS applications, the scope of SaaS asset management facing security and IT teams simply explodes.
At DoControl, we help companies monitor and manage seven crucial data access vulnerabilities that lurk in their SaaS subscriptions:
- Public Sharing: Exposing company assets to anyone who has a link to the asset
- External Sharing: Giving access to specific people outside the corporate domain
- Personal Sharing: Employees granting themselves access to corporate assets via personal email addresses
- Outdated Permissions: Granting data access with no expiration date
- Outdated Vendors: Allowing access by external entities to persist when there are no longer legitimate business needs for such access
- Former Employees: Allowing access to persist for people who are no longer employed by the company
- Insider Threat: Allowing leaving employees to collect significant data shortly before their separation
Each of these unique data access vulnerabilities represents a potential path for bad actors to ferret their way to data you don’t want them to have. Further, in addition to the data access your employees have extended to others via sharing links they created, there’s an entire other layer of risk stemming from indirect access by third-party OAuth applications. In any of these scenarios, the data access may have been given intentionally or unintentionally, recently or long ago. Much of this persistent access may be long forgotten and remain unchecked.
Let’s Create a Baseline of Knowledge
As with all endeavors, to solve a problem you must first fully understand it. In the case of SaaS security, that means creating an inventory of all the relevant sources of data leakage. Specifically, you need to compile an exhaustive inventory of the following:
- SaaS applications
- Internal users
- External collaborators
- Third-party OAuth applications
- Centralized audit logs
- User activity
- Data exposures
- Data ownership
As you can tell from a glance, this list represents an impossible amount of work to undertake manually. But the DoControl platform automates the process and pulls all that data into a central location to give you full visibility across your company’s portfolio of SaaS applications. And it does it fast! With DoControl’s SaaS Asset Management, IT and security teams can aggregate the intelligence they need to monitor SaaS data access, identify anomalies in data movement, and remediate risky situations before they become verified security incidents.
Just the Beginning of the Process
Complete and centralized visibility is the only way you can know what you need to protect. But this asset inventory is only the first step. You need continuous monitoring of user activities within these SaaS applications to take informed action to prevent data access where it shouldn’t be granted, cut off data access where it’s no longer warranted, and stop data exfiltration wherever it’s happening. Such remediation capabilities are critical, and as with DoControl’s SaaS Asset Management, DoControl’s security workflows are supercharged with intelligent automation to make remediation at scale feasible.
We’ll look more closely at Continuous Monitoring and Automated Security Workflows in upcoming blog posts. For now, rest assured that DoControl has been engineered to address these phases of SaaS application security as well. In the meantime, explore our website to learn more about DoControl and get in touch with us to see how we can help your organization.
