Earlier this year, we announced DoControl’s no-code Security Workflows mechanism, which provides IT and security teams with the ability to create SaaS data access control workflows based on conditional logic within a no-code policy enforcement platform (you can read all about it here). In the announcement, we discussed a select few popular use cases: public sharing of PII; departing employees sharing company documents with their personal accounts; and sharing of encryption keys outside secure locations.
To support our customers and provide an optimal user experience, we released a catalog of playbooks (pre-configured templates) which can be used out-of-the-box, or easily customized to specific applications or use cases covering a wide range of threat models and scenarios.dd Even with this rich catalog of templates, we knew our customers would come up with new and exciting use cases we hadn’t thought about. In my opinion, the flexibility to easily create advanced, fully customized playbooks is the real magic behind the DoControl Security Workflows. In this post, I want to share some of the interesting use cases we’ve seen implemented by our customers:
Employees share data with external parties regularly as a part of doing business. Over time, some of these external collaborators may no longer have relationships with the organization, or the business need for the information to be shared will expire.
However, more often than not, access to documents and data is not revisited by the sharing employee, nor by the security team due to scale limitations:It is not humanly possible to keep track of what every user in the organization has shared with whom and when, and manually query the business justification for the sharing. The end result is bad data hygiene, as well as an increased risk exposure to data exfiltration and leakage.
Some of our customers have addressed this by creating an approval flow with a “loop”: A workflow that asks the sharer, after an asset has been shared for a configurable amount of time, whether the asset should remain publicly/externally shared. If external access is no longer required, DoControl will immediately remove the share. If the sharer requests to extend the access, the workflow will “loop” back to the previous “wait” step and ask again later, repeating the process until access to the data is no longer required. This time-bound looping capability is what helps enable our customers to automatically enforce least privilege at scale.
Not all data is equal. Some assets are much more sensitive than others and require extra care and awareness from the security team. In one case, a customer wanted to ensure that no individual outside of a specific group of users could download information from a SharePoint site (this example refers to SharePoint, but we’ve seen similar use cases for specific Dropbox file locations, or parent folders in Google Drive).
In these situations, a DoControl workflow can be designed to block downloads from the specified location by users outside the predetermined “safe” group. In the below example, the security team will be notified of all successful downloads to ensure complete visibility into activity within this sensitive SharePoint site.
In many cases, organizations already have an established incident response process that involves a ticketing system, such as Jira or ServiceNow, or a SIEM/SOAR solution (i.e., Datadog, Splunk, or PagerDuty to name a few). To make DoControl a meaningful part of this process, our Security Workflows allow for sending HTTP requests to open tickets/incidents in the relevant systems.
See the below example, where a malware detection on an endpoint triggers the automatic creation of a security incident in Datadog.
Our Workflows are designed to help organizations address their unique SaaS security needs while ensuring maximum operational efficiency in every scenario. These are just a few of the many use cases we’ve seen for Security Workflows, and for organizations with needs that aren’t covered here – we’d appreciate the chance to demonstrate that DoControl has a solution for you, too.