By Michael Tsibelman, Head of Architecture – DoControl‍By Matt Dubreuil, Strategic Alliances Manager – DoControl‍By Cole Calistra, Principal Startup Solutions Architect – AWS‍By Faisal Farooq, Sr. Startup Solutions Architect – AWS

The expansion of software-as-a-service (SaaS) applications is an ongoing trend as numerous enterprises transition to cloud-based solutions. While SaaS applications greatly enhance collaboration efforts, they can concurrently introduce unmonitored security issues across an organization’s security landscape. Without proper controls, SaaS data can become overexposed and create a risk for security leaders striving to maintain oversight.

Security leaders face the dual challenge of cost reduction and resource optimization, while mitigating security threats throughout their organization. These objectives, while demanding, become daunting without the use of automation.

This is precisely where a SaaS Ecosystem Security (SES) steps in to play a crucial role. With an SES, you can centralize SaaS data across multiple applications to provide end-to-end visibility into your exposure. Additionally, you can build scalable automation to continuously monitor and control the ongoing threats.

In this post, we will dive deep into the problems facing organizations that have decentralized SaaS applications and how DoControl can help provide visibility, monitoring, and automated remediation to risks that can often be overlooked.

DoControl is an AWS Partner and AWS Marketplace Seller that’s an agentless event-driven security platform that secures sensitive data and files within business-critical SaaS applications.

Customer Story

Vox Media, a modern mass media company, relies heavily on cloud collaboration tools for efficient collaboration. Yet, keeping data secure and preventing accidental sharing of sensitive information is a major concern for their security team.

Approximately 20% of Vox Media’s SaaS documents had sharing that exceeded what was necessary, but with DoControl’s support they were able to quickly remediate that risk and build a scalable process to align with the principle of least privilege access.

“DoControl is the first product we’ve used that allowed us to address data loss prevention without requiring a large team of individuals to manage the platform,” says Mark Jacques, Director of Information Security at Vox Media. “The out-of-box solutions as well as customization allowed us to educate employees on safely sharing and quickly resolve digital loss prevention (DLP) violations. Additionally, DoControl allows us to target the highest risk areas without having negative impacts on the productivity of our employees.”

Accidental Oversharing Detection and Mitigation

• Problem: Modern businesses encounter the ongoing problem of trying to protect corporate data from overexposure in SaaS applications that are great for driving collaboration but lack capabilities for information security teams to properly protect their organizations’ sensitive data.
• Challenge: Vox Media employees collaborate internally and externally over multiple business-critical SaaS applications. In this situation, there are millions of SaaS activities requiring ongoing monitoring, risk classification, and if needed, remediation. Previously-used SaaS security solutions struggled with scale and with the accuracy of detecting and responding to relevant, potential high-risk security events.
• DoControl solution: Vox Media uses DoControl to proactively detect and mitigate accidental data oversharing within their cloud collaboration environments. DoControl’s advanced monitoring and alerting capabilities ensure sensitive information is not exposed to unauthorized individuals. When oversharing incidents are detected, DoControl automatically takes appropriate actions to restrict access or notify administrators for further review.

Employee Departure Management (Onboarding and Offboarding)

• Problem: As part of any regular offboarding process, information security or technology teams are responsible for suspending SaaS users belonging to departing employees, as well as transferring data ownership from departing employees to their managers, peers, or others as defined in each company’s playbook. Without proper data ownership transfer, there is high risk of data loss due to native data deletion processes implemented by SaaS vendors toward data owned by deleted SaaS accounts.
• Challenge: To support business continuity, data ownership must be transferred to the right individuals who need such data access to remain productive. For this, Vox Media’s information security team wanted to transfer data ownership with the right business context and extreme granularity. This way internal and external data access remain available to the right authorized individuals.
• DoControl solution: DoControl enables Vox Media to change file ownership upon the departure of an employee. DoControl is able to do this automatically by integrating with Vox Media’s identity provider (IdP) and human resources information system (HRIS) tools. This critical process is seamlessly integrated into their onboarding and offboarding procedures, ensuring departing employees no longer have access to company data.

Personal Account Sharing and Preventing Public Exposure

• Problem: SaaS users, both employees and third parties, often share internal corporate data with their personal, non-corporate SaaS account. This happens in a number of ways: 1) accidently requesting access from personal accounts; 2) accidently sharing with personal emails; or, most importantly, 3) maliciously trying to steal company information by sharing with personal accounts. When this happens, there’s a chance that former employees and former vendors may still have direct access to company data through their personal accounts. In many cases, these personal accounts don’t have multi-factor authentication (MFA) set up, which means that in the event of an account takeover attack the attacker gets direct access to company data.
• Challenge: Remediating this use case requires a sophisticated algorithm that can mitigate multiple scenarios that in some cases requires machine learning (ML) algorithms. This is easiest is when users share data with their personal email logged under their profile in the company HRIS, a scenario referred to as a one-to-one match. Next is when they share with a personal account having a similar email alias to their corporate alias. Lastly, when they share a personal account that simply looks unknown.
• DoControl solution: Vox Media was able to use DoControl to solve the scenarios above by combining multiple data sources and running ML algorithms which detect sharing with personal accounts with very high accuracy. From there, Vox Media defined a number of remediation strategies, including the involvement of the end user to input business context or even fix the issue self-service. This empowers them to take necessary actions to secure their data.

Sensitive File Handling (PII, Financial Information)

• Problem: SaaS collaboration is necessary to push the business in the modern era. However, when sensitive data is involved that’s where a company’s information security team is obligated to prevent sensitive data exfiltration.
• Challenge: There are multiple challenges with this use case. First, how to detect sensitive data, such as personally identifiable information (PII), in an accurate manner. Second, given the sensitive data is detected, how to implement different mitigation strategies for different business units, each representing different risks for the company. Lastly, defining the last mile of defense to verify that no sensitive data gets exfiltrated. Vox Media had all of these concerns, as do most companies these days.
• DoControl solution: Vox Media uses DoControl to automatically remediate sensitive files, such as PII and financial information, when accidental sharing occurs. When an end user shares a file that contains PII or financial information, DoControl automatically deletes the asset and notifies the security team of the incident.

Internal Overexposure Remediation

• Problem: Even the most collaborative organizations need to implement a “need to know” security strategy, at least for the company’s most sensitive data such as HR, financial, and customer data that often needs tighter controls.
• Challenge: To implement a “need to know” security strategy correctly, the Vox Media information security team needed to understand who is sharing, with whom, and what kind of information at any given moment, and then take remediation actions on the spot to verify no overexposure is done. With so many employees and SaaS activity events in a large organization, this could be difficult to do, even with the native SaaS security tools available.
• DoControl solution: DoControl breaks down Vox Media into organizational units, cross-referenced between SaaS activity events to internal users to business units, and applies relevant remediation actions for each and every scenario defined upfront. This solution scales up quickly and relies on reliable API-based data sources ensuring all business context is up to date.

How it’s Built

DoControl’s platform is built on Amazon Web Services (AWS) and leverages several AWS services to create the workflow functionality that enables security teams to remediate their SaaS data exposure at scale.

DoControl’s security workflows are a patented, no-code approach to a flexible and visual way to monitor, control, and remediate data access in SaaS applications. It allows users to create custom security policies based on a large number of possible events, user actions, conditions, and remediation actions.

Let’s dive behind the scenes into what makes all of that possible:

• Events can be generated from a multitude of SaaS applications, such as from an email attachment, a document being uploaded, or a chat in a messenger service.
• These events are received via a DoControl webhook endpoint and validated. They are then transferred to an Amazon EventBridge event bus and onto Amazon Kinesis.
• Events coming from Amazon Kinesis are routed to the appropriate DoControl workflows as defined by users.
• When one of these events triggers a DoControl workflow, a corresponding AWS Step Functions workflow is created and executed.
• The execution of the Step Functions workflow triggers the execution of a number of AWS Lambda functions in the order defined by the workflow to complete the required automation steps that were previously defined visually in DoControl.

• AWS Step Functions are used to manage and orchestrate the workflows, and each step in the workflow corresponds to a Lambda function. The output of one function can be used as the input to the next function, allowing customers to create complex workflows easily.
• Step Functions support error handling and retry logic, making the workflows more robust.
• DoControl creates these workflows using Amazon States Language (ASL), which is a JSON-based language.

Conclusion

The collaboration between DoControl and AWS enables the DoControl platform to benefit from an up-to-date, reliable, and secure technology.

Want to see if your organization’s SaaS data is exposed? DoControl offers a free SaaS exposure assessment to check. If you’d like to try with your own environment, be sure to visit DoControl in AWS Marketplace for a 30-day free trial.

You can also learn more about DoControl and its services by visiting the DoControl website or requesting a live demo.