[{"data":1,"prerenderedAt":2979},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/3-steps-to-secure-your-data-across-shadow-saas-apps":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":235,"extension":1076,"faqItemsCollection":1077,"faqTitle":62,"featured":6,"hashTags":62,"meta":1079,"metaTitle":1080,"ogImage":62,"publishedDate":1081,"relatedBlogPostsCollection":1082,"slug":2953,"stem":2954,"subtitle":62,"summary":2955,"synopsis":2966,"sys":2967,"tagsCollection":2970,"__hash__":2978},"blog/blog/3-steps-to-secure-your-data-across-shadow-saas-apps.json","7 Steps to secure your data across shadow SaaS apps",{"items":230},[231],{"fullName":232,"firstName":232,"jobTitle":62,"profilePicture":233},"The Push Team",{"url":234},"https://images.ctfassets.net/y1cdw1ablpvd/7xpR9kiHAQWtZBj2rpOmmU/052ddfbb96afb37962278062047ab16d/Twitter_Linkedin_icon_white.png",{"json":236,"links":1012},{"nodeType":237,"data":238,"content":239},"document",{},[240,249,256,263,274,281,290,297,303,310,318,325,332,339,347,354,361,368,384,391,398,404,411,418,434,453,460,467,474,481,488,495,519,526,533,540,547,554,561,568,575,591,626,635,642,649,656,663,686,693,700,707,714,721,728,735,742,748,755,762,769,781,788,795,802,808,815,822,829,852,859,866,873,889,896,903,910,973,979,986,993,1000,1006],{"nodeType":241,"data":242,"content":243},"paragraph",{},[244],{"nodeType":245,"value":246,"marks":247,"data":248},"text","Employees using a new work SaaS application used to be the final step of the software-onboarding process. ",[],{},{"nodeType":241,"data":250,"content":251},{},[252],{"nodeType":245,"value":253,"marks":254,"data":255},"Now it's the first. ",[],{},{"nodeType":241,"data":257,"content":258},{},[259],{"nodeType":245,"value":260,"marks":261,"data":262},"SaaS providers bypass IT and security and hook employees with free apps and trials. This has led to sensitive data on shadow SaaS applications that’s accessible via unmanaged cloud accounts – all those accounts that aren’t protected by SSO or logged into via social login accounts. This leads to security threats because attackers know SaaS is a blind spot for most organizations.",[],{},{"nodeType":241,"data":264,"content":265},{},[266],{"nodeType":245,"value":267,"marks":268,"data":273},"Attackers exploit this unmonitored attack surface with new takes on old techniques that are going undetected.",[269,271],{"type":270},"bold",{"type":272},"italic",{},{"nodeType":241,"data":275,"content":276},{},[277],{"nodeType":245,"value":278,"marks":279,"data":280},"We’ve gone from this:",[],{},{"nodeType":282,"data":283,"content":289},"embedded-entry-block",{"target":284},{"sys":285},{"id":286,"type":287,"linkType":288},"1Dw4V0Fd0wI8yB6juzyWjg","Link","Entry",[],{"nodeType":241,"data":291,"content":292},{},[293],{"nodeType":245,"value":294,"marks":295,"data":296},"To this: ",[],{},{"nodeType":282,"data":298,"content":302},{"target":299},{"sys":300},{"id":301,"type":287,"linkType":288},"61Oj6GzX4amLxEJ5fPDJCq",[],{"nodeType":241,"data":304,"content":305},{},[306],{"nodeType":245,"value":307,"marks":308,"data":309},"Security is now coming in at the end of their old software procurement process and needs to figure out how to regain control of their data. ",[],{},{"nodeType":311,"data":312,"content":313},"heading-1",{},[314],{"nodeType":245,"value":315,"marks":316,"data":317},"You don’t want to stop employees from adopting SaaS apps… ",[],{},{"nodeType":241,"data":319,"content":320},{},[321],{"nodeType":245,"value":322,"marks":323,"data":324},"Employees self-adopting SaaS platforms might sound like a security nightmare, but it doesn’t have to be. This actually enables employees to be more productive and your business to be more competitive. ",[],{},{"nodeType":241,"data":326,"content":327},{},[328],{"nodeType":245,"value":329,"marks":330,"data":331},"This new landscape has fundamentally changed how software is brought into the business. The days of security acting as a gatekeeper that all apps must pass through before they can touch live data are over. The market forces driving self-service apps aren’t stopping, so the security industry needs to adapt.",[],{},{"nodeType":311,"data":333,"content":334},{},[335],{"nodeType":245,"value":336,"marks":337,"data":338},"What’s the impact of self-adoption on security?",[],{},{"nodeType":340,"data":341,"content":342},"heading-2",{},[343],{"nodeType":245,"value":344,"marks":345,"data":346},"Loss of visibility",[],{},{"nodeType":241,"data":348,"content":349},{},[350],{"nodeType":245,"value":351,"marks":352,"data":353},"Most SaaS providers have moved to the product-led growth (PLG) model as the fastest and easiest way to get users for their apps. They want employees to start using SaaS without going through IT and security teams’ lengthy approval processes. This SaaS vendor sales model has had a massive impact on security and introduced SaaS security risks, but most security teams are unaware of the scale and scope of the problem because they can’t get necessary visibility into all the tools and apps their employees are using.",[],{},{"nodeType":340,"data":355,"content":356},{},[357],{"nodeType":245,"value":358,"marks":359,"data":360},"Shadow SaaS",[],{},{"nodeType":241,"data":362,"content":363},{},[364],{"nodeType":245,"value":365,"marks":366,"data":367},"This problem is often called “Shadow SaaS” and it’s also the first problem to solve -  the old adage “you can’t secure what you don’t know about” is as true in the SaaS world as it is in any other security domain.",[],{},{"nodeType":241,"data":369,"content":370},{},[371,375,380],{"nodeType":245,"value":372,"marks":373,"data":374},"The lack of visibility means many IT and security teams missed the explosion of SaaS apps, plugins, extensions, and integrations that make up the modern IT stack. More crucially,",[],{},{"nodeType":245,"value":376,"marks":377,"data":379}," they’ve missed the movement of company data into these apps.",[378],{"type":272},{},{"nodeType":245,"value":381,"marks":382,"data":383}," ",[],{},{"nodeType":340,"data":385,"content":386},{},[387],{"nodeType":245,"value":388,"marks":389,"data":390},"SaaS Sprawl",[],{},{"nodeType":241,"data":392,"content":393},{},[394],{"nodeType":245,"value":395,"marks":396,"data":397},"Complicating matters further, many of these apps are duplicate, abandoned or unmanaged - an issue often called “SaaS sprawl.”",[],{},{"nodeType":282,"data":399,"content":403},{"target":400},{"sys":401},{"id":402,"type":287,"linkType":288},"5NfrrDeIPs7TE213UYly7E",[],{"nodeType":340,"data":405,"content":406},{},[407],{"nodeType":245,"value":408,"marks":409,"data":410},"Increasing incidents and impacts",[],{},{"nodeType":241,"data":412,"content":413},{},[414],{"nodeType":245,"value":415,"marks":416,"data":417},"Though security teams have lost direct visibility, they’ve not lost complete visibility and many are finding out about at least a fraction of these apps - typically by working with finance teams once employees want apps to go from free-tier to licensed plans. And all too often, security teams find out about shadow SaaS apps in the worst way possible - when something has already gone wrong and security is asked to respond to an incident on a SaaS platform.",[],{},{"nodeType":241,"data":419,"content":420},{},[421,425,430],{"nodeType":245,"value":422,"marks":423,"data":424},"In both cases, ",[],{},{"nodeType":245,"value":426,"marks":427,"data":429},"Security is getting visibility too late to be of much value",[428],{"type":272},{},{"nodeType":245,"value":431,"marks":432,"data":433},". Once a team has been using an app (even on a free tier) for a year, there’s not much Security can do that will convince employees/teams to move to a more secure app. ",[],{},{"nodeType":241,"data":435,"content":436},{},[437,443,448],{"nodeType":245,"value":438,"marks":439,"data":442},"To change that, Security needs to intervene and get involved very early in the app adoption process ",[440,441],{"type":270},{"type":272},{},{"nodeType":245,"value":444,"marks":445,"data":447},"- long before finance is involved.",[446],{"type":272},{},{"nodeType":245,"value":381,"marks":449,"data":452},[450,451],{"type":270},{"type":272},{},{"nodeType":241,"data":454,"content":455},{},[456],{"nodeType":245,"value":457,"marks":458,"data":459},"Incident Response is necessary, of course, when a SaaS account is breached, but can’t recover the lost data after attackers have had access to it. ",[],{},{"nodeType":340,"data":461,"content":462},{},[463],{"nodeType":245,"value":464,"marks":465,"data":466},"Holy S*it - there are so many apps!",[],{},{"nodeType":241,"data":468,"content":469},{},[470],{"nodeType":245,"value":471,"marks":472,"data":473},"Once teams get visibility into the scope of the Shadow SaaS and sprawl problem, they’re usually surprised by the sheer volume of apps employees have adopted. \n\nThen they realize they need to do risk assessments on dozens of apps a month instead of the dozen a year that were going through IT in the old, managed and controlled process. To deal with this massive influx of new apps, security teams feel they must either radically increase the headcount, cut corners or drastically increase acceptable risk levels for data security. Neither of these are great options.",[],{},{"nodeType":340,"data":475,"content":476},{},[477],{"nodeType":245,"value":478,"marks":479,"data":480},"This is why SSPMs and CASBs exist, right?",[],{},{"nodeType":241,"data":482,"content":483},{},[484],{"nodeType":245,"value":485,"marks":486,"data":487},"SaaS Security Posture Management (SSPMs) and Cloud Access Security Brokers (CASBs) are the most common categories of solutions meant to attack this visibility blindspot issue, but none of these tools are getting the full picture of the problem. ",[],{},{"nodeType":241,"data":489,"content":490},{},[491],{"nodeType":245,"value":492,"marks":493,"data":494},"At best, they simply chip away at the problem and make security feel like they’ve got a handle on employee-adopted SaaS. At worst, they give a false sense of security while only actually covering a small portion of the SaaS apps where business data actually lives. ",[],{},{"nodeType":241,"data":496,"content":497},{},[498,502,515],{"nodeType":245,"value":499,"marks":500,"data":501},"The key thing to consider about any of these solutions is what data sources they’re using to collect (typically network data, financial records, email data, application or endpoint data). We won’t dig into the full list of pros and cons of these types of tools, but we encourage you to read about them more ",[],{},{"nodeType":503,"data":504,"content":508},"entry-hyperlink",{"target":505},{"sys":506},{"id":507,"type":287,"linkType":288},"45iZ69EdPF4629gZ6yf7p5",[509],{"nodeType":245,"value":510,"marks":511,"data":514},"here",[512],{"type":513},"underline",{},{"nodeType":245,"value":516,"marks":517,"data":518},". ",[],{},{"nodeType":241,"data":520,"content":521},{},[522],{"nodeType":245,"value":523,"marks":524,"data":525},"SSPM tools typically don’t do SaaS discovery - they don’t find apps employees log into, but they do tackle the application hardening and monitoring problem because they focus on policy enforcement and log-monitoring through APIs. ",[],{},{"nodeType":241,"data":527,"content":528},{},[529],{"nodeType":245,"value":530,"marks":531,"data":532},"Both SSPMs and CASBs make sense logically as a way to regain control of the situation. But we’d like to challenge the thinking that regaining control has to mean enforcing rigid security policies and restricting app access. ",[],{},{"nodeType":311,"data":534,"content":535},{},[536],{"nodeType":245,"value":537,"marks":538,"data":539},"Adjust your thinking to secure SaaS",[],{},{"nodeType":340,"data":541,"content":542},{},[543],{"nodeType":245,"value":544,"marks":545,"data":546},"Resist the temptation to revert to the old ways ",[],{},{"nodeType":241,"data":548,"content":549},{},[550],{"nodeType":245,"value":551,"marks":552,"data":553},"When the idea of the options above proves daunting or impossible, Security often tries to revert to the old process - putting security measures in place to regain the ability to set the pace of adoption by re-establishing the gate. ",[],{},{"nodeType":241,"data":555,"content":556},{},[557],{"nodeType":245,"value":558,"marks":559,"data":560},"Practically, this means that you’re deploying technical controls to try block all SaaS apps until they are approved (and marked as allowed) by IT or Security. Technically, this makes total sense. But the unforeseen consequence is that it positions Security as blockers (aka the “Department of No”) and puts them at odds with the rest of the business, rather than working towards a shared goal. ",[],{},{"nodeType":340,"data":562,"content":563},{},[564],{"nodeType":245,"value":565,"marks":566,"data":567},"Why being the “Department of No” doesn’t work ",[],{},{"nodeType":241,"data":569,"content":570},{},[571],{"nodeType":245,"value":572,"marks":573,"data":574},"This block-everything-until-security-approves-it position requires incredible executive support to maintain. For all but the most risk-sensitive organizations (read .gov), this position also normalizes employee behavior to bypass Security in favor of working quickly and effectively. ",[],{},{"nodeType":241,"data":576,"content":577},{},[578,582,587],{"nodeType":245,"value":579,"marks":580,"data":581},"In the end, Security actually ",[],{},{"nodeType":245,"value":583,"marks":584,"data":586},"loses visibility",[585],{"type":272},{},{"nodeType":245,"value":588,"marks":589,"data":590}," into employee SaaS use and effectively loses control, rather than locking it down. On behalf of all the employees out there, I want to make a point to say employees aren’t trying to break rules Security put in place, they’re just trying to get their jobs done, and might try and find ways around things they see as unreasonably slowing them down or preventing them from reaching their targets. Seen in this light, it’s no surprise that:",[],{},{"nodeType":592,"data":593,"content":594},"unordered-list",{},[595,606,616],{"nodeType":596,"data":597,"content":598},"list-item",{},[599],{"nodeType":241,"data":600,"content":601},{},[602],{"nodeType":245,"value":603,"marks":604,"data":605},"If you block websites, employees bypass network controls, ",[],{},{"nodeType":596,"data":607,"content":608},{},[609],{"nodeType":241,"data":610,"content":611},{},[612],{"nodeType":245,"value":613,"marks":614,"data":615},"if you block social logins, employees use passwords, ",[],{},{"nodeType":596,"data":617,"content":618},{},[619],{"nodeType":241,"data":620,"content":621},{},[622],{"nodeType":245,"value":623,"marks":624,"data":625},"if you stop them using work devices to sign up to apps, they use personal devices.",[],{},{"nodeType":241,"data":627,"content":628},{},[629],{"nodeType":245,"value":630,"marks":631,"data":634},"Each blocking action leads to a worse security outcome and blinds the security team further - losing control rather than regaining it.",[632,633],{"type":270},{"type":272},{},{"nodeType":241,"data":636,"content":637},{},[638],{"nodeType":245,"value":639,"marks":640,"data":641},"You can attempt to delay this process by blocking, or you can adapt.",[],{},{"nodeType":340,"data":643,"content":644},{},[645],{"nodeType":245,"value":646,"marks":647,"data":648},"Don’t worry, there’s a better way, but you must adapt your thinking",[],{},{"nodeType":241,"data":650,"content":651},{},[652],{"nodeType":245,"value":653,"marks":654,"data":655},"The first thing we need to do as an industry is agree that we don’t want to be the blockers. We don’t want to stop employees from self-adopting apps. We understand they are best placed to find and select the tools that are going to allow them to be more productive and help your company succeed. ",[],{},{"nodeType":241,"data":657,"content":658},{},[659],{"nodeType":245,"value":660,"marks":661,"data":662},"We need to:",[],{},{"nodeType":592,"data":664,"content":665},{},[666,676],{"nodeType":596,"data":667,"content":668},{},[669],{"nodeType":241,"data":670,"content":671},{},[672],{"nodeType":245,"value":673,"marks":674,"data":675},"embrace SaaS app self-adoption, and ",[],{},{"nodeType":596,"data":677,"content":678},{},[679],{"nodeType":241,"data":680,"content":681},{},[682],{"nodeType":245,"value":683,"marks":684,"data":685},"stop asking employees to adapt to fit our legacy processes. ",[],{},{"nodeType":241,"data":687,"content":688},{},[689],{"nodeType":245,"value":690,"marks":691,"data":692},"Security can no longer be a gate with a default stance of “No, until.” Instead Security needs to be a partner that says “Yes, unless.”",[],{},{"nodeType":340,"data":694,"content":695},{},[696],{"nodeType":245,"value":697,"marks":698,"data":699},"From the “Department of No” to the “Department of Yes, Unless?”",[],{},{"nodeType":241,"data":701,"content":702},{},[703],{"nodeType":245,"value":704,"marks":705,"data":706},"To adapt to this new SaaS-first world, security must move from saying “No, until we’ve had time to fully vet and onboard this app officially” to “Yes! You can use that app, unless we quickly identify security risks that outweigh the value of the tool.”",[],{},{"nodeType":241,"data":708,"content":709},{},[710],{"nodeType":245,"value":711,"marks":712,"data":713},"We know this is deeply uncomfortable for many security practitioners, but it will lead to a better long-term outcome.",[],{},{"nodeType":311,"data":715,"content":716},{},[717],{"nodeType":245,"value":718,"marks":719,"data":720},"How to regain control of the SaaS explosion",[],{},{"nodeType":340,"data":722,"content":723},{},[724],{"nodeType":245,"value":725,"marks":726,"data":727},"Step 1: Understand how employees typically test drive and eventually adopt SaaS",[],{},{"nodeType":241,"data":729,"content":730},{},[731],{"nodeType":245,"value":732,"marks":733,"data":734},"Obviously, self-adoption of SaaS is fundamentally different to IT/Security adopted and managed from a risk perspective. With SaaS, there’s no giant commitment upfront. Apps don’t (usually) just go from unknown and unused to adopted in a day. Just like adopting software was a process for Security and IT back in the day, employees follow a (less rigid) process with SaaS - from testing > to using > to finding value > to inviting teammates, etc. ",[],{},{"nodeType":241,"data":736,"content":737},{},[738],{"nodeType":245,"value":739,"marks":740,"data":741},"The risk grows as we proceed through the adoption process as employees add more data into the app and integrate it with other apps. The workflow below outlines a fairly typical SaaS testing and adopting process for employees:",[],{},{"nodeType":282,"data":743,"content":747},{"target":744},{"sys":745},{"id":746,"type":287,"linkType":288},"2nzyuXDxjBGZN0YMvskGak",[],{"nodeType":340,"data":749,"content":750},{},[751],{"nodeType":245,"value":752,"marks":753,"data":754},"Step 2: Get involved early to have a real security impact",[],{},{"nodeType":241,"data":756,"content":757},{},[758],{"nodeType":245,"value":759,"marks":760,"data":761},"The upside for Security is that because SaaS adoption is a process over time, we can use that time to assess the risk of the app before it’s fully adopted, as long as we know about the app from the start. ",[],{},{"nodeType":241,"data":763,"content":764},{},[765],{"nodeType":245,"value":766,"marks":767,"data":768},"The goal is to catch those apps that are high risk, either because the data going into them (or that will be) is high risk or because the app can perform some high-risk action (like managing your inventory or sending emails to customers or your behalf). Security can focus their efforts on these high-risk vendors and apps to make sure they can be trusted with their data. ",[],{},{"nodeType":241,"data":770,"content":771},{},[772,776],{"nodeType":245,"value":773,"marks":774,"data":775},"But this is key: ",[],{},{"nodeType":245,"value":777,"marks":778,"data":780},"Security needs to get involved early in the adoption process. ",[779],{"type":272},{},{"nodeType":340,"data":782,"content":783},{},[784],{"nodeType":245,"value":785,"marks":786,"data":787},"Step 3: Get real-time visibility into SaaS apps and risks as employees sign up for them",[],{},{"nodeType":241,"data":789,"content":790},{},[791],{"nodeType":245,"value":792,"marks":793,"data":794},"You guessed it - Push can help!",[],{},{"nodeType":241,"data":796,"content":797},{},[798],{"nodeType":245,"value":799,"marks":800,"data":801},"We detect employees signing up to new apps and integrating third-party apps to your core work platforms in real-time. That allows you to step in at the earliest opportunity to vet the app for critical issues and guide the employee through the appropriate app onboarding steps. This allows you to focus on the new stuff and buy yourself time. ",[],{},{"nodeType":282,"data":803,"content":807},{"target":804},{"sys":805},{"id":806,"type":287,"linkType":288},"1hqMZl60NhvhHIfnO7FttV",[],{"nodeType":340,"data":809,"content":810},{},[811],{"nodeType":245,"value":812,"marks":813,"data":814},"Step 4: Avoid wasting time on false-positives",[],{},{"nodeType":241,"data":816,"content":817},{},[818],{"nodeType":245,"value":819,"marks":820,"data":821},"You need to trust your data if you want to take action based on the visibility you have of what apps employees are using and how they’re using them. Doing risk assessments or chasing employees about apps they’re not using wastes time and burns goodwill. ",[],{},{"nodeType":241,"data":823,"content":824},{},[825],{"nodeType":245,"value":826,"marks":827,"data":828},"Good data allows you to:",[],{},{"nodeType":592,"data":830,"content":831},{},[832,842],{"nodeType":596,"data":833,"content":834},{},[835],{"nodeType":241,"data":836,"content":837},{},[838],{"nodeType":245,"value":839,"marks":840,"data":841},"Quickly and accurately identify new SaaS apps and integrations as employees adopt them. ",[],{},{"nodeType":596,"data":843,"content":844},{},[845],{"nodeType":241,"data":846,"content":847},{},[848],{"nodeType":245,"value":849,"marks":850,"data":851},"Identify the security issues that attackers can exploit to compromise your data through common attacks like Credential Stuffing. ",[],{},{"nodeType":340,"data":853,"content":854},{},[855],{"nodeType":245,"value":856,"marks":857,"data":858},"Step 5: Use Browser extension data to get the most accurate and useful data for SaaS visibility and risk ",[],{},{"nodeType":241,"data":860,"content":861},{},[862],{"nodeType":245,"value":863,"marks":864,"data":865},"Push collects data directly from the app using a browser extension, rather than guessing possible use from other sources like network traffic or email. ",[],{},{"nodeType":241,"data":867,"content":868},{},[869],{"nodeType":245,"value":870,"marks":871,"data":872},"That makes Push the only SaaS security solution that can directly observe all SaaS use and the only solution that can identify account security issues across hundreds of apps - completely automatically. ",[],{},{"nodeType":241,"data":874,"content":875},{},[876,880,885],{"nodeType":245,"value":877,"marks":878,"data":879},"No need for API support, no need for an admin account. It just works. For ",[],{},{"nodeType":245,"value":881,"marks":882,"data":884},"all",[883],{"type":270},{},{"nodeType":245,"value":886,"marks":887,"data":888}," your SaaS.",[],{},{"nodeType":340,"data":890,"content":891},{},[892],{"nodeType":245,"value":893,"marks":894,"data":895},"Step 6: Identify account security risks and discover shadow SaaS at the same time",[],{},{"nodeType":241,"data":897,"content":898},{},[899],{"nodeType":245,"value":900,"marks":901,"data":902},"Of course you need to start by discovering SaaS and getting a reliable inventory - but this on its own won’t stop accounts on those apps from getting breached. The most common way SaaS accounts are breached is through attacks like credential stuffing that target weak, breached or shared passwords on accounts that don’t have MFA enabled. ",[],{},{"nodeType":241,"data":904,"content":905},{},[906],{"nodeType":245,"value":907,"marks":908,"data":909},"Push can identify account security issues to prevent these common attacks. These include:",[],{},{"nodeType":592,"data":911,"content":912},{},[913,923,933,943,953,963],{"nodeType":596,"data":914,"content":915},{},[916],{"nodeType":241,"data":917,"content":918},{},[919],{"nodeType":245,"value":920,"marks":921,"data":922},"Compromised passwords",[],{},{"nodeType":596,"data":924,"content":925},{},[926],{"nodeType":241,"data":927,"content":928},{},[929],{"nodeType":245,"value":930,"marks":931,"data":932},"Guessable passwords",[],{},{"nodeType":596,"data":934,"content":935},{},[936],{"nodeType":241,"data":937,"content":938},{},[939],{"nodeType":245,"value":940,"marks":941,"data":942},"Account-sharing between multiple employees",[],{},{"nodeType":596,"data":944,"content":945},{},[946],{"nodeType":241,"data":947,"content":948},{},[949],{"nodeType":245,"value":950,"marks":951,"data":952},"Sharing passwords across multiple accounts",[],{},{"nodeType":596,"data":954,"content":955},{},[956],{"nodeType":241,"data":957,"content":958},{},[959],{"nodeType":245,"value":960,"marks":961,"data":962},"Missing MFA",[],{},{"nodeType":596,"data":964,"content":965},{},[966],{"nodeType":241,"data":967,"content":968},{},[969],{"nodeType":245,"value":970,"marks":971,"data":972},"Password manager use",[],{},{"nodeType":282,"data":974,"content":978},{"target":975},{"sys":976},{"id":977,"type":287,"linkType":288},"3hR2N6WoP5WDyD6O6zdJP1",[],{"nodeType":241,"data":980,"content":981},{},[982],{"nodeType":245,"value":983,"marks":984,"data":985},"We identify these issues at the same time we discover shadow SaaS apps, so you can tackle account compromise at the same time as SaaS discovery to reduce your SaaS security risk exposure faster.",[],{},{"nodeType":340,"data":987,"content":988},{},[989],{"nodeType":245,"value":990,"marks":991,"data":992},"Step 7: Automatically reduce the risks we find by engaging employees",[],{},{"nodeType":241,"data":994,"content":995},{},[996],{"nodeType":245,"value":997,"marks":998,"data":999},"How do we actually reduce the risks? We engage employees directly via Slack or MS Teams, explain the account security issue we’ve identified in a way they’ll understand, and help them understand how it’s putting them and the business at risk. Then we guide them on how to fix it.",[],{},{"nodeType":282,"data":1001,"content":1005},{"target":1002},{"sys":1003},{"id":1004,"type":287,"linkType":288},"7Hgf81IlfZKoUMOp26ZXmq",[],{"nodeType":241,"data":1007,"content":1008},{},[1009],{"nodeType":245,"value":29,"marks":1010,"data":1011},[],{},{"entries":1013},{"inline":1014,"hyperlink":1015,"block":1021},[],[1016],{"sys":1017,"__typename":1018,"title":1019,"slug":1020},{"id":507},"BlogPosts","How to roll-your-own SaaS discovery","rolling-your-own-saas-discovery",[1022,1031,1038,1046,1054,1062,1070],{"sys":1023,"__typename":1024,"title":1025,"caption":1026,"layoutMode":62,"file":1027},{"id":286},"Image","Old software procurement process","Traditional software procurement process",{"url":1028,"width":1029,"height":1030},"https://images.ctfassets.net/y1cdw1ablpvd/5WwGnHoSxS9HFJMNYNrn4V/16c03fe426dce8a4d131a6185dcc9dc7/image__33_.png",1412,502,{"sys":1032,"__typename":1024,"title":1033,"caption":1034,"layoutMode":62,"file":1035},{"id":301},"New way of procuring software due to PLG","The new way of procuring software due to PLG",{"url":1036,"width":1029,"height":1037},"https://images.ctfassets.net/y1cdw1ablpvd/1bwMESg7gXQ5XsSYJax69u/664c3d2a124535c98c68e6d20432ce02/image__32_.png",634,{"sys":1039,"__typename":1024,"title":1040,"caption":1040,"layoutMode":1041,"file":1042},{"id":402},"SaaS sprawl","Centre aligned",{"url":1043,"width":1044,"height":1045},"https://images.ctfassets.net/y1cdw1ablpvd/1KIj9P7eQ7UfOWgnUmTWUU/5f9d7369dd1ce148227db632aa1fabc7/image1.png",1731,658,{"sys":1047,"__typename":1024,"title":1048,"caption":1049,"layoutMode":1041,"file":1050},{"id":746},"Get in early to assess SaaS apps","\"Yes, unless\" is a good fit for self adoption because risk increases gradually",{"url":1051,"width":1052,"height":1053},"https://images.ctfassets.net/y1cdw1ablpvd/6KEFysuMJJS96lSqhGCGDV/f99004f71f088ff37e0fbbc0d81cff38/image8.png",1758,864,{"sys":1055,"__typename":1024,"title":1056,"caption":1057,"layoutMode":1041,"file":1058},{"id":806},"Slack message new app alert for Security team","Channel message to security team via Slack about new app ",{"url":1059,"width":1060,"height":1061},"https://images.ctfassets.net/y1cdw1ablpvd/6CKhrva6Jh3jpHfnt0Maq5/edeeac0b00f1109e8601016f5a6e0c63/image17.png",1999,1034,{"sys":1063,"__typename":1024,"title":1064,"caption":1065,"layoutMode":1041,"file":1066},{"id":977},"Push's account security dashboard","Push's account security dashboard shows you which accounts need attention",{"url":1067,"width":1068,"height":1069},"https://images.ctfassets.net/y1cdw1ablpvd/2LmWdqq57ZdIXHUSublBLK/eed71e0fa5c3039ae06f780c64057651/image4.png",1580,945,{"sys":1071,"__typename":1024,"title":1072,"caption":1073,"layoutMode":1041,"file":1074},{"id":1004},"Slack message to employee about MFA","Slack message to employee about enabling MFA for their SaaS account",{"url":1075,"width":1060,"height":1061},"https://images.ctfassets.net/y1cdw1ablpvd/1vWInHTSFEwt2kTXj0SK1I/5312ff9147b78837a71e367c9a59492f/image11.png","json",{"items":1078},[],{},"Secure your data across shadow SaaS apps in 7 steps","2023-06-26T00:00:00.000Z",{"items":1083},[1084,2558],{"__typename":1018,"sys":1085,"content":1087,"title":2536,"synopsis":2537,"hashTags":62,"publishedDate":2538,"slug":2539,"tagsCollection":2540,"authorsCollection":2550},{"id":1086},"3ic4Ok5kwIE8UuUClhPFPn",{"json":1088},{"nodeType":237,"data":1089,"content":1090},{},[1091,1098,1105,1111,1118,1125,1132,1139,1146,1189,1196,1203,1210,1217,1224,1229,1236,1243,1250,1258,1265,1272,1279,1286,1293,1300,1307,1328,1334,1341,1348,1360,1368,1375,1380,1387,1394,1400,1407,1416,1432,1456,1463,1469,1476,1483,1488,1494,1500,1507,1514,1521,1528,1548,1555,1562,1569,1576,1590,1620,1629,1635,1642,1649,1656,1663,1670,1677,1682,1689,1696,1703,1710,1717,1724,1744,1751,1757,1764,1787,1794,1801,1834,1841,1848,1855,1862,1875,1882,1953,1960,1967,1990,1996,2003,2010,2017,2050,2057,2457,2464,2483,2490,2499,2515,2522,2529],{"nodeType":311,"data":1092,"content":1093},{},[1094],{"nodeType":245,"value":1095,"marks":1096,"data":1097},"Introduction",[],{},{"nodeType":241,"data":1099,"content":1100},{},[1101],{"nodeType":245,"value":1102,"marks":1103,"data":1104},"Employees using a new work app used to be the final step of the software-onboarding process. ",[],{},{"nodeType":241,"data":1106,"content":1107},{},[1108],{"nodeType":245,"value":253,"marks":1109,"data":1110},[],{},{"nodeType":241,"data":1112,"content":1113},{},[1114],{"nodeType":245,"value":1115,"marks":1116,"data":1117},"SaaS vendors bypass IT and security and hook employees with free apps and trials. This has led to sensitive data on shadow SaaS applications (more on this later) that is accessible via unmanaged cloud accounts (accounts that aren’t protected by SSO or logged into via social login accounts). Attackers exploit this unmonitored attack surface with new takes on old techniques that are going undetected.",[],{},{"nodeType":241,"data":1119,"content":1120},{},[1121],{"nodeType":245,"value":1122,"marks":1123,"data":1124},"Employees self-adopting apps might sound like a security nightmare, but it doesn’t have to be. In fact, it can be a really good thing that enables employees to be more productive and your business to be more competitive. And, frankly, there’s no way to stop it without causing a SaaS sprawl issue. ",[],{},{"nodeType":241,"data":1126,"content":1127},{},[1128],{"nodeType":245,"value":1129,"marks":1130,"data":1131},"What’s clear is that this new landscape has fundamentally changed the way software is brought into the business. The days of security acting as a gatekeeper that all apps must pass through before they can touch live data are over. The market forces driving self-service apps aren’t stopping, so the security industry needs to adapt.",[],{},{"nodeType":241,"data":1133,"content":1134},{},[1135],{"nodeType":245,"value":1136,"marks":1137,"data":1138},"Security teams need to regain visibility and control over company data and how it’s secured. ",[],{},{"nodeType":241,"data":1140,"content":1141},{},[1142],{"nodeType":245,"value":1143,"marks":1144,"data":1145},"In this guide I’ll show security teams: ",[],{},{"nodeType":592,"data":1147,"content":1148},{},[1149,1159,1169,1179],{"nodeType":596,"data":1150,"content":1151},{},[1152],{"nodeType":241,"data":1153,"content":1154},{},[1155],{"nodeType":245,"value":1156,"marks":1157,"data":1158},"What’s driving employee app self-adoption and the impact on security teams",[],{},{"nodeType":596,"data":1160,"content":1161},{},[1162],{"nodeType":241,"data":1163,"content":1164},{},[1165],{"nodeType":245,"value":1166,"marks":1167,"data":1168},"Why the go-to solutions of policies and tools that block access to unsanctioned apps don’t work",[],{},{"nodeType":596,"data":1170,"content":1171},{},[1172],{"nodeType":241,"data":1173,"content":1174},{},[1175],{"nodeType":245,"value":1176,"marks":1177,"data":1178},"What new approaches can work and how to apply them",[],{},{"nodeType":596,"data":1180,"content":1181},{},[1182],{"nodeType":241,"data":1183,"content":1184},{},[1185],{"nodeType":245,"value":1186,"marks":1187,"data":1188},"The two aspects to address when securing SaaS and managing risk ",[],{},{"nodeType":241,"data":1190,"content":1191},{},[1192],{"nodeType":245,"value":1193,"marks":1194,"data":1195},"At the end of this book, we’ll link to a guide filled with practical guidance on how to manage those risks and quickly reduce your risk exposure. In that guide, we’ll also cover which data sources are available for SaaS security and why the choice is crucial.",[],{},{"nodeType":241,"data":1197,"content":1198},{},[1199],{"nodeType":245,"value":1200,"marks":1201,"data":1202},"The guidance provided here has been developed after talking with security leaders and CISOs that are already successfully embracing SaaS self-adoption while keeping a handle on risks. There are too many folks here to thank personally, but if you recognize some of this from our discussions, please accept my thanks, and hopefully there’s something new and useful here for you as well!",[],{},{"nodeType":311,"data":1204,"content":1205},{},[1206],{"nodeType":245,"value":1207,"marks":1208,"data":1209},"Why is it so easy for employees to self-adopt new apps without IT?",[],{},{"nodeType":340,"data":1211,"content":1212},{},[1213],{"nodeType":245,"value":1214,"marks":1215,"data":1216},"Memories of a simpler time",[],{},{"nodeType":241,"data":1218,"content":1219},{},[1220],{"nodeType":245,"value":1221,"marks":1222,"data":1223},"Before cloud computing was a thing, IT teams procured and managed hardware, software, networks and services for their businesses. The business was dependent on IT deploying new software across their on-prem network and managing it, so it was nearly impossible to bypass them. They became, in effect, the gatekeepers to the business’ IT environment. The onboarding process typically looked something like this:",[],{},{"nodeType":282,"data":1225,"content":1228},{"target":1226},{"sys":1227},{"id":286,"type":287,"linkType":288},[],{"nodeType":241,"data":1230,"content":1231},{},[1232],{"nodeType":245,"value":1233,"marks":1234,"data":1235},"IT asked Security to review a new app and its vendor to identify risks and determine if it should be adopted. At this point, security would specify which controls were required for it to be used securely. This all happened  before an app touched their network and interacted with any live data.",[],{},{"nodeType":241,"data":1237,"content":1238},{},[1239],{"nodeType":245,"value":1240,"marks":1241,"data":1242},"In return, Security could rely on IT to give them accurate information about all the businesses’ technology assets that needed to be protected. This process gave both teams great visibility across their total IT environment. Security and IT could maintain a high degree of control over how technology was used. ",[],{},{"nodeType":241,"data":1244,"content":1245},{},[1246],{"nodeType":245,"value":1247,"marks":1248,"data":1249},"In other words, life was wonderful and no one ever got hacked (maybe, it’s hard to remember now). Then the cloud happened and ruined everything.",[],{},{"nodeType":241,"data":1251,"content":1252},{},[1253],{"nodeType":245,"value":1254,"marks":1255,"data":1257},"Clearly I’m joking, but while very few orgs got it perfect, it was “good enough” at providing process-driven visibility of what enterprise software was being deployed for most.",[1256],{"type":272},{},{"nodeType":340,"data":1259,"content":1260},{},[1261],{"nodeType":245,"value":1262,"marks":1263,"data":1264},"The birth of the “as-a-Service” era",[],{},{"nodeType":241,"data":1266,"content":1267},{},[1268],{"nodeType":245,"value":1269,"marks":1270,"data":1271},"I jest, the cloud hasn’t ruined everything. It gave organizations the opportunity to be faster, more flexible and more efficient. Businesses no longer had to buy and manage all their own infrastructure and apps, they could just pay for what they used when they needed it. It led to a wave of “as-a-service” business models that stretched across infrastructure, platforms and software. ",[],{},{"nodeType":241,"data":1273,"content":1274},{},[1275],{"nodeType":245,"value":1276,"marks":1277,"data":1278},"Thousands of new software-as-a-service (SaaS) companies emerged with high quality apps that were easy to use over the internet. Essentially SaaS created software employees could use on-demand, which was a huge departure from the old days when IT and Security would do loads of security vetting upfront because they knew they’d be stuck with the software for years after deploying.",[],{},{"nodeType":241,"data":1280,"content":1281},{},[1282],{"nodeType":245,"value":1283,"marks":1284,"data":1285},"Leveraging great on-demand software tools boosted employee productivity and made their businesses more competitive. Tech-savvy employees, used to subscribing to on-demand software services in their personal lives, started to demand more autonomy over the technology they use at work. They were no longer satisfied with the generic suite of programs that IT could provide for them. Instead, they wanted the specialist tools designed and built for people like them by people like them. ",[],{},{"nodeType":241,"data":1287,"content":1288},{},[1289],{"nodeType":245,"value":1290,"marks":1291,"data":1292},"Despite users loving the software once they tried it, SaaS vendors were struggling to sell into large organizations with complicated procurement processes - it was too difficult to get their software in user's hands, and got more difficult the more niche and specialized the app was.",[],{},{"nodeType":340,"data":1294,"content":1295},{},[1296],{"nodeType":245,"value":1297,"marks":1298,"data":1299},"The rise of Product-Led Growth",[],{},{"nodeType":241,"data":1301,"content":1302},{},[1303],{"nodeType":245,"value":1304,"marks":1305,"data":1306},"Enter Wes Bush, a young SaaS marketer who published his book Product Led Growth in 2019. In it, he showed SaaS vendors how they can increase their sales revenues while reducing their sales cycles and costs by using their products as their primary go-to-market vehicle, as opposed to traditional sales teams. ",[],{},{"nodeType":241,"data":1308,"content":1309},{},[1310,1314,1324],{"nodeType":245,"value":1311,"marks":1312,"data":1313},"The premise is simple; prospective customers prefer to experience the value of a product rather than be told about it by sales people. Back in 2015 Forrester ",[],{},{"nodeType":1315,"data":1316,"content":1318},"hyperlink",{"uri":1317},"https://www.forrester.com/blogs/15-04-14-death_of_a_b2b_salesman/",[1319],{"nodeType":245,"value":1320,"marks":1321,"data":1323},"reported",[1322],{"type":513},{},{"nodeType":245,"value":1325,"marks":1326,"data":1327}," that 75% of B2B buyers prefer a sales-rep-free buying process. The book became a phenomenon within the SaaS industry. Product-led growth (PLG) is now the norm for SaaS companies, and around 60% of SaaS companies now use PLG and that’s only going to increase.",[],{},{"nodeType":282,"data":1329,"content":1333},{"target":1330},{"sys":1331},{"id":1332,"type":287,"linkType":288},"747PuaJ26IbolPB1ugxd2h",[],{"nodeType":241,"data":1335,"content":1336},{},[1337],{"nodeType":245,"value":1338,"marks":1339,"data":1340},"Why is PLG turning software adoption on its head? In order to establish a PLG go-to-market motion, SaaS vendors need end users to try their product, either as a free trial or a free version of the app, and quickly experience value from it so  they’re motivated to champion the internal business case through to a successful purchase. ",[],{},{"nodeType":241,"data":1342,"content":1343},{},[1344],{"nodeType":245,"value":1345,"marks":1346,"data":1347},"PLG not only relies upon end users as the initial adopters of a new app, but for them to experience meaningful value during that initial experience. This nearly always necessitates that the new app interacts with real data in a live environment. What’s more, it’s only the apps that end users want to use in a paid tier that are likely to ever get submitted to the app-onboarding process. The freemium and trial versions of apps that are just tried out are unlikely to ever be presented to IT and security. ",[],{},{"nodeType":241,"data":1349,"content":1350},{},[1351,1355],{"nodeType":245,"value":1352,"marks":1353,"data":1354},"This obviously poses a problem from an IT and security standpoint.",[],{},{"nodeType":245,"value":1356,"marks":1357,"data":1359}," ",[1358],{"type":270},{},{"nodeType":241,"data":1361,"content":1362},{},[1363],{"nodeType":245,"value":1364,"marks":1365,"data":1367},"SaaS vendors are deliberately bypassing the traditional software procurement processes that used to give IT and security teams visibility of the third party apps that had their data. ",[1366],{"type":270},{},{"nodeType":241,"data":1369,"content":1370},{},[1371],{"nodeType":245,"value":1372,"marks":1373,"data":1374},"Instead, SaaS vendors are directly targeting employees with their apps and encouraging them to plug them straight into live environments before they’ve been vetted. Software onboarding now looks a lot more like this:",[],{},{"nodeType":282,"data":1376,"content":1379},{"target":1377},{"sys":1378},{"id":301,"type":287,"linkType":288},[],{"nodeType":340,"data":1381,"content":1382},{},[1383],{"nodeType":245,"value":1384,"marks":1385,"data":1386},"IT and security teams might be the last to know about PLG and miss the scale of the change",[],{},{"nodeType":241,"data":1388,"content":1389},{},[1390],{"nodeType":245,"value":1391,"marks":1392,"data":1393},"IT & security folks are usually ahead of the curve when it comes to technology shifts, but in this case many might have missed the scale or speed of the change. That’s because IT and security tools are among the least product-led of any sector. Most of our industry’s tools require heavy integrations, complicated setup, agent deployments, and so on. ",[],{},{"nodeType":282,"data":1395,"content":1399},{"target":1396},{"sys":1397},{"id":1398,"type":287,"linkType":288},"2ldVELsUQIU0xaPSPJyXBR",[],{"nodeType":241,"data":1401,"content":1402},{},[1403],{"nodeType":245,"value":1404,"marks":1405,"data":1406},"Unfortunately, few security companies are making products as easy to set up and use as new tools for marketing, sales, finance, development, engineering design, legal, HR, and basically every other sector that can’t rely on a technical first user. ",[],{},{"nodeType":241,"data":1408,"content":1409},{},[1410],{"nodeType":245,"value":1411,"marks":1412,"data":1415},"This leads to a misconception in IT and Security teams that self-adopted apps are fringe and don’t contain significant sensitive data.",[1413,1414],{"type":272},{"type":270},{},{"nodeType":241,"data":1417,"content":1418},{},[1419,1423,1428],{"nodeType":245,"value":1420,"marks":1421,"data":1422},"Most concerning for security teams is that ",[],{},{"nodeType":245,"value":1424,"marks":1425,"data":1427},"the sheer number of apps in use has increased dramatically",[1426],{"type":270},{},{"nodeType":245,"value":1429,"marks":1430,"data":1431}," and will continue to do so. There are a couple reasons for this: ",[],{},{"nodeType":1433,"data":1434,"content":1435},"ordered-list",{},[1436,1446],{"nodeType":596,"data":1437,"content":1438},{},[1439],{"nodeType":241,"data":1440,"content":1441},{},[1442],{"nodeType":245,"value":1443,"marks":1444,"data":1445},"The big old monolithic on-prem software is being replaced not by a single SaaS app, but an ecosystem of specialized apps. Each new app integrates and extends the functionality as the team using the stack learns what they need, so there is a one-to-many shift happening. ",[],{},{"nodeType":596,"data":1447,"content":1448},{},[1449],{"nodeType":241,"data":1450,"content":1451},{},[1452],{"nodeType":245,"value":1453,"marks":1454,"data":1455},"Since apps are virtually zero-maintenance these days, the operating cost (if not the licensing cost) of running multiple apps is almost the same as one (compared to on-prem apps), so duplicate apps are far less of a problem. This also makes them pretty common and further multiplies the number of apps and vendors.",[],{},{"nodeType":311,"data":1457,"content":1458},{},[1459],{"nodeType":245,"value":1460,"marks":1461,"data":1462},"The impact of self-adoption on security",[],{},{"nodeType":340,"data":1464,"content":1465},{},[1466],{"nodeType":245,"value":344,"marks":1467,"data":1468},[],{},{"nodeType":241,"data":1470,"content":1471},{},[1472],{"nodeType":245,"value":1473,"marks":1474,"data":1475},"We’ve seen how SaaS vendors' move to PLG has led to greater employee self-adoption of work apps that don’t require IT or Security to be involved. The direct consequence of this is that Security teams have lost process-driven visibility of their company’s SaaS estate. This problem is often called “Shadow SaaS.” It is also the first problem to solve -  the old adage “you can’t secure what you don’t know about” is as true in the SaaS world as it is in any other security domain.",[],{},{"nodeType":241,"data":1477,"content":1478},{},[1479],{"nodeType":245,"value":1480,"marks":1481,"data":1482},"The lack of visibility means many IT and security teams missed the explosion of SaaS apps, plugins, extensions, and integrations that make up the modern IT stack.  More crucially, they’ve missed the movement of company data into these apps. Complicating matters further, many of these apps are duplicate, abandoned or unmanaged - an issue often called “SaaS sprawl.”",[],{},{"nodeType":282,"data":1484,"content":1487},{"target":1485},{"sys":1486},{"id":402,"type":287,"linkType":288},[],{"nodeType":340,"data":1489,"content":1490},{},[1491],{"nodeType":245,"value":408,"marks":1492,"data":1493},[],{},{"nodeType":241,"data":1495,"content":1496},{},[1497],{"nodeType":245,"value":415,"marks":1498,"data":1499},[],{},{"nodeType":241,"data":1501,"content":1502},{},[1503],{"nodeType":245,"value":1504,"marks":1505,"data":1506},"In both cases, security is getting visibility too late to be of much value. Once a team has been using an app (even on a free tier) for a year, there is very little Security can do that will convince them to move to a more secure app, or for multiple teams to use a single app. Typically, this intervention from Security needs to happen very early - long before finance is involved - in order to make a positive impact. ",[],{},{"nodeType":241,"data":1508,"content":1509},{},[1510],{"nodeType":245,"value":1511,"marks":1512,"data":1513},"Incident Response is necessary, of course, when a SaaS account is breached (or an ex-employee SaaS account that was never properly offboarded), but cannot recover the lost data after the proverbial horse has bolted. It’s now possible to get into the process early, so security teams can get ahead of the problem to reduce the risk.",[],{},{"nodeType":241,"data":1515,"content":1516},{},[1517],{"nodeType":245,"value":1518,"marks":1519,"data":1520},"Another situation that is increasingly pressing, and difficult for security teams to deal with is the increasingly regular: “App X has just had a major breach, are we using AppX, is any of our data there?” It’s an embarrassing situation to not be able to answer these questions.",[],{},{"nodeType":340,"data":1522,"content":1523},{},[1524],{"nodeType":245,"value":1525,"marks":1526,"data":1527},"Core problem",[],{},{"nodeType":241,"data":1529,"content":1530},{},[1531,1535,1544],{"nodeType":245,"value":1532,"marks":1533,"data":1534},"Once teams get visibility into the scope of the Shadow SaaS and sprawl problem, they find that Security no longer dictates the pace of adoption. They’re also typically surprised by the sheer volume of apps employees have adopted. A ",[],{},{"nodeType":1315,"data":1536,"content":1538},{"uri":1537},"https://ascendixtech.com/number-saas-companies-statistics/",[1539],{"nodeType":245,"value":1540,"marks":1541,"data":1543},"report from Ascendix",[1542],{"type":513},{},{"nodeType":245,"value":1545,"marks":1546,"data":1547}," claims that “by the end of 2023, there will be anywhere from 30,000-72,000 SaaS companies in operation.” Clearly these aren’t all work apps or hyper specialized, but there should be no doubt that we aren’t talking about a few dozen apps being adopted.",[],{},{"nodeType":241,"data":1549,"content":1550},{},[1551],{"nodeType":245,"value":1552,"marks":1553,"data":1554},"Once teams get visibility of the pace that news apps are added they realize they need to risk assess dozens of apps a month instead of the dozen a year that were going through IT in the old, managed and controlled process. To deal with this massive influx of new apps, security teams feel they must either radically increase the headcount, cut corners or drastically increase acceptable risk levels for data security. None of these are pleasant options.",[],{},{"nodeType":340,"data":1556,"content":1557},{},[1558],{"nodeType":245,"value":1559,"marks":1560,"data":1561},"Temptation to revert to the old ways of block-first",[],{},{"nodeType":241,"data":1563,"content":1564},{},[1565],{"nodeType":245,"value":1566,"marks":1567,"data":1568},"When the idea of the options above proves daunting or impossible, Security often tries to revert to the old process - regain the ability to set the pace of adoption by re-establishing the gate. Practically, this means that you’re deploying technical controls to try block all SaaS apps until they are approved (and marked as allowed) by IT or Security. Cloud Access Security Brokers (CASBs) were built to do exactly this - help security teams control (and block) access to “unsanctioned” SaaS that IT hasn’t approved (incidentally I think this explains why the CASB segment has failed). ",[],{},{"nodeType":241,"data":1570,"content":1571},{},[1572],{"nodeType":245,"value":1573,"marks":1574,"data":1575},"Technically, this makes total sense. But the unforeseen consequence is that it positions Security as blockers (aka the “department of no”), and puts them at odds with the rest of the business, rather than working towards a shared goal. ",[],{},{"nodeType":241,"data":1577,"content":1578},{},[1579,1583,1587],{"nodeType":245,"value":1580,"marks":1581,"data":1582},"This block-everything-until-security-approves-it position requires incredible executive support to maintain. For all but the most risk-sensitive organizations (read .gov), this position also normalizes employee behavior to bypass Security in favor of working quickly and effectively. In the end, Security actually ",[],{},{"nodeType":245,"value":583,"marks":1584,"data":1586},[1585],{"type":272},{},{"nodeType":245,"value":588,"marks":1588,"data":1589},[],{},{"nodeType":592,"data":1591,"content":1592},{},[1593,1602,1611],{"nodeType":596,"data":1594,"content":1595},{},[1596],{"nodeType":241,"data":1597,"content":1598},{},[1599],{"nodeType":245,"value":603,"marks":1600,"data":1601},[],{},{"nodeType":596,"data":1603,"content":1604},{},[1605],{"nodeType":241,"data":1606,"content":1607},{},[1608],{"nodeType":245,"value":613,"marks":1609,"data":1610},[],{},{"nodeType":596,"data":1612,"content":1613},{},[1614],{"nodeType":241,"data":1615,"content":1616},{},[1617],{"nodeType":245,"value":623,"marks":1618,"data":1619},[],{},{"nodeType":241,"data":1621,"content":1622},{},[1623],{"nodeType":245,"value":1624,"marks":1625,"data":1628},"Each blocking action leads to a worse security outcome, and blinds the security team further - losing control rather than regaining it.",[1626,1627],{"type":272},{"type":270},{},{"nodeType":241,"data":1630,"content":1631},{},[1632],{"nodeType":245,"value":639,"marks":1633,"data":1634},[],{},{"nodeType":340,"data":1636,"content":1637},{},[1638],{"nodeType":245,"value":1639,"marks":1640,"data":1641},"Surely there’s a better way",[],{},{"nodeType":241,"data":1643,"content":1644},{},[1645],{"nodeType":245,"value":1646,"marks":1647,"data":1648},"Of course we think there’s a better way, or we wouldn’t have written this. And don’t call me Shirley. ",[],{},{"nodeType":241,"data":1650,"content":1651},{},[1652],{"nodeType":245,"value":1653,"marks":1654,"data":1655},"The first thing we need to do as an industry is agree that we don’t want to be the blockers. We don’t want to stop employees from self-adopting apps. We understand they are best placed to find and select the tools that are going to allow them to be more productive and help your company succeed. We need to embrace SaaS app self-adoption. Stop asking employees to adapt to fit our legacy processes and meet them halfway. Security can no longer be a gate with a default stance of “No, until.” Instead Security needs to be a business enablement partner that says “Yes, unless.”",[],{},{"nodeType":340,"data":1657,"content":1658},{},[1659],{"nodeType":245,"value":1660,"marks":1661,"data":1662},"Yes, unless?",[],{},{"nodeType":241,"data":1664,"content":1665},{},[1666],{"nodeType":245,"value":1667,"marks":1668,"data":1669},"To adapt to this new SaaS-first world, security must move from saying “No, until we’ve had time to fully vet and onboard this app officially” to “Yes! You can use that app, unless we quickly identify security risks that outweigh the value of the tool.” I understand this is deeply uncomfortable for many security practitioners (as it still is for me), but let me explain why I think this leads to a better long-term outcome.",[],{},{"nodeType":241,"data":1671,"content":1672},{},[1673],{"nodeType":245,"value":1674,"marks":1675,"data":1676},"Obviously, self-adoption of SaaS is fundamentally different to IT/Security adopted and managed from a risk perspective. With SaaS, there’s no giant commitment upfront. SaaS apps aren’t forever - quite the opposite! Apps aren’t just unused and not-adopted and then suddenly fully-adopted. Just like adopting software was a process for Security and IT back in the day, employees follow a (less rigid) process with SaaS - from testing > to using > to finding value > to inviting teammates, etc. The risk grows as we proceed through the adoption process as employees add more data into the app and integrate it with other apps. ",[],{},{"nodeType":282,"data":1678,"content":1681},{"target":1679},{"sys":1680},{"id":746,"type":287,"linkType":288},[],{"nodeType":241,"data":1683,"content":1684},{},[1685],{"nodeType":245,"value":1686,"marks":1687,"data":1688},"The upside for Security is that because SaaS adoption is a process over time, we can use that time to assess the risk of the app before it’s fully adopted, as long as we know about the app from the start. Luckily, many apps employees are using might ultimately be very low risk, so not every app will require a full security vetting like you would have done in the old-school process.",[],{},{"nodeType":241,"data":1690,"content":1691},{},[1692],{"nodeType":245,"value":1693,"marks":1694,"data":1695},"Our role as Security is to catch those apps that are high risk, either because the data going into them (or that will be) is high risk or because the app can perform some high-risk action (like managing your inventory or sending emails to customers or your behalf). Security can focus their efforts on these high-risk vendors and apps to make sure they can be trusted with their data. But the key thing is that Security needs to get involved early in the adoption process. ",[],{},{"nodeType":241,"data":1697,"content":1698},{},[1699],{"nodeType":245,"value":1700,"marks":1701,"data":1702},"I’m getting into the details now - so this feels like a good time to take a step back and think about the elements that make up a SaaS security program.",[],{},{"nodeType":311,"data":1704,"content":1705},{},[1706],{"nodeType":245,"value":1707,"marks":1708,"data":1709},"What’s a good SaaS security program?",[],{},{"nodeType":241,"data":1711,"content":1712},{},[1713],{"nodeType":245,"value":1714,"marks":1715,"data":1716},"The shared-responsibility model between cloud platforms and their customers is a great place to start, as it helps customers understand what their responsibilities are, and which responsibilities they’re delegating to their cloud provider.",[],{},{"nodeType":340,"data":1718,"content":1719},{},[1720],{"nodeType":245,"value":1721,"marks":1722,"data":1723},"Delegate to the cloud provider when you can ",[],{},{"nodeType":241,"data":1725,"content":1726},{},[1727,1731,1740],{"nodeType":245,"value":1728,"marks":1729,"data":1730},"It’s ",[],{},{"nodeType":1315,"data":1732,"content":1734},{"uri":1733},"https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model",[1735],{"nodeType":245,"value":1736,"marks":1737,"data":1739},"generally preferable",[1738],{"type":513},{},{"nodeType":245,"value":1741,"marks":1742,"data":1743}," to delegate as much responsibility as possible to the cloud provider, so it’s no surprise that the SaaS model is the most common and fastest growing sector.",[],{},{"nodeType":241,"data":1745,"content":1746},{},[1747],{"nodeType":245,"value":1748,"marks":1749,"data":1750},"The following summary table produced by the National Cyber Security Centre (NCSC) does a great job at showing how much of the balance of security responsibility is outsourced to the SaaS provider. For reference, IaaS = infrastructure-as-a-service; PaaS = platform-as-a-service; SaaS = software-as-a-service:",[],{},{"nodeType":282,"data":1752,"content":1756},{"target":1753},{"sys":1754},{"id":1755,"type":287,"linkType":288},"17rMTpxgCAU5ropjkGIIjK",[],{"nodeType":241,"data":1758,"content":1759},{},[1760],{"nodeType":245,"value":1761,"marks":1762,"data":1763},"According to NCSC, the customer is responsible only for:",[],{},{"nodeType":1433,"data":1765,"content":1766},{},[1767,1777],{"nodeType":596,"data":1768,"content":1769},{},[1770],{"nodeType":241,"data":1771,"content":1772},{},[1773],{"nodeType":245,"value":1774,"marks":1775,"data":1776},"The configuration of the SaaS app and ",[],{},{"nodeType":596,"data":1778,"content":1779},{},[1780],{"nodeType":241,"data":1781,"content":1782},{},[1783],{"nodeType":245,"value":1784,"marks":1785,"data":1786},"Making sure that the identity and access control features provided by the vendor are used properly.",[],{},{"nodeType":241,"data":1788,"content":1789},{},[1790],{"nodeType":245,"value":1791,"marks":1792,"data":1793},"It’s worth pointing out here that the way application configuration is presented here is a bit of a red herring. The vast majority of SaaS apps (and especially self-adopted apps) allow very little, if any, configuration. Sure, the big core apps like Salesforce, Google Workspace, Microsoft 365 do (and often require a dedicated team or partner to run them), but they are highly unlikely to be self-adopted by employees.  As far as configuration is concerned, Security teams will often be limited to enabling “force MFA for all users” or “disallow public sharing” type of controls that are accessible even to non-technical users.",[],{},{"nodeType":241,"data":1795,"content":1796},{},[1797],{"nodeType":245,"value":1798,"marks":1799,"data":1800},"For the vast majority of apps in the organization, Security’s responsibility will boil down to:",[],{},{"nodeType":592,"data":1802,"content":1803},{},[1804,1814,1824],{"nodeType":596,"data":1805,"content":1806},{},[1807],{"nodeType":241,"data":1808,"content":1809},{},[1810],{"nodeType":245,"value":1811,"marks":1812,"data":1813},"Account security, i.e. making sure MFA and SSO (where available) is in place. ",[],{},{"nodeType":596,"data":1815,"content":1816},{},[1817],{"nodeType":241,"data":1818,"content":1819},{},[1820],{"nodeType":245,"value":1821,"marks":1822,"data":1823},"Ensuring  employees are using strong passwords, especially if MFA and/or SSO aren’t available.",[],{},{"nodeType":596,"data":1825,"content":1826},{},[1827],{"nodeType":241,"data":1828,"content":1829},{},[1830],{"nodeType":245,"value":1831,"marks":1832,"data":1833},"Removing external accounts (and accounts for those that have left the company) when no longer needed.",[],{},{"nodeType":241,"data":1835,"content":1836},{},[1837],{"nodeType":245,"value":1838,"marks":1839,"data":1840},"Isn’t it risky to delegate responsibility? While delegating security responsibilities is great and takes a huge load off your team, we do, unfortunately, need to consider who we’re delegating it to. Those gray boxes in the diagram above need to be taken care of.",[],{},{"nodeType":241,"data":1842,"content":1843},{},[1844],{"nodeType":245,"value":1845,"marks":1846,"data":1847},"This is what’s sometimes understood as “supply chain” security. You need to trust the SaaS vendor to uphold their end of the bargain and, more often than not, also the SaaS/cloud vendors they use (their sub-processors) as well.",[],{},{"nodeType":241,"data":1849,"content":1850},{},[1851],{"nodeType":245,"value":1852,"marks":1853,"data":1854},"This sounds a lot scarier than it is and in practice many SaaS vendors do a great job, with many providing easy-to-audit, externally-verified, policies through a framework such as SOC2, and most do regular penetration tests and have bug bounty programs etc.",[],{},{"nodeType":241,"data":1856,"content":1857},{},[1858],{"nodeType":245,"value":1859,"marks":1860,"data":1861},"There are exceptions when it makes sense to think more carefully about whether a third party can be trusted. Common reasons Push customers have cited for not trusting third parties include; ",[],{},{"nodeType":592,"data":1863,"content":1864},{},[1865],{"nodeType":596,"data":1866,"content":1867},{},[1868],{"nodeType":241,"data":1869,"content":1870},{},[1871],{"nodeType":245,"value":1872,"marks":1873,"data":1874},"The data going into these apps is simply too high risk. Many organizations have very sensitive customer information or intellectual property that they simply aren’t willing to entrust to a third party. Many don’t trust a third party with administrative access to the systems where this data is held.",[],{},{"nodeType":241,"data":1876,"content":1877},{},[1878],{"nodeType":245,"value":1879,"marks":1880,"data":1881},"If the data in the app, or the access the app has represents some significant (but not unacceptable) risk, you may also care about:",[],{},{"nodeType":592,"data":1883,"content":1884},{},[1885,1933,1943],{"nodeType":596,"data":1886,"content":1887},{},[1888],{"nodeType":241,"data":1889,"content":1890},{},[1891,1895,1904,1908,1917,1920,1929],{"nodeType":245,"value":1892,"marks":1893,"data":1894},"Vendors who’ve had a string of repeated breaches or security incidents. This is troubling because it’s a fairly common pattern for attackers to breach apps in ways that don’t impact customer information, but then use the information they learn from these breaches to launch far more successful breaches in future. Consider the string of breaches at ",[],{},{"nodeType":1315,"data":1896,"content":1898},{"uri":1897},"https://www.bleepingcomputer.com/search/?q=lastpass+breach",[1899],{"nodeType":245,"value":1900,"marks":1901,"data":1903},"LastPass",[1902],{"type":513},{},{"nodeType":245,"value":1905,"marks":1906,"data":1907},", ",[],{},{"nodeType":1315,"data":1909,"content":1911},{"uri":1910},"https://www.bleepingcomputer.com/search/?q=okta+breach",[1912],{"nodeType":245,"value":1913,"marks":1914,"data":1916},"Okta",[1915],{"type":513},{},{"nodeType":245,"value":1905,"marks":1918,"data":1919},[],{},{"nodeType":1315,"data":1921,"content":1923},{"uri":1922},"https://www.bleepingcomputer.com/search/?q=twilio+breach",[1924],{"nodeType":245,"value":1925,"marks":1926,"data":1928},"Twilio",[1927],{"type":513},{},{"nodeType":245,"value":1930,"marks":1931,"data":1932}," (and many others) or as a typical example of this.",[],{},{"nodeType":596,"data":1934,"content":1935},{},[1936],{"nodeType":241,"data":1937,"content":1938},{},[1939],{"nodeType":245,"value":1940,"marks":1941,"data":1942},"Products that don’t offer adequate security features. Customers expect features such as MFA, SSO (either social login through OIDC or, ideally, SAML), and the ability to enforce these controls. This is especially important on platforms where the data is high-risk.",[],{},{"nodeType":596,"data":1944,"content":1945},{},[1946],{"nodeType":241,"data":1947,"content":1948},{},[1949],{"nodeType":245,"value":1950,"marks":1951,"data":1952},"The vendor operates in a sanctioned country or may not have the resources to adequately protect your data. Clearly vendors operating from (or that have close ties with) sanctioned or politically-complicated countries represent additional risk, as do vendors that are “one man bands” or are so small that it is hard to imagine they can afford to spend significant resources on security.",[],{},{"nodeType":340,"data":1954,"content":1955},{},[1956],{"nodeType":245,"value":1957,"marks":1958,"data":1959},"The two questions you need to ask to assess risk ",[],{},{"nodeType":241,"data":1961,"content":1962},{},[1963],{"nodeType":245,"value":1964,"marks":1965,"data":1966},"The essence of the shared-responsibility model can summarized as two questions:",[],{},{"nodeType":1433,"data":1968,"content":1969},{},[1970,1980],{"nodeType":596,"data":1971,"content":1972},{},[1973],{"nodeType":241,"data":1974,"content":1975},{},[1976],{"nodeType":245,"value":1977,"marks":1978,"data":1979},"Should we be using this app?",[],{},{"nodeType":596,"data":1981,"content":1982},{},[1983],{"nodeType":241,"data":1984,"content":1985},{},[1986],{"nodeType":245,"value":1987,"marks":1988,"data":1989},"Are we using it securely?",[],{},{"nodeType":282,"data":1991,"content":1995},{"target":1992},{"sys":1993},{"id":1994,"type":287,"linkType":288},"ToDXz2MBbEygwtJjiIKRX",[],{"nodeType":241,"data":1997,"content":1998},{},[1999],{"nodeType":245,"value":2000,"marks":2001,"data":2002},"A successful SaaS security program must address both these questions. We can’t spend all our time doing risk assessments and due diligence exercises on our supply chain while dropping the ball on account security. Similarly, we can’t just focus on making sure all accounts have MFA in place when the vendor is leaving the back door open.",[],{},{"nodeType":311,"data":2004,"content":2005},{},[2006],{"nodeType":245,"value":2007,"marks":2008,"data":2009},"When shared responsibility goes wrong",[],{},{"nodeType":241,"data":2011,"content":2012},{},[2013],{"nodeType":245,"value":2014,"marks":2015,"data":2016},"The following is an extract of some well-covered recent(ish) breaches of SaaS companies. As we go through it, pay attention to which side is dropping the ball in terms of the shared responsibility. The same organization can be:",[],{},{"nodeType":592,"data":2018,"content":2019},{},[2020,2030,2040],{"nodeType":596,"data":2021,"content":2022},{},[2023],{"nodeType":241,"data":2024,"content":2025},{},[2026],{"nodeType":245,"value":2027,"marks":2028,"data":2029},"the source of a breach, ",[],{},{"nodeType":596,"data":2031,"content":2032},{},[2033],{"nodeType":241,"data":2034,"content":2035},{},[2036],{"nodeType":245,"value":2037,"marks":2038,"data":2039},"the ultimate target that motivated a breach at a partner that was a softer target, ",[],{},{"nodeType":596,"data":2041,"content":2042},{},[2043],{"nodeType":241,"data":2044,"content":2045},{},[2046],{"nodeType":245,"value":2047,"marks":2048,"data":2049},"or simply the unlucky victim of a breach further down its supply chain.",[],{},{"nodeType":241,"data":2051,"content":2052},{},[2053],{"nodeType":245,"value":2054,"marks":2055,"data":2056},"That’s the thing about supply chain attacks, organizations are the attacker’s stepping stones. Where they are in the attack chain determines how we label their victims. ",[],{},{"nodeType":2058,"data":2059,"content":2060},"table",{},[2061,2088,2169,2226,2269,2394],{"nodeType":2062,"data":2063,"content":2064},"table-row",{},[2065,2077],{"nodeType":2066,"data":2067,"content":2068},"table-cell",{},[2069],{"nodeType":241,"data":2070,"content":2071},{},[2072],{"nodeType":245,"value":2073,"marks":2074,"data":2076},"Date",[2075],{"type":270},{},{"nodeType":2066,"data":2078,"content":2079},{},[2080],{"nodeType":241,"data":2081,"content":2082},{},[2083],{"nodeType":245,"value":2084,"marks":2085,"data":2087},"SaaS attack",[2086],{"type":270},{},{"nodeType":2062,"data":2089,"content":2090},{},[2091,2101],{"nodeType":2066,"data":2092,"content":2093},{},[2094],{"nodeType":241,"data":2095,"content":2096},{},[2097],{"nodeType":245,"value":2098,"marks":2099,"data":2100},"April 2021",[],{},{"nodeType":2066,"data":2102,"content":2103},{},[2104,2132],{"nodeType":241,"data":2105,"content":2106},{},[2107,2110,2119,2123,2128],{"nodeType":245,"value":29,"marks":2108,"data":2109},[],{},{"nodeType":1315,"data":2111,"content":2113},{"uri":2112},"https://about.codecov.io/security-update/",[2114],{"nodeType":245,"value":2115,"marks":2116,"data":2118},"Backdoors inserted into some Codecov.io",[2117],{"type":513},{},{"nodeType":245,"value":2120,"marks":2121,"data":2122}," (a software development SaaS) tools after a credential breach grants access to their ",[],{},{"nodeType":245,"value":2124,"marks":2125,"data":2127},"Google Cloud Project",[2126],{"type":270},{},{"nodeType":245,"value":2129,"marks":2130,"data":2131}," (cloud infrastructure SaaS).  ",[],{},{"nodeType":241,"data":2133,"content":2134},{},[2135,2139,2148,2152,2157,2161,2165],{"nodeType":245,"value":2136,"marks":2137,"data":2138},"This breach ",[],{},{"nodeType":1315,"data":2140,"content":2142},{"uri":2141},"https://www.twilio.com/blog/response-to-the-codecov-vulnerability",[2143],{"nodeType":245,"value":2144,"marks":2145,"data":2147},"affected multiple customers",[2146],{"type":513},{},{"nodeType":245,"value":2149,"marks":2150,"data":2151},", including ",[],{},{"nodeType":245,"value":2153,"marks":2154,"data":2156},"Atlassian",[2155],{"type":270},{},{"nodeType":245,"value":2158,"marks":2159,"data":2160}," (a developer and collaboration SaaS platform) and ",[],{},{"nodeType":245,"value":1925,"marks":2162,"data":2164},[2163],{"type":270},{},{"nodeType":245,"value":2166,"marks":2167,"data":2168}," (communications tooling SaaS company).  ",[],{},{"nodeType":2062,"data":2170,"content":2171},{},[2172,2182],{"nodeType":2066,"data":2173,"content":2174},{},[2175],{"nodeType":241,"data":2176,"content":2177},{},[2178],{"nodeType":245,"value":2179,"marks":2180,"data":2181},"Jan 2022",[],{},{"nodeType":2066,"data":2183,"content":2184},{},[2185],{"nodeType":241,"data":2186,"content":2187},{},[2188,2192,2196,2205,2209,2214,2218,2222],{"nodeType":245,"value":1913,"marks":2189,"data":2191},[2190],{"type":270},{},{"nodeType":245,"value":2193,"marks":2194,"data":2195}," (identity provider SaaS) ",[],{},{"nodeType":1315,"data":2197,"content":2199},{"uri":2198},"https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/",[2200],{"nodeType":245,"value":2201,"marks":2202,"data":2204},"systems breached",[2203],{"type":513},{},{"nodeType":245,"value":2206,"marks":2207,"data":2208}," through a breach at ",[],{},{"nodeType":245,"value":2210,"marks":2211,"data":2213},"Sitel",[2212],{"type":270},{},{"nodeType":245,"value":2215,"marks":2216,"data":2217},", a support partner - attackers got access to Okta’s instances of ",[],{},{"nodeType":245,"value":2153,"marks":2219,"data":2221},[2220],{"type":270},{},{"nodeType":245,"value":2223,"marks":2224,"data":2225}," Jira, Slack, Splunk, RingCentral, and support tickets through Salesforce.  ",[],{},{"nodeType":2062,"data":2227,"content":2228},{},[2229,2239],{"nodeType":2066,"data":2230,"content":2231},{},[2232],{"nodeType":241,"data":2233,"content":2234},{},[2235],{"nodeType":245,"value":2236,"marks":2237,"data":2238},"March 2022",[],{},{"nodeType":2066,"data":2240,"content":2241},{},[2242],{"nodeType":241,"data":2243,"content":2244},{},[2245,2249,2253,2257,2266],{"nodeType":245,"value":2246,"marks":2247,"data":2248},"“0ktapus” phishing toolkit targeting ",[],{},{"nodeType":245,"value":1913,"marks":2250,"data":2252},[2251],{"type":270},{},{"nodeType":245,"value":2254,"marks":2255,"data":2256}," customers ",[],{},{"nodeType":1315,"data":2258,"content":2260},{"uri":2259},"https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/",[2261],{"nodeType":245,"value":2262,"marks":2263,"data":2265},"is released",[2264],{"type":513},{},{"nodeType":245,"value":29,"marks":2267,"data":2268},[],{},{"nodeType":2062,"data":2270,"content":2271},{},[2272,2282],{"nodeType":2066,"data":2273,"content":2274},{},[2275],{"nodeType":241,"data":2276,"content":2277},{},[2278],{"nodeType":245,"value":2279,"marks":2280,"data":2281},"Aug 2022",[],{},{"nodeType":2066,"data":2283,"content":2284},{},[2285,2326,2353,2368,2387],{"nodeType":241,"data":2286,"content":2287},{},[2288,2292,2296,2300,2304,2313,2317,2322],{"nodeType":245,"value":1925,"marks":2289,"data":2291},[2290],{"type":270},{},{"nodeType":245,"value":2293,"marks":2294,"data":2295}," (one such ",[],{},{"nodeType":245,"value":1913,"marks":2297,"data":2299},[2298],{"type":270},{},{"nodeType":245,"value":2301,"marks":2302,"data":2303}," customer) ",[],{},{"nodeType":1315,"data":2305,"content":2307},{"uri":2306},"https://www.twilio.com/blog/august-2022-social-engineering-attack",[2308],{"nodeType":245,"value":2309,"marks":2310,"data":2312},"was again breached",[2311],{"type":513},{},{"nodeType":245,"value":2314,"marks":2315,"data":2316}," and attackers used access to one of their products (",[],{},{"nodeType":245,"value":2318,"marks":2319,"data":2321},"Authy",[2320],{"type":270},{},{"nodeType":245,"value":2323,"marks":2324,"data":2325},", an MFA mobile app) to bypass MFA for some of their customers. ",[],{},{"nodeType":241,"data":2327,"content":2328},{},[2329,2333,2337,2340,2349],{"nodeType":245,"value":2330,"marks":2331,"data":2332},"Attackers appear to also have used ",[],{},{"nodeType":245,"value":1925,"marks":2334,"data":2336},[2335],{"type":270},{},{"nodeType":245,"value":1356,"marks":2338,"data":2339},[],{},{"nodeType":1315,"data":2341,"content":2343},{"uri":2342},"https://www.bleepingcomputer.com/news/security/okta-one-time-mfa-passcodes-exposed-in-twilio-cyberattack/",[2344],{"nodeType":245,"value":2345,"marks":2346,"data":2348},"to gain access to SMS’s",[2347],{"type":513},{},{"nodeType":245,"value":2350,"marks":2351,"data":2352}," that were delivering Okta MFA codes to customers: ",[],{},{"nodeType":241,"data":2354,"content":2355},{},[2356,2360,2364],{"nodeType":245,"value":2357,"marks":2358,"data":2359},"This leads to a breach at",[],{},{"nodeType":245,"value":1356,"marks":2361,"data":2363},[2362],{"type":270},{},{"nodeType":245,"value":2365,"marks":2366,"data":2367},"Mailchimp (email marketing SaaS), which in turn affects many upstream customers like Digital Ocean (infrastructure hosting SaaS) and Signal Messenger",[],{},{"nodeType":241,"data":2369,"content":2370},{},[2371,2375,2384],{"nodeType":245,"value":2372,"marks":2373,"data":2374},"Klaviyo (another email marketing SaaS) ",[],{},{"nodeType":1315,"data":2376,"content":2378},{"uri":2377},"https://www.bleepingcomputer.com/news/security/email-marketing-firm-hacked-to-steal-crypto-focused-mailing-lists/",[2379],{"nodeType":245,"value":2380,"marks":2381,"data":2383},"is also impacted",[2382],{"type":513},{},{"nodeType":245,"value":516,"marks":2385,"data":2386},[],{},{"nodeType":241,"data":2388,"content":2389},{},[2390],{"nodeType":245,"value":2391,"marks":2392,"data":2393},"Breaches on these email marketing SaaS apps lead to even more downstream breaches for customers in finance and crypto spaces, such as Trezor, Edge Wallet, Cointelegraph, Ethereum FESP, Messari and Decrypt.",[],{},{"nodeType":2062,"data":2395,"content":2396},{},[2397,2407],{"nodeType":2066,"data":2398,"content":2399},{},[2400],{"nodeType":241,"data":2401,"content":2402},{},[2403],{"nodeType":245,"value":2404,"marks":2405,"data":2406},"Sept and Dec 2022",[],{},{"nodeType":2066,"data":2408,"content":2409},{},[2410],{"nodeType":241,"data":2411,"content":2412},{},[2413,2417,2426,2430,2434,2438,2453],{"nodeType":245,"value":2414,"marks":2415,"data":2416},"Product source code ",[],{},{"nodeType":1315,"data":2418,"content":2420},{"uri":2419},"https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/",[2421],{"nodeType":245,"value":2422,"marks":2423,"data":2425},"stolen from the Github repositories",[2424],{"type":513},{},{"nodeType":245,"value":2427,"marks":2428,"data":2429}," of ",[],{},{"nodeType":245,"value":1913,"marks":2431,"data":2433},[2432],{"type":270},{},{"nodeType":245,"value":2435,"marks":2436,"data":2437}," and ",[],{},{"nodeType":1315,"data":2439,"content":2441},{"uri":2440},"https://www.bleepingcomputer.com/news/security/auth0-warns-that-some-source-code-repos-may-have-been-stolen/",[2442,2448],{"nodeType":245,"value":2443,"marks":2444,"data":2447},"Auth0",[2445,2446],{"type":513},{"type":270},{},{"nodeType":245,"value":2449,"marks":2450,"data":2452}," (an Okta subsidiary",[2451],{"type":513},{},{"nodeType":245,"value":2454,"marks":2455,"data":2456}," that is also an identity provider SaaS platform)",[],{},{"nodeType":241,"data":2458,"content":2459},{},[2460],{"nodeType":245,"value":2461,"marks":2462,"data":2463},"This is a very shallow summary of a small sample of events during this time frame, but it’s interesting how interrelated these SaaS services are. Many are part of each other’s supply chains (for example, Twilio is targeted as an Okta customer itself, and used to compromise Okta customer MFA codes that are delivered by Twilio to other Okta customers) and so breaches in one SaaS have rippling effects that sometimes take months or even years to materialize after a breach occurs.",[],{},{"nodeType":241,"data":2465,"content":2466},{},[2467,2471,2479],{"nodeType":245,"value":2468,"marks":2469,"data":2470},"There’s an interesting trend to call out here: breaches at a SaaS vendor appear to lead to (or correlate with) further breaches, such as the string of breaches at ",[],{},{"nodeType":1315,"data":2472,"content":2474},{"uri":2473},"https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html",[2475],{"nodeType":245,"value":1900,"marks":2476,"data":2478},[2477],{"type":513},{},{"nodeType":245,"value":2480,"marks":2481,"data":2482},". But it’s incredibly unclear how to balance the risk of using these vendors, especially when some of these companies (like Okta) are a big part of many organization’s security strategies.",[],{},{"nodeType":241,"data":2484,"content":2485},{},[2486],{"nodeType":245,"value":2487,"marks":2488,"data":2489},"Ultimately, though… ",[],{},{"nodeType":241,"data":2491,"content":2492},{},[2493],{"nodeType":245,"value":2494,"marks":2495,"data":2498},"The root of most of these networks of supply chain attacks are simple account compromises. ",[2496,2497],{"type":270},{"type":272},{},{"nodeType":241,"data":2500,"content":2501},{},[2502,2506,2511],{"nodeType":245,"value":2503,"marks":2504,"data":2505},"While most organizations think of the supply chain aspect (should we be using this app?) as the majority of the problem, or at least the first problem to solve - ",[],{},{"nodeType":245,"value":2507,"marks":2508,"data":2510},"account security",[2509],{"type":272},{},{"nodeType":245,"value":2512,"marks":2513,"data":2514}," is ultimately at the heart of the problem. A developer or support engineer with a weak password or missing MFA is all it takes for them to get phished, kicking off this string of attacks. Unlike the complex supply chain risk questions, account security issues are straightforward to fix. We’d be a whole lot closer to securing the whole supply chain if we could improve account security for all employees across all the SaaS apps they use. ",[],{},{"nodeType":311,"data":2516,"content":2517},{},[2518],{"nodeType":245,"value":2519,"marks":2520,"data":2521},"Where do we go from here?",[],{},{"nodeType":241,"data":2523,"content":2524},{},[2525],{"nodeType":245,"value":2526,"marks":2527,"data":2528},"So we’ve discussed the domino-like string of effects from SaaS sales, to PLG, to self-adoption, to shadow SaaS, to growing SaaS risks and the news stories we read about.",[],{},{"nodeType":241,"data":2530,"content":2531},{},[2532],{"nodeType":245,"value":2533,"marks":2534,"data":2535},"We’ve unpacked the shared responsibility model - and I hope I’ve convinced you that we need to look at both the supply chain and account security side equally (and in parallel!) to manage this risk. ",[],{},"SaaS sprawl isn't a problem - if you completely change your approach","Employees using a new work app used to be the final step of the software-onboarding process. Now it's the first. Security must adapt to secure business data. \n","2023-06-22T00:00:00.000Z","saas-has-changed-how-we-adopt-software-how-should-security-adapt",{"items":2541},[2542,2546],{"sys":2543,"name":2545},{"id":2544},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2547,"name":2549},{"id":2548},"3SA5H01UkKauuiTdt0KC6q","Shadow IT",{"items":2551},[2552],{"fullName":2553,"firstName":2554,"jobTitle":2555,"profilePicture":2556},"Jacques Louw","Jacques","Co-founder / CRO",{"url":2557},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":1018,"sys":2559,"content":2561,"title":2933,"synopsis":2934,"hashTags":62,"publishedDate":2935,"slug":2936,"tagsCollection":2937,"authorsCollection":2945},{"id":2560},"19dT3oWX2H3EYtZIT3J5UO",{"json":2562},{"nodeType":237,"data":2563,"content":2564},{},[2565,2572,2579,2586,2592,2599,2619,2639,2646,2653,2660,2666,2673,2692,2712,2719,2726,2746,2762,2778,2785,2805,2812,2831,2838,2845,2852,2859,2866,2884,2891,2898,2905,2912,2919,2926],{"nodeType":241,"data":2566,"content":2567},{},[2568],{"nodeType":245,"value":2569,"marks":2570,"data":2571},"Security teams know they need full visibility into which SaaS platforms employees are using to even start focusing on SaaS management and security. Even better, they want to understand how employees are using them, right? ",[],{},{"nodeType":241,"data":2573,"content":2574},{},[2575],{"nodeType":245,"value":2576,"marks":2577,"data":2578},"Many people we talk to are starting to chip away at getting visibility into employee-adopted apps by using some combination of central information repositories such as email discovery, financial records, OAuth logs, SSO logs, web proxy logs, etc. So why would anyone want or need to use a browser extension? Browser extensions are the most effective SaaS discovery tool because they can capture employee SaaS use and adoption in real time, as employees sign up. The browser also allows us to work with the user to guide them to use SaaS more securely right where they’re working - in the browser.",[],{},{"nodeType":241,"data":2580,"content":2581},{},[2582],{"nodeType":245,"value":2583,"marks":2584,"data":2585},"We’ll dig into this topic a bit more in this article and we’d love to hear questions, concerns, and have a healthy debate on our social media channels, so hit us up!",[],{},{"nodeType":340,"data":2587,"content":2588},{},[2589],{"nodeType":245,"value":1095,"marks":2590,"data":2591},[],{},{"nodeType":241,"data":2593,"content":2594},{},[2595],{"nodeType":245,"value":2596,"marks":2597,"data":2598},"Different approaches for discovering SaaS use have unique advantages and disadvantages and the most effective solution is usually to combine several approaches that complement one another. That being said, in the case of SaaS discovery, browser extensions have some really significant advantages that can’t be matched by other approaches - so if you could only pick one approach, then a browser extension is the way to go.",[],{},{"nodeType":241,"data":2600,"content":2601},{},[2602,2606,2615],{"nodeType":245,"value":2603,"marks":2604,"data":2605},"The first point to consider is that it is extremely common for SaaS solutions to be self-adopted by individual employees or teams within a business, without working with IT or following the established procurement process. ",[],{},{"nodeType":1315,"data":2607,"content":2609},{"uri":2608},"https://track.g2.com/resources/shadow-it-statistics",[2610],{"nodeType":245,"value":2611,"marks":2612,"data":2614},"According to G2",[2613],{"type":513},{},{"nodeType":245,"value":2616,"marks":2617,"data":2618},", 80% of workers admit to using SaaS applications at work without getting approval from IT. Employees are likely to access SaaS however is easiest and most familiar for them. So, employees aren’t going to set up a full SSO connection with your own authentication provider (on the off chance that the app even provides SSO integration). They might not be using a social login using your M365/Google tenant and they might not even be using their company email to sign up/login - they could just be using a personal webmail account.",[],{},{"nodeType":241,"data":2620,"content":2621},{},[2622,2626,2635],{"nodeType":245,"value":2623,"marks":2624,"data":2625},"That leaves security teams with limited or no visibility of employee SaaS use using other centralized methods. We found that only around 30% of SaaS providers we analyzed support SSO and of those that do, many require paying for the highest cost enterprise plan in order to gain access to it - i.e. “",[],{},{"nodeType":1315,"data":2627,"content":2629},{"uri":2628},"https://sso.tax/",[2630],{"nodeType":245,"value":2631,"marks":2632,"data":2634},"The SSO tax",[2633],{"type":513},{},{"nodeType":245,"value":2636,"marks":2637,"data":2638},".” ",[],{},{"nodeType":241,"data":2640,"content":2641},{},[2642],{"nodeType":245,"value":2643,"marks":2644,"data":2645},"Many don’t support social logins and, if they do, you’ll find M365 social logins are much less commonly supported than Google, so if you’re a Microsoft house, that pushes users towards individual email/password logins, which are far less secure.",[],{},{"nodeType":340,"data":2647,"content":2648},{},[2649],{"nodeType":245,"value":2650,"marks":2651,"data":2652},"A comparison of data sources for SaaS discovery",[],{},{"nodeType":241,"data":2654,"content":2655},{},[2656],{"nodeType":245,"value":2657,"marks":2658,"data":2659},"We won’t do a deep dive of comparing data sources for SaaS discovery in this post, but here’s a quick and dirty overview. As we mentioned above, most companies (and off-the-shelf SaaS security and SaaS management tools) use some combination of the data sources depicted in the image below. ",[],{},{"nodeType":282,"data":2661,"content":2665},{"target":2662},{"sys":2663},{"id":2664,"type":287,"linkType":288},"E8ThSCqbNNa9nggaKE3p1",[],{"nodeType":241,"data":2667,"content":2668},{},[2669],{"nodeType":245,"value":2670,"marks":2671,"data":2672}," Now, it goes without saying that we’re a bit biased, but as we were deciding how to build our own SaaS discovery methods, we analyzed the pros and cons of each of these approaches before realizing that the most power was in the browser. Ease of deployment, you’ll notice, takes a bit more work than a couple other methods, but it’s worth it once you realize the powerful capabilities uniquely available in the browser. We’ll address the deployment and rollout challenges in a bit more detail later in this post. ",[],{},{"nodeType":241,"data":2674,"content":2675},{},[2676,2680,2689],{"nodeType":245,"value":2677,"marks":2678,"data":2679},"To dig into each of these approaches and how to potentially combine them to build your own SaaS discovery engine, check out ",[],{},{"nodeType":1315,"data":2681,"content":2683},{"uri":2682},"https://pushsecurity.com/blog/rolling-your-own-saas-discovery/",[2684],{"nodeType":245,"value":2685,"marks":2686,"data":2688},"this post.",[2687],{"type":513},{},{"nodeType":245,"value":381,"marks":2690,"data":2691},[],{},{"nodeType":241,"data":2693,"content":2694},{},[2695,2699,2708],{"nodeType":245,"value":2696,"marks":2697,"data":2698},"If you already know you don’t have the resources (time, team, budget) to build your own and you’re thinking about evaluating solutions, head over to ",[],{},{"nodeType":1315,"data":2700,"content":2702},{"uri":2701},"https://pushsecurity.com/blog/how-to-find-the-right-saas-security-solution-for-your-organization/",[2703],{"nodeType":245,"value":2704,"marks":2705,"data":2707},"this post",[2706],{"type":513},{},{"nodeType":245,"value":2709,"marks":2710,"data":2711}," to understand which might be the best fit for your company. ",[],{},{"nodeType":241,"data":2713,"content":2714},{},[2715],{"nodeType":245,"value":2716,"marks":2717,"data":2718},"Next, we’ll dig into how we manage our own SaaS security to provide some relevant context and we’ll explain where the browser extension fits in",[],{},{"nodeType":340,"data":2720,"content":2721},{},[2722],{"nodeType":245,"value":2723,"marks":2724,"data":2725},"A case study…with us!",[],{},{"nodeType":241,"data":2727,"content":2728},{},[2729,2733,2742],{"nodeType":245,"value":2730,"marks":2731,"data":2732},"To put this into context, we’ll use ourselves as an example, since we’re a fully SaaS-native company. Our entire business is SaaS security, we have no physical or virtual infrastructure to manage and we actively encourage our employees to self-adopt SaaS solutions to solve their own business needs. We’re also a Google workspace enterprise customer and we educate our employees to ",[],{},{"nodeType":1315,"data":2734,"content":2736},{"uri":2735},"https://pushsecurity.com/blog/should-i-let-my-employees-login-with-their-work-google-account",[2737],{"nodeType":245,"value":2738,"marks":2739,"data":2741},"always use Google social logins",[2740],{"type":513},{},{"nodeType":245,"value":2743,"marks":2744,"data":2745}," for SaaS solutions as the first choice when available ). ",[],{},{"nodeType":241,"data":2747,"content":2748},{},[2749,2753,2758],{"nodeType":245,"value":2750,"marks":2751,"data":2752},"We tuck all SaaS apps behind SSO, wherever we can and wherever our licenses will let us. And since we’re a fairly new company, we’ve been able to push social logins and “login with Google” to our employees since day one, so that’s a pretty clean and ideal world compared to the environments many security folks are working in. This means we really should be a best case example when it comes to centralized SaaS discovery methods. That said, we also use almost 100 different SaaS platforms across the company and, despite everything else above, 33% of these SaaS platforms are ",[],{},{"nodeType":245,"value":2754,"marks":2755,"data":2757},"only ",[2756],{"type":272},{},{"nodeType":245,"value":2759,"marks":2760,"data":2761},"visible because we’re using a browser extension to discover them as our employees sign up.",[],{},{"nodeType":241,"data":2763,"content":2764},{},[2765,2769,2774],{"nodeType":245,"value":2766,"marks":2767,"data":2768},"A similar company without a browser extension ",[],{},{"nodeType":245,"value":2770,"marks":2771,"data":2773},"could be missing out on a third of their SaaS platforms",[2772],{"type":270},{},{"nodeType":245,"value":2775,"marks":2776,"data":2777},". Once we look at similar stats for our customers, particularly M365 users, we see the percentage of SaaS platforms that are only discovered via the browser extension increase and this is sometimes even as high as 70-80%. If you’re serious about SaaS discovery, then you should really not settle for missing such a large percentage of platforms.",[],{},{"nodeType":340,"data":2779,"content":2780},{},[2781],{"nodeType":245,"value":2782,"marks":2783,"data":2784},"Why does a browser see so much more?",[],{},{"nodeType":241,"data":2786,"content":2787},{},[2788,2792,2801],{"nodeType":245,"value":2789,"marks":2790,"data":2791},"Since SaaS is often self-adopted, the problem can often be attributed to a decentralized problem. Many SaaS vendors even encourage this as they have a product-led growth (PLG) model and prefer the frictionless growth of a PLG model over the high-friction sales cycle in a centralized procurement model. We’ve got a ",[],{},{"nodeType":1315,"data":2793,"content":2795},{"uri":2794},"https://pushsecurity.com/webinar/securing-employee-adopted-saas-apps",[2796],{"nodeType":245,"value":2797,"marks":2798,"data":2800},"webinar with our co-founder",[2799],{"type":513},{},{"nodeType":245,"value":2802,"marks":2803,"data":2804}," on this topic if you want to explore further. ",[],{},{"nodeType":241,"data":2806,"content":2807},{},[2808],{"nodeType":245,"value":2809,"marks":2810,"data":2811},"Additionally, your average non-technical employee may not be familiar with SSO or social logins as access methods, but everyone knows how to sign-up for a website with an email address, username and password. Consequently, it’s just common for centralized data sources to end up missing a lot of SaaS use if they’re looking at logs, proxies, and other data sources.",[],{},{"nodeType":241,"data":2813,"content":2814},{},[2815,2819,2827],{"nodeType":245,"value":2816,"marks":2817,"data":2818},"Without SSO or social logins, you aren’t seeing anything via those data sources. If you use email discovery, you’ll have lots of false positives to deal with from marketing spam and you’ll only know about it for employees that used their corporate email address and for SaaS platforms that actively send out emails. If you’re relying on network data sources like web proxy data then you need to be capturing everything including home/mobile employees and even then most details will be hidden behind HTTPS connections. You could intercept and decrypt all HTTPS traffic via your proxy, but then you’d be introducing a huge security risk by decrypting all communications in one place. We’ve got a more thorough article on the topic of ",[],{},{"nodeType":1315,"data":2820,"content":2821},{"uri":2682},[2822],{"nodeType":245,"value":2823,"marks":2824,"data":2826},"SaaS discovery data sources ",[2825],{"type":513},{},{"nodeType":245,"value":2828,"marks":2829,"data":2830},"and their pros and cons to read up on, too. ",[],{},{"nodeType":241,"data":2832,"content":2833},{},[2834],{"nodeType":245,"value":2835,"marks":2836,"data":2837},"On the other hand, browsers are quickly becoming the main way people operate from a desktop environment, with the browser as the way they’re doing almost every task. Since they’re using the browser to access their apps, it makes sense to use data collected from the browser to get visibility of SaaS. It doesn’t matter if they use an SSO login, a social login, an email address/password login, a corporate email or a personal webmail account - as long as they login or access the SaaS platform from a browser, then a browser extension is best placed to see that. Wherever the user is in the world, whatever they are doing, the extension can keep an eye out.",[],{},{"nodeType":340,"data":2839,"content":2840},{},[2841],{"nodeType":245,"value":2842,"marks":2843,"data":2844},"There are so many other security benefits beyond basic visibility",[],{},{"nodeType":241,"data":2846,"content":2847},{},[2848],{"nodeType":245,"value":2849,"marks":2850,"data":2851},"We’ve covered general visibility of SaaS platforms (i.e. whether they are in use or not, what login method is in use and by who), but there’s much more useful information for managing SaaS security risks. To secure SaaS, you also need to know whether multi-factor authentication (MFA) is in use; If the password is secure; If passwords are shared between different accounts; If accounts are shared between users; If sensitive files are uploaded to a particular SaaS platform.",[],{},{"nodeType":241,"data":2853,"content":2854},{},[2855],{"nodeType":245,"value":2856,"marks":2857,"data":2858},"Some SaaS vendors may provide APIs and logs that can answer some of these questions, but this tends to be limited to the biggest or most security conscious vendors. It’s overwhelming to handle this manually because you need to consider separate integrations with all your different SaaS vendors, and that’s assuming you already know they are in use. It might be viable for some of the most important SaaS platforms you use (think Salesforce, Slack, Trello, etc.) , but it’s not easy to go much further when you have hundreds of different SaaS platforms to consider.",[],{},{"nodeType":241,"data":2860,"content":2861},{},[2862],{"nodeType":245,"value":2863,"marks":2864,"data":2865},"A browser extension, on the other hand, can see all the interactions between users and any given SaaS platform, so it can provide insights that may not be visible via a SaaS vendor’s own APIs or logs. This is especially true for fairly standardized mechanisms such as web-based logins, where it provides an easy opportunity to provide password security checks and MFA checks. ",[],{},{"nodeType":241,"data":2867,"content":2868},{},[2869,2873,2881],{"nodeType":245,"value":2870,"marks":2871,"data":2872},"Being a decentralized model, this can all be achieved without sending lots of highly sensitive data (e.g. passwords) to a centralized point. Instead, the browser extension can just report individual security findings as necessary without feeding that private data to a central repository. The Push browser extension identifies weak passwords in use, MFA status, passwords shared between different SaaS platforms and even accounts being shared by multiple different users - none of this requires sending passwords or any other sensitive data to our central servers - just the findings themselves. You can find more information about what data we collect ",[],{},{"nodeType":1315,"data":2874,"content":2876},{"uri":2875},"https://pushsecurity.com/help/audience/administrators/docs/install-the-browser-extension",[2877],{"nodeType":245,"value":510,"marks":2878,"data":2880},[2879],{"type":513},{},{"nodeType":245,"value":516,"marks":2882,"data":2883},[],{},{"nodeType":340,"data":2885,"content":2886},{},[2887],{"nodeType":245,"value":2888,"marks":2889,"data":2890},"How do I roll out a browser extension to every single employee?",[],{},{"nodeType":241,"data":2892,"content":2893},{},[2894],{"nodeType":245,"value":2895,"marks":2896,"data":2897},"Traditionally, browser extensions have been focused on self-adoption by users via a browser extension store. In that case, the user makes the decision to install, rather than IT or security managing the deployment.",[],{},{"nodeType":241,"data":2899,"content":2900},{},[2901],{"nodeType":245,"value":2902,"marks":2903,"data":2904},"However, the major browser vendors have made it easy to install and manage browser extensions centrally, as well as making them more resilient to ensure they’re both secure and cannot induce significant performance issues in the browser.",[],{},{"nodeType":241,"data":2906,"content":2907},{},[2908],{"nodeType":245,"value":2909,"marks":2910,"data":2911},"Most larger organizations will be familiar with deploying desktop software remotely using central device management software, especially for endpoint security software like anti-virus and EDR. The same idea works with a browser extension using most of the common browser and operating system combinations. The Push browser extension can be deployed centrally on Chrome, Edge, Firefox and Brave, depending on the device management software and operating system in use. ",[],{},{"nodeType":241,"data":2913,"content":2914},{},[2915],{"nodeType":245,"value":2916,"marks":2917,"data":2918},"What’s more, browser extensions consist of JavaScript running in a tightly-controlled environment with additional performance controls in place by the browser and they even auto-update too. Compare this with the common case for endpoint security software of having an agent running as SYSTEM/root and users complaining it’s stealing all their CPU cycles and centralized browser deployment starts looking like a more attractive prospect than traditional endpoint agent deployment.",[],{},{"nodeType":340,"data":2920,"content":2921},{},[2922],{"nodeType":245,"value":2923,"marks":2924,"data":2925},"Conclusion",[],{},{"nodeType":241,"data":2927,"content":2928},{},[2929],{"nodeType":245,"value":2930,"marks":2931,"data":2932},"We’re pretty into browser extensions here, but it’s not just because that’s how our product works. We’re not trying to sell you a new thing just for the sake of building something novel. Browser extensions are going to become one of the most important methods of managing SaaS security going forward. They’ve got advantages that other approaches just can’t match and centralized deployment and management is now a slick, easy and - frankly - solved problem. ",[],{},"Want to discover the full extent of your SaaS sprawl? Embrace browser extensions ","Browser extensions are the most effective SaaS discovery tool because they can capture employee SaaS use and adoption in real time, as employees sign up. ","2023-04-25T00:00:00.000Z","want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser",{"items":2938},[2939,2941],{"sys":2940,"name":2549},{"id":2548},{"sys":2942,"name":2944},{"id":2943},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":2946},[2947],{"fullName":2948,"firstName":2949,"jobTitle":2950,"profilePicture":2951},"Luke Jennings","Luke","Vice President, R&D",{"url":2952},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg","3-steps-to-secure-your-data-across-shadow-saas-apps","blog/3-steps-to-secure-your-data-across-shadow-saas-apps",{"json":2956},{"data":2957,"content":2958,"nodeType":237},{},[2959],{"data":2960,"content":2961,"nodeType":241},{},[2962],{"data":2963,"marks":2964,"value":2965,"nodeType":245},{},[],"Attackers commonly target SaaS apps because they know employees sign up without running them past IT first. Learn how to adjust to secure your data.","Attackers commonly target SaaS apps because they know employees sign up without running them past IT first. Learn how to adjust to secure your data.\n",{"id":2968,"publishedAt":2969},"6ppEa7WXiKcgLQ9yGn7q3k","2025-01-15T14:20:14.374Z",{"items":2971},[2972,2974],{"sys":2973,"name":2549},{"id":2548},{"sys":2975,"name":2977},{"id":2976},"1gZi8NrRy2v9OqPV7C4dwD","Risk management","sLdJgLuX2Sn0ISC_aIyJfvTo94diLBGzCAg-BGsoRRg",1784196720550]