[{"data":1,"prerenderedAt":981},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/how-to-discover-saas-use-without-invading-employee-privacy":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":577,"faqItemsCollection":578,"faqTitle":62,"featured":6,"hashTags":62,"meta":580,"metaTitle":581,"ogImage":62,"publishedDate":582,"relatedBlogPostsCollection":583,"slug":953,"stem":954,"subtitle":62,"summary":955,"synopsis":966,"sys":967,"tagsCollection":970,"__hash__":980},"blog/blog/how-to-discover-saas-use-without-invading-employee-privacy.json","How to discover SaaS use without invading employee privacy",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Andy Waugh","Andy","VP Product",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"json":238,"links":559},{"data":239,"content":240,"nodeType":558},{},[241,250,258,265,272,279,286,293,300,307,314,321,346,368,375,382,389,454,478,497,504,511,518,525,532,539],{"data":242,"content":243,"nodeType":249},{},[244],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"Prevention isn’t always the answer","text","heading-1",{"data":251,"content":252,"nodeType":257},{},[253],{"data":254,"marks":255,"value":256,"nodeType":248},{},[],"As a security team, our job is to help our company achieve its goals by taking risks securely. Simply using a computer represents a risk over the more traditional pen and paper, but the productivity gains clearly outweigh the risk; so the security team ensures the business takes that risk securely. Outright prevention - i.e. not using a computer - in this case, makes no sense.","paragraph",{"data":259,"content":260,"nodeType":257},{},[261],{"data":262,"marks":263,"value":264,"nodeType":248},{},[],"Of course, within how the computer operates we might choose to prevent some functionality in the name of security, but the principle remains the same - prevention usually requires a trade-off against productivity.",{"data":266,"content":267,"nodeType":249},{},[268],{"data":269,"marks":270,"value":271,"nodeType":248},{},[],"Detection, but at the cost of privacy",{"data":273,"content":274,"nodeType":257},{},[275],{"data":276,"marks":277,"value":278,"nodeType":248},{},[],"When a base level of security became more common (through better awareness, accessible knowledge, and sensible vendor defaults), attackers shifted to using techniques that couldn’t be prevented because the business relied on the underlying tools - a malicious Word doc, a sneaky PowerShell script, a dodgy PDF.",{"data":280,"content":281,"nodeType":257},{},[282],{"data":283,"marks":284,"value":285,"nodeType":248},{},[],"Now prevention wasn’t an option, the security team had to monitor usage for malicious activity. But monitoring comes at a cost. To detect when malicious activity happens, the security team needs to monitor all activity, including legitimate activity. So, while a detection approach doesn’t restrict what a user can do, it comes at the cost of their privacy.",{"data":287,"content":288,"nodeType":249},{},[289],{"data":290,"marks":291,"value":292,"nodeType":248},{},[],"Building trust with your users",{"data":294,"content":295,"nodeType":257},{},[296],{"data":297,"marks":298,"value":299,"nodeType":248},{},[],"In either case, when introducing security controls you should aim to justify and explain this decision to your users, remembering that security’s job is to help them do their jobs securely - it shouldn’t be for them to figure out how to do their jobs within the confines of what the security team has decided is OK. A security team should be more like the secret service, than the prison service.",{"data":301,"content":302,"nodeType":257},{},[303],{"data":304,"marks":305,"value":306,"nodeType":248},{},[],"Although, of course, many employees won’t have much interest in the motivations of their IT/security team, maintaining this attitude will help you build and keep trust with them. With trust in hand, employees will be less likely to try to work around your controls.",{"data":308,"content":309,"nodeType":249},{},[310],{"data":311,"marks":312,"value":313,"nodeType":248},{},[],"SaaS - the new frontier",{"data":315,"content":316,"nodeType":257},{},[317],{"data":318,"marks":319,"value":320,"nodeType":248},{},[],"In recent years, our computers are mostly just windows to the Internet - many users access their email, video conferencing, productivity suites and more via their browser (or Electron apps pretending they aren’t browsers).",{"data":322,"content":323,"nodeType":257},{},[324,328,334,338,342],{"data":325,"marks":326,"value":327,"nodeType":248},{},[],"And, as is often the way, we’re relearning the same lessons as before. Should employees be ",{"data":329,"marks":330,"value":333,"nodeType":248},{},[331],{"type":332},"italic","allowed",{"data":335,"marks":336,"value":337,"nodeType":248},{},[]," to sign up for and use arbitrary SaaS platforms? Should employees be ",{"data":339,"marks":340,"value":333,"nodeType":248},{},[341],{"type":332},{"data":343,"marks":344,"value":345,"nodeType":248},{},[]," to add arbitrary apps into Microsoft 365, Google Workspace, or other SaaS platforms?",{"data":347,"content":348,"nodeType":257},{},[349,353,364],{"data":350,"marks":351,"value":352,"nodeType":248},{},[],"Regardless of your answer, your coworkers have already spoken and it’s almost certainly already happening. A ",{"data":354,"content":356,"nodeType":363},{"uri":355},"https://track.g2.com/resources/shadow-it-statistics",[357],{"data":358,"marks":359,"value":362,"nodeType":248},{},[360],{"type":361},"underline","report from G2","hyperlink",{"data":365,"marks":366,"value":367,"nodeType":248},{},[]," stated that 80% of workers admit to using SaaS applications at work without getting approval from IT. If you want to enable your colleagues’ productivity, prevention, it would seem, isn’t an option.",{"data":369,"content":370,"nodeType":249},{},[371],{"data":372,"marks":373,"value":374,"nodeType":248},{},[],"The risks of SaaS",{"data":376,"content":377,"nodeType":257},{},[378],{"data":379,"marks":380,"value":381,"nodeType":248},{},[],"So how do we secure the company in this new way of working? We still have plenty to consider.",{"data":383,"content":384,"nodeType":257},{},[385],{"data":386,"marks":387,"value":388,"nodeType":248},{},[],"We can start thinking about SaaS not just as an allow or not to allow, but taking a more flexible and pragmatic approach, asking questions like::",{"data":390,"content":391,"nodeType":453},{},[392,403,413,423,433,443],{"data":393,"content":394,"nodeType":402},{},[395],{"data":396,"content":397,"nodeType":257},{},[398],{"data":399,"marks":400,"value":401,"nodeType":248},{},[],"What kind of data users are entering into these third-party platforms?","list-item",{"data":404,"content":405,"nodeType":402},{},[406],{"data":407,"content":408,"nodeType":257},{},[409],{"data":410,"marks":411,"value":412,"nodeType":248},{},[],"How much do we trust the controls the third-party has in place?",{"data":414,"content":415,"nodeType":402},{},[416],{"data":417,"content":418,"nodeType":257},{},[419],{"data":420,"marks":421,"value":422,"nodeType":248},{},[],"Are those controls appropriate for the data? ",{"data":424,"content":425,"nodeType":402},{},[426],{"data":427,"content":428,"nodeType":257},{},[429],{"data":430,"marks":431,"value":432,"nodeType":248},{},[],"Is this platform redundant with the other services we use (e.g. “we use Google Drive, not Dropbox”)? ",{"data":434,"content":435,"nodeType":402},{},[436],{"data":437,"content":438,"nodeType":257},{},[439],{"data":440,"marks":441,"value":442,"nodeType":248},{},[],"Does IT or security need to manage accounts for joiners/leavers?",{"data":444,"content":445,"nodeType":402},{},[446],{"data":447,"content":448,"nodeType":257},{},[449],{"data":450,"marks":451,"value":452,"nodeType":248},{},[],"Does this platform impact our compliance? (e.g. does storing this data on this platform compromise our GDPR status?)","unordered-list",{"data":455,"content":456,"nodeType":257},{},[457,461,474],{"data":458,"marks":459,"value":460,"nodeType":248},{},[],"No one said it would be easy 🙃 and it’s easy to see why many organizations initially opt to simply try to block users from using such systems. Assessing each application can be daunting using traditional third-party security assessment techniques - we’ve written a ",{"data":462,"content":468,"nodeType":473},{"target":463},{"sys":464},{"id":465,"type":466,"linkType":467},"3PqX7fLrTIYhWjbEhHSRHG","Link","Entry",[469],{"data":470,"marks":471,"value":472,"nodeType":248},{},[],"short guide","entry-hyperlink",{"data":475,"marks":476,"value":477,"nodeType":248},{},[]," on how to approach security auditing in a world of SaaS, which you might find useful.",{"data":479,"content":480,"nodeType":257},{},[481,485,493],{"data":482,"marks":483,"value":484,"nodeType":248},{},[],"But the first step in managing this new world is through visibility. Knowing the problem is half the battle and we published ",{"data":486,"content":488,"nodeType":363},{"uri":487},"https://pushsecurity.com/blog/rolling-your-own-saas-discovery/",[489],{"data":490,"marks":491,"value":492,"nodeType":248},{},[],"an article",{"data":494,"marks":495,"value":496,"nodeType":248},{},[]," about how to manually find the SaaS apps your employees are using. The problem is, a lot of them are either error-prone or quite invasive, potentially collecting your users private activity. In the trade-off of security versus privacy, we think that’s a bit too far and will likely damage the trust you’ve built with your coworkers.",{"data":498,"content":499,"nodeType":249},{},[500],{"data":501,"marks":502,"value":503,"nodeType":248},{},[],"Monitoring SaaS use without compromising privacy",{"data":505,"content":506,"nodeType":257},{},[507],{"data":508,"marks":509,"value":510,"nodeType":248},{},[],"Our approach at Push is to deploy our browser extension to our users’ browsers which is configured with the domains we use for work (e.g. @pushsecurity.com). The browser extension only monitors logins where an @pushsecurity.com email address is used, which we can reasonably assume means the platform is being used for work reasons.",{"data":512,"content":513,"nodeType":257},{},[514],{"data":515,"marks":516,"value":517,"nodeType":248},{},[],"We share this with employees up front during the onboarding process and, if you click on the browser extension, it also lets you know which domains it’s monitoring:",{"data":519,"content":523,"nodeType":524},{"target":520},{"sys":521},{"id":522,"type":466,"linkType":467},"6z1apzuDIaXXN7xIAHEUku",[],"embedded-entry-block",{"data":526,"content":527,"nodeType":257},{},[528],{"data":529,"marks":530,"value":531,"nodeType":248},{},[],"This helps our users understand why we are monitoring which SaaS they’re using which in turn makes them aware of the risk we are managing and why.",{"data":533,"content":534,"nodeType":257},{},[535],{"data":536,"marks":537,"value":538,"nodeType":248},{},[],"With this approach we’ve built a comprehensive picture of which SaaS platforms our team is using which has helped us understand where our data lives and which platforms need extra attention to ensure we have all the right controls in place. When our users use a new platform we can reach out to them at the start of their journey to understand what they’re trying to achieve and how we can help them do it securely.",{"data":540,"content":541,"nodeType":257},{},[542,545,554],{"data":543,"marks":544,"value":29,"nodeType":248},{},[],{"data":546,"content":548,"nodeType":363},{"uri":547},"https://pushsecurity.com/features/saas-discovery",[549],{"data":550,"marks":551,"value":553,"nodeType":248},{},[552],{"type":361},"Learn more about how Push can discover SaaS apps your employees are using",{"data":555,"marks":556,"value":557,"nodeType":248},{},[]," without compromising their privacy. ","document",{"entries":560},{"inline":561,"hyperlink":562,"block":568},[],[563],{"sys":564,"__typename":565,"title":566,"slug":567},{"id":465},"BlogPosts","5 steps to manage the risk of unsanctioned SaaS ","manage-saas-risks-without-hindering-employees",[569],{"sys":570,"__typename":571,"title":572,"caption":62,"layoutMode":62,"file":573},{"id":522},"Image","User privacy screenshot",{"url":574,"width":575,"height":576},"https://images.ctfassets.net/y1cdw1ablpvd/6y7ZPjWSXkqKuX0WW901HD/03a716aac860f7d460a6ba0ec6df8d86/image1.png",762,434,"json",{"items":579},[],{},"How to discover employee SaaS use without being creepy","2022-08-22T00:00:00.000Z",{"items":584},[585],{"__typename":565,"sys":586,"content":588,"title":937,"synopsis":938,"hashTags":62,"publishedDate":939,"slug":940,"tagsCollection":941,"authorsCollection":947},{"id":587},"4ZNEAZLwXE9Pz3lx1mhEZN",{"json":589},{"data":590,"content":591,"nodeType":558},{},[592,599,616,623,630,637,646,653,661,693,700,707,714,721,728,735,742,750,757,764,771,778,794,801,808,815,822,829,836,843,850,857,864,870,877,904,911,918],{"data":593,"content":594,"nodeType":249},{},[595],{"data":596,"marks":597,"value":598,"nodeType":248},{},[],"Blocking SaaS isn’t working ",{"data":600,"content":601,"nodeType":257},{},[602,607,611],{"data":603,"marks":604,"value":606,"nodeType":248},{},[605],{"type":332},"tl;dr",{"data":608,"marks":609,"value":610,"nodeType":248},{},[],": ",{"data":612,"marks":613,"value":615,"nodeType":248},{},[614],{"type":332},"The traditional way of just blocking apps that haven’t been vetted or approved by the security team isn’t working now and absolutely won’t scale as businesses now value flexibility as much as productivity and security. You don’t have to choose one anymore. Empower your employees to be productive and move fast, securely, and partner with them to secure SaaS.",{"data":617,"content":618,"nodeType":257},{},[619],{"data":620,"marks":621,"value":622,"nodeType":248},{},[],"It’s common for organizations to have hundreds of SaaS apps in use at all times and we expect that number to continue to rise. Most companies accept SaaS use because it helps employees be productive and get their work done, but each SaaS app does introduce risk to the company because they require access to business data, employees input data into each app, and the app becomes a part of your larger corporate attack surface. ",{"data":624,"content":625,"nodeType":257},{},[626],{"data":627,"marks":628,"value":629,"nodeType":248},{},[],"Simply blocking SaaS use hasn’t worked to date and, as more and more apps are built, with more and more functionality employees need, blocking and restricting just can’t scale and will widen the divide between security and employees.",{"data":631,"content":632,"nodeType":257},{},[633],{"data":634,"marks":635,"value":636,"nodeType":248},{},[],"But to secure SaaS, security teams need visibility. There are some newer tools on the market built specifically to discover cloud and SaaS adoption (SaaS discovery and shadow IT discovery tools), but they tend to be focused exclusively on knowing what employees are using so that security and IT can enforce rules and controls on that SaaS use in order to keep company data out of the hands of the bad guys. ",{"data":638,"content":639,"nodeType":257},{},[640],{"data":641,"marks":642,"value":645,"nodeType":248},{},[643],{"type":644},"bold","Instead of focusing on using that SaaS visibility to create and enforce new policies to restrict SaaS use, what if we could leverage SaaS visibility to help employees actually adopt and use SaaS how they want to? ",{"data":647,"content":648,"nodeType":257},{},[649],{"data":650,"marks":651,"value":652,"nodeType":248},{},[],"We’re trying a different approach that puts more trust in employees’ desire and ability to keep themselves secure. ",{"data":654,"content":655,"nodeType":249},{},[656],{"data":657,"marks":658,"value":660,"nodeType":248},{},[659],{"type":644},"Introducing a user-centric approach to securing SaaS ",{"data":662,"content":663,"nodeType":257},{},[664,668,676,680,689],{"data":665,"marks":666,"value":667,"nodeType":248},{},[],"\nThe user-centric movement has been successfully adopted by industry leaders like ",{"data":669,"content":671,"nodeType":363},{"uri":670},"https://slack.engineering/distributed-security-alerting/",[672],{"data":673,"marks":674,"value":675,"nodeType":248},{},[],"Slack",{"data":677,"marks":678,"value":679,"nodeType":248},{},[],", ",{"data":681,"content":683,"nodeType":363},{"uri":682},"https://netflixtechblog.com/introducing-netflix-stethoscope-5f3c392368e3",[684],{"data":685,"marks":686,"value":688,"nodeType":248},{},[687],{"type":361},"Netflix",{"data":690,"marks":691,"value":692,"nodeType":248},{},[],", Github, Duo Security. For endpoint security, those user-centric approaches were spot on. They engaged employees to make decisions about their devices that would inform security teams about employee devices. We even developed our own user-centric solution for endpoint devices when working together at MWR (acquired by F-Secure). ",{"data":694,"content":695,"nodeType":257},{},[696],{"data":697,"marks":698,"value":699,"nodeType":248},{},[],"When it comes to securing SaaS, working directly with users (employees) is not just a huge value add, it's essential. That's because the SaaS apps employees are using are giant unknowns - they’re not known entities or endpoints like employee devices - so you can't find out about or address security issues in SaaS apps without working with employees who are using those apps.",{"data":701,"content":702,"nodeType":249},{},[703],{"data":704,"marks":705,"value":706,"nodeType":248},{},[],"SaaS is owned by users, so needs to be secured by users",{"data":708,"content":709,"nodeType":257},{},[710],{"data":711,"marks":712,"value":713,"nodeType":248},{},[],"Scared yet? We get it, and we don’t expect you to relinquish all control of security and hand it off to employees. But stick with us for a second… There’s a stat making the rounds that suggests that more than two-thirds of SaaS is owned by employees. They’re self-adopting SaaS, integrating it with your business data, and using those tools to work faster, smarter, and generally be more productive. So, while it may not make sense to give up and just let employees continue doing what they’re doing with zero oversight, there’s a scalable way to meet in the middle. ",{"data":715,"content":716,"nodeType":257},{},[717],{"data":718,"marks":719,"value":720,"nodeType":248},{},[],"We decided to focus on improving the security of SaaS use by equipping employees to help. If this approach lets employees freely adopt and use SaaS, then it’s a win for both employees and security teams.",{"data":722,"content":723,"nodeType":257},{},[724],{"data":725,"marks":726,"value":727,"nodeType":248},{},[],"Could user-centric security concepts be used to secure SaaS and cloud application usage - not just securing access to SaaS, but restricting excessive app permissions, removing unused cloud apps and shadow IT, and so on?  ",{"data":729,"content":730,"nodeType":257},{},[731],{"data":732,"marks":733,"value":734,"nodeType":248},{},[],"SaaS is user-powered. They’re adopting it and using it on their own already. Trying to secure SaaS by either completely restricting its use or only allowing employees access to a handful of corporate-sanctioned apps won’t scale. It would be naive to ignore the fact that SaaS introduces risk. Each app requests access to business data, employees have to integrate the apps into your systems and they’ll be inputting business data into the app. Which means that each app becomes a part of the attack surface security teams must protect.",{"data":736,"content":737,"nodeType":257},{},[738],{"data":739,"marks":740,"value":741,"nodeType":248},{},[],"The old way of dealing with this was just to block SaaS as soon as the security team discovers an app in use, or requiring administrator approval before integrating with other SaaS - keeping the security team in the role of the enforcer or blocker to employee SaaS use. Everyone hates that way - employees and security teams. But leaving SaaS adoption wide open is a security nightmare. So where do you start when it comes to securing SaaS use? With the owners of SaaS - the users.",{"data":743,"content":744,"nodeType":749},{},[745],{"data":746,"marks":747,"value":748,"nodeType":248},{},[],"You can’t secure SaaS without involving the user","heading-2",{"data":751,"content":752,"nodeType":257},{},[753],{"data":754,"marks":755,"value":756,"nodeType":248},{},[],"To secure SaaS, you need to: ",{"data":758,"content":759,"nodeType":257},{},[760],{"data":761,"marks":762,"value":763,"nodeType":248},{},[],"1) know what SaaS employees are using and how they’re using them",{"data":765,"content":766,"nodeType":257},{},[767],{"data":768,"marks":769,"value":770,"nodeType":248},{},[],"2) know what data the app has access to and what it requires",{"data":772,"content":773,"nodeType":257},{},[774],{"data":775,"marks":776,"value":777,"nodeType":248},{},[],"3) find out if security controls are missing and then chase employees to enable them improve",{"data":779,"content":780,"nodeType":257},{},[781,785,790],{"data":782,"marks":783,"value":784,"nodeType":248},{},[],"The most logical way to get this information is to talk to your employees directly, but that can’t scale. Let’s say you have 200 employees and each is using a dozen SaaS apps in their role. Are you going to go to each employee (through Slack or Teams, over the phone, via email?) and ask what they’re using, how they’re accessing it, what they’re using it for, if they’re still using it, who the admin is, and so on? Even if you ",{"data":786,"marks":787,"value":789,"nodeType":248},{},[788],{"type":332},"could",{"data":791,"marks":792,"value":793,"nodeType":248},{},[]," do that, would they even remember all the SaaS apps they’ve started trials with or what they’re using for free? What else would fall under your radar?",{"data":795,"content":796,"nodeType":257},{},[797],{"data":798,"marks":799,"value":800,"nodeType":248},{},[],"To satisfy the three SaaS security requirements we listed above, we’ve decided to focus our initial product efforts on SaaS discovery and getting business context from SaaS users (your employees) to ensure they’re using SaaS securely.",{"data":802,"content":803,"nodeType":257},{},[804],{"data":805,"marks":806,"value":807,"nodeType":248},{},[],"But knowing is just the start - what’s the point of getting visibility if you’re not using it to fix security issues or remove high-risk or dodgy apps?",{"data":809,"content":810,"nodeType":249},{},[811],{"data":812,"marks":813,"value":814,"nodeType":248},{},[],"Guide employees to fix security issues and use SaaS securely ",{"data":816,"content":817,"nodeType":257},{},[818],{"data":819,"marks":820,"value":821,"nodeType":248},{},[],"That’s where the user-centric approach to securing SaaS comes in. We believe employees want to do the right thing and don’t want to be the one responsible for a breach. As long as we make it as easy and quick as possible for them to help and to take action, they will. ",{"data":823,"content":824,"nodeType":257},{},[825],{"data":826,"marks":827,"value":828,"nodeType":248},{},[],"To make this work at scale, we use ChatOps to engage directly with the employee, and a browser extension to prompt users and help them fix SaaS security issues. By helping them self-remediate issues, we offload the more mindless security hygiene work from security and IT, while enabling employees to use the SaaS tools they want.",{"data":830,"content":831,"nodeType":257},{},[832],{"data":833,"marks":834,"value":835,"nodeType":248},{},[],"We can also use this technology to get relevant business context about how they’re using each app and if they’re even still using it. If they say they aren’t using it anymore, we can help them remove it from your attack surface. ",{"data":837,"content":838,"nodeType":749},{},[839],{"data":840,"marks":841,"value":842,"nodeType":248},{},[],"But I can’t trust employees to own security!",{"data":844,"content":845,"nodeType":257},{},[846],{"data":847,"marks":848,"value":849,"nodeType":248},{},[],"There’s an old trope in the security world that users are the weakest link. So, how can we expect “the weakest link” in a company to actually secure the company? We’d like to challenge that old adage and suggest that employees shouldn’t be expected to become security experts in order to secure a business. That’s not their job. ",{"data":851,"content":852,"nodeType":257},{},[853],{"data":854,"marks":855,"value":856,"nodeType":248},{},[],"What employees can do really well is provide context for the security team and to self-remediate the more mundane security issues by using stronger passwords, enabling MFA for SaaS apps, and so on. ",{"data":858,"content":859,"nodeType":257},{},[860],{"data":861,"marks":862,"value":863,"nodeType":248},{},[],"We believe the key to making the user-centric approach work is to give users clear, easy to follow instructions and asking them questions they can answer without Googling for more information. We ask questions to get useful context and then enrich SaaS usage data for admins so they can make decisions about what SaaS is appropriate for their business.",{"data":865,"content":869,"nodeType":524},{"target":866},{"sys":867},{"id":868,"type":466,"linkType":467},"7eWh1U86EEbSFeJdXIPUZl",[],{"data":871,"content":872,"nodeType":249},{},[873],{"data":874,"marks":875,"value":876,"nodeType":248},{},[],"Making user-centric security work in the real world ",{"data":878,"content":879,"nodeType":257},{},[880,884,889,895,900],{"data":881,"marks":882,"value":883,"nodeType":248},{},[],"Getting user-centric security to work well requires a near-perfect user experience - it must be quick and easy or they won’t engage with it. We need to understand employees, speak their language, empathize with them, respect their busy schedules, and help them when they’re ready to work with us. One truth remains: ",{"data":885,"marks":886,"value":888,"nodeType":248},{},[887],{"type":644},"If employees aren’t responding to prompts, assume ",{"data":890,"marks":891,"value":894,"nodeType":248},{},[892,893],{"type":644},{"type":332},"we’re ",{"data":896,"marks":897,"value":899,"nodeType":248},{},[898],{"type":644},"the problem",{"data":901,"marks":902,"value":903,"nodeType":248},{},[],". We’ll be optimizing continuously based on employee engagement rate. ",{"data":905,"content":906,"nodeType":249},{},[907],{"data":908,"marks":909,"value":910,"nodeType":248},{},[],"Users aren’t the problem, they’re part of the solution",{"data":912,"content":913,"nodeType":257},{},[914],{"data":915,"marks":916,"value":917,"nodeType":248},{},[],"Engaging users to self-remediate SaaS security issues just makes sense and it's by far the most scalable way to secure SaaS. Securing SaaS while balancing the needs of employees and security teams requires that we work together and share the responsibilities. To do this, we need to stop insisting that users are the problem and remember that attackers are the bad guys, not employees.",{"data":919,"content":920,"nodeType":257},{},[921,925,933],{"data":922,"marks":923,"value":924,"nodeType":248},{},[],"Follow us on ",{"data":926,"content":928,"nodeType":363},{"uri":927},"https://twitter.com/PushSecurity",[929],{"data":930,"marks":931,"value":932,"nodeType":248},{},[],"social media",{"data":934,"marks":935,"value":936,"nodeType":248},{},[]," and subscribe to our blog if you’re interested in hearing about what we’re learning from users along the way. We’d also love your feedback so we can keep improving!","Building a culture of trust to secure SaaS, together","We’re excited to announce our $4M seed round, led by Decibel. See how we’re building tech that allows companies to let employees freely & securely adopt SaaS.","2022-07-19T00:00:00.000Z","building-a-culture-of-trust-to-secure-saas-together",{"items":942},[943],{"sys":944,"name":946},{"id":945},"4EtskIWlj3SOH3UHbFR8uG","Company news",{"items":948},[949],{"fullName":950,"firstName":950,"jobTitle":62,"profilePicture":951},"The Push Team",{"url":952},"https://images.ctfassets.net/y1cdw1ablpvd/7xpR9kiHAQWtZBj2rpOmmU/052ddfbb96afb37962278062047ab16d/Twitter_Linkedin_icon_white.png","how-to-discover-saas-use-without-invading-employee-privacy","blog/how-to-discover-saas-use-without-invading-employee-privacy",{"json":956},{"data":957,"content":958,"nodeType":558},{},[959],{"data":960,"content":961,"nodeType":257},{},[962],{"data":963,"marks":964,"value":965,"nodeType":248},{},[],"Learn how to detect and secure employee SaaS use so you can help employees stay productive","Learn how to manage SaaS in a way that keeps employees productive and doesn't compromise privacy.",{"id":968,"publishedAt":969},"2cLFeaDTWWdZ8G8U12qmiZ","2024-03-21T09:25:03.554Z",{"items":971},[972,976],{"sys":973,"name":975},{"id":974},"3SA5H01UkKauuiTdt0KC6q","Shadow IT",{"sys":977,"name":979},{"id":978},"1gZi8NrRy2v9OqPV7C4dwD","Risk management","7s-HVo_8h2LyYo2rc7pSoHg6kGjyH1Tu6ZPKWECWuRk",1784196729633]