[{"data":1,"prerenderedAt":2275},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/what-is-saas-security":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1010,"faqItemsCollection":1011,"faqTitle":62,"featured":6,"hashTags":62,"meta":1013,"metaTitle":1014,"ogImage":62,"publishedDate":1015,"relatedBlogPostsCollection":1016,"slug":2250,"stem":2251,"subtitle":62,"summary":2252,"synopsis":2262,"sys":2263,"tagsCollection":2266,"__hash__":2274},"blog/blog/what-is-saas-security.json","SaaS Security: what is it & how to manage the risk",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Sally Soulliere","Sally","Head of Brand & Content",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7Gh4SbbEj6Zsbd6OzGto8Q/885041a4ddeccc5ef3045c0e22975ef4/T016S22KZ96-U036FPETQRH-330f87708d26-192.jpeg",{"json":238,"links":965},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,258,265,272,280,287,294,319,326,333,340,347,355,362,388,395,402,423,430,437,444,450,457,464,471,478,485,519,526,532,539,546,567,574,581,598,605,621,628,635,642,649,656,791,798,805,812,845,852,859,866,881,887,894,901,944,951,958],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","SaaS security is a common phrase, but what does it mean? There are several categories of security products that do bits of “SaaS security,” but the phrase means different things to everyone, and there’s a lot of jargon to demystify in this space.",[],{},{"nodeType":243,"data":252,"content":253},{},[254],{"nodeType":247,"value":255,"marks":256,"data":257},"A quick Google search for “SaaS security” pulls in all types of security solutions and platforms, including those under these categories: cloud access security brokers (CASB), SaaS security posture management (SSPM), cloud security posture management (CSPM), and a few others.",[],{},{"nodeType":243,"data":259,"content":260},{},[261],{"nodeType":247,"value":262,"marks":263,"data":264},"When you’re on the hook to secure SaaS use in your company, it can be hard to even know where to start and where to focus. We hope this article helps you get some clarity about where you should focus and how to manage the risk in a sustainable way with your limited resources.",[],{},{"nodeType":243,"data":266,"content":267},{},[268],{"nodeType":247,"value":269,"marks":270,"data":271},"Let’s start with a quick, high-level definition.",[],{},{"nodeType":273,"data":274,"content":275},"heading-1",{},[276],{"nodeType":247,"value":277,"marks":278,"data":279},"What is SaaS security?",[],{},{"nodeType":243,"data":281,"content":282},{},[283],{"nodeType":247,"value":284,"marks":285,"data":286},"SaaS Security is focused on securing sensitive data that’s stored in or integrated with the SaaS applications the company and its employees use.",[],{},{"nodeType":243,"data":288,"content":289},{},[290],{"nodeType":247,"value":291,"marks":292,"data":293},"When it comes to managing the risk SaaS security introduces, people are really talking about two things: ",[],{},{"nodeType":295,"data":296,"content":297},"ordered-list",{},[298,309],{"nodeType":299,"data":300,"content":301},"list-item",{},[302],{"nodeType":243,"data":303,"content":304},{},[305],{"nodeType":247,"value":306,"marks":307,"data":308},"Managing supply chain risk - Do you trust the vendors of the applications you’re using?",[],{},{"nodeType":299,"data":310,"content":311},{},[312],{"nodeType":243,"data":313,"content":314},{},[315],{"nodeType":247,"value":316,"marks":317,"data":318},"SaaS account security and access controls - Are you using those applications securely?",[],{},{"nodeType":273,"data":320,"content":321},{},[322],{"nodeType":247,"value":323,"marks":324,"data":325},"Where should I focus my efforts?",[],{},{"nodeType":243,"data":327,"content":328},{},[329],{"nodeType":247,"value":330,"marks":331,"data":332},"We hear about the supply chain side of SaaS security more often than the account security aspect, likely because supply chain attacks have a much wider blast radius and are therefore the attacks that are getting detected and disclosed to the press. ",[],{},{"nodeType":243,"data":334,"content":335},{},[336],{"nodeType":247,"value":337,"marks":338,"data":339},"These are the far-reaching attacks that might start with a platform that many organizations use for business (Salesforce, for example). If that SaaS platform is compromised, every company’s data is compromised, including your own. These things aren’t something you can directly prevent from happening. ",[],{},{"nodeType":243,"data":341,"content":342},{},[343],{"nodeType":247,"value":344,"marks":345,"data":346},"SaaS account security, however, is something you have control of and you can lock down.",[],{},{"nodeType":348,"data":349,"content":350},"heading-2",{},[351],{"nodeType":247,"value":352,"marks":353,"data":354},"Focus on SaaS security at the account level, but don’t ignore supply chain risk",[],{},{"nodeType":243,"data":356,"content":357},{},[358],{"nodeType":247,"value":359,"marks":360,"data":361},"As a security leader, you need to deal with both halves of SaaS security. On the supply chain side, you need to investigate whether you trust the SaaS providers themselves and the security measures they use to look after your data. The SaaS vendor is best suited to manage the risk of their own app itself, but you do need to do due diligence on the supplier to ensure they’re doing enough to comply with your organization’s risk tolerance level. ",[],{},{"nodeType":243,"data":363,"content":364},{},[365,369,384],{"nodeType":247,"value":366,"marks":367,"data":368},"The bit you have direct control over, however, is the account security aspect of SaaS security. That’s a great area to focus on when it comes to SaaS security. You can enforce strong access controls and security basics like making sure employees use multi-factor authentication (MFA) and strong, unique passwords - or, better yet, ",[],{},{"nodeType":370,"data":371,"content":377},"entry-hyperlink",{"target":372},{"sys":373},{"id":374,"type":375,"linkType":376},"1pbtctbbJRqLuz8dOsecOt","Link","Entry",[378],{"nodeType":247,"value":379,"marks":380,"data":383},"social logins",[381],{"type":382},"underline",{},{"nodeType":247,"value":385,"marks":386,"data":387}," - to access their SaaS applications.",[],{},{"nodeType":243,"data":389,"content":390},{},[391],{"nodeType":247,"value":392,"marks":393,"data":394},"Let’s break down how a SaaS security program could work in your organization. Keep in mind, this may be closely tied to your cloud security program, but they’re two unique areas to focus on if you’re a SaaS-native or hybrid company that’s moving away from centralized infrastructure to the cloud and SaaS applications.",[],{},{"nodeType":273,"data":396,"content":397},{},[398],{"nodeType":247,"value":399,"marks":400,"data":401},"How do I build a SaaS security program in my organization?",[],{},{"nodeType":243,"data":403,"content":404},{},[405,409,419],{"nodeType":247,"value":406,"marks":407,"data":408},"\nThe National Cyber Security Centre produced a ",[],{},{"nodeType":410,"data":411,"content":413},"hyperlink",{"uri":412},"https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model",[414],{"nodeType":247,"value":415,"marks":416,"data":418},"shared responsibility model",[417],{"type":382},{},{"nodeType":247,"value":420,"marks":421,"data":422}," that does a great job of demonstrating the split between the SaaS provider’s responsibility when it comes to securing their app and the sensitive data put into it by their customers and the responsibility of the “customer” (you).  ",[],{},{"nodeType":424,"data":425,"content":429},"embedded-entry-block",{"target":426},{"sys":427},{"id":428,"type":375,"linkType":376},"4jeDpoYQzPmg5TFApeopSA",[],{"nodeType":243,"data":431,"content":432},{},[433],{"nodeType":247,"value":434,"marks":435,"data":436},"We’ve highlighted in purple the areas we’re focused on in this article. Let’s save on-prem, IaaS and PaaS for another article.",[],{},{"nodeType":243,"data":438,"content":439},{},[440],{"nodeType":247,"value":441,"marks":442,"data":443},"\nThis bears repeating - What the model above shows is that you as the customer are responsible for security at the SaaS account level and you must also configure the application securely. When it comes to SaaS applications, however, your configuration options are usually very basic, especially compared to larger cloud platforms.  ",[],{},{"nodeType":424,"data":445,"content":449},{"target":446},{"sys":447},{"id":448,"type":375,"linkType":376},"ToDXz2MBbEygwtJjiIKRX",[],{"nodeType":243,"data":451,"content":452},{},[453],{"nodeType":247,"value":454,"marks":455,"data":456},"A successful SaaS security program must address both these questions. ",[],{},{"nodeType":243,"data":458,"content":459},{},[460],{"nodeType":247,"value":461,"marks":462,"data":463},"We can’t spend all our time doing risk assessments and due diligence exercises on our supply chain while dropping the ball on account security. ",[],{},{"nodeType":243,"data":465,"content":466},{},[467],{"nodeType":247,"value":468,"marks":469,"data":470},"Similarly, we can’t just focus on making sure all accounts have MFA in place when the vendor is leaving the back door open.",[],{},{"nodeType":348,"data":472,"content":473},{},[474],{"nodeType":247,"value":475,"marks":476,"data":477},"Make the biggest impact by securing SaaS accounts and identities ",[],{},{"nodeType":243,"data":479,"content":480},{},[481],{"nodeType":247,"value":482,"marks":483,"data":484},"For the vast majority of SaaS applications in the organization, your responsibility will be:",[],{},{"nodeType":486,"data":487,"content":488},"unordered-list",{},[489,499,509],{"nodeType":299,"data":490,"content":491},{},[492],{"nodeType":243,"data":493,"content":494},{},[495],{"nodeType":247,"value":496,"marks":497,"data":498},"Account security, i.e. making sure MFA and SSO (where available) is in place. ",[],{},{"nodeType":299,"data":500,"content":501},{},[502],{"nodeType":243,"data":503,"content":504},{},[505],{"nodeType":247,"value":506,"marks":507,"data":508},"Ensuring employees are using strong passwords, especially if MFA and/or SSO aren’t available.",[],{},{"nodeType":299,"data":510,"content":511},{},[512],{"nodeType":243,"data":513,"content":514},{},[515],{"nodeType":247,"value":516,"marks":517,"data":518},"Removing external accounts (and accounts for those that have left the company) when no longer needed.",[],{},{"nodeType":348,"data":520,"content":521},{},[522],{"nodeType":247,"value":523,"marks":524,"data":525},"Customer responsibility for apps employees have adopted",[],{},{"nodeType":424,"data":527,"content":531},{"target":528},{"sys":529},{"id":530,"type":375,"linkType":376},"2T7DtBRBBITb4Wy8unQHZV",[],{"nodeType":243,"data":533,"content":534},{},[535],{"nodeType":247,"value":536,"marks":537,"data":538},"While most organizations think of the supply chain aspect (“Should we be using this app?”) as the majority of the problem, or at least the first problem to solve - account security is ultimately at the heart of the problem.",[],{},{"nodeType":243,"data":540,"content":541},{},[542],{"nodeType":247,"value":543,"marks":544,"data":545},"A developer or support engineer with a weak password or missing MFA is all it takes for them to get phished, kicking off a string of attacks. ",[],{},{"nodeType":243,"data":547,"content":548},{},[549,553,563],{"nodeType":247,"value":550,"marks":551,"data":552},"The mistake many security professionals make, is that they focus their efforts only on securing the critical apps that are known to the organization. However, it is possible to compromise what would be considered as a non-critical SaaS application and use that to move laterally to the critical ones. See our research project discussing the various ",[],{},{"nodeType":370,"data":554,"content":558},{"target":555},{"sys":556},{"id":557,"type":375,"linkType":376},"6VZQJzQ2FNetGNMEjiuXB2",[559],{"nodeType":247,"value":560,"marks":561,"data":562},"SaaS attacks",[],{},{"nodeType":247,"value":564,"marks":565,"data":566},".",[],{},{"nodeType":243,"data":568,"content":569},{},[570],{"nodeType":247,"value":571,"marks":572,"data":573},"Luckily, unlike the complex SaaS application supply chain risk audits, account security issues are straightforward to fix. ",[],{},{"nodeType":273,"data":575,"content":576},{},[577],{"nodeType":247,"value":578,"marks":579,"data":580},"Right, but how do I also manage supply chain risk?",[],{},{"nodeType":243,"data":582,"content":583},{},[584,588,594],{"nodeType":247,"value":585,"marks":586,"data":587},"Security due diligence or app risk assessments are typically how you answer the question - ",[],{},{"nodeType":247,"value":589,"marks":590,"data":593},"Should we use this app?",[591],{"type":592},"italic",{},{"nodeType":247,"value":595,"marks":596,"data":597}," ",[],{},{"nodeType":243,"data":599,"content":600},{},[601],{"nodeType":247,"value":602,"marks":603,"data":604},"These are standard processes for most organizations as part of a software procurement process.",[],{},{"nodeType":243,"data":606,"content":607},{},[608,612,618],{"nodeType":247,"value":609,"marks":610,"data":611},"However, security no longer fully controls software adoption - ",[],{},{"nodeType":247,"value":613,"marks":614,"data":617},"employees are self-adopting the tools they want without oversight",[615],{"type":616},"bold",{},{"nodeType":247,"value":564,"marks":619,"data":620},[],{},{"nodeType":243,"data":622,"content":623},{},[624],{"nodeType":247,"value":625,"marks":626,"data":627},"So, you need to work to find serious security risks as soon as possible once the self-adoption process begins (normally by the first employee creating an account on the app).",[],{},{"nodeType":243,"data":629,"content":630},{},[631],{"nodeType":247,"value":632,"marks":633,"data":634},"Ultimately, how much you care about any of the above comes down to the risk of the data in the application (is there sensitive customer data in it?) or the level of access you grant this application into the rest of your infrastructure (often through integrations with other SaaS apps). ",[],{},{"nodeType":243,"data":636,"content":637},{},[638],{"nodeType":247,"value":639,"marks":640,"data":641},"Therefore, a useful first step is to understand the sensitivity of the data and access granted to the app (or that will likely be granted by employees in future to make the app work as expected). This will help you prioritize reviews.",[],{},{"nodeType":348,"data":643,"content":644},{},[645],{"nodeType":247,"value":646,"marks":647,"data":648},"Tips for SaaS app and SaaS provider risk assessments",[],{},{"nodeType":243,"data":650,"content":651},{},[652],{"nodeType":247,"value":653,"marks":654,"data":655},"The security relevant areas of this risk assessment can typically be broken into:",[],{},{"nodeType":486,"data":657,"content":658},{},[659,696,763],{"nodeType":299,"data":660,"content":661},{},[662,673],{"nodeType":243,"data":663,"content":664},{},[665,670],{"nodeType":247,"value":666,"marks":667,"data":669},"Product risk",[668],{"type":616},{},{"nodeType":247,"value":595,"marks":671,"data":672},[],{},{"nodeType":486,"data":674,"content":675},{},[676,686],{"nodeType":299,"data":677,"content":678},{},[679],{"nodeType":243,"data":680,"content":681},{},[682],{"nodeType":247,"value":683,"marks":684,"data":685},"Does the product have the necessary security features (MFA, SSO, etc.) to protect our data, and ",[],{},{"nodeType":299,"data":687,"content":688},{},[689],{"nodeType":243,"data":690,"content":691},{},[692],{"nodeType":247,"value":693,"marks":694,"data":695},"Has the product security been technically verified (e.g. through a third party penetration test)?",[],{},{"nodeType":299,"data":697,"content":698},{},[699,710],{"nodeType":243,"data":700,"content":701},{},[702,707],{"nodeType":247,"value":703,"marks":704,"data":706},"Vendor risk",[705],{"type":616},{},{"nodeType":247,"value":595,"marks":708,"data":709},[],{},{"nodeType":486,"data":711,"content":712},{},[713,723,733,743,753],{"nodeType":299,"data":714,"content":715},{},[716],{"nodeType":243,"data":717,"content":718},{},[719],{"nodeType":247,"value":720,"marks":721,"data":722},"Does the vendor have the resources to secure the product? ",[],{},{"nodeType":299,"data":724,"content":725},{},[726],{"nodeType":243,"data":727,"content":728},{},[729],{"nodeType":247,"value":730,"marks":731,"data":732},"Have they invested in a security team and implemented appropriate security processes?",[],{},{"nodeType":299,"data":734,"content":735},{},[736],{"nodeType":243,"data":737,"content":738},{},[739],{"nodeType":247,"value":740,"marks":741,"data":742},"Have those processes been independently audited (e.g. SOC2)? ",[],{},{"nodeType":299,"data":744,"content":745},{},[746],{"nodeType":243,"data":747,"content":748},{},[749],{"nodeType":247,"value":750,"marks":751,"data":752},"Does the vendor operate in a high risk region?",[],{},{"nodeType":299,"data":754,"content":755},{},[756],{"nodeType":243,"data":757,"content":758},{},[759],{"nodeType":247,"value":760,"marks":761,"data":762},"Does the vendor have a history of repeated security incidents?",[],{},{"nodeType":299,"data":764,"content":765},{},[766,778],{"nodeType":243,"data":767,"content":768},{},[769,774],{"nodeType":247,"value":770,"marks":771,"data":773},"Vendor sub processors",[772],{"type":616},{},{"nodeType":247,"value":775,"marks":776,"data":777}," - the majority of SaaS applications are built on other *-as-a-Service platforms. These vendors are also part of your supply chain. Just because you don’t directly use a tool or app doesn’t mean you’re not affected when they’re popped. ",[],{},{"nodeType":486,"data":779,"content":780},{},[781],{"nodeType":299,"data":782,"content":783},{},[784],{"nodeType":243,"data":785,"content":786},{},[787],{"nodeType":247,"value":788,"marks":789,"data":790},"Realistically, you’re probably not going to be able to go very deep here, but when you’re wondering whether you’re affected by a breach in the news, you may want to know whether your vendors are using the affected SaaS app. ",[],{},{"nodeType":348,"data":792,"content":793},{},[794],{"nodeType":247,"value":795,"marks":796,"data":797},"How to quickly assess security risks of employee-adopted SaaS applications",[],{},{"nodeType":243,"data":799,"content":800},{},[801],{"nodeType":247,"value":802,"marks":803,"data":804},"For employee-adopted SaaS platforms (those neither you nor the IT team had a hand in procuring and officially adopting on behalf of the company) you’re typically stuck doing your usual software procurement tasks after the app is adopted.",[],{},{"nodeType":243,"data":806,"content":807},{},[808],{"nodeType":247,"value":809,"marks":810,"data":811},"These include things like: ",[],{},{"nodeType":486,"data":813,"content":814},{},[815,825,835],{"nodeType":299,"data":816,"content":817},{},[818],{"nodeType":243,"data":819,"content":820},{},[821],{"nodeType":247,"value":822,"marks":823,"data":824},"legal agreements (terms and conditions, master service agreements etc.)",[],{},{"nodeType":299,"data":826,"content":827},{},[828],{"nodeType":243,"data":829,"content":830},{},[831],{"nodeType":247,"value":832,"marks":833,"data":834},"spend (through licensing cost etc.)",[],{},{"nodeType":299,"data":836,"content":837},{},[838],{"nodeType":243,"data":839,"content":840},{},[841],{"nodeType":247,"value":842,"marks":843,"data":844},"uptime and availability (SLAs etc.) ",[],{},{"nodeType":243,"data":846,"content":847},{},[848],{"nodeType":247,"value":849,"marks":850,"data":851},"Often, this comes up once employees need to upgrade to a paid account or higher license tier, or once it makes financial sense to commit to longer term agreements. ",[],{},{"nodeType":243,"data":853,"content":854},{},[855],{"nodeType":247,"value":856,"marks":857,"data":858},"For that reason, I recommend you keep the security risk assessment focused on the direct security aspects initially, so you reduce the work required to determine if there’s a security reason to stop employees from using this app right now.",[],{},{"nodeType":273,"data":860,"content":861},{},[862],{"nodeType":247,"value":863,"marks":864,"data":865},"Managing SaaS account security for employee-adopted SaaS",[],{},{"nodeType":243,"data":867,"content":868},{},[869,873,878],{"nodeType":247,"value":870,"marks":871,"data":872},"Shifting the focus back to SaaS user account security, the very first step before you can even begin securing these accounts is to get visibility into all the apps your employees have adopted on their own. There are a few tools on the market to help with this. We’re obviously biased, but we feel that detecting SaaS use within the employees’ browser - where they’re accessing the app in the first place - is the most sensible and offers accurate visibility without a load of noisy false-positives. Read more about how we do this ",[],{},{"nodeType":247,"value":874,"marks":875,"data":877},"here",[876],{"type":382},{},{"nodeType":247,"value":564,"marks":879,"data":880},[],{},{"nodeType":424,"data":882,"content":886},{"target":883},{"sys":884},{"id":885,"type":375,"linkType":376},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":348,"data":888,"content":889},{},[890],{"nodeType":247,"value":891,"marks":892,"data":893},"I’ve got visibility, now what?",[],{},{"nodeType":243,"data":895,"content":896},{},[897],{"nodeType":247,"value":898,"marks":899,"data":900},"Once you’ve found the accounts, you’ll want to ensure that you’re:",[],{},{"nodeType":486,"data":902,"content":903},{},[904,914,924,934],{"nodeType":299,"data":905,"content":906},{},[907],{"nodeType":243,"data":908,"content":909},{},[910],{"nodeType":247,"value":911,"marks":912,"data":913},"Enabling MFA for all accounts",[],{},{"nodeType":299,"data":915,"content":916},{},[917],{"nodeType":243,"data":918,"content":919},{},[920],{"nodeType":247,"value":921,"marks":922,"data":923},"Encouraging employees to use strong passwords (ideally through a password manager)",[],{},{"nodeType":299,"data":925,"content":926},{},[927],{"nodeType":243,"data":928,"content":929},{},[930],{"nodeType":247,"value":931,"marks":932,"data":933},"Using SSO, where possible and practical",[],{},{"nodeType":299,"data":935,"content":936},{},[937],{"nodeType":243,"data":938,"content":939},{},[940],{"nodeType":247,"value":941,"marks":942,"data":943},"Reviewing access delegated to third-parties (through e.g. OAuth integrations) ",[],{},{"nodeType":243,"data":945,"content":946},{},[947],{"nodeType":247,"value":948,"marks":949,"data":950},"These tasks are tricky to do at scale, where you’re likely to find hundreds of SaaS apps you didn’t know about. Most SaaS security solutions - those focused on security rather than just keeping an up-to-date inventory - will provide some insight into how employees are logging into SaaS apps and whether they’re using MFA and strong passwords.\n\nWhen you’re looking for a solution, this is the kind of actionable data you’re going to want if you want to make a real impact on SaaS security. ",[],{},{"nodeType":273,"data":952,"content":953},{},[954],{"nodeType":247,"value":955,"marks":956,"data":957},"Choose the solution that works best for your company and team",[],{},{"nodeType":243,"data":959,"content":960},{},[961],{"nodeType":247,"value":962,"marks":963,"data":964},"The increase in employee-adopted apps has led to employees creating more accounts, on more apps. Without the guiding hand of security to make sure strong identity and access controls are in place, you’ll need a SaaS security solution that can give you that level of visibility so you can take action. Manage SaaS risks by leveraging a SaaS security platform that offers you not just visibility, but can also provide security relevant information about the SaaS app and the SaaS provider to help you quickly perform due diligence so you can keep up.",[],{},{"entries":966},{"inline":967,"hyperlink":968,"block":978},[],[969,974],{"sys":970,"__typename":971,"title":972,"slug":973},{"id":374},"BlogPosts","Should I let my employees login with their work Google account?","should-i-let-my-employees-login-with-their-work-google-account",{"sys":975,"__typename":971,"title":976,"slug":977},{"id":557},"Let’s talk about SaaS attack techniques","saas-attack-techniques",[979,988,995,1003],{"sys":980,"__typename":981,"title":982,"caption":62,"layoutMode":983,"file":984},{"id":428},"Image","Customer responsibility for SaaS apps PLG","Centre aligned",{"url":985,"width":986,"height":987},"https://images.ctfassets.net/y1cdw1ablpvd/6jaP9nk2U89Y1TidafgXLB/9c3af2cd634ea0621b3e2ac05739582d/image7.png",1980,1214,{"sys":989,"__typename":981,"title":990,"caption":990,"layoutMode":983,"file":991},{"id":448},"Two parts of SaaS security",{"url":992,"width":993,"height":994},"https://images.ctfassets.net/y1cdw1ablpvd/2dRhaTc75s2mHGYmreOZDS/8d0c2dddbabfeaddd99f3f9aa781e718/image3.png",1999,806,{"sys":996,"__typename":981,"title":997,"caption":998,"layoutMode":983,"file":999},{"id":530},"Shared responsibility model - customer responsibilities - PLG","The security controls customers are responsible for",{"url":1000,"width":1001,"height":1002},"https://images.ctfassets.net/y1cdw1ablpvd/5NHny8Lh0CQjkK3N6WEbAM/ae9ee10605795c547d25177061b42391/image6.png",1966,1096,{"sys":1004,"__typename":1005,"type":1006,"ctaText":1007,"buttonLabel":1008,"buttonColour":1009,"buttonUrl":62},{"id":885},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange","json",{"items":1012},[],{},"SaaS security — what is it and how to manage the risk","2023-08-03T00:00:00.000Z",{"items":1017},[1018,1612],{"__typename":971,"sys":1019,"content":1021,"title":1594,"synopsis":1595,"hashTags":62,"publishedDate":1596,"slug":1597,"tagsCollection":1598,"authorsCollection":1608},{"id":1020},"RColcmPkti04JQrda9WOp",{"json":1022},{"nodeType":239,"data":1023,"content":1024},{},[1025,1032,1039,1046,1063,1070,1076,1083,1090,1097,1104,1124,1131,1137,1144,1151,1174,1181,1188,1195,1202,1208,1215,1222,1231,1239,1246,1253,1260,1267,1274,1286,1293,1300,1307,1332,1365,1382,1393,1400,1407,1411,1418,1425,1432,1439,1446,1453,1460,1467,1474,1481,1488,1495,1502,1509,1516,1532,1551,1558,1565,1588],{"nodeType":243,"data":1026,"content":1027},{},[1028],{"nodeType":247,"value":1029,"marks":1030,"data":1031},"The way we’ve adopted software in our businesses has shifted dramatically over the years due to the rise of the product-led growth (PLG) movement. ",[],{},{"nodeType":273,"data":1033,"content":1034},{},[1035],{"nodeType":247,"value":1036,"marks":1037,"data":1038},"What is PLG and how does it lead SaaS sprawl?",[],{},{"nodeType":243,"data":1040,"content":1041},{},[1042],{"nodeType":247,"value":1043,"marks":1044,"data":1045},"In PLG, SaaS providers offer free trials and free versions to entice employees to sign up and immediately start using and testing their SaaS applications. SaaS vendors know they can close deals quicker if they can prove the value of their tool with their users - your employees - and “become sticky” with those users. ",[],{},{"nodeType":243,"data":1047,"content":1048},{},[1049,1053,1059],{"nodeType":247,"value":1050,"marks":1051,"data":1052},"If vendors can make their cloud apps useful enough for employees to rely on them, ",[],{},{"nodeType":247,"value":1054,"marks":1055,"data":1058},"it’s much harder for IT and security teams to swoop in and force a move to a more secure or similar SaaS application",[1056,1057],{"type":592},{"type":616},{},{"nodeType":247,"value":1060,"marks":1061,"data":1062}," that another team in the company is already using. ",[],{},{"nodeType":243,"data":1064,"content":1065},{},[1066],{"nodeType":247,"value":1067,"marks":1068,"data":1069},"This isn’t malicious, mind you - it’s just that vendors know that SaaS security audits and due diligence can extend their sales cycles and complicate their deals. Their quickest win is to get in with your employee and turn them into their champion within your company. Here’s a quick visual for how software onboarding typically flows in this PLG-ruled world:",[],{},{"nodeType":424,"data":1071,"content":1075},{"target":1072},{"sys":1073},{"id":1074,"type":375,"linkType":376},"61Oj6GzX4amLxEJ5fPDJCq",[],{"nodeType":243,"data":1077,"content":1078},{},[1079],{"nodeType":247,"value":1080,"marks":1081,"data":1082},"Because of this shift to adoption or free trials as the first step of a “software onboarding process,” Security and IT are left with huge visibility gaps, with shadow SaaS and shadow IT growing exponentially with each employee sign up. Those shadow apps are what we’re talking about when we discuss SaaS sprawl and the risks these unmonitored accounts introduce.",[],{},{"nodeType":273,"data":1084,"content":1085},{},[1086],{"nodeType":247,"value":1087,"marks":1088,"data":1089},"The impact on SaaS security",[],{},{"nodeType":243,"data":1091,"content":1092},{},[1093],{"nodeType":247,"value":1094,"marks":1095,"data":1096},"This Saas provider shift toward pushing employees to sign up for SaaS apps without your oversight has already been happening and it’ll continue to grow in the years to come. That’s because PLG works! It’s helping SaaS vendors grow their businesses exponentially and more and more SaaS providers are going to start following suit.",[],{},{"nodeType":273,"data":1098,"content":1099},{},[1100],{"nodeType":247,"value":1101,"marks":1102,"data":1103},"How big of a problem is this, really?",[],{},{"nodeType":243,"data":1105,"content":1106},{},[1107,1111,1120],{"nodeType":247,"value":1108,"marks":1109,"data":1110},"Back in 2015, Forrester ",[],{},{"nodeType":410,"data":1112,"content":1114},{"uri":1113},"https://www.forrester.com/blogs/15-04-14-death_of_a_b2b_salesman/",[1115],{"nodeType":247,"value":1116,"marks":1117,"data":1119},"reported",[1118],{"type":382},{},{"nodeType":247,"value":1121,"marks":1122,"data":1123}," that 75% of B2B buyers prefer a no-sales-rep buying process. Product-led growth (PLG) is now the norm for SaaS companies, with around 60% of SaaS companies using this model now.  ",[],{},{"nodeType":243,"data":1125,"content":1126},{},[1127],{"nodeType":247,"value":1128,"marks":1129,"data":1130},"Here are just a few examples of common business SaaS applications sold via the PLG model, which you’ll definitely recognize. One thing you’ll quickly notice is that most of these apps are built for sales, marketing, and customer support:",[],{},{"nodeType":424,"data":1132,"content":1136},{"target":1133},{"sys":1134},{"id":1135,"type":375,"linkType":376},"747PuaJ26IbolPB1ugxd2h",[],{"nodeType":273,"data":1138,"content":1139},{},[1140],{"nodeType":247,"value":1141,"marks":1142,"data":1143},"SaaS sprawl: A massive increase in the number of SaaS applications businesses use ",[],{},{"nodeType":243,"data":1145,"content":1146},{},[1147],{"nodeType":247,"value":1148,"marks":1149,"data":1150},"Adding to the shadow SaaS and SaaS sprawl storm, the sheer number of apps in use has increased dramatically over the years, and will continue to do so. There are a couple reasons for this: ",[],{},{"nodeType":295,"data":1152,"content":1153},{},[1154,1164],{"nodeType":299,"data":1155,"content":1156},{},[1157],{"nodeType":243,"data":1158,"content":1159},{},[1160],{"nodeType":247,"value":1161,"marks":1162,"data":1163},"The big old monolithic on-prem software is being replaced not by a single SaaS app, but an ecosystem of specialized apps. ",[],{},{"nodeType":299,"data":1165,"content":1166},{},[1167],{"nodeType":243,"data":1168,"content":1169},{},[1170],{"nodeType":247,"value":1171,"marks":1172,"data":1173},"Since apps are virtually zero-maintenance these days, the operating cost of running multiple apps is almost the same as running one giant on-prem or SaaS platform. This further multiplies the number of apps and vendors used in your business.",[],{},{"nodeType":273,"data":1175,"content":1176},{},[1177],{"nodeType":247,"value":1178,"marks":1179,"data":1180},"Security SaaS applications don’t use PLG ",[],{},{"nodeType":243,"data":1182,"content":1183},{},[1184],{"nodeType":247,"value":1185,"marks":1186,"data":1187},"IT & security folks are usually ahead of the curve when it comes to technology shifts, but in this case many might have missed the scale or speed of the change. ",[],{},{"nodeType":243,"data":1189,"content":1190},{},[1191],{"nodeType":247,"value":1192,"marks":1193,"data":1194},"That’s because IT and security tools are among the least product-led of any sector. Most of our industry’s tools require heavy integrations, complicated setup, agent deployments, and so on. ",[],{},{"nodeType":243,"data":1196,"content":1197},{},[1198],{"nodeType":247,"value":1199,"marks":1200,"data":1201},"Note the difference between these common SaaS platforms for security and the ones for the rest of the company above:",[],{},{"nodeType":424,"data":1203,"content":1207},{"target":1204},{"sys":1205},{"id":1206,"type":375,"linkType":376},"2ldVELsUQIU0xaPSPJyXBR",[],{"nodeType":243,"data":1209,"content":1210},{},[1211],{"nodeType":247,"value":1212,"marks":1213,"data":1214},"Notice how all those “Sign up now” buttons have morphed into “Get a demo” buttons? This is the “old-school” way of procuring software. You work with sales and get a live demo with the sales rep, rather than signing up and trying it for yourself. Then you do still have to do your due diligence and work directly with the vendor to vet whether they’ll responsibly protect your corporate and/or customer data, that they’re SOC2 compliant, and so on.",[],{},{"nodeType":243,"data":1216,"content":1217},{},[1218],{"nodeType":247,"value":1219,"marks":1220,"data":1221},"Unfortunately, few security companies are making products as easy to set up and use as new tools for marketing, sales, finance, development, engineering design, legal, HR, and basically every other sector.",[],{},{"nodeType":243,"data":1223,"content":1224},{},[1225],{"nodeType":247,"value":1226,"marks":1227,"data":1230},"This leads to a misconception that self-adopted apps are rare and don’t contain sensitive data. ",[1228,1229],{"type":616},{"type":592},{},{"nodeType":243,"data":1232,"content":1233},{},[1234],{"nodeType":247,"value":29,"marks":1235,"data":1238},[1236,1237],{"type":616},{"type":592},{},{"nodeType":273,"data":1240,"content":1241},{},[1242],{"nodeType":247,"value":1243,"marks":1244,"data":1245},"Free trials interact with real, live corporate data",[],{},{"nodeType":243,"data":1247,"content":1248},{},[1249],{"nodeType":247,"value":1250,"marks":1251,"data":1252},"It’s not just the paid, fully-adopted apps that introduce third-party, supply-chain and SaaS application security risks to your organization. Even those free trials before an app is officially “adopted” can pose a significant security risk. ",[],{},{"nodeType":243,"data":1254,"content":1255},{},[1256],{"nodeType":247,"value":1257,"marks":1258,"data":1259},"For PLG to work, users need to experience meaningful value during that initial experience. To do that, users/your employees almost always need to connect the app to your live environment where it interacts with real data. ",[],{},{"nodeType":273,"data":1261,"content":1262},{},[1263],{"nodeType":247,"value":1264,"marks":1265,"data":1266},"Security and IT only see a few of the apps employees are testing and signing up for",[],{},{"nodeType":243,"data":1268,"content":1269},{},[1270],{"nodeType":247,"value":1271,"marks":1272,"data":1273},"To make matters worse, only a small subset of those apps ever get submitted to finance or any official app-onboarding process. Typically, this happens when an employee outgrows the free or trial tier and needs to upgrade to a paid account. ",[],{},{"nodeType":243,"data":1275,"content":1276},{},[1277,1283],{"nodeType":247,"value":1278,"marks":1279,"data":1282},"The freemium and trial versions of apps are unlikely to ever be presented to IT and security.",[1280,1281],{"type":592},{"type":616},{},{"nodeType":247,"value":595,"marks":1284,"data":1285},[],{},{"nodeType":243,"data":1287,"content":1288},{},[1289],{"nodeType":247,"value":1290,"marks":1291,"data":1292},"Most agree that only about 2-5% of folks on freemium/free tiers become paying customers. With conversions from free to paid happening only at a very very low rate, it’s very likely that a lot of your employees are using a lot of free tier apps for at least some significant timeframe.",[],{},{"nodeType":243,"data":1294,"content":1295},{},[1296],{"nodeType":247,"value":1297,"marks":1298,"data":1299},"As mentioned earlier, real live data is often still input into those free apps. So, if you’re relying on finance records to tell you which apps employees are using, you’re going to miss all those free apps, which may never reach finance. And those free apps present just as much risk as the paid apps, more if you consider that you have no visibility into the majority of them. ",[],{},{"nodeType":273,"data":1301,"content":1302},{},[1303],{"nodeType":247,"value":1304,"marks":1305,"data":1306},"Losing direct visibility into SaaS apps means Security is getting in too late",[],{},{"nodeType":243,"data":1308,"content":1309},{},[1310,1314,1319,1323,1328],{"nodeType":247,"value":1311,"marks":1312,"data":1313},"Though security teams have lost ",[],{},{"nodeType":247,"value":1315,"marks":1316,"data":1318},"direct visibility",[1317],{"type":592},{},{"nodeType":247,"value":1320,"marks":1321,"data":1322},", they’ve not lost ",[],{},{"nodeType":247,"value":1324,"marks":1325,"data":1327},"complete visibility.",[1326],{"type":592},{},{"nodeType":247,"value":1329,"marks":1330,"data":1331}," Many are finding out about at least a fraction of these apps, though things like:",[],{},{"nodeType":486,"data":1333,"content":1334},{},[1335,1345,1355],{"nodeType":299,"data":1336,"content":1337},{},[1338],{"nodeType":243,"data":1339,"content":1340},{},[1341],{"nodeType":247,"value":1342,"marks":1343,"data":1344},"Pulling expense reports once employees need to move from a free to paid tier of an app",[],{},{"nodeType":299,"data":1346,"content":1347},{},[1348],{"nodeType":243,"data":1349,"content":1350},{},[1351],{"nodeType":247,"value":1352,"marks":1353,"data":1354},"Scanning employee email inboxes for key phrases like, “Thanks for signing up for [app]”",[],{},{"nodeType":299,"data":1356,"content":1357},{},[1358],{"nodeType":243,"data":1359,"content":1360},{},[1361],{"nodeType":247,"value":1362,"marks":1363,"data":1364},"And, unfortunately, when something has already gone wrong and they’re asked to respond to an incident on a SaaS platform",[],{},{"nodeType":243,"data":1366,"content":1367},{},[1368,1372,1378],{"nodeType":247,"value":1369,"marks":1370,"data":1371},"In both cases, ",[],{},{"nodeType":247,"value":1373,"marks":1374,"data":1377},"security is getting visibility too late to be of much value",[1375,1376],{"type":592},{"type":616},{},{"nodeType":247,"value":1379,"marks":1380,"data":1381},". As I mentioned earlier, once a team has been using an app (even on a free tier) for a year, it’s a huge challenge for Security to convince them to move to a more secure app or to consolidate apps when they find multiple teams using very similar apps. ",[],{},{"nodeType":243,"data":1383,"content":1384},{},[1385,1390],{"nodeType":247,"value":1386,"marks":1387,"data":1389},"This intervention needs to happen very early - long before finance is involved - in order to make a positive impact.",[1388],{"type":592},{},{"nodeType":247,"value":595,"marks":1391,"data":1392},[],{},{"nodeType":243,"data":1394,"content":1395},{},[1396],{"nodeType":247,"value":1397,"marks":1398,"data":1399},"Incident Response is necessary, of course, when a SaaS account is breached, but cannot recover the lost data after a successful attack. ",[],{},{"nodeType":243,"data":1401,"content":1402},{},[1403],{"nodeType":247,"value":1404,"marks":1405,"data":1406},"All of this obviously poses a problem from an IT and security standpoint. Don’t sound the alarms yet, though, there’s a way to regain some control over your corporate data without having to play bad cop with your entire company.",[],{},{"nodeType":1408,"data":1409,"content":1410},"hr",{},[],{"nodeType":273,"data":1412,"content":1413},{},[1414],{"nodeType":247,"value":1415,"marks":1416,"data":1417},"First steps to reclaiming control",[],{},{"nodeType":243,"data":1419,"content":1420},{},[1421],{"nodeType":247,"value":1422,"marks":1423,"data":1424},"This is a very high-level take on where to start when it comes to SaaS sprawl and security and building out a strong SaaS and cloud security program. But, it’s a start!",[],{},{"nodeType":348,"data":1426,"content":1427},{},[1428],{"nodeType":247,"value":1429,"marks":1430,"data":1431},"1. Shift your perspective ",[],{},{"nodeType":243,"data":1433,"content":1434},{},[1435],{"nodeType":247,"value":1436,"marks":1437,"data":1438},"To regain visibility and control, you need to work with employees, rather than focusing on blocking them from their favorite tools.",[],{},{"nodeType":243,"data":1440,"content":1441},{},[1442],{"nodeType":247,"value":1443,"marks":1444,"data":1445},"You can rein this in, but you must shift from the old way of thinking - you can no longer be the “Department of No” and have to shift to becoming the “Department of Yes, Unless….”",[],{},{"nodeType":348,"data":1447,"content":1448},{},[1449],{"nodeType":247,"value":1450,"marks":1451,"data":1452},"2. Get in early",[],{},{"nodeType":243,"data":1454,"content":1455},{},[1456],{"nodeType":247,"value":1457,"marks":1458,"data":1459},"Do yourself a favor and buy yourself time to do due diligence on the multiple SaaS applications employees sign up for on their own. ",[],{},{"nodeType":243,"data":1461,"content":1462},{},[1463],{"nodeType":247,"value":1464,"marks":1465,"data":1466},"Getting involved before an employee or team are fully reliant on an app is the best way to make a positive impact on your SaaS security posture.",[],{},{"nodeType":243,"data":1468,"content":1469},{},[1470],{"nodeType":247,"value":1471,"marks":1472,"data":1473},"To do this, you need…",[],{},{"nodeType":348,"data":1475,"content":1476},{},[1477],{"nodeType":247,"value":1478,"marks":1479,"data":1480},"3. Get real-time visibility into the SaaS and cloud apps your employees are signing up for",[],{},{"nodeType":243,"data":1482,"content":1483},{},[1484],{"nodeType":247,"value":1485,"marks":1486,"data":1487},"This can be a noisy mess, but it doesn’t have to be. Look for solutions with options that work with your existing workflow. Tools that send a ChatOps message to security whenever an employee signs up for a new app is a great start.",[],{},{"nodeType":243,"data":1489,"content":1490},{},[1491],{"nodeType":247,"value":1492,"marks":1493,"data":1494},"To cut through the noise, rely on a SaaS security solution that also provides security-relevant information that tells you when you should dig into an app further or when an app only poses minimal risk and can be ignored.",[],{},{"nodeType":348,"data":1496,"content":1497},{},[1498],{"nodeType":247,"value":1499,"marks":1500,"data":1501},"4. Find and fix account security issues at the same time",[],{},{"nodeType":243,"data":1503,"content":1504},{},[1505],{"nodeType":247,"value":1506,"marks":1507,"data":1508},"We suggest you focus on account security issues since this is where the attacks are happening - at the account level. ",[],{},{"nodeType":243,"data":1510,"content":1511},{},[1512],{"nodeType":247,"value":1513,"marks":1514,"data":1515},"Getting SaaS visibility is crucial, but it’s not useful if the data leads to false positives. Tracking down cloud apps that aren’t actually in use is a massive waste of your time.",[],{},{"nodeType":243,"data":1517,"content":1518},{},[1519,1523,1528],{"nodeType":247,"value":1520,"marks":1521,"data":1522},"To get the most accurate visibility into shadow SaaS, consider a browser extension. Why, yes, we ",[],{},{"nodeType":247,"value":1524,"marks":1525,"data":1527},"are ",[1526],{"type":592},{},{"nodeType":247,"value":1529,"marks":1530,"data":1531},"biased! But we built our product on top of a combo of API data and browser data because that’s where employees are accessing and signing up for their SaaS and cloud apps. ",[],{},{"nodeType":243,"data":1533,"content":1534},{},[1535,1539,1547],{"nodeType":247,"value":1536,"marks":1537,"data":1538},"We dig into this SaaS discovery data source topic in much more detail ",[],{},{"nodeType":410,"data":1540,"content":1542},{"uri":1541},"https://pushsecurity.com/blog/want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser/",[1543],{"nodeType":247,"value":874,"marks":1544,"data":1546},[1545],{"type":382},{},{"nodeType":247,"value":1548,"marks":1549,"data":1550},", so that’s worth a read when you’re ready to start prioritizing SaaS security and evaluating solutions. ",[],{},{"nodeType":348,"data":1552,"content":1553},{},[1554],{"nodeType":247,"value":1555,"marks":1556,"data":1557},"5. Work with employees to reduce the burden on your security team ",[],{},{"nodeType":243,"data":1559,"content":1560},{},[1561],{"nodeType":247,"value":1562,"marks":1563,"data":1564},"No, you don’t want employees making security decisions, but you will need to find a way to help them secure the SaaS accounts they have at a user-level.",[],{},{"nodeType":486,"data":1566,"content":1567},{},[1568,1578],{"nodeType":299,"data":1569,"content":1570},{},[1571],{"nodeType":243,"data":1572,"content":1573},{},[1574],{"nodeType":247,"value":1575,"marks":1576,"data":1577},"To keep up with the scale of SaaS adoption and SaaS sprawl in your attack surface, which will continue to grow weekly, you’ll need to automate the information-gathering part of the process. ",[],{},{"nodeType":299,"data":1579,"content":1580},{},[1581],{"nodeType":243,"data":1582,"content":1583},{},[1584],{"nodeType":247,"value":1585,"marks":1586,"data":1587},"When possible, equip employees to self-remediate issues and complete tasks (like signing up for MFA in the app) that your team would otherwise have to do. ",[],{},{"nodeType":243,"data":1589,"content":1590},{},[1591],{"nodeType":247,"value":29,"marks":1592,"data":1593},[],{},"Free and trial SaaS applications are even riskier than paid apps","Free and trial SaaS accounts are often invisible to security teams and still interact with real, live corporate data.","2023-07-11T00:00:00.000Z","free-and-trial-saas-applications-are-even-riskier-than-paid-apps",{"items":1599},[1600,1604],{"sys":1601,"name":1603},{"id":1602},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1605,"name":1607},{"id":1606},"3SA5H01UkKauuiTdt0KC6q","Shadow IT",{"items":1609},[1610],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1611},{"url":236},{"__typename":971,"sys":1613,"content":1615,"title":2232,"synopsis":2233,"hashTags":62,"publishedDate":2234,"slug":2235,"tagsCollection":2236,"authorsCollection":2242},{"id":1614},"3PqX7fLrTIYhWjbEhHSRHG",{"json":1616},{"nodeType":239,"data":1617,"content":1618},{},[1619,1631,1638,1645,1652,1659,1688,1695,1714,1721,1741,1748,1754,1892,1899,1906,1913,1965,1972,1991,1998,2005,2012,2019,2026,2033,2040,2047,2054,2061,2068,2075,2100,2107,2114,2121,2128,2135,2142,2149,2156,2163,2170,2177,2184,2191,2198,2205,2208,2215,2218,2225],{"nodeType":243,"data":1620,"content":1621},{},[1622,1626],{"nodeType":247,"value":1623,"marks":1624,"data":1625},"SaaS is exploding and making employees more productive than ever. If your security strategy relies on simply blocking all SaaS that hasn’t been sanctioned by your security team, you’re also blocking your coworkers from all the productivity gains that SaaS brings to the table. Not only that, but blocking through official channels doesn’t effectively stop employees from accessing the SaaS apps they want to use – you just can’t see it because they may have turned off the endpoint agent you’re using to manage SaaS policies, bypass the proxy, or change proxy settings. And now you’ve got a “Shadow IT problem!” *",[],{},{"nodeType":247,"value":1627,"marks":1628,"data":1630},"Dread ensues*",[1629],{"type":592},{},{"nodeType":243,"data":1632,"content":1633},{},[1634],{"nodeType":247,"value":1635,"marks":1636,"data":1637},"Some folks even choose to block or turn off app stores to limit SaaS adoption by employees. The issue with this is that you’re blocking them from using productivity tools they want to do their work. You think you’re preventing risk (though we know employees find ways to adopt and use SaaS regardless of your controls), but you’re also restricting employees from being productive, flexible, and, frankly, you’re ticking them off. These kinds of actions widen the divide between security and the rest of the company, which is never a good thing. ",[],{},{"nodeType":243,"data":1639,"content":1640},{},[1641],{"nodeType":247,"value":1642,"marks":1643,"data":1644},"Stay cool, stay calm, we’ve got this. To manage SaaS, you need some sense of control over what employees are using and how they’re using it, right? By working with employees and doing the legwork to understand their needs, you can start to repair relationships there, which makes your job much easier in the long run.",[],{},{"nodeType":243,"data":1646,"content":1647},{},[1648],{"nodeType":247,"value":1649,"marks":1650,"data":1651},"However, before we go down the path of understanding how employees are using SaaS, you first need to know which apps they’re using.",[],{},{"nodeType":273,"data":1653,"content":1654},{},[1655],{"nodeType":247,"value":1656,"marks":1657,"data":1658},"How do I find the SaaS apps employees are actually using?",[],{},{"nodeType":243,"data":1660,"content":1661},{},[1662,1666,1671,1675,1684],{"nodeType":247,"value":1663,"marks":1664,"data":1665},"You can discover the apps employees are using in a couple ways: 1) manually, using the data you already have access to or, 2) using a pre-existing tool (oh hey, we have one you can ",[],{},{"nodeType":247,"value":1667,"marks":1668,"data":1670},"use for free",[1669],{"type":382},{},{"nodeType":247,"value":1672,"marks":1673,"data":1674},"). We wrote a ",[],{},{"nodeType":410,"data":1676,"content":1678},{"uri":1677},"https://pushsecurity.com/blog/rolling-your-own-saas-discovery/",[1679],{"nodeType":247,"value":1680,"marks":1681,"data":1683},"guide",[1682],{"type":382},{},{"nodeType":247,"value":1685,"marks":1686,"data":1687}," about how you might do the manual approach for SaaS discovery, though fair warning… this manual effort isn’t for the faint of heart.",[],{},{"nodeType":243,"data":1689,"content":1690},{},[1691],{"nodeType":247,"value":1692,"marks":1693,"data":1694},"For the purposes of this guide, we’re going to assume you’ve taken care of the SaaS discovery process already and you’re now facing a list of SaaS - potentially a very large one - you didn’t know employees were using. ",[],{},{"nodeType":243,"data":1696,"content":1697},{},[1698,1702,1710],{"nodeType":247,"value":1699,"marks":1700,"data":1701},"If you haven’t discovered the unknown SaaS in your organization, we suggest you ",[],{},{"nodeType":410,"data":1703,"content":1705},{"uri":1704},"https://login.pushsecurity.com/u/signup",[1706],{"nodeType":247,"value":1707,"marks":1708,"data":1709},"sign up",[],{},{"nodeType":247,"value":1711,"marks":1712,"data":1713},", let us do the heavy lifting for you to discover SaaS, then use that list as a starting point for this next phase of the process…",[],{},{"nodeType":273,"data":1715,"content":1716},{},[1717],{"nodeType":247,"value":1718,"marks":1719,"data":1720},"I’ve found some SaaS apps I didn’t know about. Now what?",[],{},{"nodeType":243,"data":1722,"content":1723},{},[1724,1728,1737],{"nodeType":247,"value":1725,"marks":1726,"data":1727},"You’ve found the apps (hooray!), so now you’re on the hook to figure out what risks those apps might pose to the company (wasn’t ignorance bliss?). Does it help to know that most organizations find a large list of unknown apps so you’re not alone? A ",[],{},{"nodeType":410,"data":1729,"content":1731},{"uri":1730},"https://track.g2.com/resources/shadow-it-statistics",[1732],{"nodeType":247,"value":1733,"marks":1734,"data":1736},"report",[1735],{"type":382},{},{"nodeType":247,"value":1738,"marks":1739,"data":1740}," from G2 Crowd stated that the average company has 975 unknown cloud services and that 67% of teams have introduced their own collaboration tools into an organization.",[],{},{"nodeType":243,"data":1742,"content":1743},{},[1744],{"nodeType":247,"value":1745,"marks":1746,"data":1747},"Even though you’re not alone, you still need to protect employee and company data from unnecessary third-party risk. Here’s a quick rundown of what you need to do next to get a handle on SaaS without restricting its use.",[],{},{"nodeType":424,"data":1749,"content":1753},{"target":1750},{"sys":1751},{"id":1752,"type":375,"linkType":376},"TgFACpcpdooMuPLPXvlk4",[],{"nodeType":295,"data":1755,"content":1756},{},[1757,1815,1830,1845,1860],{"nodeType":299,"data":1758,"content":1759},{},[1760,1772],{"nodeType":243,"data":1761,"content":1762},{},[1763,1768],{"nodeType":247,"value":1764,"marks":1765,"data":1767},"Ensure basic account security controls are in place across all SaaS. ",[1766],{"type":616},{},{"nodeType":247,"value":1769,"marks":1770,"data":1771},"To get at this information, you’ll need either a tool (we got you!) or you’ll need to go directly to employees to get necessary information about how they’re accessing and using SaaS. You’ll need to know:",[],{},{"nodeType":295,"data":1773,"content":1774},{},[1775,1785,1795,1805],{"nodeType":299,"data":1776,"content":1777},{},[1778],{"nodeType":243,"data":1779,"content":1780},{},[1781],{"nodeType":247,"value":1782,"marks":1783,"data":1784},"Are employees using multi-factor authentication (MFA) or two-factor authentication (2FA) where available? ",[],{},{"nodeType":299,"data":1786,"content":1787},{},[1788],{"nodeType":243,"data":1789,"content":1790},{},[1791],{"nodeType":247,"value":1792,"marks":1793,"data":1794},"What about strong passwords and password policies? ",[],{},{"nodeType":299,"data":1796,"content":1797},{},[1798],{"nodeType":243,"data":1799,"content":1800},{},[1801],{"nodeType":247,"value":1802,"marks":1803,"data":1804},"Are they sharing passwords across multiple apps? ",[],{},{"nodeType":299,"data":1806,"content":1807},{},[1808],{"nodeType":243,"data":1809,"content":1810},{},[1811],{"nodeType":247,"value":1812,"marks":1813,"data":1814},"Are they sharing login credentials as a team - some teams will do this to stay on a free or trial tier by only having a “single” user. ",[],{},{"nodeType":299,"data":1816,"content":1817},{},[1818],{"nodeType":243,"data":1819,"content":1820},{},[1821,1826],{"nodeType":247,"value":1822,"marks":1823,"data":1825},"Try to identify SaaS that is no longer needed/used and remove it. ",[1824],{"type":616},{},{"nodeType":247,"value":1827,"marks":1828,"data":1829},"You won't believe how quickly you build up SaaS baggage as users move to the newest hottest thing.",[],{},{"nodeType":299,"data":1831,"content":1832},{},[1833],{"nodeType":243,"data":1834,"content":1835},{},[1836,1841],{"nodeType":247,"value":1837,"marks":1838,"data":1840},"Identify apps that are used to create and store data you care about. ",[1839],{"type":616},{},{"nodeType":247,"value":1842,"marks":1843,"data":1844},"Then prioritize them for some additional scrutiny.",[],{},{"nodeType":299,"data":1846,"content":1847},{},[1848],{"nodeType":243,"data":1849,"content":1850},{},[1851,1856],{"nodeType":247,"value":1852,"marks":1853,"data":1855},"Identify apps that integrate with those core apps. ",[1854],{"type":616},{},{"nodeType":247,"value":1857,"marks":1858,"data":1859},"They’re also processing that same data you care about. These are usually called OAuth applications or third-party integrations like apps and bots that add functionality and features to the core app.",[],{},{"nodeType":299,"data":1861,"content":1862},{},[1863,1879],{"nodeType":243,"data":1864,"content":1865},{},[1866,1870,1875],{"nodeType":247,"value":1867,"marks":1868,"data":1869},"Where your additional scrutiny identifies risks you can't live with, ",[],{},{"nodeType":247,"value":1871,"marks":1872,"data":1874},"stop new users adopting those apps (by giving them a better alternative)",[1873],{"type":616},{},{"nodeType":247,"value":1876,"marks":1877,"data":1878}," and migrate existing users over to that alternative, approved app. ",[],{},{"nodeType":295,"data":1880,"content":1881},{},[1882],{"nodeType":299,"data":1883,"content":1884},{},[1885],{"nodeType":243,"data":1886,"content":1887},{},[1888],{"nodeType":247,"value":1889,"marks":1890,"data":1891},"To do this, you’ll need to look for secure alternatives to the SaaS employees are using that you have deemed too risky. This is important, albeit time-consuming. Offering an alternative sweetens the process for using more secure platforms before you outright block the bad ones. It also lets your colleagues know you’re considering their needs and not just restricting their work.",[],{},{"nodeType":243,"data":1893,"content":1894},{},[1895],{"nodeType":247,"value":1896,"marks":1897,"data":1898},"Beyond just the security of the technology itself, you need to ensure employees are doing their part in using the app securely. ",[],{},{"nodeType":273,"data":1900,"content":1901},{},[1902],{"nodeType":247,"value":1903,"marks":1904,"data":1905},"How to prioritize which apps require additional scrutiny",[],{},{"nodeType":243,"data":1907,"content":1908},{},[1909],{"nodeType":247,"value":1910,"marks":1911,"data":1912},"There’s no right or wrong approach for how to prioritize the apps you find during the discovery process, but we’ve found that most our customers prioritize apps based on if the app is:",[],{},{"nodeType":486,"data":1914,"content":1915},{},[1916,1926,1936,1955],{"nodeType":299,"data":1917,"content":1918},{},[1919],{"nodeType":243,"data":1920,"content":1921},{},[1922],{"nodeType":247,"value":1923,"marks":1924,"data":1925},"used by many people in the company, and",[],{},{"nodeType":299,"data":1927,"content":1928},{},[1929],{"nodeType":243,"data":1930,"content":1931},{},[1932],{"nodeType":247,"value":1933,"marks":1934,"data":1935},"requesting access to highly sensitive data to work or integrating with SaaS that have data you don’t want exposed. This might be a cloud drive containing all sorts of documents, a CRM that uses customer data inputs, a billing platform, an app that’s used for signing legal documents, an HR platform, etc.",[],{},{"nodeType":299,"data":1937,"content":1938},{},[1939],{"nodeType":243,"data":1940,"content":1941},{},[1942,1946,1951],{"nodeType":247,"value":1943,"marks":1944,"data":1945},"one you’ve never heard of before. Larger SaaS apps built for businesses (Salesforce, Microsoft, Google, etc.) are ",[],{},{"nodeType":247,"value":1947,"marks":1948,"data":1950},"more likely",[1949],{"type":592},{},{"nodeType":247,"value":1952,"marks":1953,"data":1954}," to be secure than some of the smaller, newer SaaS apps who haven’t gone through the same levels of security reviews before going to market. ",[],{},{"nodeType":299,"data":1956,"content":1957},{},[1958],{"nodeType":243,"data":1959,"content":1960},{},[1961],{"nodeType":247,"value":1962,"marks":1963,"data":1964},"used by high profile employees or employees with access to very sensitive corporate information (C-level executives, finance, legal, HR, etc.). ",[],{},{"nodeType":243,"data":1966,"content":1967},{},[1968],{"nodeType":247,"value":1969,"marks":1970,"data":1971},"For example, if you have a whole team using a single app that you’ve never heard of, add that app to the top of your priorities list for investigation. It’s likely business critical and serving a need for that team, so taking it away won’t be a good idea if you’re trying to build bridges between security and employees. Plus, more users probably means more data is stored within the app. Those users might also have integrated a lot of third-party apps or bots (OAuth) to that core application. ",[],{},{"nodeType":243,"data":1973,"content":1974},{},[1975,1979,1987],{"nodeType":247,"value":1976,"marks":1977,"data":1978},"Once you’ve determined which apps need investigation and prioritized them, head over to the National Cyber Security Centre’s ",[],{},{"nodeType":410,"data":1980,"content":1982},{"uri":1981},"https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles/lightweight-approach-to-cloud-security",[1983],{"nodeType":247,"value":1984,"marks":1985,"data":1986},"lightweight approach to cloud security",[],{},{"nodeType":247,"value":1988,"marks":1989,"data":1990}," article. They offer some great guidance for how to reasonably access the risk of a SaaS app with limited time and resources. ",[],{},{"nodeType":243,"data":1992,"content":1993},{},[1994],{"nodeType":247,"value":1995,"marks":1996,"data":1997},"A big missing piece most companies have in their SaaS security strategy, though, is that they’re not working with employees to understand how they’re using SaaS. Before you roll your eyes, hear us out…",[],{},{"nodeType":273,"data":1999,"content":2000},{},[2001],{"nodeType":247,"value":2002,"marks":2003,"data":2004},"Secure SaaS by working with employees",[],{},{"nodeType":243,"data":2006,"content":2007},{},[2008],{"nodeType":247,"value":2009,"marks":2010,"data":2011},"Remember, employees are the owners of SaaS in your company - they’ve adopted and used SaaS tools in your environment, so they know better than anyone else how they’re using it, if they’re still using it, what the additional integrations in the app offer, and what it does for them. You, as their security lead, know how to determine if they’re logging in securely, if the data the app is requesting access to is an acceptable risk, if they’ve enabled built-in common sense security features like 2FA/MFA, and if the third-party integrations they’ve added are too high risk or requesting excessive permissions.",[],{},{"nodeType":243,"data":2013,"content":2014},{},[2015],{"nodeType":247,"value":2016,"marks":2017,"data":2018},"By working with employees, you can get the full picture of SaaS use within the company and understand what your colleagues need and coach them to improve the security of how they’re accessing and using the tools they prefer. The problem is that it’s really difficult to do manually in a real world environment because it’s just so time-consuming to reach out to each employee and ask a series of questions to get the context you need. ",[],{},{"nodeType":243,"data":2020,"content":2021},{},[2022],{"nodeType":247,"value":2023,"marks":2024,"data":2025},"If an entire team is using an app you weren’t aware of, you can talk to the technical owner or administrator of the app to understand how they’re using it. What doesn’t work at scale with manual outreach, however, is understanding how securely employees are logging in and accessing SaaS. ",[],{},{"nodeType":243,"data":2027,"content":2028},{},[2029],{"nodeType":247,"value":2030,"marks":2031,"data":2032},"You can automate this process with the right tool, using things like ChatOps and browser notifications, and just sit back and watch as employees improve their own security over time. This is particularly useful when it comes to some of the security hygiene basics, like using strong passwords and enabling MFA, which make a significant impact on overall security posture for very little effort.",[],{},{"nodeType":273,"data":2034,"content":2035},{},[2036],{"nodeType":247,"value":2037,"marks":2038,"data":2039},"What will I gain from working with employees?",[],{},{"nodeType":243,"data":2041,"content":2042},{},[2043],{"nodeType":247,"value":2044,"marks":2045,"data":2046},"Now that you know that working directly with employees to secure SaaS isn’t a pipe dream, nor does it have to be a manual effort or a one-off security campaign, what impact should you expect from these efforts? And how do you measure that impact?",[],{},{"nodeType":243,"data":2048,"content":2049},{},[2050],{"nodeType":247,"value":2051,"marks":2052,"data":2053},"Here are some of the most obvious wins…",[],{},{"nodeType":348,"data":2055,"content":2056},{},[2057],{"nodeType":247,"value":2058,"marks":2059,"data":2060},"Reduce your attack surface",[],{},{"nodeType":243,"data":2062,"content":2063},{},[2064],{"nodeType":247,"value":2065,"marks":2066,"data":2067},"Say you discover your marketing team is using Trello to manage projects, while the sales team is using Asana. Once you have this information, you can talk to the heads of each department to see if they’ll agree on a single solution. ",[],{},{"nodeType":243,"data":2069,"content":2070},{},[2071],{"nodeType":247,"value":2072,"marks":2073,"data":2074},"Without management, you’re likely to wind up using multiple (often dozens) of chat, project management, calendar-sharing apps and so on within your company. The issue with this is that it opens you up to unnecessary risk, with your data being held on the systems of hundreds of third parties outside of your traditional perimeter. By connecting users to each other and consolidating the SaaS apps in your company, you can dramatically reduce your attack surface. ",[],{},{"nodeType":243,"data":2076,"content":2077},{},[2078,2082,2091,2096],{"nodeType":247,"value":2079,"marks":2080,"data":2081},"Similarly, removing dormant apps and accounts can have a huge impact. In a ",[],{},{"nodeType":410,"data":2083,"content":2085},{"uri":2084},"https://productiv.com/blog/less-than-half-of-company-saas-applications-are-regularly-used-by-employees/",[2086],{"nodeType":247,"value":2087,"marks":2088,"data":2090},"recent report",[2089],{"type":382},{},{"nodeType":247,"value":2092,"marks":2093,"data":2095}," ",[2094],{"type":382},{},{"nodeType":247,"value":2097,"marks":2098,"data":2099},"by Productiv, they found that on average only 45% of the apps an organization or its employees have an account with are regularly engaged with. That means that potentially half of your SaaS attack surface is totally unnecessary.",[],{},{"nodeType":243,"data":2101,"content":2102},{},[2103],{"nodeType":247,"value":2104,"marks":2105,"data":2106},"Working with employees to find out what apps they are using (and which they are no longer) will allow you to eliminate attacker opportunities to access your data or steal employee account credentials.  ",[],{},{"nodeType":348,"data":2108,"content":2109},{},[2110],{"nodeType":247,"value":2111,"marks":2112,"data":2113},"Reduce supply chain risk",[],{},{"nodeType":243,"data":2115,"content":2116},{},[2117],{"nodeType":247,"value":2118,"marks":2119,"data":2120},"Every third-party SaaS app that your employees use is a supplier and therefore contributes to your overall supply chain risk exposure. Traditionally all technology and software providers will have been reviewed by security teams to ensure that they do not present excessive risk to your organization. However, the explosion in SaaS use has made this more challenging; 1) Most organizations have a large number of SaaS suppliers and its growing, 2) SaaS suppliers are now responsible for more aspects of security than on-prem software suppliers ever were (such as infrastructure security) so there is more to review and assure. ",[],{},{"nodeType":243,"data":2122,"content":2123},{},[2124],{"nodeType":247,"value":2125,"marks":2126,"data":2127},"Every time a duplicate or dormant SaaS app is removed, you’re removing a supplier whose security practices and posture need assuring. This saves your security team bags of time and reduces your overall cyber risk exposure. ",[],{},{"nodeType":243,"data":2129,"content":2130},{},[2131],{"nodeType":247,"value":2132,"marks":2133,"data":2134},"However, for the third-parties you need to continue to work with, you’ll want to perform due diligence to make sure you aren’t exposing yourself to the risk of a supply chain attack. ",[],{},{"nodeType":243,"data":2136,"content":2137},{},[2138],{"nodeType":247,"value":2139,"marks":2140,"data":2141},"Before you can trust a SaaS vendor with your data, you have to be assured the vendor is committed to maintaining an appropriate security standard and has the resources and capabilities to deliver against it. And you need to know how the vendor will secure your data when it is in transit, use and at rest. Understand how the vendor secures their network, monitors for malicious activity, what they’ll do in the event of an incident, and whether they have an adequate business continuity and disaster recovery plan. ",[],{},{"nodeType":243,"data":2143,"content":2144},{},[2145],{"nodeType":247,"value":2146,"marks":2147,"data":2148},"To speed up the due diligence process, you might rely on the vendor providing certification of a recognized standard, such as ISO27001, which demonstrates a solid security baseline.",[],{},{"nodeType":348,"data":2150,"content":2151},{},[2152],{"nodeType":247,"value":2153,"marks":2154,"data":2155},"Establish security as a business enabler",[],{},{"nodeType":243,"data":2157,"content":2158},{},[2159],{"nodeType":247,"value":2160,"marks":2161,"data":2162},"One thing to note, if you’re removing an app, it’s always a good idea to notify the employee(s) using it and suggest secure alternatives. Security teams are often seen as a blocker to be avoided and worked around. During that conversation, you can ask them what they were using the app for and then do some research to offer an alternative option that isn’t as risky to the company. ",[],{},{"nodeType":243,"data":2164,"content":2165},{},[2166],{"nodeType":247,"value":2167,"marks":2168,"data":2169},"Being able to recommend useful tools that can help your colleagues with their jobs (as opposed to just saying no or blocking unsanctioned apps) is  the difference between being seen as a business enabler rather than a business blocker. Once your security team is known for promoting innovative new technology as well as managing risk, employee engagement will increase. ",[],{},{"nodeType":348,"data":2171,"content":2172},{},[2173],{"nodeType":247,"value":2174,"marks":2175,"data":2176},"Greater productivity and competitiveness",[],{},{"nodeType":243,"data":2178,"content":2179},{},[2180],{"nodeType":247,"value":2181,"marks":2182,"data":2183},"SaaS has empowered employees to self-adopt the tools that will help them do their jobs better. This is something that should be harnessed, not resisted. A more productive workforce creates a more competitive company. Security’s job is to manage the risks it introduces to a level that the business can accept, not to eliminate those risks altogether. ",[],{},{"nodeType":243,"data":2185,"content":2186},{},[2187],{"nodeType":247,"value":2188,"marks":2189,"data":2190},"Balancing productivity returns with cyber risk requires employees and security to work together to understand the trade-off and make the best decision for the whole organization. If you can facilitate this collaboration to make better decisions, faster as to what technology and tools your organization can safely take advantage of, then your organization will be more competitive and more successful.  ",[],{},{"nodeType":273,"data":2192,"content":2193},{},[2194],{"nodeType":247,"value":2195,"marks":2196,"data":2197},"You can secure SaaS without pissing off employees",[],{},{"nodeType":243,"data":2199,"content":2200},{},[2201],{"nodeType":247,"value":2202,"marks":2203,"data":2204},"We’ll end this blog with a single key takeaway: ",[],{},{"nodeType":1408,"data":2206,"content":2207},{},[],{"nodeType":243,"data":2209,"content":2210},{},[2211],{"nodeType":247,"value":2212,"marks":2213,"data":2214},"To keep employees happy and productive while still securing corporate data, you need to work with them to understand what they need and point them at the most secure SaaS alternative. ",[],{},{"nodeType":1408,"data":2216,"content":2217},{},[],{"nodeType":243,"data":2219,"content":2220},{},[2221],{"nodeType":247,"value":2222,"marks":2223,"data":2224},"One of the big wins that’s really hard to measure or quantify is that by working with employees, you position yourself as a business enabler. The more you know about the tools employees are choosing to use, the more you understand their needs and desires so that you can find a balanced solution.",[],{},{"nodeType":243,"data":2226,"content":2227},{},[2228],{"nodeType":247,"value":2229,"marks":2230,"data":2231},"We would never recommend that you just open the gates to SaaS and leave employees to sign up with wild abandon, but strictly locking down SaaS clearly doesn’t work. With more SaaS apps coming to market daily, the only approach that can scale and keep up with employees’ needs for productivity and flexibility is one that makes them part of the conversation. You’ve got to work with the SaaS users and empathize with their needs. Only then can you really create a cloud security strategy that’s going to work in the real world. With new tools that can do the heavy lifting for you, a user-powered approach finally makes sense. You got this.",[],{},"5 steps to manage the risk of unsanctioned SaaS ","Learn some lightweight ways to manage the risks SaaS introduces without relying on restrictive policies that block employees from using their preferred tools.","2022-08-11T00:00:00.000Z","manage-saas-risks-without-hindering-employees",{"items":2237},[2238,2240],{"sys":2239,"name":1607},{"id":1606},{"sys":2241,"name":1603},{"id":1602},{"items":2243},[2244],{"fullName":2245,"firstName":2246,"jobTitle":2247,"profilePicture":2248},"Jacques Louw","Jacques","Co-founder / CRO",{"url":2249},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg","what-is-saas-security","blog/what-is-saas-security",{"json":2253},{"data":2254,"content":2255,"nodeType":239},{},[2256],{"data":2257,"content":2258,"nodeType":243},{},[2259],{"data":2260,"marks":2261,"value":284,"nodeType":247},{},[],"We'll quickly define SaaS security and help you better understand how to manage the risk SaaS applications introduce to your business",{"id":2264,"publishedAt":2265},"5lCSAF777tY9gHUL363UwZ","2025-01-15T14:22:40.566Z",{"items":2267},[2268,2270],{"sys":2269,"name":1603},{"id":1602},{"sys":2271,"name":2273},{"id":2272},"3pjES4THCIfSAwhGdNwBcy","Browser security","B7NQQqRG3JfEOJ9cnxQfKdEP_eseG_c2Zne4AzsC_Xo",1784196723384]