Modern SaaS Risks - CISO View on the SaaS Sprawl

Dec 15, 2021


Leon Ravenna
CISO at KAR Global
Ray Espinoza
VP Cloud Security at Medallia
Lior Yaari
CEO at Grip
This webinar will cover:

Managing SaaS Risks: The latest CISO view the SaaS Sprawl
Apps like GitHub, CircleCI and Hubspot have access to your sensitive assets. So why aren’t we connecting them via SSO? Why are we focusing so many of our SaaS concerns on DLP?

Join Ray Espinoza (VP Cloud Security at Medallia) and Leon Ravenna (CISO at KAR Global) in our latest discussion on actual modern SAAS risks and security best practices for large enterprises.

In this webinar:

Lior Yaari:

Thank you everyone for joining Modern SaaS Risks: CISO View on the SaaS Sprawl. We have the pleasure to have with us Ray Espinoza, VP Cloud Security at Medallia, and Leon Ravenna, CISO at KAR Global. My name is Lior Yaari, and I'm the CEO at Grip Security, which is a SaaS security startup. But I'll show more about us at the end of the webinar. So Ray, Leon, thank you for being here. I really appreciate the time, and I will really appreciate the insights as well. And I'd love to start the webinar with, let's say, a simple question. What effective measures do you use today to keep track of SaaS usage within your companies?

Leon Ravenna:

I'll let you start, Ray.

Ray Espinoza:

All right. Sounds good. So, the short answer is we do a lot. If we dive down a little bit deeper into that, it's really important for us to do a number of different things. One, to ensure that our employees have a good understanding of what SaaS tools we have available. The last thing we want is for them to go out and find other solutions on their own when we already have one in-house. And I think that's solving problem number one, in ensuring that there's greater awareness around there. Two, is we also do a ton of evangelism around why self-registering and what we call a shadow SaaS deployment is bad. How that affects Medallia. How other companies have been affected by use of some of these other tools that haven't had the chance to go through a procurement and security review to ensure that they meet the standards that the company requires of vendors to be able to process or store information, assuming that, that's going to be the case going forward.

Ray Espinoza:

And then I would add on top of that, for the SaaS solutions that are in place, because they've grown tremendously here as many companies have shifted from on-prem software to in the cloud SaaS systems, a lot of times security isn't enabled or configured by default. And it takes a bit of time to dive deeper and understand and realize what capabilities are there. I mean, a perfect example, and maybe on the opposite end of the spectrum would be Salesforce, and it's an absolute platform through and through. It's not necessarily a SaaS application, and the amount of knobs and dials to turn related to security are huge, where they have certifications associated with that. And you have others like Box and whatnot, that have some of these capabilities. I think, just if we have an understanding of SaaS systems that are in use, we're able to work through some of those business stakeholders and ensure they're configured appropriately. I can go on and on in a number of different spots, but Leon, I'd love to hear your thoughts on some of the things that you do as well.

Leon Ravenna:

Sure. So, we try and push a lot of that through SSO. Yeah. I'll give you a quick example. And I came in '17, and I sat down with Box, Dropbox and Slack in '17, and said, "Look, guys, we're licensing your product wrong. We're signing up for free licenses. And I want to pay you, because you are ransoming, or you have my data, I'm going to pay you ransom. And then I'm going to stop using you." And so they heard the, 'I'm going to pay you part.' They never heard the, 'I'm going to stop using you part.' But we've actually been fairly successful with Box and Dropbox. Those are now SSO based apps. You can't get to them without going through SSO. We block them with Zscaler. Now, Slack different story. Lost big time. And I think we've tripled or quadrupled our Slack usage.

Leon Ravenna:

However, we are licensing and paying for it like we should be. So I lost, but I won. And then for everything else, we're working on how much we can get into SSO. And I think you'll probably end up asking this later Lior, but trying to get everything in, if we're licensing it, we want it to go right into SSO, just to make it easier for people to manage.

Lior Yaari:

Yeah, I think SSO today is one of the more important measures for SaaS security. I had an interesting conversation almost a year ago, when someone told me, "If I had $1 to spend on SaaS security, I would buy SSO." And what we often find when we do SaaS discovery as part of our discovery platform at Grip, is that more SaaS applications are coming in than security teams can connect to SSO. So the pool is getting filled faster than water is going out, but there's a lot of ways to accelerate these processes within a company. And I actually wonder, how do you choose what is the next app to connect? What's usually the process before connecting an app?

Ray Espinoza:

I think it usually starts with, well, and I'll follow up and say, we are absolutely on that SSO train as well for all of our SaaS apps. But we really try to better understand the amount of users that are going to use this, what's to be affected? Also, the data classification of the data that's going to be stored and processed there. I mean, there's a number of different things that we use. I mean, the short answer is everything goes there, but when you start thinking about, well, what's going to be new? If we can't apply all the security standards coming in and we're doing... And at places in the past, I've had to do this, where you walk in and you recognize that an organization is already using some sort of SaaS application unofficially. And it's grown organically over time that the team started with the best intentions, and now all of your intellectual property is in there and no one's actually done a review.

Ray Espinoza:

But what we try to figure out is what has the biggest likelihood for potential impact? And then we start working our way backwards from there. How many users? If it's been reviewed or not. And how do we start to do some of that cleanup? Many times I've also found too, folks are willing to be honest and transparent. You ask them, what apps have you been using, and we're not here to take anything away from you, but we want to make things more accessible for you via SSO with Okta, or ensure that you have secure configurations. Because if you brought this in, there's an expectation that you're going to meet the business requirements that we have, the promises we've made to our customers, as well as to ourselves. And I've always received tons of transparency around that, which I think is good.

Leon Ravenna:

Yeah. I think people want to be transparent. I mean, every company needs 57 different project management tools. There is that. But going back to the SSO piece, I think the average number of applications that people have in SSO is something like 88. And people are trying to take that higher. There's always going to be the pieces that you don't see. So, will we see some of that with Zscaler? Yeah. And we'll see with other pieces of technology, but I think really trying, to your question Lior, how do you decide what's next? It ends up being very much like Ray said, number of users, criticality. And quite frankly, the two benefits that I get out of doing that, are number one, people don't have to worry about passwords. And they don't have to think about it, it just works for them. And then the second piece, quite frankly, and this is more the selfish security piece, is that when Johnny leaves the company, so do the apps, because he doesn't have a license to them, can't get to them at all. So that data stays with me.

Lior Yaari:

Cool. Thank you very much. I'd love to ask, and you mentioned it a bit. Because SaaS is not a new problem, it's been with us for at least 10 years now. And I wonder, in your view, what capabilities are still missing from legacy solutions, like CASB, for SaaS security. Leon, maybe you could start this time.

Leon Ravenna:

Sure. Yeah. I think there's a number of capabilities that are growing. I think, one of the things that we look for first in any cloud tool, quite frankly, and this is a little bit off topic, but how quickly can I deploy it? If it's something that we can do role based and AWS, and Azure, that's all goodness. If it's something that requires an agent, it's going to be a hassle, because you've got to get it across thousands of systems. So, I think that the biggest thing we're looking for is ease of deployment. What is the lift to get stuff done? How hard is it for us to get people engaged in using the toolset or whatever it is.

Leon Ravenna:

Like, we do some cloud security posture stuff. It had to be role based. There's no other way to do that with the way that we bring stuff up and down. But I think in terms of features, naturally there's going to be DLP there. But, I really want to understand more focused on some of the more PII type things. We do a lot of privacy stuff. I built all our stuff in Europe for GDPR, and I want to know anything that has any kind of PII. I want to know anything that has... We shouldn't have anything that has socials. So do I have something that has socials? A long time ago, I had a DLP filter at another company, and I saw a spreadsheet go through that had socials and salaries. Well, I could tell the company was being sold.

Leon Ravenna:

And so, I went back to the people in finance and said, "Hey, you guys have got to encrypt this." And they never bothered to. And I said, "Well, I know we're being sold, but I'll keep my mouth shut. But here's the thing, and here's what I can tell based on what you're sending." I'll let you jump in Ray with features and such.

Ray Espinoza:

Sure. So I mean, one of the things that I found early on is, and I hinted at it a little bit here earlier. But the amount of security requirements or security capabilities of SaaS solutions, it varies wildly. And again, depending on the type of service it is, and how mature it is. It's tough to apply policies through a legacy cloud access security broker type of solution. Many times we're trying to enforce on the endpoint with DLP, or enforce some of those policies there. What I found early on is that CASB solutions had a really tough time keeping up with security capabilities of these tools. There's only so many that they can support to be able to apply those policies appropriately. And again, if you were using something like Okta or another SSO type of solution, you took out half of the problem with authentication. But that was always some of the biggest pieces, that it gets kind of munched up.

Ray Espinoza:

And it is interesting, I've had the honor and privilege of building security programs and leading teams for a 100% cloud-based company like Cobalt, who didn't have any IT or internal infrastructure, we were 100% SaaS based. And, you look at other organizations that I have been a part of as well that have a healthy mix of on-premise and cloud. And again, it still goes back down to a CASB solution rarely tells you what type of data that you have there, what types of controls are there? It tries to just overlay as much as possible, some of the roles, but it felt ineffective at times. And so we had to think through, how do we get to the root of some of those problems of identification and managing access. And thankfully I have an amazing SOC team now, they take data feeds from any SaaS solution that'll give it, so we can keep track of events and whatnot that go on there. Things that CASB didn't really help us with for a long period of time.

Lior Yaari:

I think what's interesting about CASB and many other solutions on network based systems, is that even when companies do not have a network, like Cobalt, like Grip, like Netflix, like others, even companies with a network no longer work from the corporate network, so the employees are everywhere. And I'm really eager to see how this would affect the legacy proxy approach to SaaS security. And our topic, which is interesting when thinking about how SaaS evolved and the users have changed, is that the perception of SaaS risks historically is DLP focused, like the Dropboxes and Boxes and G-drives of the world. But I wonder how the world looks now, where your marketing team is using marketing applications, your developers are using SaaS for production environments, and almost everyone in the company is leveraging a few solutions to do their work. Is DLP still the main risk of SaaS usage for companies?

Leon Ravenna:

Yeah, I would say, one of the things is more intellectual property. And they can kind of go together, but one of the things that we've seen a couple times is, people have enterprise Git and they have their own Git, and something will occasionally show up in the wrong place. And so, some of our threat solutions will go hunt that down. I looked at a couple solutions that will help me manage some of that. These files can only go in this place, but I'm more concerned about, again, PII specifically, but intellectual property showing up someplace it shouldn't.

Lior Yaari:

Ray, what do you think?

Ray Espinoza:

I think it continues to come back down. I mean, very similar type of theme. And I hinted at it early on as well, is driving great awareness around the risks of using SaaS tools. And then also getting a good understanding of what do we have and what type of data is there and what controls are available for us to be able to tighten, to ensure that it's configured with the appropriate level of security that we require based off the data classification that's there. I mean, that in itself, always seems to be the hardest problem to solve, because many organizations, and I'm not going to pick on marketing teams or sales teams, but in my past they've been notorious, and going out there, and they got to win.

Ray Espinoza:

And at the end of the day they're held to a specific standard, and they want to do what they think is best. And sometimes that means registering a new SaaS tool that looks cool, it's going to drive efficiency, it's going to help them meet their goal. And with the right intentions, they end up doing something. And so, we drive a lot of awareness there, we do try to funnel everything back through. And we also, in the past, I've been able to work with our procurement and finance teams to ensure that if anybody tries to expense a SaaS solution that is not a corporate paid for solution, it's got to get blocked until it's reviewed. And so we have another gate to go by, and sure you may have some of those SaaS products that are 25, 50 bucks a month, enough for an individual to say, "Yeah, I'll pay for this out of my own pocket, because I'm getting so much value out of here."

Ray Espinoza:

And again, we try to hit that with just evangelism, education, and why do we care? And why should you care? And we find that, and when we lead with that, a lot of folks want to lean in, especially when we come to the point, as I mentioned, we're not going to take these away, we want to understand. Or, maybe you didn't know, but we have a solution already that's embedded, that we can move you towards. It goes back to trusting your employees and really expecting that they have the best intentions at heart. And for us in security teams that I've led, it's what can we do more of to drive greater awareness on both sides, on the risk and what's available, and building strong partnerships with our IT teams or business teams who manage these tools.

Lior Yaari:

I really do agree. I also, I don't know if you've seen, I've posted a poll on LinkedIn earlier this week asking which dormant account poses a greater risk? So if someone leaves the company, retains access to an application, and the options were: production access, source code access, shared drive access and sales data access. And surprisingly, shared drives received 6% of the vote, with production and source code being the top two.

Ray Espinoza:

Sure.

Lior Yaari:

Which, I was very happy to see, because I strongly think the way SaaS developed today, data is not the main risk anymore. So a user uploading data to Dropbox can use a USB, but if you've connected something to your production environment, source code, sales environment, they can just log in and get the data anytime, or someone else getting the credentials could do that. So, having a tight grip on those applications is more important.

Leon Ravenna:

It's interesting, riffing off of Ray's point. Security awareness is huge. Many times people don't know what they are doing wrong. And we take the tack of, we're not the guys who are going to beat you over the head with the stick because you did something wrong. It's we want you to come tell us, we want you to come tell us, something as simple as, "I think I clicked on a link I shouldn't have." I don't want people to be afraid to come tell us something. And we react as such, and say, "Okay, let's go fix it. Let's go figure it out." And really, to your point Lior, the thing that scares me the most is those dormant things. Because people, they went out and they licensed weasel rider, because it was doing what they wanted for a month, and then it's just sitting there. Okay. And then, weasel rider gets breached, and nobody thinks to go back and ask, well, do I have any data there?

Lior Yaari:

Yeah.

Leon Ravenna:

So it's stuff like that. One of the things that we do on a regular basis, not really connected to SaaS, but we'll get a feed that says, XYZ site was breached. Here's credentials that you have, that we see there. And we'll send a note to those people saying, "Hey, just so you know, this showed up on XYZ site, and at minimum, you need to go change your password." And the very first time we did that, about nine months ago, the very first email I got back said, "Hey, is this a phishing email?" And I said, "Well no, there is no link in it. But it's a service that we're offering to help you and try and find some of that dormant stuff."

Lior Yaari:

Yeah. Again, it makes a lot of sense. I think it's very beneficial for users as well, because they never do it themselves. They don't have access to those security feeds.

Leon Ravenna:

Right.

Ray Espinoza:

Yeah. But I love the fact. I mean, it warms my heart that somebody's first thought is, wait a minute, this looks like phishing, even if it's not. But you really have instilled a sense of vigilance in the workforce that you have, which I think is awesome. Kind of similar, on that same vein. I think, I mean, we talk a lot about servant leadership, even within my organization. I mean, it's just as important that we treat folks with respect and support when folks make honest mistakes. And similar to what you were saying, and I'm a huge advocate of security awareness, but it still comes back down to when you do report something, that we treat them like it's not their fault and it's not something that they did maliciously. Now, there's definitely those repeat offenders, etcetera, that we look for additional training for and whatnot.

Ray Espinoza:

But I think, we don't make friends and we don't instill trust with folks if we don't treat them fairly and with respect when they can come to it. And that's one of the things we ask is, come and tell us. You think something feels off, weird or different. Please tell us. We'd be happy to go, and as one of my coworkers says, we're happy to find out that you're reporting fire and just turns out to be somebody's barbecue. And we are happy to investigate that. And we love that partnership that we have with you. So I think it's-

Leon Ravenna:

Two quick thoughts on that. It's a little bit off SaaS topic, but I was talking to somebody yesterday and they said, "Hey, with our phishing email testing, we're punitive. So if you miss it, you get in trouble." And I said, "Man, the only thing you really want to do there is potentially more testing. What you don't want to do is scare people from coming to tell you there's a problem." And the example I've always used is, we get about 100 million emails a year, okay. If we're at five nines. Okay. With everything we do, that means 1,000 get through. So, five nines of uptime, perfection for IT. That's 1,000 emails that get through that are bad. So you have to have people in a vein to want to come tell you, "Hey, I found something." And to Ray's point, the way that we run our incident response team is, just tell us, we're much happier to tell you, "Yep. No issue here. You're all good." They feel good about it. We don't have an incident to worry about, but they've told us, as opposed to, I'm terrified to go to tell somebody something.

Lior Yaari:

Yeah. I definitely do agree. We had a similar mentality in the military as well, back then when I was there. It's better to know about problems than to punish someone. I'd love to move to the next question. So, when I talk to security organizations and CISOs, I often ask how many applications you've got connected to your SSO? Sometimes the answer is all of them, and sometimes it's a lot, sometimes it's not a lot. But then I ask, and do you have a password manager? And often the answer is also yes. And if everything is SSO connected and you still pay for a password manager, why do you need passwords? Because I think realistically, not everything is SSO connected. And we talked about this being the go-to solution or the first step for SaaS security. And what I'd love to ask is, what are the challenges in connecting everything to SSO? What blocks us?

Ray Espinoza:

I was going to go in a different direction. Well, I thought you were taking that question in a different direction as far as like, why do you need a password manager if everything is SSO connected? I mean, I would first say, I mean, we all recognize, there are shared accounts, service accounts, other things within many organizations, that just can't use SSO for some reason, either for automation or something else. And they're not sophisticated enough to use a token for authentication. And what's the best way if we have to have credentials for an account is, at least have it in a vault and share it with the relevant folks. And so I think there's genuine uses for password managers that I think make sense.

Ray Espinoza:

I think, the one thing that makes it tough, and maybe it's the same type of answer, is that not everything can be connected, not everything is tied just to an individual. Many times it's an application from one to another, which doesn't use single sign on. But I mean, I would love to see a way where we don't ever have to worry about a service account or something else that isn't an account that's not tied to an individual. To see those go away, I just don't know in my lifetime, how do we solve one of those problems? I mean, maybe you look at something even as big as an AWS root account. For an organization, should that just be with one individual? And what happens if that individual moves on? It's things like that, that have a very legitimate use to be able to share that makes it tough. They're just not set up to be managed in that way. Leon, what are your thoughts?

Leon Ravenna:

Well, I'll take the question as I think Lior's asking it. Why isn't everything SSO? And in some cases the applications won't do it. To give you an example of, and in some cases it's just hard. I have a friend who's a CISO at a very large company. He's got over 300 security products. Now, that's just security. Okay. And then looking at the whole rest of the company, you're talking well over 1,000 applications to get into SSO. And which of them are SAML, which of them won't do what you need to? There will be some, and so you're probably not going to get everything, but getting the vast majority of them is where you're trying to start. Well above the 88 that is average.

Lior Yaari:

Are you familiar with the SSO tax website? It's sso.tax.

Leon Ravenna:

No, I haven't seen it.

Lior Yaari:

It's a wall of shame for applications that charge extra to enable SSO. And we often see this come as a challenge, just because, if you want to upgrade the license, the department that's paying for the license is usually marketing or finance, or whoever is using the app itself. And then when security comes with this request, upgrade for SSO, there's no available budget for it. Security doesn't want to pay for it. They don't want to pay for it. And it could be for some of the applications, like 600% more.

Leon Ravenna:

Yeah. There's a couple that could be added to the list that I'm looking at right now, so.

Lior Yaari:

Yeah. Well, maybe there's a report button you can add as well.

Leon Ravenna:

Yeah.

Lior Yaari:

It often comes to the challenge. So, to the next question. Just looking back in hindsight, did you make mistakes in how you designed your SaaS security program? Or, advice that you would give to your past self about this?

Leon Ravenna:

I don't know that it's actually hindsight, because we're still in the fight. I think number one, is nothing's going to surprise us. I mean, people always think, well, I don't want to tell somebody, because you don't like to talk about it, you'll get in trouble. Nothing ever surprises us. I tell people all the time, I am this monotone, good, bad or indifferent, because I have to be. And nobody wants to get screamed at, that doesn't make sense. But I think just understanding that you're going to find stuff, you're going to find more stuff than you thought. Every time...Every tool that you put out is going to find a lot more stuff than you even, I won't say your worst nightmare, but it's always going to be a lot more than you thought. And so it's just one more layer of that onion that you're peeling back to find, okay, we did that, now here's the next thing. And you're going to see that over and over and over.

Ray Espinoza:

I think, I would say one of the catalysts that really shined a light on how well we know what the business is using when it comes to SaaS apps, was honestly privacy requirements. When GDPR came through and it really forced us to really get a good understanding of what data is where, and then that ultimately led to the question of, well, how is that configured and how is it secure, and what are the capabilities? And then, similar to the SaaS or the sso.tax of security features or paywall behind additional user licenses that we don't have, that's a tough pill to swallow. But that was one of the things that I had found in previous roles is, we had to from a privacy perspective, get a good understanding of what data is where, and what it's connected to. And maintain that inventory so that we can action some of those data subject access requests in the previous organizations I've owned or been a key stakeholder in the privacy program.

Ray Espinoza:

And so I think, but it did open the gates. And that's what I would say back to, maybe a historical self is, spend more time with education, spend more time really understanding what users are doing. And if there are just better alternatives with a million problems to solve, and you get some of those baseline security controls in place, you're always trying to figure out, well, there's tons of different fires that I can go and really focus my effort on how do I get something to be manageable and up to a level that we all feel comfortable with, knowing that there's some risk that we can manage to allow me to move on to that next business problem that we want to try to solve.

Ray Espinoza:

But sometimes the compliance stick really forces us to go a little bit deeper. And I think, in retrospect, I mean it was really helpful. Because one of the things that we didn't take account for previously was you have something like Salesforce, how many apps are actually plugged into Salesforce, and what type of data are they pulling out? When you have a conversation, "Oh, I have this one tool and it's going to help us send some emails, etcetera." If the right questions aren't asked at that time, you end up with additional risks that you may not necessarily be aware of. And so it's been an evolution, and Leon hit it on the head, we're still very much in it. And we've learned a ton, to be able to ask some of these questions and really drive and improve security posture, but still learning. But if anything, it would've been great to start to do some of this sooner.

Lior Yaari:

Yeah. We see small surprises in how acute the problem is. So we hired a new employee a few weeks ago. And when she joined, I gave her the explanation of the problems we've had to solve with SaaS security. And we talked about the employees leaving, retaining access to all the applications, or applications of the previous employer. And I told her, "You can try to log in, and it'll probably work." So she took out her phone and opened the Notes app, went to passwords. And I saw that, I told her, "Are you saving all of the passwords on a sticky note on your phone?" She said, "Yeah." I asked, "Is it at least backed up somewhere? What happens if you lose your phone?" She said, "Well, it doesn't matter, because most of the passwords are the same." And-

Leon Ravenna:

How long did she stay at your company?

Lior Yaari:

Hmm? What?

Leon Ravenna:

How long did she stay at your company?

Lior Yaari:

No, no, I installed a password manager on the machine, she's amazing. And we enforce using OIDC and SSO where we can, and we enforce the password. And we have the internal tools to enforce them, because we're building solutions exactly for this. But it's those daily reminders that this is the same problem that happens everywhere, at every company, because we're not special in that sense. And even we can be surprised, because sometimes we forget that. We are very familiar with the problem, but not everyone else is. To finish, I'd love to ask a short question. And it's, what is your one tip for CISOs and security leaders who want to secure those SaaS applications? And it can go in every direction, but one or two sentences from you to get them wiser.

Ray Espinoza:

Go ahead, Leon.

Leon Ravenna:

I would look at it and say, you're always going to find more than you expect. And never be surprised with what you find.

Lior Yaari:

Yeah.

Ray Espinoza:

I apologize for being redundant, but I would say, provide a mechanism and opportunity. If you don't have the tools to be able to self-identify what's being used, allow your employees a safe space to be able to say, "Hey, we use this, and we want to do the right thing." And reward folks for being able to do that. Build trust.

Lior Yaari:

Yeah. I think, my tip, I'll jump in, is when you get visibility, make sure it's actionable, because there's a lot of ways to get visibility that would pile more work on your desk. But if you want to do things with it, then make sure you have the resources to act on the findings before you see the results. And with that, the webinar has come to an end. Ray, Leon, I really appreciate your time again and being here.

Leon Ravenna:

Sure.

Lior Yaari:

This was super interesting for me, and I'm sure it was interesting to everyone in the crowd as well. And everyone listening, thank you for joining in. Grip Security is a SaaS security company. We help companies see and secure their SaaS inventory, and act upon it. So, finding the applications and users in your company and govern them at scale. My name is Lior Yaari, I'm the CEO of the company, and it was a pleasure to be here. So thanks everyone.

Leon Ravenna:

Thank you very much.

Ray Espinoza:

Thank you.

Lior Yaari:

Thank you. Bye-bye.
