When Jesse Kriss started as head of security at Watershed, a 200-person climate tech company with multiple office locations and remote employees, he knew he would need immediate visibility into the organization’s SaaS footprint.
Past experience as a staff security engineer at Netflix had taught Jesse the importance of looking beyond corporate-managed devices and known asset inventories to understand what SaaS applications are really being used across the organization, as well as which employees and third parties have access to sensitive customer data stored in those applications.
Whereas gaining visibility of engineering systems was straightforward, Jesse knew that getting a handle on Watershed’s SaaS footprint would be a more complex challenge. “With web applications, it's kind of impossible to know what's going on. People are purchasing software on their own, and expensing it. There's tons of free stuff. Looking at the officially approved apps or the things that go through SSO is really just a tiny fraction of the story.”
Within his first few weeks at Watershed, Jesse deployed Nudge Security to provide immediate visibility of Watershed’s entire SaaS attack surface.
“I thought the approach was really clever,” Jesse explains. “I'm a big fan of figuring out ways to look at the actual whole picture and not just the things that are easy to measure. Not just what's set up in Okta, what's going through SAML, or what's on the approved vendor list, but what’s actually in use. That’s the much more important question.”
The result was a level of visibility of his organization’s SaaS footprint that Jesse says wouldn’t have been possible to achieve manually, or with a different product. “Nudge Security is the way to find out what applications your employees are actually using, and that's just not addressed completely by any other solution.”
Jesse sees Nudge Security as a critical part of keeping track of his organization’s SaaS attack surface on an ongoing basis, providing him with critical information on who has access to what without slowing down the pace of business.
“My first motivation was to know what the current SaaS surface area was. It was a huge benefit to be able to plug in Nudge Security and see what was already in use. That was awesome,” says Jesse, adding, “But it’s not just about historical discovery. I also wanted to know when people started using new applications without having to implement a heavyweight approval process.”
With Nudge Security, Jesse knows any time an employee signs up for a SaaS application the organization hasn’t used before. That gives him the opportunity to assess new vendors before usage spreads, without forcing employees to jump through hoops. Nudge Security also gives him security context that helps accelerate the security review of each new application, including compliance certification details, breach history, and third- and fourth-party SaaS attack surface visibility.
Before Nudge Security, Jesse had no way of knowing the implications of a third-party application’s security breach on Watershed’s supply chain, because he didn’t have complete visibility of what was in use and by whom. When news came out about a potentially serious breach, he would have had to choose between ignoring it or sending an alarming message to the entire employee population.
Now, Nudge Security notifies Jesse when a tool his employees are using experiences a security incident. Earlier this year, for example, Nudge Security alerted Jesse to a data breach affecting LastPass. The application wasn’t under official IT governance at Watershed, yet Nudge Security revealed that several employees had created their own accounts for corporate use.
“There was no sign of LastPass use in our organization,” Jesse says. “Without Nudge Security, I probably would have just asked in Slack if anyone used LastPass or offered general guidance and left it at that. But instead, I had a solid answer of who was using it at work that was nearly instant and offered high assurance that the list was complete.”
With knowledge of the exact employees affected, Jesse was able to intervene quickly in a targeted way that made sense for the business. “It was this great shortcut: I have a tool that can answer this question for me right now, and I can do the thing that makes sense given the actual surface area,” he explains.
Using Nudge Security, Jesse has been able to improve the effectiveness of Watershed’s offboarding process, extending his ability to find and deprovision accounts that could pose a security risk to the organization.
“Nudge Security is really great at the stuff you don't know you should be looking for,” Jesse explains. “It's great for the cases where you don't even have SSO set up and there are five users of a system, but it's critical. Nudge lets you find those accounts and turn them off, even if they aren’t on your standard offboarding checklist.”
With Nudge Security, Jesse has more confidence that departing employees have been offboarded completely, with no lingering SaaS access or orphaned accounts that could expose corporate data.
At some organizations, security can be perceived as a business blocker or a Big Brother figure. That’s not how Jesse wants security to operate at Watershed.
For Jesse, Nudge Security helps Watershed strike the right balance between security, employee productivity, and transparency.
“In startup environments, there’s a mentality of, ‘do what you need to get your job done,’” he says. “Employee productivity and overall company productivity is a really big question. Clearly we want people to be able to use SaaS products and be able to onboard them quickly and be able to experiment and all of that. If people are using applications for good reasons or it’s core to the business, I'm not going to ask them to stop. But, if we can see the SaaS applications that have a lot of unnecessary access and reduce that with little to no impact on productivity, that's really ideal.”
That’s why Jesse appreciates Nudge Security’s approach of engaging employees in this effort. “I like the user-respecting approach of, ‘We're not just going to block things. We're not just going to do things invisibly.’ We're going to give the information to the people, including the people that the information is about, which I always like,” he says. “It definitely fits the ethos of how I want security to run and how I want it to be perceived.”
Overall, Nudge Security helps Jesse to reinforce the relationship he wants security to have with the rest of the organization. He explains, “It's important for me that the security team is not ‘the scary people who have all the information and who knows what they're even doing?’ Tools like Nudge Security that are designed to actually be transparent about what is being collected are really helpful. To me, that is a big piece of building and maintaining trust internally with the security team.”