SaaS Management

Nudge Security has released new SaaS spend data and cost optimization insights to help security and IT teams drive smarter, more efficient SaaS investment decisions and surface opportunities to optimize SaaS spend.

To help organizations take advantage of new spend data, Nudge Security has released a Spend dashboard highlighting SaaS expenses that may be unnecessary or redundant. With this new dashboard, customers can:

  • Spot inactive or abandoned accounts associated with paid apps.
  • Discover similar apps that may be redundant and assess overlapping usage.
  • Track upcoming renewal dates alongside up-to-date app usage information.
  • Flag spend associated with AWS accounts that fall outside of your central AWS Organization.
  • Identify and rationalize paid apps with single users that may have slipped under the radar in credit card statements.
  • Detect paid accounts associated with unapproved apps.

Nudge Security has added new SaaS spend discovery, empowering customers to make better SaaS investment decisions by triangulating insights into SaaS spend, risk, and usage.

Now, Nudge Security automatically categorizes apps as paid based on data from email invoices and other billing communications from the previous three years, enabling organizations to track SaaS spend alongside app risk and usage insights. Nudge Security also automatically identifies a billing owner and cost center for each paid app. You can customize the Google or Microsoft field Nudge Security uses to allocate spend to cost centers by going to Settings > Organization Settings.

Customers can add additional spend data manually, such as estimated annual spend, billing frequency, and renewal date. This information can be found in a new Spend card within each App Overview, or you can sort, filter, and edit these new fields in bulk directly from the App view.

Note: By default, Nudge Security will only extract billing information from emails associated with users that have accounts for an app, which means we will not analyze mailboxes without associated accounts such as accounts payable (ex: accountspayable@company.com) or group accounts. If there are additional mailboxes used to receive billing information that you would like to analyze, you can add them under Settings > Spend Settings.

Search results from Nudge Security’s main dashboard now include apps with no associated accounts at your organization, making it easier to evaluate apps before your organization begins to use them.

Now, you can access security profiles for apps outside of your organization, including:

  • App info: App category and app description
  • Organization details: Corporate location, legal terms, and hosting details
  • Security program: Certifications and security links related to the vendor’s public support for security engagement, such as their terms of service, privacy policy, corporate security page, and status page
  • Authentication: Authentication methods the vendor supports, including supported methods of SSO
  • Supply chain: SaaS services used by the vendor
  • Breach history: A summary of any known breaches related to the vendor

We recently revamped our SaaS events record to provide additional context, including associated resources, and to make it even easier to search and filter events by event type, time range, or user. This applies to the Events tab for SaaS apps and SaaS accounts.

Each SaaS app has its own events record where you can search and filter activities for all users of that app. For example, you could review a timeline of user account creation events within an app. Additionally, each SaaS account has its own event record, so you can review activities associated with an individual user account, such as password reset or MFA disablement events.

Now that SaaS resources are associated with their relevant events and searchable, we’ve also retired the all-purpose Resources tab from the primary navigation.

We’ve enhanced our ability to collect information about app usage from employees by updating an existing nudge. We’ve added more relevant response options to the “Request clarification of use” nudge, and we’re storing employees’ answers in a more actionable format.

Now, you can send a nudge to the technical owner of an app asking them to specify whether an application is fully adopted, under evaluation, just an experiment, or for personal use only. Optionally, the employee can also add a text response and select whether the application will handle corporate, customer, employee, or financial data. These responses populate fields labeled “Lifecycle stage” and “Data type,” which can be used to filter the Apps view.

Nudge Security has released new app health statuses showing the operational state of the SaaS applications in use across your organization. Now, security and IT teams can see an at-a-glance view of the operational health of your organization’s SaaS applications and swiftly identify if a SaaS service is experiencing disruptions.

Learn more in today’s blog.

Nudge Security has introduced a new app directory to streamline the process of onboarding employees to SaaS applications. Now, security and IT teams can share a directory of approved SaaS apps with employees, making it easier for users to request access to apps that are in compliance with corporate guidelines and have already cleared security review and procurement processes.

To get started, enable the app directory under Organization Settings and invite users to sign up for Nudge Security accounts with Personal View set as the user role. Note: Administrative privileges are required to change these settings or approve access requests for new users.

Read our blog tutorial to learn more, or check out our interactive demo below.

Nudge Security designates a technical contact for every app in your environment. This should be someone with administrative privileges within the app who can serve as the point-person for all questions and requests related to the technical aspects of managing that app, including access controls. While the first user of an app can often fill that role, employee turnover and team changes can sometimes make it challenging to figure out who to turn to for help with tasks like onboarding or offboarding users.

Now, we’ve introduced a new nudge to help you find and validate the right technical contact for an app. With this nudge, you can send an email or Slack message to the person currently designated as an app's technical contact asking them to confirm whether or not they’re the right person for that role. If they aren’t the right contact, they’ll have the opportunity to identify the right contact, helping you keep this information up to date.

Nudge Security has added a new filter enabling you to filter apps by technical contact. Now, you can see a list of all applications assigned to a particular technical contact and, if needed, edit them in bulk to reassign them.

Now, you can more easily update statuses or add context to your applications within Nudge Security by selecting and editing multiple apps at once. From the App view, you can bulk edit fields like an application’s labels, category, technical contact, approval status, and compliance scope, among others.

We’ve released a new playbook to automate the process of removing abandoned accounts. Now, you can reduce unnecessary risks by minimizing your attack surface and eliminate wasted SaaS spend on unused accounts. Using the playbook, you can:

  • Choose a list of applications to audit all at once, including apps your users may have forgotten about.
  • Collect input from your workforce at scale to identify unused accounts.
  • Delegate the work of removing unused accounts to app owners.
  • Track your progress toward eliminating wasted spend and unnecessary risk.

Learn more in today’s blog.

When Nudge Security identifies abandoned accounts at your organization, you may need help from a user with administrative privileges for that app to delete them. To help you identify users with admin privileges, Nudge Security automatically designates a technical contact for each application, starting with the first user of that app. You can also reassign technical contacts manually as needed.

Now, Nudge Security has added the ability to nudge technical contacts to assist with deleting or suspending abandoned accounts and reclaiming unused licenses. The technical contact will receive a list of abandoned accounts and instructions to confirm once they have performed the appropriate actions. Once they confirm that the accounts have been removed, the account statuses will be updated automatically within Nudge Security.

Nudge Security has added new ways for you to identify and track whether your employees’ accounts are still active, enabling you to delete abandoned accounts, reclaim unused licenses, and clean up orphaned data.

Now, when you nudge users to ask if they’re still using an account, their answers will automatically apply account statuses within Nudge Security. In addition, for applications provisioned through SSO, Nudge Security will now automatically mark accounts as inactive after 90 days of inactivity.

To visualize this information, we’ve added a graph of account statuses to each application’s overview page. A status can be set manually, or it is updated automatically in the following ways:

  • Deleted - User has responded to a nudge saying, “Account has been deleted,” or the account has been marked as deleted through the SOC 2 access review playbook or employee offboarding playbook
  • Active - User has responded to a nudge saying, “I’m still using it” or there is still activity in the SSO provider
  • Access revoked - Account access has been removed through the employee offboarding playbook
  • Abandoned - User has responded to a nudge saying, “No, I’m not using this”
  • Inactive - App is provisioned through SSO and the account has had no activity for 90 days
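The status rules above can be expressed as a small classifier. The following Python is an added example written for this changelog and is not Nudge Security's code; the field names (`nudge_response`, `playbook_action`, `last_sso_activity`) and the sample accounts are constructed assumptions. It generalizes slightly beyond the page by giving explicit user and playbook signals precedence over inferred SSO inactivity and by reporting "Unknown" when no signal exists, so that a non-SSO account with no nudge answer is never silently marked active.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# SSO-provisioned accounts with no activity for this long are marked Inactive (from the page).
INACTIVITY_THRESHOLD = timedelta(days=90)

# Nudge answers and playbook actions quoted from the status list (string values are assumptions).
NUDGE_DELETED = "Account has been deleted"
NUDGE_STILL_USING = "I'm still using it"
NUDGE_NOT_USING = "No, I'm not using this"
PLAYBOOK_DELETED = "deleted"          # SOC 2 access review / offboarding playbook marked it deleted
PLAYBOOK_ACCESS_REVOKED = "access_revoked"  # offboarding playbook removed access


@dataclass
class Account:
    app: str
    user: str
    sso_provisioned: bool
    last_sso_activity: Optional[datetime] = None  # last sign-in seen at the SSO provider, if any
    nudge_response: Optional[str] = None          # most recent answer to a "still using it?" nudge
    playbook_action: Optional[str] = None         # most recent playbook outcome, if any


def derive_status(acct: Account, now: datetime) -> str:
    """Map the available signals for one account to a single status label.

    Explicit signals (a user's answer or a playbook action) are checked first;
    SSO activity is only used to infer Active or Inactive when nothing stronger exists.
    """
    if acct.playbook_action == PLAYBOOK_DELETED or acct.nudge_response == NUDGE_DELETED:
        return "Deleted"
    if acct.playbook_action == PLAYBOOK_ACCESS_REVOKED:
        return "Access revoked"
    if acct.nudge_response == NUDGE_NOT_USING:
        return "Abandoned"
    sso_recent = (
        acct.sso_provisioned
        and acct.last_sso_activity is not None
        and now - acct.last_sso_activity <= INACTIVITY_THRESHOLD
    )
    if acct.nudge_response == NUDGE_STILL_USING or sso_recent:
        return "Active"
    if acct.sso_provisioned:
        # SSO-provisioned but no sign-in within the threshold (or none ever seen).
        return "Inactive"
    # Non-SSO account with no user answer: there is no evidence either way.
    return "Unknown"


def status_counts(accounts: list, now: datetime) -> dict:
    """Per-status totals, the data a per-app status graph would be drawn from."""
    return dict(Counter(derive_status(a, now) for a in accounts))


# Constructed sample data for one app (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("ExampleApp", "alice", True, last_sso_activity=NOW - timedelta(days=3)),
    Account("ExampleApp", "bob", True, last_sso_activity=NOW - timedelta(days=120)),
    Account("ExampleApp", "carol", False, nudge_response=NUDGE_NOT_USING),
    Account("ExampleApp", "dave", True, last_sso_activity=NOW - timedelta(days=200),
            nudge_response=NUDGE_STILL_USING),
    Account("ExampleApp", "erin", False, playbook_action=PLAYBOOK_DELETED),
    Account("ExampleApp", "frank", True, playbook_action=PLAYBOOK_ACCESS_REVOKED),
    Account("ExampleApp", "grace", False),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct.user:6s} -> {derive_status(acct, NOW)}")
    print(status_counts(SAMPLE_ACCOUNTS, NOW))
```

The "dave" case shows why ordering matters: the SSO provider has not seen him in 200 days, but he answered the nudge that he still uses the account, and the page lists a user's answer as sufficient for Active. A defender who wants the stricter reading (treat the SSO record as authoritative) would move the `sso_recent` check ahead of the nudge answer.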

Nudge Security provides a variety of editable fields for each application and account in your environment, such as approval status, compliance scope, and SSO provider. Now, we’ve made it easier for you to understand how and when these fields are modified over time.

Any time a field update occurs, Nudge Security tracks when it happened and which user or automated process initiated it. You can view a timestamped list of each field’s history to understand when changes have occurred and who made them.

For each application your employees are using, Nudge Security provides contextual information that you can use to accelerate security reviews.

We've enhanced this security context by adding a summary of the forms of multi-factor authentication each application offers. Now, you can easily assess which options are most appropriate for your workforce, or determine if an application doesn’t meet corporate security guidelines if the available options aren’t sufficient.

We’ve just released the ability to revoke OAuth grants for Google Workspace and Microsoft 365 directly within Nudge Security. This new feature builds on the OAuth risk scores we delivered earlier this year by making it faster and easier to respond to risky OAuth grants. We’ve also added more context to our OAuth overviews to help you understand the permissions a grant has authorized. When Nudge Security shows you an OAuth grant with overly permissive scopes, you can revoke it in just two clicks.

With this new functionality, you can:

  • Detect, investigate, and revoke risky OAuth grants without switching between different environments.
  • Easily clean up OAuth grants for departing employees during IT offboarding.
  • Swiftly quarantine a breached app in your SaaS supply chain by identifying and revoking active OAuth grants.

Check it out in the interactive demo below, and read more in our blog post.

We’ve released a new feature to give you more visibility of groups at your organization and their privacy settings, along with how and when they’re being used to create shared accounts.

The new group analysis functionality allows you to:

  • Identify the groups in use at your organization and discover any accounts that have been created using that group
  • Check which users can see a group’s emails, which gives them the ability to reset passwords for any accounts set up for the group
  • Ensure each group has appropriate privacy settings

Learn more about the security risks of using groups for SaaS access in our blog post.