Yes, you read that correctly. To date, Nudge Security has discovered nearly 32,000 unique SaaS applications in our customers’ environments. As a reminder, we launched on October 13, 2022. That works out to about 160 unique SaaS applications discovered daily, if you’re keeping track.
This staggering number may have you wondering how Nudge Security is able to discover all of this SaaS adoption, especially as other SaaS security and SaaS management vendors are proudly touting support for dozens—even hundreds!—of SaaS applications.
In this post, I’ll explain Nudge Security’s approach to SaaS discovery and how it works to uncover ALL shadow IT and business-led IT across remote and distributed organizations. I’ll also argue why we think we have the best method for SaaS discovery, and where other SaaS discovery methods fall short. Finally, I’ll close by urging you to experience it for yourself. Really: size it up against your current SaaS discovery methods and see if I’m lying.
In case you’re new here, here’s a quick primer on how Nudge Security discovers SaaS:
Nudge Security takes advantage of a simple, yet consistent design pattern of every modern SaaS provider: the use of email to drive user engagement. When you first sign up for an account or free trial, you receive a welcome email. When you reset a password, email. Enable MFA, email. A security incident, email.
Nudge Security uses this rich source of data to discover and build a continuous inventory of SaaS applications, accounts, users, resources, and activities. For full and continuous visibility of your org’s SaaS footprint, all it takes is read-only API access to your organization’s email domain (Google Workspace or Microsoft 365)—but you can also try it out on your own individual email account with a simple OAuth grant. Read more about our discovery method here.
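As an added illustration of the email-driven discovery pattern described above (example code written for this post, not Nudge Security's own implementation), the script below walks a constructed mailbox, keeps only account-lifecycle mail (welcome, trial, verification, password reset, MFA notices), collapses provider sending subdomains to a registrable domain, and records first-seen and last-seen dates per service. The sample messages, the subject-line regexes and the subdomain list are all assumptions made for this example.

```python
"""Added example (not Nudge Security's code): build a first-seen SaaS inventory
from account-lifecycle emails by matching sender domains and subject patterns.
Sample messages below are constructed, not real mailbox data."""
import re
from datetime import datetime
from email.utils import parseaddr

# Constructed sample mailbox: (ISO date, From header, Subject). Not real data.
SAMPLE_MAILBOX = [
    ("2019-03-04T09:12:00", "Notion Team <notify@mail.notion.example>", "Welcome to Notion!"),
    ("2021-07-19T14:02:00", "no-reply@accounts.trello.example", "Reset your Trello password"),
    ("2021-07-20T08:30:00", "security@trello.example", "Two-factor authentication enabled"),
    ("2022-01-05T11:11:00", "newsletter@retailer.example", "Weekly deals inside"),
    ("2022-11-30T16:45:00", "\"Loom\" <team@loom.example>", "Your Loom free trial has started"),
    ("2023-02-14T10:00:00", "no-reply@accounts.trello.example", "Verify your email address"),
]

# Subject-line cues for account lifecycle events (assumed patterns for this example).
LIFECYCLE_PATTERNS = {
    "signup": re.compile(r"\b(welcome to|your .* (free )?trial|verify your email|confirm your (email|account))\b", re.I),
    "password_reset": re.compile(r"\b(reset|change) your .*password\b", re.I),
    "mfa": re.compile(r"\b(two[- ]factor|2fa|mfa|multi[- ]factor)\b", re.I),
}

# Mail-sending subdomains that providers commonly use; stripped to reach the service domain.
SERVICE_SUBDOMAINS = {"mail", "accounts", "notify", "email", "no-reply", "noreply", "notifications"}


def registrable_domain(address):
    """Return e.g. 'trello.example' for 'no-reply@accounts.trello.example'."""
    _, addr = parseaddr(address)
    domain = addr.rsplit("@", 1)[-1].lower()
    parts = domain.split(".")
    while len(parts) > 2 and parts[0] in SERVICE_SUBDOMAINS:
        parts.pop(0)
    return ".".join(parts)


def classify(subject):
    """Label a subject as a lifecycle event, or None for marketing/unrelated mail."""
    for label, pattern in LIFECYCLE_PATTERNS.items():
        if pattern.search(subject):
            return label
    return None


def build_inventory(mailbox):
    """Map service domain -> {first_seen, last_seen, events}, using lifecycle mail only."""
    inventory = {}
    for date_str, sender, subject in sorted(mailbox):  # ISO dates sort chronologically
        event = classify(subject)
        if event is None:
            continue  # newsletters and other non-lifecycle mail never create an entry
        domain = registrable_domain(sender)
        when = datetime.fromisoformat(date_str)
        entry = inventory.setdefault(domain, {"first_seen": when, "last_seen": when, "events": []})
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        entry["events"].append(event)
    return inventory


if __name__ == "__main__":
    ordered = sorted(build_inventory(SAMPLE_MAILBOX).items(), key=lambda kv: kv[1]["first_seen"])
    for domain, info in ordered:
        print(f"{domain:16} first seen {info['first_seen']:%Y-%m-%d} events={info['events']}")
```

Because the inventory is keyed on the sending service's domain rather than on a vendor catalogue, a provider the script has never seen still appears the moment it sends a welcome or reset email; the trade-off is that the lifecycle regexes need tuning against real mail, which is the hard part any such discovery method has to solve.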
While there are many ways to uncover shadow IT (and a few wrong ways), starting from the corporate email environment is a highly effective SaaS discovery method as it provides a number of advantages over other SaaS discovery methods:
1. Historical SaaS discovery
Perimeter-based SaaS discovery methods like web proxies, CASBs, SWGs, DNS, and other acronyms under the security service edge (SSE) umbrella are among the most common methods for SaaS discovery, especially among large enterprises with legacy IT and networking infrastructure.
These methods have plenty of shortcomings, most notably a limitation of only being able to discover SaaS use from the point of deployment forward. That means there is no record of historical SaaS adoption and use, which in turn means thousands of apps and accounts would remain invisible. In contrast, we know that email is retained for long periods, which allows us to analyze an organization’s historical and present SaaS footprint as far back as their email is archived. In one case, we found SaaS activity dating all the way back to 2003.
2. Last-mile SaaS discovery
Our proprietary machine-learning algorithms use email pattern recognition to discover totally new and unknown SaaS applications (zero-day SaaS, anyone?). This allows you to conduct true last-mile SaaS discovery without any prior knowledge of services or domains being used in your organization.* This also eliminates your reliance on a SaaS security vendor to maintain a “massive SaaS database” or build integrations, plugins, or rulesets for new SaaS.
*Side note: If a SaaS security or management vendor tells you they discover shadow IT but then requires a list of all of your enterprise SaaS applications or integration with your existing tools (SSO, CASB, HR, or ITSM) to do it, that’s not discovery.
3. SaaS discovery for remote work
Another advantage of our approach to SaaS discovery is that it works without any browser plugins, endpoint agents, network touches, or changes in how employees adopt and use SaaS. Not only does this make for a much faster and less painful deployment, but it also closes the visibility gaps often created when workers use personal or mobile devices, travel, or disconnect from the VPN. So, whether your workforce is RTO or still living their best digital nomad lives somewhere in the Caribbean, the IT security team at HQ can still discover and inventory their SaaS use.
4. SaaS-to-SaaS OAuth discovery
Connecting our SaaS discovery solution to your Microsoft 365 or Google Workspace environment also allows Nudge Security to create an inventory of all of the OAuth grants that exist between these providers and third-party applications, as well as surface any risky or overly permissive connections. Employees often use their corporate Microsoft 365 or Google accounts for single sign-on (SSO) to other SaaS applications. They may also grant additional permissions to do things like update calendars, send email, or even delete drive files and folders. Having such actionable visibility of OAuth grants and scopes is critical to SaaS security.
It’s important to note that not every SaaS security provider that connects to Microsoft 365 or Google Workspace provides the same visibility or SaaS discovery capabilities. Some vendors are limited to only OAuth discovery, claiming to map the mesh of SaaS-to-SaaS integrations. However, in order to perform OAuth discovery beyond Google and Microsoft, they require prior knowledge and integration with these SaaS applications, such as GitHub, Salesforce, or Zoom. In contrast, Nudge Security discovers such SaaS-to-SaaS OAuth integrations without requiring any additional connections.
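To make the "risky or overly permissive connections" point concrete, here is an added example (written for this post, not Nudge Security's code) that scores third-party OAuth grants in a Google Workspace tenant by their most permissive scope and separates sign-in-only grants from grants that can send mail or modify Drive. The grant records are constructed; the scope strings are real Google OAuth scope identifiers, but the risk weights and threshold are assumptions chosen for the example.

```python
"""Added example (not Nudge Security's code): rank third-party OAuth grants by
scope risk. Grant records are constructed; scope identifiers are real Google
OAuth scopes; weights and threshold are assumptions for this example."""
from dataclasses import dataclass, field

# Constructed grants: (user, app name, granted scopes). Not real tenant data.
SAMPLE_GRANTS = [
    ("faraz@corp.example", "Calendar Helper", ["openid", "email", "https://www.googleapis.com/auth/calendar"]),
    ("ana@corp.example", "PDF Merge Tool", ["openid", "email", "https://www.googleapis.com/auth/drive"]),
    ("ana@corp.example", "Login-only CRM", ["openid", "email", "profile"]),
    ("li@corp.example", "Mail Scheduler", ["https://www.googleapis.com/auth/gmail.send",
                                           "https://www.googleapis.com/auth/drive.readonly"]),
]

# Assumed risk weights: broad write/delete access to mail or Drive scores highest,
# read-only scopes score lower, identity-only (SSO) scopes score zero.
SCOPE_WEIGHTS = {
    "https://www.googleapis.com/auth/drive": 10,            # full read/write/delete on Drive
    "https://www.googleapis.com/auth/gmail.modify": 9,      # read, label, delete mail
    "https://www.googleapis.com/auth/gmail.send": 8,        # send mail as the user
    "https://www.googleapis.com/auth/calendar": 5,          # create/update/delete events
    "https://www.googleapis.com/auth/drive.readonly": 4,
    "https://www.googleapis.com/auth/gmail.readonly": 4,
    "https://www.googleapis.com/auth/calendar.readonly": 2,
    "openid": 0, "email": 0, "profile": 0,
}
HIGH_RISK_THRESHOLD = 8  # assumption for this example


@dataclass
class GrantAssessment:
    user: str
    app: str
    score: int
    sign_in_only: bool
    unknown_scopes: list = field(default_factory=list)


def assess_grant(user, app, scopes):
    """Score a grant by its single most permissive scope.

    Scopes missing from the weight table are reported as unknown rather than
    silently treated as harmless, so a reviewer sees them."""
    known = [s for s in scopes if s in SCOPE_WEIGHTS]
    unknown = [s for s in scopes if s not in SCOPE_WEIGHTS]
    score = max((SCOPE_WEIGHTS[s] for s in known), default=0)
    # Sign-in only: every scope is an identity scope and nothing is unknown.
    sign_in_only = not unknown and all(SCOPE_WEIGHTS[s] == 0 for s in known)
    return GrantAssessment(user, app, score, sign_in_only, unknown)


def high_risk_grants(grants, threshold=HIGH_RISK_THRESHOLD):
    """Return assessments at or above the threshold, most permissive first."""
    assessed = [assess_grant(u, a, s) for u, a, s in grants]
    return sorted((g for g in assessed if g.score >= threshold), key=lambda g: -g.score)


if __name__ == "__main__":
    for g in high_risk_grants(SAMPLE_GRANTS):
        print(f"{g.user:20} {g.app:16} score={g.score}")
```

Scoring on the most permissive scope rather than a sum keeps one app with full Drive access from being outranked by an app that collected many harmless identity scopes, and flagging unknown scopes explicitly means a new scope a vendor starts requesting does not slip through as a zero.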
When it comes to SaaS discovery, context is key.
I love this quote from Frank Dickson, IDC Group Vice President, Security & Trust:
“In today’s SaaS-fueled enterprise, monitoring access at the network layer is no longer enough. Context is key, and 'SaaS context as control' becomes the basis for implementing modern identity- and data-based security controls.”
What exactly is “SaaS context?” Context is knowing that 60% of your business teams are now adopting a new customer data platform without any SOC 2 certification, and that Faraz in operations was the first person to introduce the tool just three weeks ago. Context is reading about a big SaaS data breach and knowing within minutes who in your organization uses the service and also which of your SaaS suppliers use the breached service and may put you at risk of a SaaS supply chain attack.
Frank goes on in his quote to say, “Nudge Security innovates beyond other cloud and SaaS security technologies by providing SaaS context quickly and efficiently across all applications and user accounts, managed and unmanaged, enabling security and IT professionals to modernize their SaaS governance efforts.”
Discovering shadow SaaS is half the battle.
A question we often get when onboarding new users to Nudge Security (after their heads stop spinning seeing all of the shadow SaaS we just discovered) is, “okay, now what?” And, I get it. Just as a problem stated is a problem half-solved, shadow IT discovered reveals a whole new set of problems for IT, security, and governance organizations to solve. That’s why any evaluation of a SaaS security or SaaS management vendor should not stop at SaaS discovery alone, but should also assess the vendor’s ability to operationalize the information to protect and secure the organization’s assets.
Nudge Security’s approach to operationalizing this information requires another blog post, but the TL;DR is this: employee-led and business-led SaaS adoption is now the rule, not the exception. The only way to secure SaaS at scale is to work with your business partners and individual employees, not against them. More to come.
Need more convincing of our SaaS discovery method?
As I warned, here’s the plug for our free trial. I promise it will be more convincing of our SaaS discovery method than any words I write here. Our 14-day free trial offers:
Zero commitment with no credit card required
Zero pressure from our sales team, support when you need it
Zero risk with a self-service spin down, data destroy, and full query audits on request