The one thing Nudge Security doesn’t do

Our product uses a powerful SaaS discovery method—but there’s one type of account it can’t find.

One thing I appreciate about security practitioners is that they’re always looking for the corner cases. The blindspots. The gotchas. The most unlikely scenarios that adversaries are most likely to exploit.

So it’s no surprise that when I explain to security practitioners how Nudge Security works, they’re often quick to point out the one visibility shortfall of our SaaS asset discovery method. Let’s see if you can guess it before I tell you…

Nudge Security’s SaaS discovery method

Briefly, here’s how cloud and SaaS asset discovery works in Nudge Security. We hook into an organization’s corporate email account (Microsoft 365 or Google Workspace) and use read-only API access to look for evidence of SaaS activity. Primarily, we search for machine-generated emails (think that SaaS applications send whenever a user creates an account, changes security settings, requests a password reset, etc. We’re also able to identify and inventory OAuth grants in ways that enable our users to readily visualize app-to-app relationships across their entire SaaS footprint. People are often surprised by how much SaaS visibility and context this method provides.

What’s really great about this discovery method is that it has absolutely zero reliance on the network, endpoint agents, or browser plugins, and it requires zero integration with known SaaS providers, expense report systems, CASBs or other security tools. This means that it’s super lightweight and fast to set up. It also provides historical visibility and it works no matter what network or device employees are on. We think this is a superior approach for modern, distributed organizations, especially compared to network and endpoint-based SaaS discovery methods. But, it still leaves one corner case. Have you figured it out?

Here’s the question I’m often asked first when demoing the product to security folks: “So, what if an employee uses a personal email address to create a SaaS account?”


The challenge of shadow root users

When an employee uses a personal email address to create a SaaS account for work purposes, we call it a “shadow root user.” Nudge Security does not directly discover SaaS accounts created using a personal email address, because it does not peer into personal email accounts. (Privacy-conscious security leaders don’t want that kind of liability anyway.) Still, B2B SaaS is built for collaboration, and Nudge Security does provide evidence of a shadow root user whenever the user starts to invite other colleagues to collaborate in the application. (That is, unless you have a ring of employees trying to keep their work covert by sharing personal email addresses. That’s a different problem.)

Beyond detecting shadow root user accounts, it’s important to understand why and how they emerge, and prevent them from becoming the achilles heel of your SaaS security program.

So, why do people use personal email addresses at work anyway? While you can’t rule out the possibility of an insider threat, it’s not the only reason. User error can definitely come into play. Have you ever noticed how easy it is to hit the “Continue as…” button in Google Chrome only to realize that you were signed into the wrong Google account? I do this more often than I’d like to admit, which is why I appreciate the periodic nudge asking me to review personal-looking SaaS accounts I’ve created with my Nudge Security email address.

How Nudge Security can help to discover and prevent shadow root users

As enterprise SaaS experiences look and feel increasingly like consumer app experiences, it can be tricky to keep personal and professional accounts separate, even if you’re a conscientious user. You can help your employees to disentangle their personal and professional digital identities simply by giving them visibility of their own SaaS footprint, which Nudge Security does. It’s one of the few (if only) security technologies that invites every employee to participate in their own SaaS governance and security.

The other reason people use personal email addresses to sign up for SaaS at work is a bit more insidious: because IT blocks them from accessing a SaaS application altogether. I’ve had more than one friend describe their remote work setup to me as a work laptop connected to the corporate VPN sitting next to a personal laptop, which they use for anything at work that gets blocked by the corporate network. It’s pretty common practice. In fact, our research shows that 67% of workers would look for a workaround if they couldn’t access a SaaS application they need for work. It’s not so much nefarious as it is practical. Employees are trying to get their work done quickly and efficiently. Great employees are tech-savvy and use their ingenuity to overcome barriers.

If this sounds like your workforce, it might be time to re-evaluate whether your IT security policies are so restrictive that they’re pushing legitimate work into the shadows—which only makes it harder to manage and secure. Instead of blocking access to legitimate SaaS tools that haven’t gone through a centralized procurement process, Nudge Security helps modern organizations to align their SaaS governance and security processes to the realities of how employees adopt and use SaaS tools to move work forward. By removing blockades and inviting employees to be active participants in your organization’s SaaS governance and security, you can not only start to curb shadow IT, but also promote better security behaviors and awareness.

If you’re ready to give it a try, you can start your free 14-day trial now.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors