Why SaaS security and governance requires a human in the loop

Certain decisions simply can't be automated. Read our case for a scalable, human-centered approach to SaaS security and governance.

November 16, 2023

Although, apparently, 70% of business leaders would prefer a robot to make their decisions, we believe that SaaS security and governance decisions require a human-in-the-loop approach. Here’s why, and how Nudge Security delivers a scalable, human-centered approach to SaaS security and governance.

IT no longer “owns” IT.

Modern SaaS models have unapologetically led us to the point of peak IT decentralization, and there’s no going back. According to Gartner, 74% of technology purchases are now at least partially funded by business units outside of IT, and two-thirds of IT decision makers sit in departments outside of IT as well.

At a time when any business unit or individual employee can reach for a new SaaS tool at a moment’s notice to solve a myriad of business problems, the question of who owns and administers that technology fundamentally shifts. Increasingly, that person sits in a non-IT role: the sales operations director is the Salesforce admin, the head of support deploys her own ticketing system, while DevOps tries to wrangle ownership of all AWS accounts.

Today, any employee can serve as a SaaS administrator, but not all SaaS administrators share the same level of awareness about IT, security, and compliance requirements as the central IT and security organizations. While the most logical conclusion might be to attempt to repatriate ownership of all technology within the central IT organization, this is no longer a feasible approach.

SaaS adoption outpaces IT.

With modern SaaS, it’s no longer feasible to expect a relatively small, centralized team of highly trained experts to manage and secure it all on their own. First of all, the rapid pace at which new SaaS tools are being adopted far outpaces the IT resources required to administer them. Our data shows that a new SaaS asset gets created roughly every 20 minutes in a midsized enterprise of 1000 employees. Simply keeping tabs on all the SaaS being adopted is enough of a challenge for many IT and security organizations.

Secondly, every SaaS application is its own unique snowflake of native security settings and SaaS access controls, each requiring its own learning curve that, while not individually steep, becomes nearly insurmountable at scale. Already in our own install base, we’ve discovered about 32,000 unique SaaS applications in use, which would amount to many years of effort to securely configure and manage it all.

The pipe dream, of course, is to connect all SaaS applications to some sort of federated policy management system, whether an SSO provider, a CASB or SaaS security posture management (SSPM) solution, a SaaS management platform (SMP), or some combination of all. We’ve written at length about the challenges and limitations of those approaches, including the API integration “race to the bottom.” Beyond the shortcomings of these approaches to SaaS security and SaaS management, there’s another glaring problem to consider...

Not all SaaS decisions can be automated away.

Even if you could wave a magic wand to achieve federated SaaS security and policy management across your entire SaaS estate, could you really automate the work? More likely, you’d shift much of the effort toward writing policy rules and building workflows, having to account for every exception and corner case.

The reality is that so much of modern SaaS management and security work involves context and decision making that require conversations with multiple people across the business: business line managers, SaaS administrators, SaaS end users, and other stakeholders.

Take, for example, the following use cases:

  • “We want to manage this SaaS application in Okta. Is there budget to upgrade to the enterprise tier that supports SSO and SAML?”
  • “This developer hasn’t logged into this SaaS account in six months. Does she still need access?”
  • “Our Salesforce admin is changing roles. Who should take over as admin and how do we ensure that all third-party connections keep running when we de-provision the former admin’s account?”
  • “Why did the marketing department just roll out a new work management tool? Can’t they just use Jira like the rest of the organization?”

No playbook or policy can solve these questions without input from various stakeholders. These decisions, like so many others related to SaaS security and SaaS management, require a human in the loop.

Often, knowing who to talk to is the hardest part.

Ever feel like you’re on the world’s worst scavenger hunt, tracking down the right people in your organization to talk to about a SaaS application or user account? You’re not alone. Whether conducting compliance access reviews, offboarding employees, rolling out SSO, or responding to a third-party SaaS data breach, it can be a challenge to answer the question, “whose app is it anyway?”

This knowledge is often siloed and changes frequently. That’s why, as part of our SaaS discovery capabilities, Nudge Security uses various methods to deduce the correct “technical contact” for every SaaS application discovered in your environment. Often, the correct technical contact is the first person to introduce a SaaS application into the organization. In other cases, we can glean this information from an SSO or IdP provider. Still, sometimes the best path is to simply ask the users of a SaaS application.

That’s why we recently introduced improvements to our technical contact discovery process by enabling Nudge Security administrators to automatically reach out to assumed technical contacts with a simple nudge that asks them to either validate or update this information. It’s a sort of “Are you my mother?” workflow that helps you avoid having to manually conduct the search while also making it easier to keep this information up to date as administrative responsibilities change.

Striking the right balance of automation + human intelligence

Having a system of record of SaaS technical contacts creates a powerful foundation for automating and orchestrating SaaS security and management in ways that other solutions fail to realize. Our approach to automating SaaS management centers on engaging the right stakeholders at the right time through the channels they rely on for modern work, and providing the helpful and relevant context, inquiries, and/or instructions needed to complete simple, yet effective SaaS security and administration tasks.

For example, we include a playbook that’s purpose-built to help organizations curb SaaS sprawl using a system of orchestrated nudges. First, the end user of an inactive SaaS account receives a simple nudge that asks, “Are you still using this application?” If the user responds “no,” Nudge Security updates the account status to abandoned and then nudges the technical contact of the application, instructing them to remove unused accounts and reclaim any paid seats or licenses.
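As an added illustration (not Nudge Security’s code), here is the playbook above together with the technical-contact fallback chain described earlier, modelled as one Python pass over constructed account records. The 180-day inactivity threshold, the `first_introducer` and `idp_owner` fields, and the sample data are assumptions, not details from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Six months of inactivity, as in the post's example; the exact threshold is an assumption.
INACTIVE_AFTER = timedelta(days=180)

@dataclass
class Account:
    app: str
    user: str
    last_login: date
    status: str = "active"                   # active -> abandoned | confirmed
    first_introducer: Optional[str] = None   # who first brought the app in (hypothetical field)
    idp_owner: Optional[str] = None          # owner recorded in the SSO/IdP (hypothetical field)

def technical_contact(acct: Account) -> tuple[Optional[str], str]:
    """Fallback chain from the post: first introducer, then IdP record, else ask the users."""
    if acct.first_introducer:
        return acct.first_introducer, "first_introducer"
    if acct.idp_owner:
        return acct.idp_owner, "idp"
    return None, "ask_users"

def run_playbook(accounts: list[Account], today: date, replies: dict) -> list[tuple[str, str, str]]:
    """One pass of the SaaS-sprawl playbook.

    replies maps (app, user) -> "yes" | "no"; a missing key means no reply yet.
    Returns nudges as (audience, recipient, message); account status is updated in place,
    so an account that a human has already decided on is never nudged twice.
    """
    nudges = []
    for a in accounts:
        if a.status != "active" or today - a.last_login < INACTIVE_AFTER:
            continue  # still in use, or already decided by a person
        reply = replies.get((a.app, a.user))
        if reply is None:
            nudges.append(("end_user", a.user, f"Are you still using {a.app}?"))
        elif reply == "yes":
            a.status = "confirmed"  # the human says it is still needed; stop nudging
        elif reply == "no":
            a.status = "abandoned"
            contact, source = technical_contact(a)
            if contact:
                nudges.append(("technical_contact", contact,
                               f"Remove unused account {a.user} in {a.app} and reclaim the seat ({source})"))
            else:  # no contact known: the next nudge goes to the app's users instead
                nudges.append(("app_users", a.app, f"Who administers {a.app}?"))
    return nudges
```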

This is how you scale SaaS security and governance.

The result of this approach is a well-orchestrated and automated system of SaaS delegation, one that allows IT and security organizations to evolve from SaaS administrators to SaaS governors, re-distributing administrative tasks to achieve scale while also maintaining centralized oversight.

Not only does this approach account for the human decision-making that’s so often required, but it also overcomes the limitations of other solutions that depend on SaaS integrations and thus only work across a finite number of IT-managed enterprise SaaS apps.

As a residual benefit of this approach, nudges provide highly relevant, just-in-time knowledge that allows your non-IT workforce to practice and gain experience in adopting and managing SaaS applications in secure and compliant ways. Keeping the human in the loop in SaaS security is one key way to address the elusive human element challenge of modern cybersecurity.