Overshadowed

Episode 2: The security risk that should be avoidable

In the second episode of our “Overshadowed” series, Nudge Security CEO and co-founder Russ Spitler welcomes Dave Anderson, virtual CISO and principal consultant at TSC Security to discuss how IT offboarding has changed with the explosion of SaaS and cloud applications in most modern organizations. Tune in to gain insight into blind spots often overlooked in offboarding, and the resulting risks to security and business continuity.

Russell Spitler:

Hello, and thank you for joining us for episode two of our Overshadowed series, discussing how modern IT and security teams are dealing with the risks of shadow IT. I'm Russ Spitler, CEO and co-founder of Nudge Security, and with me today is Dave Anderson, virtual CISO and principal consultant at TSC Security. Welcome, Dave.

Dave Anderson:

Hey, how's it going?

Russell Spitler:

Great to have you here today. Thanks for talking with us.

Dave Anderson:

Yeah, thanks for having me.

Russell Spitler:

Today, we'll be talking about the risk that should be avoidable and that's really about incomplete IT offboarding. What we've seen is this explosion of employee-led SaaS applications and tasks that should be simple like IT offboarding just aren't anymore. This introduces a lot of risks and challenges for businesses of all shapes and sizes. Gone are the days when we assume that all of our apps are in a single sign-on system. We could just flip a switch and smile as somebody walks out the door. The reality is as people work, they introduce a lot of new technologies. So Dave, in your role, you work with a variety of companies, a variety of IT and security maturity. When you start working with a company, how do you get an understanding of the technology stack, especially now that so much of it is SaaS delivered?

Dave Anderson:

Yeah. Generally, it ends up being mostly interviews with the IT leaders and the IT teams to understand what applications they have that everybody's using, what applications the engineering teams might be using, and so on and so forth. With that, there's always things that have been used that unfortunately, the teams don't know about. And the more people you talk to, it's like, "Oh, yeah, there's that tool here or that tool there," there's this other marketing tool that the marketing team is using that has all the information about all the prospects and everything else that could be construed as sensitive data and whatnot. So it's crazy how there's so many different SaaS applications and whatnot that are being used that IT isn't even aware of and it's not secured. It's not in single sign-on. When people are offboarding, they still have accounts.

Russell Spitler:

It's amazing today. I always think of it as a mesh of applications because it's like a Rube Goldberg machine for sure. You sign into an app, hey, I can link this into all my other apps, and all of a sudden, you're clicking through OAuth grants and you just have this giant mesh of things. The beauty of it is that most often, there are great business productivity gains. I can solve things that used to take me weeks to get insight into in a few seconds with all this new technology. But when you think about that employee interview process and you think about the security programs that are out there, what are the blind spots that you most often see when managing user life cycle and deprovisioning access?

Dave Anderson:

Basically everything that's not in a single sign-on. That's really what it comes down to, and that's even assuming a company's using single sign-on. I have a few clients, they're like 25% startups and they may be using Google and using Google's OAuth and whatnot for single sign-on, but they still have a myriad of apps that are literally just using username and password. Unless you have a good inventory of those apps, it's impossible to know who has accounts where.

Russell Spitler:

It's amazing based on the work that we've done with our customers, you're doing a great job if you have 30% of your apps in single sign-on, which is probably the inverse of what most people think their posture is.

Dave Anderson:

Yeah. That's been my experience too. One of the big challenges, especially for smaller companies, is that if you're using a SAML-based single sign-on like a OneLogin or an Okta or whatnot, you sometimes have to get the enterprise version of many of these SaaS applications in order to even be able to use SAML-based single sign-on, which is just insane. Unfortunately, a lot of companies, I think, are doing their customers a disservice by not allowing them to integrate with, even if it was just a Google OAuth or something like that, to provide that level of security and not having to just use a password.

Russell Spitler:

To me, that's like selling a burger and charging extra for the bun. Single sign-on makes it usable. It's really hard to eat a burger without a piece of bread around it.

Dave Anderson:

Yeah.

Russell Spitler:

Anyways, the interesting data point that we recently gathered is we just did a survey of 375 IT pros about employee offboarding, deprovisioning access. What we saw that was a little bit surprising, but in retrospect perhaps expected was that 70% of the respondents said that they've experienced business disruption, security incidents, unauthorized access as a result of incomplete offboarding. How does that resonate with what you've seen out there in the field and in your experience?

Dave Anderson:

It aligns 100%, unfortunately. Unless you have that inventory of applications and you know who has access to what, some people leave, if you have a reduction in force or anything like that, there's all these dangling accounts out there. One of the challenges at many of the companies that I've worked with and worked at: when you're offboarding, even if it's just a single employee or a large number of employees, the IT team's going to have a checklist. They're going to have the most critical apps there, like whatever you're using for single sign-on, maybe like a Dropbox or a Box, any place where sensitive data could be stored. Then they're going to have a whole list of the other apps that they know about that they then actually have to go through and make sure that they cut access to, like developer tools and marketing tools and so on and so forth, that may not have been in single sign-on or didn't have that available because they had to pay the tax.

The IT team is stuck having to basically cut everything, cut the important stuff, and then maybe go through overtime, over the course of a week or something like that, spend all that time because it's a very manual effort to go in and actually disable all these other accounts.

Russell Spitler:

Disabling access is one piece, but the other thing that I've seen out there in the field is you disable a user's account and all of a sudden, some business automation breaks because they had created the connection between GitHub and Snyk or something along those lines that just mesh, just continues to grow.

Dave Anderson:

Yeah. We had an interesting situation at a couple of places that I've worked, actually, where we used Slack and someone had created a Slackbot. It was pretty heavily used by a lot of people in the company. [inaudible], who actually created that Slackbot or integrated it in, left. Their Slack account was disabled and suddenly, the bot went away, and stuff that's just hugely important to people, like a Salesforce integration. I figured exactly what they all were, but there was a bunch of those where suddenly, this integration that we've been depending upon that feeds us data on a constant basis just poof, went away because a person's account was disabled.

Russell Spitler:

In some ways, that's the beauty of where we are today, is like I don't need to reach out to IT in order to get two services working together. There doesn't need to be some in-house dev team gluing APIs together with a bunch of Python. It works, which is awesome, but it's also a challenge because now, it's each individual employee who ultimately is attributed to that access, and keeping track of that is a huge challenge. One really interesting piece that came out of that survey was that while 70% of people experienced incidents from incomplete offboarding, we saw 80% of those same users express confidence that their IT offboarding process was good. So where do you think that disconnect comes from? If I think I have a good process, I probably shouldn't be experiencing incidents at that rate. Where do you think that challenge is?

Dave Anderson:

It is primarily just around the things you don't know that you don't know. There's all these various applications that have customer data or other company data that just the IT team's not aware of. There's a possibility that let's say the marketing team, they know like, okay, when someone leaves, we go through and cut off these accounts and these systems that the marketing team knows about that IT doesn't know about because maybe the head of marketing is paying for it off the credit card or, not to pick on marketing, it happens across the whole company like engineering and engineering's probably one of the bigger offenders with all the different SaaS tooling out there, especially for doing things like automation as you were talking about before.

Russell Spitler:

Yeah, that CI/CD pipeline has so many little dangling apps off of it these days that I don't think you can blame marketing for the SaaS sprawl anymore. I think fingers are squarely pointed back in the other direction at this point.

Dave Anderson:

Definitely. Definitely.

Russell Spitler:

When we think about how IT teams are balancing the need to ensure complete offboarding with the reality and the time and energy to do that, how do you think they're achieving that balance? You talked about that huge tail of manual efforts versus the immediate need. What do you see when you're working with clients and how do you advise people to help work through that?

Dave Anderson:

Well, nowadays, there's tools like Nudge that we can plug in that will actually crawl the environment and find out where all the long tail is. It's hard to actually even know necessarily what all the different applications are out there. It's unfortunate that there's a lot of manual effort in doing these offboardings. Like I said before, you could cut SSO, and if these apps are behind SSO, then you're at least cutting access, but not removing licenses that you're paying for or transferring the data to the people who need to have it after the person leaves. It's extremely tough on the IT teams and extremely scary for the security teams knowing that all this data and system access is just dangling out there.

Russell Spitler:

It's an area we're really excited about and we've got some exciting automations coming through there that I think will be a game changer for a lot of people who are responsible for this, but that's not what we're here to talk about today. When you think about the advice you have for IT and security teams looking to improve their ability to manage this SaaS-first world, what are some of the basic building blocks that you encourage people to start to think about and the steps that you encourage them to take?

Dave Anderson:

Number one is an inventory. You have to know what you have, what applications are out there, even if it's only being used by one or two people. Even if it's not being managed by IT, IT needs to know about it and the security team needs to know about it as well so that they can make sure that they know what data is there, who has access. Maybe ideally, having an inventory of who has access to these particular apps, but unfortunately with that, without some automation in place, it's really difficult to keep track of that. But having the inventory of the applications. There's a reason it's on the critical security controls. It's number one or two, systems inventory and application inventory.

Russell Spitler:

I only smile at that because every company's got an inventory. They probably have more than one inventory and it's probably in a dusty spreadsheet that hasn't been touched in a while, right?

Dave Anderson:

Yeah.

Russell Spitler:

I think that's the [inaudible] of this SaaS-first, employee-led adoption world where we see, again, in our customer base, upwards of, one organization was adopting 90 new SaaS applications every month. If you think about that, that's a whole new application getting introduced in your environment every eight hours. It's hard to keep up. And along those same lines, the other stat that we saw was for a thousand-person organization, there's a new SaaS account every 20 minutes. So keeping track of who has access to what is something that only happens with automation these days. Because if you're relying on a spreadsheet, you're already out of date by the time you hit save.

Dave Anderson:

Exactly.

Russell Spitler:

Well, we could go on about this topic for hours, but it's time for us to wrap up today. Thank you, everyone for joining us, and Dave, thank you so much for spending time with us today. Pleasure to talk with you. Stay tuned for future episodes of Overshadowed and hope you all can join us again soon.
