Episode 3: Navigating the challenges of SaaS sprawl

Join Russ Spitler, CEO and co-founder of Nudge Security, and Kunal Anand, CTO and CISO at Imperva Security, in episode three of our "Overshadowed" series, as they delve into common misconceptions that lead to challenges for IT and security practitioners trying to secure their SaaS ecosystem.

Russell Spitler:

Overshadowed. We are here discussing how modern IT and security teams are dealing with SaaS sprawl. Joining me today is a good friend, Kunal Anand, who is the CTO and CISO at Imperva Security.

Kunal Anand:

Hey, Russ. Thanks for having me.

Russell Spitler:

It's a pleasure to be speaking with you today. I am so excited to jump into this. Obviously we've had conversations over the years about SaaS sprawl and the implications, but I'd love to just hear a little bit about your perspective as CISO of Imperva. Sorry, I keep on saying it like that because I'm so amused that Kunal has such operational responsibility for security. He's been on the product side for so long now he actually has to use his own products, and that's always a challenge.

Anyways, really excited to hear what your perspective is as CISO about the use of SaaS in your organization and some of the challenges and risks that you've had to deal with.

Kunal Anand:

First of all, again, thanks for having me, and I couldn't agree more that it's a challenge, and I think it's a challenge that a lot of organizations are just beginning to acknowledge.

And let me kind of take a step back. Our organization is several thousand folks. And in that population, we use a lot of third party software and we use a lot of SaaS software. And we have a big issue trying to get our arms around the different types of applications that people use, trying to understand why and trying to rationalize why people use certain tools. And sometimes it's preference, sometimes it's because they want to try something new.

So I would say one of the issues that we and other organizations have right now is generally understanding how much SaaS software is being used, who's using that SaaS software, is it active. Then you get into second dimension things, which is it secure, do we have the right controls, do we have the right visibility around all of that. And then of course, when people inside the organization come, when people in the organization go, when people change teams, are they appropriately scoped to using the right SaaS software as well.

So those are the large challenges. And I can tell you that I'm not the only organization that has to think about this. I've spent a lot of time in my role talking to some of the largest companies in the world, the Fortune 500s or the Global 2000. And when I have these conversations with CTOs, CIOs, CISOs, this is a topic that's at the forefront of their brains right now.

Russell Spitler:

And when I've had these conversations, there's always an interesting sort of bifurcated perspective. There's the organizations who've sort of locked things down at the edge and have this assertion that, "Hey, we've separated the good internet from the bad and our employees never go to the bad internet and they only go to approved apps. And if they don't, they're fired." And then there's other organizations who've kind of come up with a much more realistic understanding of the current problem and they sort of say, "Hey, my employees are largely outside of our explicit control, but we really are trying to drive them towards the best decisions."

Where do you guys fall on that spectrum? And certainly don't want to put you in one bucket or the other, but how have you guys thought about trying to manage and control the use of SaaS in your org?

Kunal Anand:

I think there's a fallacy that these companies have, or fallacy that people believe with respect to SaaS. Here's what I mean by that. A lot of people use single sign-on sort of solutions in their environment. So they may use an Okta or a Ping or whatever it might be for SSO. And I think for those in enterprise environments, for those running security teams, you generally know what that is. You get to a portal and all the apps that you need are in that portal.

Security teams generally think that all of the SaaS is there. They genuinely think that all of the things that they need to consider from a security perspective are in SSO. Guys, and I am going to say this as guys to the global security people listening to this, that is really irresponsible if that's what you think, because there are so many different applications that are being used in the environment that do not fall under SSO, and maybe they should for your organization or for your enterprise.

But I think let's start there, which is the sort of myth that people think they have an understanding or they have a complete inventory, like a SaaS bill of materials or a full awareness of all the SaaS applications that are being used in their environment. And that's just not true. So let's start there. I think that is the big, big issue. It's that overall issue of lack of inventory. I think let's just say that. That's the problem that people have right now.

Russell Spitler:

It's really interesting to hear you bring up single sign-on. One of our experiences as we've worked with customers is typically we end up seeing about 20% to 30% of their total SaaS usage being managed by a single sign-on system. And those are in organizations that are pretty rigorous about it.

Now, to be fair, a lot of the super critical systems do find their way into single sign-on pretty fast. Your source code repositories, your CRM, your financial services. But the real challenge is what happens when you start to see that sort of OAuth grants. I like to call them the new EULAs. Nobody thinks twice as they click through an OAuth grant.

And that just enters these back channels into these data sets within these SaaS applications that is still sort of, it's sensibly protected by single sign-on. But now I have another service which is out there, which is hooked off of that, which is hooked off of that, which is hooked off of that. And that's where the real challenge starts to come in to rise, when you don't have that inventory and insight.

Kunal Anand:

So many ways to take that and so many places to go.

Number one, the lack of... I mean, I think it's safe to sort of connect these two things, but the lack of understanding your SaaS ecosystem if you're an enterprise probably means that you don't have a good understanding of the flows of data that your organization has in its current state or an environment. What I mean by that is you don't necessarily know where data's going, you don't know what SaaS solutions have in terms of the data that your organization is creating, whether it's specific teams, et cetera. I think there are just so many issues that a lot of companies have with finding out that they even have these things.

And I'll give you an example. I was talking to a peer in a financial services company and they found out that their organization was using a different cloud services provider because of a PO, an invoice that was sent, that someone in accounts payable had to address. And that's the moment when they realized that there was shadow IT or shadow SaaS in their environment.

And it's really weird that it's come to that point, but it also kind of makes sense because if you think about the last few years, people working from home, digital transformation, modernization, workforce has fundamentally changed, where we understand as consumers that we can sign up for apps, we can sign up for services. People are bringing those behaviors to the enterprise.

And so, people are trying new software, they're trying new things, but to your point, they don't even recognize that when they're in an environment or they work for a company and they sign up for a service and they begin to try out that service and try to put new data into that platform, maybe it's a CRM tool, maybe it's a marketing tool, maybe it's something related to finance or FinOps, as an example, you're creating a lot of data, you're creating a lot of wealth in that environment or inside that SaaS vendor's application.

How do you know if that stuff should even be there? I mean, people need a lot of help with this stuff. It actually reminds me of something, and I think this is something that from the Nudge side would be really interesting around people leveraging all this generative AI right now, people leveraging these... This is the thing that is so top of mind for people. People are leveraging SaaS AI solutions and they don't necessarily know the data that's going into those SaaS solutions. They don't know the data that's being held in those SaaS solutions. They have no idea who's accessing it from the other side. And it's crazy right now.

Russell Spitler:

It's unbelievable. And that's an area we've been investing in a little bit. We've found many dozens of generative AI tools, which are varying degrees of shims around the core models that are out there. But the reality is every single one of those players along the line has access to the data that you upload, and people are uploading everything in there. "Hey, take a look at this sales report. Help me figure out who I should contact next." "Hey, take a look at this source code, figure out what's wrong." That's a hugely problematic area for people to start to drill down because it's very hard to track and challenge.

And I love what you brought up there. Obviously that work from home mentality comes into play. You brought up those sort of expense reports of somebody finding a cloud provider due to a PO. But these are all places where I sort of look at that and I'm like, "Are we really at the point of digging through expense reports just to figure out what our employees are doing? Are we really just waiting for that next hit on the network log to know that you signed into a GitHub account you created months ago?" These are really sort of passive mechanisms for it, which is why obviously at Nudge we take a very different approach, but it just kind of exemplifies the challenges and the problems that people are facing because we're just trying to play catch up. Nobody's at a place where they're effectively being proactive about this, and that's where I see the biggest opportunity right now.

Kunal Anand:

And I think many CIOs and CISOs would agree with you, if you go and you approach them, and I think the one thing that I've always appreciated in our conversations is you're not here from the Nudge perspective to be like, "Aha. See, I showed you, you have this thing happening." No, you're actually there to help people understand, "Okay, these are genuine applications that are being used. There's obviously third party risk associated with this. Maybe you should go and take a look at this." It's so important that organizations pay attention to this.

And by the way, it's in everyone's risk register. I can assure you, in everyone's risk register, and when they're talking to their cyber committees, when they're talking to their boards, there is something called third party risk. This is the topic that, what we're talking about today, the sprawl of SaaS and the security issues, the FinOps issues, there's lots of issues associated with it, this is something that is squarely in the risk register, and every enterprise, every organization is trying to deal with this today.

And so, I've always just appreciated the approach that Nudge takes, which is just, again, it's not about shaming. It's not about trying to pull a fast one or trying to say, "You only know 1% or 10% of what's actually going on." It's the opposite. It's more of, to your point, there are newer types of things that you have to care about now. There's OAuth grants that you have to care about when people start leveraging SaaS. There are different types of issues related to data risk and data posture that you need to consider. And so, it's less about shaming and it's more about really getting your arms around what exactly is going on.

Russell Spitler:

I always like to point out when people have these conversations, and there's again different perceptions of the challenges. There's one mentality where it's like, "Oh, the stupid users, they keep on doing this stuff. And they know what they should be using?" It's like, well, maybe they just started. Maybe they moved to a new team. Maybe this is how they used to do it. Maybe this is what they're familiar with. Maybe they know some feature of this product that makes it work better. Ultimately, people are reaching for technology because it helps them do their job better. They're not signing up for Airtable because it's funner. That's not the reality. Nobody creates a spreadsheet just because they're bored. This is somebody trying to be more effective in their day-to-day work.

And when they hit a wall that security puts up, they get upset, they get frustrated, and they work around that wall. And that's really kind of the biggest piece of the puzzle when you think about changing people's behaviors, is we can't just put up walls, we actually need to help. At the point they're learning the lesson, redirect them in the right path, in the right manner. And that's a big shift in security mentality because we're so used to blocking the bad stuff from coming in. That's been such a traditional mechanism for security, and this is a little bit different when it comes down to it.

Kunal Anand:

The key theme this year when you talk to security organizations within very, very large companies, the key theme is not blocking. When you think of security, you think of organizations that are interested in taking an action. I want to block something, or I want to turn something off, it's actually not that.

And it could just be that, in COVID, there was this sort of great resignation of CISOs and you're getting a different persona now in that role, but people genuinely are caring about observability and visibility and discovery. These are the three words that come up in all the discussions that I have. And people just want to know what's going on. And then they'll figure out how they want to take action. And that action could be leveraging software, leveraging existing processes, building different things.

I'll give you some examples. If you find out that there are people inside your organization using a different cloud services provider than the one that you are going with, to your point, Russ, that could be one of those examples.

Let's talk to those folks or let's train them that, "Oh, listen, I know you're using CSP X over here, but let's go and use the one that we're paying for, CSP Y. Or let's find out why you did X over Y. Let's have that discussion." Or you might find out that in your population, and let's just kind of hone in on in a group, maybe marketing or sales are really using a specific tool or a solution that you didn't even know they were using. That's actually a good insight for your organization to say, "Okay, maybe this is a better tool because people are voting with their feet, or they're voting with their time, or they're voting with their clicks. This is the thing that they want to use. Okay, let's adjust. And let's, as an organization, get better at it."

Or it could be someone's using this application, and generally you don't use this thing unless you are storing sensitive information or there could be an issue around the sensitive information that could be stored theoretically in this place. Do I have the right security posture? Do I have the right settings enabled? Do I have audit logs as an example? What happens if people leave my organization? Do I know what action to take with respect to that SaaS application?

So again, there's lots of different use cases here, and I think it's so cool and refreshing finally to see people starting to take this stuff very, very seriously. And also people recognizing that it needs to belong in a risk framework or a risk register that needs to be tracked and monitored. And these use cases transcend basic security, like blocking, to things like discovery, visibility, observability, and you can leverage it across multiple teams in an organization.

Russell Spitler:

It's so funny, because we keep on saying SaaS, but as I hear you discuss this, the reality is this is technology these days. This is not some sort of subset of our technology. Frankly, it's kind of the majority of what we're using to run our business, and it's incredibly complicated. And since we've sort of treated it as something that was emerging or new, that might've worked 10 years ago, but it's not going to work anymore because now we need to catch up with the times and start to deal with this with the reality it is, which is this is just technology. And right now, our governance model handles about 30% of our technology, the stuff that's in single sign-on. We've got to start dealing with the rest in the same way.

Well, I feel like I could talk with you for hours, Kunal, and I have, and I probably will again, but today we're going to keep it just around 15 minutes. And so, I really appreciate your time and thank you for joining us and I hope to see you again soon.

Kunal Anand:

Thanks, Russ. And I'm loving what you all are doing and I'm so excited to watch your adventure and Nudge's story unfold. So, really looking forward to it and-

Russell Spitler:

Thanks a lot, Kunal.

Kunal Anand:

... rooting you and the team on.

Russell Spitler:

Awesome. Thank you so much.
