SaaS visibility remains a mixed bag. Within company-sanctioned tools, we have visibility. But when it comes to visibility across tools, we struggle. And don’t forget all of the SaaS apps your employees use that you don’t know about. How do you start to address that SaaS visibility gap?
In this episode, Russell Spitler, co-founder and CEO of Nudge Security, discusses how using email as the foundation for SaaS visibility makes the whole situation much easier to manage. Russell is joined by our panelists, Steve Zalewski, co-host of Defense in Depth, and Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show.
Got feedback? Join the conversation on LinkedIn.
UPDATE:
Big news! Nudge Security has extended their SaaS and AI governance capabilities to the browser, delivering real-time insights into SaaS and AI use as it happens. Now you can deliver guardrails to users in the browser when Nudge detects weak or re-used passwords, missing MFA, file uploads to AI tools, and other security risks.
See how you can regain control of SaaS and AI security risks.
Huge thanks to our sponsor, Nudge Security

Full Transcript
Rich Stroffolino: Welcome to Security You Should Know. Today we’re gonna be talking with Nudge Security and what they’re doing in SaaS security and governance. And the problem they’re going to be trying to address here, and we’re going to be learning more about, is SaaS visibility. Helping us get some answers to these questions are Steve Zalewski, the co-host of Defense in Depth and former CISO at Levi Strauss, and Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show.
So Nick, I’m going to get started with you. Why is SaaS visibility still a problem?
Nick Espinosa: Honestly, it’s risk. If you look at it, everybody’s hacking everybody, right? So, how many cloud platforms or SaaS platforms have we seen hit? Not to mention the visibility for an organization. If you don’t understand the shadow IT aspects, essentially, of your risk, you’ve got a big problem. You have people that are going to be connecting to SaaS platforms to transfer files to their home computers, so they can legitimately work at night.
Now you basically have data exfiltration risks. You can be using SaaS platforms for a lot of different things, and by virtue of that, if you don’t have a good control or visibility of that, that’s a huge problem. This is probably one of the, I don’t want to say last frontiers of risk, that is tough to quantify, but it’s one of the big categories that a lot of companies have real issues categorizing, quantifying, and then basically controlling.
So it’s a big problem.
Rich Stroffolino: Steve, let me turn that to you. Why is SaaS visibility still a challenge today?
Steve Zalewski: I would equate it to being parents: having children is a lot of fun. Okay. And the lines of business use SaaS applications as if they’re children. They like a lot of applications, but once they buy the application, they want the nanny to take care of the kids at that point. Okay.
And so why visibility continues to be a problem is we, security, are the nannies. And the business constantly has more kids, but they’re kinda leaving it to us to find them and raise them, and I go, that is the challenge that we have. And so, as long as the business continues to want to go buy these SaaS apps without telling us, we’re constantly having to find them and then raise them.
Rich Stroffolino: Alright, helping us get some more information about what Nudge Security is doing is Russell Spitler, CEO and co-founder, and we’re gonna start out with just three essential questions, get these preliminaries and get a basic understanding here, and then dive into some more questions. So Russell, the first three questions we need to answer here are: how do I explain the value of your solution to a CEO?
What does your solution do? What doesn’t it do? And what’s the pricing model? Can you help us out here?
Russell Spitler: Yeah, you got it. So the easiest way to explain our solution is to remind your CEO of the wonderful time when everything was perfect, which was probably far back in their memory. But then your employees started using the internet, and the challenge that we see today is every single time a user or an employee interacts with the internet, they have choices: to sign up for SaaS applications, to choose how they’re authenticating with those applications, to choose how data is being shared across those applications with API keys, with OAuth grants.
And that ultimately is a benefit to the company with productivity. But the challenge that everybody has today is exactly as Steve described: how are we gonna manage the risk related to that? And ultimately, every company out there is on their heels right now because the employees have become the CIOs.
They make their own business decisions. Departments of organizations make decisions, and we need to recentralize that visibility so we actually understand the risk and the attack surface of our operational technology that runs our business, which is delivered through SaaS.
Rich Stroffolino: And in terms of pricing model, what are we talking about with Nudge?
Russell Spitler: Our product gives you visibility across all your employees, historical adoption rates, as well as ongoing detection. We have one platform fee, which is on a per-seat basis. Essentially, the number of employees you might have in Google or Microsoft, that’s the same rate that we use for our pricing.
Rich Stroffolino: Excellent. So we’ve gotten some preliminaries out of the way, but I’m sure both of our panelists have a lot of questions. So Steve, I’m gonna start with you. What other questions do you have for Nudge Security?
Steve Zalewski: So since these SaaS apps are like children, and they’re running around out in the fields and in the house and everything else, how do you find all of these children? So that, from a visibility perspective, I actually know how many I have.
Russell Spitler: Yeah, and I’m not quite sure how I can relate our detection to the children analogy, but I’m sure there’s some path there. But ultimately we take three core detection methodologies to detect SaaS applications. The primary mechanism does not depend on the device or network your employee is on.
And there, what we do is we leverage this one standard design pattern every SaaS application has, which is as soon as you sign up, they’re trying to drive usage. And the only universal communication mechanism on the internet is email. So we tap into that incoming stream of machine-generated email. That gives us the benefit of historical detection from before Nudge was deployed, as well as ongoing detection that doesn’t require us to be in line between that employee and the internet.
The next thing that we do is we have a library of API connectors where we can start to hook up to those API instances and find additional insight into where there are external contractors provisioned. And then the final piece of the puzzle is we also have an in-browser extension, which allows us to enrich that data set and see things like last login, and start to address some of the identity security, like password reuse, et cetera, giving you a very holistic picture of what’s out there, who’s using it, and how often they’re using it.
Rich Stroffolino: And Nick, what questions do you have for Nudge Security?
Nick Espinosa: Longtime listeners of this show know that I’m really good at ripping off Steve, so I’m gonna go ahead and riff off him this time. As I understand it, basically your product, as it’s identifying all these SaaS applications, is also designed to nudge people towards better practices, right?
Hence the concept of nudging. And so by virtue of that, and to take Steve’s premise here, at what point does, like, a helpful nudge, for example, become a form of paternalistic oversight? And how are you balancing, let’s say, the autonomy with organizational security? Because autonomy is important for a lot of employees, especially those that are self-starters, self-achievers, they’re trying to go from point A to point B themselves.
Russell Spitler: And that’s really the intent of our platform, and probably something I should have covered under what should you do and not do. Nudge is not a hard shell that you put your organization inside that’s gonna block the good internet from the bad. We’ve been trying to do that for as long as the Internet’s been around.
It doesn’t work. Ultimately, what we have seen is employees are really good at working around hard technical controls because, exactly as you described, they’re trying to get their job done. And they want more time at home with their puppies and their children, right? And so what we do with Nudge is we deputize every single employee to be part of your security team.
So as they’re making those decisions, we let them know when they’re making a high-risk decision that they really can’t be empowered to make. We’re letting them know when they are signing up for an alternative to something that already exists within the organization, and they might just be making an uninformed decision.
And we’re also engaging with them when they’re making decisions about data sharing, about access, about identity security measures. And all of those opportunities are places where the employee really wants to do the right thing, but often doesn’t have the business context or the security context to balance out the productivity gains that might come from making that decision.
Steve Zalewski: So let me ask it another way, which was, security people are notorious for saying no. So we wield a big stick. We’re not so good at carrots. So how would you position Nudge Security as to the carrot versus the stick? Do you have both, or which way do you fall on that continuum?
Russell Spitler: We really believe that Nudge is the delivery mechanism. There are some places where you want to use a stick, and there’s other places where you want to use a carrot. Now, in my experience, the broader majority of those should be carrot-based incentives where we can provide alternatives. Hey, you’re signing up for asana.com.
Guess what? We already have Monday and Jira, probably three other project management tools already existing. Please don’t do that. And then that’s a way where there’s a carrot. Now on the other side, recently, everybody was dealing with a slew of new AI signups for an AI tool that was based out of countries where people didn’t want their data resident.
In those scenarios, we can use a little bit more aggressive, or a little bit more of a stick, where we actually inform people of the risks related to that, we put up a bigger speed bump where they actually have to work around some technical controls to get past that, and ultimately we have a much better balance between those two, where we’re taking in context the business risk as well as the sort of friction we’re putting in front of that user while they’re making that decision.
Nick Espinosa: And I think that’s an interesting point. So if you think about it historically, security responsibilities usually fall to a single department, right? It’s usually IT or cybersecurity under that umbrella. But the way I see Nudge is basically your platform spreads out responsibility across an organization.
Multiple departments are gonna have multiple SaaS needs, et cetera, et cetera. And so looking at that, and typically cybersecurity and IT look at centralization and management as the key to success, do you believe, essentially, that security should be universally owned? Or diffusing all of this accountability, does that have a risk in and of itself as somebody or a company is trying to adopt Nudge?
Russell Spitler: Ultimately there is centralized responsibility for compliance with policy, and that will always land in the security or the IT organization depending on how that’s played out. But the challenge is, and I challenge any security organization that exists out there not to look at their backlog of things that they need to go run down, it often outnumbers their employees a hundred to one, if not a thousand to one, right?
The number of vulnerabilities, the changes, the issues that they need to go resolve and find information on. The limiting factor in resolving those is business context. Every single time you’re going out there and you’re making a decision about, Hey, should this SaaS application talk to this other SaaS application?
Guess what? That connection enables payroll for sales commissions. Yes, it needs to exist for a business reason, but the centralized team might not have that context. So when we look at this, we’re really not focusing so much as, Hey, let’s just absolve security and IT of responsibility for compliance.
But rather, let’s automate the engagement with those employees so we have the business context, so that when we can remediate these things in an automated fashion, we can do so in a short circuit without waking somebody up in the middle of the night. And when we do need a bigger discussion, we have the context and the information we need to drive that conversation forward.
Steve Zalewski: So I want to pivot on that a bit and let’s talk about responsibility and accountability, which is, from Nudge’s perspective, bringing that visibility of what the lines of business and the employees are doing. How is that translating? Which is, when you have that accountability, now that the lines of business are being shown what they’re doing, is this actually curbing the adoption of a lot of, or some of, what I call the spurious SaaS apps, so that you’re actually able to make the security job better because you’re able to bend the curve on just willy-nilly adoption?
To be able to have that accountability, it actually has to provide a business value.
Russell Spitler: That’s one of the really interesting factors that we’ve seen in a lot of our customers, which is as soon as there is awareness that signing up for SaaS applications has a business impact from a security standpoint, a compliance standpoint, many other places where people start to get nervous, there does tend to be an adoption drop.
So, in some organizations we are seeing adoption rates of multiple SaaS applications per day across the organization, upwards of three to five. And so when you propagate that out over the course of a year, you’re talking about hundreds, thousands of SaaS applications. When employees start to be aware of the impact of that decision, we see that adoption rates start to drop, a major improvement in just the standard baseline, but then opportunity to move forward and start to reconcile the existing set of applications as well as reduce the risk in terms of usage and configuration and integrations across those applications as well.
Nick Espinosa: So let me pick up where Steve was, I think, going with this. If I’m looking at this from, let’s say, the perspective of an employee, employees do personal stuff, oftentimes they check their own email, et cetera, using company-owned equipment. And so by mapping basically, like, every SaaS footprint and access pattern that you’ve got, are we risking here blurring the line between necessary security monitoring and the right to digital privacy for an employee? How do you essentially equate that? If I’m checking my Gmail account or whatever, technically that’s a SaaS platform, right? And my company’s on Office 365 or whatever. So how do we reconcile those competing values with Nudge?
Russell Spitler: There’s a couple of things from a technical perspective that allow us to sidestep that problem a little bit. First and foremost, that primary discovery mechanism using the corporate email allows us to identify SaaS applications which have been registered with that corporate email. Those are now fair game for conversation, regardless of the nature of those applications.
Now, when you think about that, without a doubt, there are lifestyle applications. There are healthcare applications that, I made a doctor’s appointment, I sign into my kids’ youth soccer league. Those things creep into your work life because you have responsibility while you’re working, even though, you know, our employers wish you clocked in nine to five like they did. What’s great about the platform is we’ve actually built it with that idea in mind. Any employee, if you choose to configure this setting, can sign in and see what Nudge knows about that employee. We’ve found that is a great way to broker conversations when there are applications that the company doesn’t want you to be using your corporate email address for.
And certainly we’ve seen many scenarios in the past where there have been breaches in more lifestyle-focused applications that have put some egg on the face of some corporations. Those are places where we have an opportunity to get ahead of that and keep that personal life separate from the corporate environment.
Rich Stroffolino: Alright, Russell, we are just about out of time, but what’s one thing that we didn’t ask about that we need to know about with Nudge Security?
Russell Spitler: The one thing that we didn’t discuss here is I have been building products for about 20 years in the cybersecurity industry. I’m a firm believer in let technology speak for itself. Nudge Security and all the claims that I just made are available for you to try out for yourself. On our website, there’s a free trial.
Anybody can sign up. You don’t need to talk to a salesperson before you do it, and you can see how it works for yourself and get your own free SaaS report of who’s using what in your organization.
Rich Stroffolino: That’s about all the time we have for this episode of Security You Should Know. If you wanna learn more about Nudge Security, head on over to nudgesecurity.com. A big thank you to our panelists today, Nick Espinosa and Steve Zalewski, for all of their great questions, helping to really bring out a lot of knowledge about what Nudge is doing.
And I wanna take a moment to thank you, Russell and Nudge Security, for your time and all of your great answers provided, and thank you for listening to Security You Should Know.