On-Demand Webcast: Collaborative SaaS Security Remediation

Transcript

Yoni Shohet  

Hi everyone, my name is Yoni, and I'm one of the co-founders and the CEO of Valence. Today we're excited to announce our $25 million Series A led by Microsoft’s M12 venture fund, and we're excited to also launch our collaborative SaaS security remediation platform.

During this webinar, we will talk a bit about what it means to apply collaborative SaaS security remediation workflows within our organization, and also have a conversation with Doug Graham, who is the Chief Trust Officer at Lionbridge, one of Valence's trusted customers, to walk you through different examples of how the Valence platform was able to help Lionbridge secure and remediate risks that are associated with their SaaS applications.

What is collaborative SaaS security remediation? Today we have so many different challenges within SaaS applications that involve data, the supply chain aspects (third-party integrations), identities, and misconfigurations: covering what we have in the SaaS mesh and being able to practically and effectively reduce, over time, the risk that is associated with unauthorized access to data and to our permission sets and identities. Effectively applying zero trust across the board within the SaaS mesh requires a unified platform that doesn't only involve the security teams, which are no longer the single owner of these platforms, but also engages different business users across the board, down to the different business application owners, within that process of reducing risk and remediating unnecessary risks within SaaS environments.

So basically, how did we get here? Look at the SaaS mesh today within organizations. It's becoming a more and more complex network of SaaS applications, third-party integrations, data, identity, and the different types of small configurations that either admin users or business users can configure within their SaaS applications during their day-to-day work. On one hand, that creates a lot of value for the business: it allows us to innovate, it allows us to be more productive, and to adopt new technology and best-of-breed capabilities across the board within today's day-to-day activities. But of course it also includes different types of challenges that are related to how we properly configure and secure these SaaS applications, because today different users or administrators can create different types of configurations, whether it's just clicking that consent screen that authorizes a new third-party vendor, granting OAuth access to your core SaaS applications; sharing data, opening those sources and repositories to the internet or to the public; or creating a new no-code/low-code workflow automation that creates a new automated data flow that takes data from one sanctioned SaaS application and puts it out to the internet. These types of configurations can again unlock a lot of productivity benefits, but they can also be leveraged by malicious actors in order to exfiltrate data from the organization, to gain persistent access to these core applications, and to bypass a lot of mechanisms like identity governance and MFA and the different controls that we've built over the years to secure applications.

Of course, when the hackers identify good opportunities they take advantage of them, and we've seen multiple examples of attacks that are focused on SaaS applications over the past few years. This year, we've seen major breaches such as GitHub, which leveraged OAuth tokens, where hackers were able to breach third-party vendors that were trusted with access to the GitHub platform and leverage the OAuth tokens or keys in order to gain unauthorized access to GitHub repositories. But without GitHub as a platform, which is hardly a secure platform, being breached, or thousands of GitHub customers being breached, that customer data on the GitHub platform was still stolen, and there was unauthorized access to different resources that were stored within these platforms. And of course, this is not a single case. We've seen attacks against platforms like Microsoft 365, HubSpot, MailChimp, Okta, Slack and of course Google Workspace, and we're seeing a lot of different examples of breaches over the past few years that are focused on the supply chain aspect, on data that is stored in these applications, and on identities: a lack of proper MFA and application governance, and being able to gain unauthorized access to critical resources within the organization. And that's why we've already widely expanded our Collaborative SaaS Security Remediation Platform to solve many more different use cases and to extend to more and more capabilities beyond the supply chain governance that we started with: to solve data sharing risks and identity risks and discovery of assets and misconfigurations across the board within SaaS applications, all within one unified platform that allows security teams to consolidate how they do security within the organization today and how they properly address the risks associated with SaaS applications.

How do we do it? So we start of course with the discovery and visibility aspects. We analyze and normalize the complex data sets of permissions, data, terminology, and small configurations that exist across the board within SaaS applications. We normalize them into one data set that allows you to get central visibility and discovery of the resources that you have today within your SaaS applications. Then on top of that we automate the policy enforcement, which can be automatic or semi-automatic and is completely configurable by the security users, to define how they want to set the policies, what type of policies they want to enforce, and the automation level that they want for remediation workflows. And eventually, this also includes engagement with business users. So a lot of the innovation that we're doing today for organizations is to be able to democratize or decentralize processes that are related to security remediation, remediating security risks by engaging with business users working in the organization. How does this all connect? For example, if you've detected that a certain user has consented to new OAuth tokens or OAuth apps within Google Workspace and Microsoft 365, they will get an education from Valence and find out about the risks they created within the organization, in order to understand if there's a business justification, or if it was a mistake, or whether there was a malicious actor that led to this change within the core business-critical SaaS application. This allows organizations to scale this process and to remediate more and more risks without having to be involved in the day-to-day manual processes that are required within organizations. That is how the platform works: you start by onboarding using an API, which connects to the core SaaS applications. The configuration and data access can be read-only and doesn't have to have any unnecessary privileges, all right-sized with zero trust in mind. 
And then we'll create a central inventory of all the different relevant data that exists within SaaS applications. So that's the users, third-party integrations, the privileges, the configuration data. You have one central view of your risk surface, which allows you to start initiating the automated remediation workflows, engaging with the business users regarding third-party risk management, and feeding governance, risk and compliance dashboards; leveraging your security orchestration and automation tools, or leveraging the security users and administrators that exist within the organization, to be able to properly collaborate within the organization. And then basically, this allows you to see, understand and tackle, after you prioritize, the most important SaaS security risks that you have today across the board within your business-critical SaaS. Going into specific examples of the use cases that we can tackle using our platform, it can go anywhere from basically discovery, just understanding what's connected into our SaaS applications, what type of access levels they have, whether they went through proper risk management procedures, and contextualizing and understanding what the business is trying to achieve and what type of security processes we will perform in order to properly assess and understand these SaaS applications. Then on top of that, we have to govern supply chains and third-party integrations: analyzing OAuth tokens, third-party apps, APIs, and no-code/low-code workflows that are created in Workato, in Microsoft Power Platform, and in the different automation platforms; securing identities and making sure that you have the proper offboarding process, from education to enforcement, that you have a good understanding of events that are outside of your identity providers, and that everything is properly governed against the provider like Okta or Azure.

Going into data protection, a lot of data is being shared on a day-to-day basis. Today, using platforms like Google Drive, OneDrive, Box and Dropbox is becoming more and more a day-to-day process and best practice for sharing data and files, because it's more secure and you have better governance over it, but you need to make sure that you properly apply zero trust and reduce the unnecessary access that exists through these shares. We found a lot of files that have been shared by someone with the public without the proper passwords or covenants or authentication, including very sensitive information, public code repositories that are shared externally, email forwarding rules, and a lot of different configurations that exist that can be related to protecting data within these SaaS platforms. Of course, ensuring proper compliance and misconfiguration remediation means being able to ensure that you're in compliance with best practices and industry standards like SOC II and NIST, and being able to properly ensure that you don't drift from baselines that are important for you as an organization, but also to define your own policies and analyze the misconfigurations that can occur within SaaS applications, because there are a lot of security configurations and toggles and changes you can make within applications. It's becoming very challenging to stay up to date with all these different considerations and to ensure that, on the one hand, you're taking advantage of all the security configurations that you can make, and also that you're not failing to keep up or read up on the proper security controls that are important for you in order to reduce the risk surface when it comes to SaaS applications.

Now to the last part of the webinar, a short Q&A session with Doug Graham, who is the Chief Trust Officer of Lionbridge and our longtime partner and a valuable customer of Valence. During this short Q&A session we want to have a brief chat with Doug to hear more about his security challenges when it comes to securing SaaS applications, and also to hear more about how Valence is able to help with and assist in scaling the remediation workflows and engaging and collaborating with different business users across the organization in the process of remediating and tackling a lot of the different risk surfaces that exist today within organizations in a SaaS environment. And without further ado, Doug, it's great to have you here with us. We can kick it off with a quick introduction to your background and current position.

Doug Graham  

Yeah, happy and pleased to be here, and thanks for having me. So yeah, as you said, I'm the Chief Trust Officer, which means for us I'm responsible for security, privacy and quality at Lionbridge. If you don't know, Lionbridge is a company that specializes in translation and localization of content as well as testing video games. By the nature of our company, we have a very diverse set of users, a very diverse set of customers, a diverse environment, and a diverse SaaS platform as well. So happy to talk about that as we move forward here. Yeah.

Yoni Shohet

Perfect. Thank you again for joining me. Just to give us an overview, whatever you can share in terms of the SaaS environment within Lionbridge: what are the core SaaS applications or platforms, or even categories of platforms, you are using on the organizational side, and in general what is the usage and adoption today of SaaS within the organization?

Doug Graham

Yeah, for sure. As I mentioned in my introduction, we have a lot of diverse use cases at Lionbridge, because our primary way of operating is that we're interfacing with many different customers: in many cases using our own platforms, in some cases using third-party SaaS platforms, and in some cases using platforms that are controlled by the customers themselves, so that we can exchange data, exchange content and exchange ideas. Primarily we're on a Microsoft platform here, so our primary workspace is around the Office 365 environment. But again, due to the nature of what we do, we've got a fairly sizable Google environment as well. We've got the business apps you would expect, such as Salesforce, as well, but when you start getting to the longer tail of SaaS apps, I think when we were engaged with you, Yoni, with Valence the first time, we were surprised just by how many SaaS apps we had from the user perspective as well. And I think of our SaaS apps in two categories. I think about the apps that we configure from a corporate perspective: so we've got the core SaaS apps, and we've got a good idea of what we have out there and what the footprint is. I think now we're seeing more and more SaaS apps being driven and integrated by consumers, and I think that was the number that surprised us there. So we've literally got hundreds of these consumer-connected SaaS apps that they are legitimately using for their jobs, that they configure with our identity providers within Microsoft as well. So a very diverse set of SaaS apps and use cases. And, you know, I think it's been good to wrap our arms around just understanding the size and scale of that as we've leaned into the platform.

Yoni Shohet

Yeah, definitely. And I think I remember a few sessions where we kind of shared some of our findings, where you were able to discover different things that have access to read employee email, or third-party vendors that have different types of privileges and access into your environment. Unfamiliar events were driven by the adoption of apps through democratized IT or decentralized adoption by the different end users. What are the other challenges you noticed, in terms of security within your environment, before and after your engagement with Valence?

Doug Graham

Yeah, I think, you know, it's still easy to have an impression that we can control all the SaaS centrally within companies. And honestly, SaaS providers drive adoption by going to the people that are going to consume the technology; that's been, I think, a purposeful technique. I've nothing to hold against them, right. They want to increase the adoption of their platforms as well. So generally speaking, you know, in the old days, and I'll get to them if I can remember them, when somebody wanted to introduce a new application or a new piece of technology into the environment, they'd go to IT, they'd go to security, who'd do all their checks on the app; we did our security and privacy impact assessments on the apps and we went through a process of diligence, and then we'd say, okay, let's connect it now, maybe enter it into our single sign-on solution. And that was kind of a process, and in reality it took too long, right, so everybody started saying we've got to move faster. We've got to drive agility, and this democratization or consumerization of these apps started to occur as well. And I think if you try and take up what I would say is a previous-generation governance model, where you're slowing down the ability for people to connect to SaaS applications that they need to do their job, you're slowing down your business. Instead, you have to trust your users and allow them to make these connections, just as the platform has been set up to allow. And without having the tool to allow you to see these connections, monitor them and govern them and things like that, for sure you can put policies in place, but it's difficult to actually make sure that people are following the policies. So as we started working with the Valence tool, the first thing we got was visibility. 
What have people connected to, and what permissions does that mean they get into their own platforms through the Office 365 environment, the Google environment? So the first thing is visibility, which is somewhat interesting from that standpoint as well. But then when you get visibility, and many vendors come to me and they say, hey, Doug, I can give you visibility of your security environment, I'm like, great, now you've given me a whole bunch of work, because with that visibility I've got to go do something with the information you've given me. And I start to think about what the security flow looks like for a security... it's not really an incident, but this new piece of information: when I go give it to one of my security engineers or my analysts, the analyst reaches out to the user, and the user says, oh, I'm using this for a business purpose, and we validate that business purpose and we kind of see okay, and then we move on, or we have a discussion and we maybe pare things back. That just takes time, and when you're doing this at the scale of hundreds of user-initiated SaaS connections, gosh, we're all struggling to scale our security teams. It's just not a scalable problem that we can go after. So it's a problem that we tend to see and say, okay, well, let's focus on the biggest risk, let's focus on the oddest things, and you never get to the whole problem there. So I think what's been really good for us is we've been able to work with you at Valence and build a workflow in, so that some of the work of the security engineer can get pre-done by the platform: the platform will say, hey, why are you doing this, or remind them what the policy is, and then it will flag things and then we can start to review it from there. So it's really, in a lot of ways, acting like a force multiplier, helping us reduce the risk, because frankly there are a lot of people that will create a SaaS application. 
A day later or two days later, they'll forget that they've done it, or it didn't do what they thought it was going to do, and they are quite happy to revoke it. That just happens automatically now, without us having to go jump on users and push them to do so. So that alone has just lowered the noise surface, and yeah, there are still some things we've got to follow up on, you know, one on one, make those calls, but not anywhere near as many.

Yoni Shohet

Yeah, thanks for that, and I think, really, what we've learned, probably the most repeated quote I've heard from CISOs over the past couple of years, is: I don't want visibility into a problem I can't solve afterwards. I think it's really driven us to build a platform that kind of reverses the democratization of IT and adoption of application tools and democratizes the remediation workflows. You have to adjust and accommodate the process of how these applications are being adopted and configured, and misconfigured, and close with the proper processes that allow you to contextualize what the business is trying to achieve, because usually what the business is trying to achieve is legitimate, but you want to find this; you want to reduce the risk surface and to apply zero trust as much as you can, and make sure that whatever is not necessary is not there, and whatever is necessary you are at least aware of and it goes through the proper processes. And it doesn't have to be inline. In many cases it could be out of band or retrospectively, after the fact; it doesn't have to be blocking, it can be much more of an enabler. And I think that it allows you to avoid doing any kind of drastic measures of saying, you can't do this, I won't accept it, and now you need to do more of the allowing and enabling for the business. I think a lot of these types of engagements really drove us also to solve more use cases using how we solved that problem, not just the problem that we saw, and kind of allowed the team to expand now to focus on additional risk surfaces, whether it's data protection or external data being shared, whether it's through native controls like OneDrive and Google Drive and everything else, or through, you know, email forwarding rules, or whether it's through identity platforms and whether or not users are properly offboarded or not offboarded. 
I think even in the enablement process, to get some of your business owners and administrators within the business units to be excited about the platform, because it helps them solve problems, because they eventually want to secure their platform. They own it. They own the rest of them in many cases. And they want to make sure that it's as secure as possible, so you need to allow them to have the right platform to get the proper visibility, like you mentioned, and action items and remediation workflows across the board. And I know you're really an industry veteran, and you've seen a lot of different approaches to securing SaaS applications, and there are different layers; it's eventually defense in depth, you have different layers of approaches that are implemented to ensure proper security. What do you think of the Valence approach, and how is it different compared to more of the traditional security vendors, like CASB vendors, or the up-and-coming SSPM vendors, or the general different approaches that we've seen so far within the industry?

Doug Graham  

Yeah, I think the difference is, like I said, where your points of control are. Certainly looking at your network as a point of control is a lost cause, right. You know, everybody's involved people for a number of years now. And so the concept of building the control points over the network, of course, it's still there from defense in depth, but that's very difficult as well. And I think the concept of one-size-fits-all control centralization, right? You can use this app, you can use that app, I'm trying to configure that around a policy: it works for some companies, I think, for companies that have a limited number of apps and, you know, very tight use cases, or that don't have the broad need for external collaboration. I don't know how many of these companies are left now that don't drive the need for external collaboration. Some of these approaches can work, but I think in reality our users in general, we found, want to do the right thing. Our users in general don't want to be insecure. They don't want to be the people that cause a data breach or cause an issue downstream in the company. But they don't often understand what that means. They don't understand the implications of taking a lot of these risks on for themselves. And there was a concept that I think is still valid, this thing called the "I can justify it" security policy violation, where somebody violates security policy, but they do it for all the right reasons. You know, the classic example, which is slightly off from these use cases: they need to get a PowerPoint to a customer and email won't work, for example, so they take the PowerPoint, put it on a USB drive and violate policy there, but it gets delivered to the customer, and they were doing it for the right reasons as well. And I think a good, sensible governance program, though, is very user-specific. 
And I think about good governance and effective governance almost being the kind of angel on the shoulder of the users, so to speak, that is there as soon as possible when they make the configuration, because again, let's recognize that you're going to have to allow them to make some integration configurations for themselves in the modern environment, and why should you just shut everything down? The closer to that point of decision you can get, where, you know, the angel shows up: are you sure you want to do that? Is that really what you want to do? Did you realize that by creating that integration, you have exposed, you know, this piece of data or this configuration, or you've allowed this application to read your email or access all of your OneDrive and things like that? Is that really what you want to do? I think in many cases the user will take a pause and perhaps, as we found, they're gonna say no. And if they're still being blasé about it, if it's followed up by, well, okay, let me do it, but we're going to inform the security team that you've made that decision and somebody's going to follow up with you, or you ask them for business justification, then I think it starts to drive better behaviors in the organization, and behaviors start to lead to a culture of security; behavior drives culture. So I think in a lot of cases this is the difference in the approach: it's kind of getting closer to influencing the behavior of the user. Whereas I think a lot of the other approaches were more, we've got to presume what the user is going to be allowed to do before it actually happens and pre-configure a set of rules and a set of apps and things like that. And we're not able to be nearly as reactive as we are with a tool called Valence. So you know, I guess it's kind of like painting with a fine brush versus painting with a broad brush. 
We've got the ability to get much more control, and again, I think every time we encourage users to make a good, solid decision and guide them through that, there's been a bit of a learning experience and process that comes with that as well. And that's one aspect I really like.

Yoni Shohet  

Amazing. So moving from kind of the central governance to self-governance with the proper guardrails to make sure you guide them in the right direction: if they go too much to the right or to the left, you can make sure that you help them see the right path and encourage them to make the right configuration or decision within the platform that they own eventually. So, again, this was great. Any kind of final words, kind of future thought about the trends that we see in terms of SaaS security, moving into 2023 and the next 12 months, or challenges that you see as evolving, or tips to our audience or to your fellow security community?

Doug Graham  

Yeah, okay. I think we're gonna see a further magnification of this trend, right, where more and more control of the apps, and subsequently the control of the data, is being pushed out into the business and ultimately to the users of the business. You know, I think if you refer to IT now in your company as "the department", you're probably getting it wrong, right? Because the simple fact is, IT is practiced as much by the business as it is by the IT department. And you know, many companies have good marketing technology departments that are dealing with it, or sales ops teams or, you know, DevOps teams and various different, you know, constituents that are dealing with what was traditionally IT in the organization. And then even further along, as I said, it's getting to the users; over the years I was unable to do that. I think that trend is going to continue. And I think we've got to start really thinking about how we govern and encourage the right behaviors in that type of environment. And that means I think we need a different type of platform and a different type of approach. And I think the more that we can be leaning forward into that environment... and I think you said it very well, right, you know, users with guidance and guardrails is the key forward, and I think that's just going to become even more important as SaaS apps continue to diversify our IT infrastructure, our IT applications, beyond the control of the corporation.

Yoni Shohet  

Amazing. And again, thank you very much, Doug. This was a pleasure, and of course we're looking forward to our continued partnership.

Doug Graham  

Absolutely.

Yoni Shohet

Thank you. Thanks, everybody.