6 Ways to Simplify SaaS Identity Governance

11 March 2024

With SaaS applications now making up the vast majority of technology used by employees in most organizations, tasks related to identity governance need to happen across a myriad of individual SaaS apps. This presents a huge challenge for centralized IT teams who are ultimately held responsible for managing and securing app access, but can't possibly become experts in the nuances of the native security settings and access controls for hundreds (or thousands) of apps. And, even if they could, the sheer volume of tasks would easily bury them.

Modern IT teams need a way to orchestrate SaaS identity governance by engaging the application owners in the business who are most familiar with how each tool is used, and who needs what type of access.

1. Discover all SaaS apps used by anyone in the org

As the old saying goes, you can't secure what you can't see, so the first step in SaaS identity governance is to get a full inventory of what technology is actually being used, and by whom.

The solution needs to discover and categorize every SaaS app ever introduced by anyone in the organization and provide a vendor security profile for each app, giving IT and security teams the context they need to vet new SaaS providers. After reviewing an app, they can assign a status like "Approved," "Acceptable," or "Unacceptable" to indicate whether usage should be permitted. For any app deemed "Unacceptable", automated nudges can be triggered when new accounts appear, redirecting the user to a similar, approved app or asking for context on why they need that particular app.

2. Share a directory of approved apps with employees

In an ideal world, IT teams want to empower employees to adopt technologies that will both enhance productivity and keep the business secure and compliant. Unfortunately, employees often have no way of knowing which tools fit the business's requirements as well as their own. 

The solution needs to make it easy to create and share an app directory with employees, so everyone in the org can view a comprehensive list of approved applications that meet appropriate security and compliance standards. Employees can browse the list by category and submit access requests that are routed directly to each application's technical owner, whether or not that person sits within central IT. This removes the need for IT to be the "event forwarder" between users and app owners, while still retaining visibility and centralized governance.

3. Keep app owners up to date

Ever feel like you're on the world's worst scavenger hunt when tracking down the right people in your organization to get context on a SaaS application or user account? You're not alone. This knowledge is often siloed and changes frequently. The solution can use various methods to infer the likely "technical contact" (such as the first user) for every SaaS application discovered in your environment, and lets you automate periodic nudges to confirm app ownership.

Building on this technical contact discovery process, the solution should automate emails or Slack messages to the assumed technical contacts with a simple nudge asking them either to confirm that they are the correct technical contact or to update the information. No more strings of emails and Slack threads to figure it out. With Nudge Security, you can automate keeping this information up to date as administrative responsibilities change.

4. Automate user access reviews

For companies subject to any of a number of compliance standards like SOC 2, HIPAA, PCI DSS, and others, it is typically required to do periodic user access reviews of in-scope systems to ensure that only those who need access actually have access. And, for anyone who's had the pleasure of conducting user access reviews, you know it usually involves an assortment of spreadsheets with inconsistent and incomplete information and a lot of manual effort to track down who's using what.

Instead of this spreadsheet puzzle, the solution can automate the process. First, you group your in-scope assets together and automatically ask the app users to verify whether they still need access. Then, the solution collects the responses for you and routes the consolidated list of accounts to be removed to the app owners. Finally, it collects responses from the app owners confirming they've completed the removals and documents all the actions taken in a PDF report you can share with auditors.

5. Identify and clean up unused accounts

Meeting compliance requirements is one good reason to regularly review who needs access to what, but cost savings is another. Gartner's research shows that 25% of SaaS is underutilized or over-deployed. No matter what the size of your organization, that can add up quickly.

Nudge Security monitors cloud and SaaS account status across your entire organization, so you can easily find and prune inactive and abandoned SaaS accounts. And, you'll have up-to-date information at your fingertips in some very good-looking charts, so you can monitor SaaS account statuses right next to SaaS adoption trends.

While you can always discover unused accounts one app at a time from each application's overview page, the solution's playbook for removing unused accounts lets you audit multiple applications at once, so you can reduce SaaS sprawl at scale.

6. Ensure complete offboarding

Here's a dirty little secret: most employees have signed up for apps outside the purview of IT, or even their department managers. With Nudge Security, you can see every account ever signed up for by anyone using an email associated with your organization. This includes domain registrations, social media accounts, developer accounts, and other assets that are often overlooked. You can also see if those apps are connected to other apps via OAuth grants, so you can minimize the chance of something breaking when an employee leaves the organization.

And, better yet, you can automate key steps of IT offboarding like suspending accounts, resetting passwords, revoking OAuth grants and more. And you'll start with a full inventory of every account ever created for the departing employee so you can ensure all access is revoked.
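To make the workflows in steps 3 through 6 concrete, here is an added example (not code from the original post, and not Nudge Security's own API) that models a SaaS account inventory and implements the pieces described above: the "first user" technical-contact heuristic, dormant-account detection, the two-pass user access review with routing to app owners, and an offboarding plan that includes OAuth grants and apps signed up for outside IT. The inventory, owner list, audit scope and e-mail addresses are all constructed for illustration.

```python
"""Added example: a small SaaS identity-governance model for steps 3-6 above.
All data below is constructed; the functions are illustrative, not a vendor API."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class Account:
    app: str
    user: str                        # e-mail address on the account
    first_seen: date                 # when the account was first discovered
    last_login: Optional[date]       # None = never seen active
    oauth_grants: Tuple[str, ...] = ()   # third-party apps this account authorised via OAuth


# Constructed inventory (not real data). Notion was signed up for outside IT's purview.
ACCOUNTS = (
    Account("GitHub", "alice@example.com", date(2022, 5, 1), date(2024, 3, 1), ("Slack",)),
    Account("GitHub", "bob@example.com", date(2023, 1, 9), date(2023, 11, 20)),
    Account("Salesforce", "alice@example.com", date(2022, 6, 3), date(2024, 2, 28)),
    Account("Salesforce", "carol@example.com", date(2023, 9, 14), None),
    Account("Figma", "bob@example.com", date(2023, 2, 2), date(2024, 3, 5), ("Google Workspace",)),
    Account("Notion", "bob@example.com", date(2023, 8, 8), date(2024, 1, 2)),
)
# Owners confirmed via the step-3 nudge; Notion has no confirmed owner (assumed).
CONFIRMED_OWNERS = {
    "GitHub": "eng-lead@example.com",
    "Salesforce": "sales-ops@example.com",
    "Figma": "design-lead@example.com",
}
IN_SCOPE = frozenset({"GitHub", "Salesforce"})   # assumed audit scope, e.g. SOC 2


def technical_contact(app, accounts=ACCOUNTS):
    """Step 3: confirmed owner if known, otherwise the 'first user' heuristic."""
    if app in CONFIRMED_OWNERS:
        return CONFIRMED_OWNERS[app]
    users = [a for a in accounts if a.app == app]
    return min(users, key=lambda a: a.first_seen).user if users else None


def dormant_accounts(today, max_idle_days=90, accounts=ACCOUNTS):
    """Step 5: accounts never used, or idle longer than the threshold."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted((a.app, a.user) for a in accounts
                  if a.last_login is None or a.last_login < cutoff)


def access_review_requests(in_scope=IN_SCOPE, accounts=ACCOUNTS):
    """Step 4, first pass: one attestation request per user listing their in-scope apps."""
    per_user = defaultdict(list)
    for a in accounts:
        if a.app in in_scope:
            per_user[a.user].append(a.app)
    return {user: sorted(apps) for user, apps in per_user.items()}


def removals_by_owner(responses, in_scope=IN_SCOPE, accounts=ACCOUNTS):
    """Step 4, second pass: route accounts to be removed to each app's contact.
    `responses` maps (app, user) -> True if the user says they still need access.
    A missing response is treated as 'remove', so silence fails closed."""
    routed = defaultdict(list)
    for a in accounts:
        if a.app in in_scope and not responses.get((a.app, a.user), False):
            routed[technical_contact(a.app, accounts)].append((a.app, a.user))
    return {owner: sorted(items) for owner, items in routed.items()}


def offboarding_plan(departing_user, accounts=ACCOUNTS):
    """Step 6: every account ever created for the user, the OAuth grants to revoke,
    and apps whose only known contact is the departing user (ownership must move)."""
    mine = [a for a in accounts if a.user == departing_user]
    return {
        "suspend": sorted(a.app for a in mine),
        "revoke_oauth": sorted((a.app, grant) for a in mine for grant in a.oauth_grants),
        "reassign_owner": sorted(a.app for a in mine
                                 if technical_contact(a.app, accounts) == departing_user),
    }


if __name__ == "__main__":
    print(dormant_accounts(date(2024, 3, 11)))
    print(removals_by_owner({("GitHub", "alice@example.com"): True,
                             ("Salesforce", "alice@example.com"): True,
                             ("GitHub", "bob@example.com"): False}))
    print(offboarding_plan("bob@example.com"))
```

Two design choices matter here. In `removals_by_owner`, a user who never answers the attestation is queued for removal rather than silently retained, which is the behaviour an auditor expects from an access review. In `offboarding_plan`, the Notion account surfaces even though IT never approved it, and because the departing user is also its inferred technical contact, the plan flags that ownership has to be reassigned before the account is suspended.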
