Compliance Archives - BetterCloud
Fri, 18 Aug 2023 17:06:21 +0000

How BARK Saved Over 2,000 Hours of Manual IT Work With BetterCloud
https://www.bettercloud.com/monitor/bark-case-study/
Mon, 12 Jun 2023 13:52:49 +0000

Last month, Elliot Grossman, Director of IT at BARK, joined us to share his SaaS automation story. He has used BetterCloud at three companies over the last eight years. When he started at BARK, he was a one-person IT team buried in manual tasks related to onboarding, offboarding, and mid-lifecycle changes, which kept him from his goal of elevating IT to a strategic business partner within the organization.

Gaining Executive Buy-In

To gain executive buy-in for bringing BetterCloud into BARK, Grossman calculated how long it took to onboard or offboard an employee manually, measured at the moment each task actually needed to be done. Completing all of these tasks by hand would have required an additional full-time employee on his team. The calculation proved accurate: BARK saved 2,747 hours of IT time by using BetterCloud workflows to automate manual tasks.

“If you’re going to hire more people, it’s going to be a strain on your budget. BetterCloud can make life easy for everybody.”

Elliot explained how streamlining manual tasks with BetterCloud didn’t just satisfy IT’s needs. The executive team was pleased with the financial savings, and the compliance team was relieved to have confirmation that users were being deprovisioned appropriately by an automated system that avoids human error. Finally, the IT team was building capacity without adding headcount, and getting time back to work on strategic projects and build knowledge in new areas.

Focusing on Security

Beyond automating manual IT tasks, BARK’s IT organization was focused on security compliance and on combating shadow IT within the company. During the webinar, Grossman explained that shadow IT occurs when a department invests in an application and manages it themselves, without the approval or knowledge of IT.

As a public company with compliance top of mind, the IT team needs to ensure these applications are offboarded as well. However, IT often doesn’t have admin rights to these apps. With BetterCloud’s offboarding workflow, IT can automatically send an email to the app’s admin stating that an employee has been terminated and requesting confirmation that access has been revoked. “We have passed compliance every single time on applications we don’t even have our hands in,” said Grossman.

Up-Leveling IT with Expanded Capacity

As an IT leader, Grossman takes on great responsibility for his team, ensuring they are building skills to advance in their careers. So what did he have them do with all of the time saved? Gain knowledge in other areas of interest, participate in training, earn certifications, and become proficient through broader IT experience.

“I want my team to succeed. Denying the opportunity for professional development hurts career growth and makes employees less valuable in the long-term,” Grossman said.

On a personal level, Grossman takes pride in making sure automations are compliant so that they pass audits, saving his team time, saving the company money, removing the need to hire additional headcount, and retaining the existing talent on his team of three by making sure they enjoy their work.

“Right now BARK has over 800 employees. I’ve seen the company grow from 300 all the way up. Being able to keep the amazing people on my team around as we scale is key for me,” said Grossman.

Watch the webinar recording here to learn more about the BARK IT automation story.

Ready to learn more about BetterCloud? Request a demo with a BetterCloud product expert today.

Set It and Forget It: Using BetterCloud Workflows to Automate Your SaaS Security
https://www.bettercloud.com/monitor/automate-your-saas-security/
Wed, 22 Dec 2021 13:00:00 +0000

The average workplace now relies on over 100 SaaS apps to keep its employees productive. For every benefit these apps provide, they introduce just as much security risk. As employees communicate, collaborate, and create, they leave sensitive, business-critical company data in nearly every app they touch.

“As a security practitioner, one of the most difficult things about the migration to SaaS has been understanding what data I have, where they are, and who has access to it.”

Matt Svensson, Senior Security Engineer at BetterCloud

Perform One-Time Audits to Uncover and Remediate Existing Threats

By aggregating all of a company’s cloud storage files into a single view, BetterCloud gives IT teams much-needed visibility into where all of their data lives. Once a company’s files are aggregated, IT admins can use BetterCloud to perform one-time security audits to see how files are being shared and whether they contain sensitive data.

One-time audits are also useful when two companies’ IT environments are merged. With BetterCloud, IT admins can quickly uncover threats in the incoming company’s files.

During these initial audits, many BetterCloud customers find employees who share their work files with their personal accounts in order to work on personal devices. One company discovered a shared document filled with credit card information that was being used to send payment information to outside vendors.

In these instances, IT can use BetterCloud to remediate issues quickly by taking bulk actions, such as unsharing files and notifying file owners. If needed, you can transfer ownership of the file to IT or a manager, or even permanently delete the file.

“Your users can put any data they want into these SaaS file storage applications and name it whatever they want. You can’t just look for ‘creditcards.txt’ to find all your credit cards. You have to look across all the files, inside each file, to see what is actually there. And you have to do this on an ongoing basis as the files change.”

Svensson

Use Workflows and Alerts to Automate Real-Time Data Protection

Once this “first pass” of security audits is complete, the next step is to set up BetterCloud to alert you and take action automatically whenever a policy is violated. For example, if an employee shares a file containing sensitive data publicly, BetterCloud can automatically unshare the file, and then notify IT and the file owner, protecting your company from a potential data leak.

During Altitude 2021, two BetterCloud experts hosted a 30-minute session that walks through best practices for automating file security and shows how to use BetterCloud to:

  • use the Files Grid to see how cloud file storage documents have been shared,
  • scan the contents of all these documents for sensitive company data,
  • create new alerts from existing templates to notify you in real time when policies have been violated,
  • and then create workflows from these alerts to automatically take action so that your company’s files stay in compliance with your security policy.
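The audit-then-automate approach described above, as an added example in Python (not BetterCloud's code): it inspects file contents rather than file names, applies data identifiers (a Luhn-validated card-number pattern and a US SSN pattern, with room for custom ones), and for each file decides what the remediation workflow should do based on how the file is shared. The files, their sharing state and the action names are constructed for illustration.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 13-19 digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Data identifiers: name -> (regex, optional validator run on the raw match).
# Custom identifiers (e.g. an internal record-ID format) are added the same way.
IDENTIFIERS = {
    "credit_card": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
                    lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    "us_ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
}

class SharedFile:
    def __init__(self, name, owner, content, sharing):
        self.name, self.owner, self.content = name, owner, content
        self.sharing = sharing  # "private" | "internal" | "external" | "public"

def scan_content(text: str) -> dict:
    """Count validated matches per identifier; the file name is deliberately ignored."""
    hits = {}
    for ident, (pattern, validate) in IDENTIFIERS.items():
        n = sum(1 for m in pattern.finditer(text) if validate is None or validate(m.group()))
        if n:
            hits[ident] = n
    return hits

def decide_actions(f: SharedFile, hits: dict) -> list:
    """Policy: sensitive data shared outside the company is unshared and reported to
    owner and IT; sensitive data shared only internally gets the owner a warning."""
    if not hits:
        return []
    if f.sharing in ("public", "external"):
        return ["unshare", "notify_owner", "notify_it"]
    if f.sharing == "internal":
        return ["notify_owner"]
    return []

def run_audit(files) -> dict:
    """One pass over every file: returns file name -> actions the workflow should take."""
    return {f.name: decide_actions(f, scan_content(f.content)) for f in files}

# Constructed sample files. The card number is the well-known Visa test number;
# the order number in q3-orders has 16 digits but fails Luhn, so it is not a hit.
SAMPLE_FILES = [
    SharedFile("vendor-payments", "ap@example.com",
               "Pay vendor with card 4111 1111 1111 1111 exp 09/27", "public"),
    SharedFile("q3-orders", "sales@example.com",
               "order 1234 5678 9012 3456 shipped", "external"),
    SharedFile("hr-notes", "hr@example.com", "new hire SSN 123-45-6789", "internal"),
    SharedFile("lunch-menu", "office@example.com", "Pizza on Friday", "public"),
]

if __name__ == "__main__":
    for name, actions in run_audit(SAMPLE_FILES).items():
        print(f"{name}: {actions or 'no action'}")
```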

Altitude 2021 was filled to the brim with in-depth sessions just like this one, on topics ranging from custom integrations to kicking off automated workflows outside of IT. You can browse additional workshops and keynote videos in our Altitude 2021 resource library.

Achieving Compliance with IGA and SMP Tools
https://www.bettercloud.com/monitor/compliance-with-iga-and-smp-tools/
Tue, 04 May 2021 18:30:45 +0000

Compliance requires a successful audit that proves an enterprise complies with its security policy. In this mission, many enterprises use two important technologies: identity governance and administration (IGA) and SaaS management platforms (SMPs). Here, we discuss how IGA and SMP tools help with compliance and audits.

But first, let’s make sure that we’re all on the same page.

What are audits, IGAs, and SMPs?

Let’s begin by explaining what happens in an audit, which itself starts with your security policy. Among other things, that security policy needs to cover identity management, approval processes, and data protection.

Audits are a part of compliance, regardless of the exact laws or standards an enterprise follows.

This compliance tree can help you navigate which laws, regulations, and standards might be applicable to you.

A compliance audit means the auditor follows three fundamental steps to understand:

  1. What do you say you do for effective security and privacy compliance (e.g., the documented data privacy and security policies and processes)?
  2. Does what you say satisfy requirements of relevant laws, regulations, or standards?
  3. Do you do what you say? 

Audit trails show whether an enterprise satisfies requirements of laws, regulations, or standards.

IGA and SMP functions are key to the audit trail

IGA, sometimes called identity management and governance (IGM), is an automation platform for provisioning, deprovisioning, and managing user accounts, roles, and access rights. IGA platforms work across both cloud and on-prem infrastructure and provide visibility into password management, access certifications, and access approvals for both on-prem and SaaS apps.

They facilitate compliance because they provide:

  • Identity-related risk insight
  • Improved security
  • Ability to meet audit requirements

Used mostly by large or highly regulated organizations, IGAs are an established technology deployed on-prem or as a service in the cloud.

Meanwhile, an SMP is a comparatively new IT automation platform that enterprises are now quickly adopting.

In enterprise IT, an SMP provides a central place to automatically discover SaaS apps in use throughout the organization, as well as manage and secure users, apps, data, files, folders, and user interactions within SaaS apps.

SMPs are used for many reasons, and among them are:

  • Spend reporting
  • Spend optimization
  • Least privilege access enforcement
  • SaaS app management
  • File security and compliance
  • File sharing and data exposure alerts
  • User lifecycle management (on/offboarding and mid-lifecycle changes)

To accomplish all of these tasks, an SMP has to be the ultimate team player among technologies.

To operate, they must integrate with several other systems. These could be: a cloud access security broker (CASB), IT service management tool (ITSM), or a human resources information system (HRIS). They’ll also integrate with identity providers like OneLogin as well as endpoint management tools like Jamf. From there, they obviously integrate with a range of cloud productivity apps, like Google Workspace and Microsoft 365, as well as point apps like Asana, Jira, and countless others.

Achieving compliance with IGA and SMP tools

Now that you know each tool performs different functions for enterprise IT, let’s take some time to detail how IT teams achieve compliance with IGA and SMP tools.

Improving compliance with IGAs

App approvals are obviously part of user onboarding—and to a lesser degree, mid-lifecycle changes. And compliance generally requires that organizations verify and closely track requests for app approvals.

From start to finish, IGAs automate the entire app approval process. This includes:

  • Submission of app requests
  • Logging of all app requests
  • Logging of the entire process to the ultimate app approval
  • Audit reports showing compliance with documented process for auditors

An IGA then usually integrates with another identity management tool, the identity as a service (IDaaS) platform. Once a user’s app access is approved, the IDaaS then creates the user, associates necessary SaaS app licenses, and adds the user to the appropriate groups.

While it is possible to use an IGA to automate an entire onboarding process, its out-of-the-box catalog contains fewer actions than an SMP’s for IT teams to build workflows from. To automate more of the process, significant custom programming is generally necessary.

This, of course, hampers the flexibility and agility that IT teams need to manage user lifecycle automations. Quite simply, changing custom programs is difficult, whereas no-code SMP platforms are purpose-built for flexible user lifecycle management (ULM) automation. An SMP like BetterCloud can also work together with an IGA to handle much of what an IDaaS is typically used for, including account creation and adding users to groups. This functionality is especially critical for organizations looking to transition to a zero-touch IT model.

For these reasons, most organizations tend to use an IGA for its strength—the app approval process—and leave the rest to other tools.

Using an SMP to improve compliance

An SMP has some important functions that help compliance. Specifically, it helps with:

  • Automating user lifecycle management according to security policy
  • Managing files in your SaaS environment to enforce data sharing policies
  • Content scanning to prevent data loss
  • Proving actions occurred according to built-in audit logs

Let’s go through how each one helps.

Manage the user lifecycle to remain secure and compliant

While IGAs have a greater role in onboarding than in offboarding, an SMP plays a role in automating user onboarding, mid-lifecycle changes, and offboarding.

Because each SaaS app has its own way of doing things, SMPs perform a deeper and broader range of app configuration actions within each SaaS app for onboarding.

So while an SMP onboards in a handful of workflows, complete and secure offboarding can take dozens, and in some cases, hundreds of different workflows—each with its own actions.

This includes actions like transferring files—wherever they may be within a SaaS app throughout your SaaS environment—to a manager. It also includes actions like revoking app licenses, starting the compliance-related waiting period for file deletion, and then returning licenses to inventories.

Prove compliance with embedded file security best practices

An SMP allows you to manage, secure, and view all the files and folder contents across your domain’s connected apps, audit details about particular items, filter and search files, and take actions against items you select. An IGA has nothing to do with these actions, so an IGA cannot provide this sort of compliance.

An SMP aids manageability and security by monitoring for:

  • Sensitive files being publicly or externally shared
  • Sensitive folder paths, like accounting or finance, being publicly or externally shared
  • Email forwarding to a personal email account (e.g., Gmail, Yahoo)
  • Specific file types being publicly or externally shared (e.g., spreadsheets and PDFs are more likely to contain sensitive information)
  • Users who should no longer have access to specific files, folders, calendars, etc. (e.g., consultants, interns, employees who’ve switched teams)
  • Users who should no longer belong to specific groups/distribution lists (e.g., contractors, employees who’ve switched teams)
  • External domains to which files are shared
  • External people with whom files are shared

Boost security and compliance with an SMP’s content scanning

Content scanning in an SMP allows enterprises to secure the data within SaaS apps, as well as pinpoint suspicious activity without impeding employees’ productivity.

IT defines what the enterprise considers sensitive data within apps. And because the data lives within SaaS apps, the SMP enforces granular policies that cover users, apps, files, folders, and the ways sharing occurs. For example, should data be shared externally, publicly, domain-wide, internally, or only within departments or groups?

SMPs also allow enterprise IT to run audits that scan the content of the entire environment, or of selected files, to find the most common kinds of sensitive content, such as Social Security, credit card, or passport numbers. They even let enterprises set up alerts to notify the appropriate teams when files with sensitive data are overshared.

IT also defines the actions the SMP should take in the event of a violation, choosing the most appropriate action from a wide range of context-aware actions.

The best SMPs also make the process easy: they provide pre-set data identifiers for common sensitive data types across different countries, and they let enterprises create custom regular expressions.

Make audits easier and more affordable using SMP audit logs

Many laws, regulations, and standards require that organizations prove that they comply with them. In particular, they generally require timeline tracking to log system changes. Of course, this includes when changes were made and who made them.

So audit logs and reporting within SaaS apps are a necessity. IGA logs alone are simply not enough for compliance.

SMP audit logs, by contrast, show a complete picture of everything that happens across all SaaS apps in a domain.

An SMP thus gives complete visibility into:

  • Exact action or event
  • Date and time action or event happened
  • User or entity that took an action
  • Integrations and third-party app data
  • Status of the action or event

While audit logs help IT teams discover, manage, and secure the SaaS environment, they also verify adherence to compliance policies. Because these logs are a byproduct of normal operations, an SMP simplifies compliance.
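An added example (not BetterCloud's code) of turning audit-log records with the five fields listed above into the "do you do what you say" check an auditor performs: given constructed HRIS termination times and a constructed SMP audit log, it verifies that every required offboarding action for each terminated user was logged with a success status within the policy deadline, and reports the gaps. The action names, integrations and deadline are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuditEvent:
    action: str          # exact action or event
    timestamp: datetime  # date and time the action or event happened
    actor: str           # user or entity that took the action
    integration: str     # integration / third-party app the action ran against
    status: str          # status of the action: "success" or "failed"
    target: str          # subject of the action, here the offboarded user

# Offboarding policy (constructed): every action must succeed within the deadline.
REQUIRED_ACTIONS = ("suspend_account", "revoke_app_licenses",
                    "transfer_files", "remove_from_groups")
DEADLINE = timedelta(hours=24)

def verify_offboarding(terminations: dict, log: list) -> dict:
    """Return, per terminated user, the gaps an auditor would flag (empty dict = clean)."""
    gaps = {}
    for user, term_time in terminations.items():
        first_success = {}   # action -> earliest successful timestamp
        last_failure = {}    # action -> most recent failed event
        for ev in log:
            if ev.target != user or ev.action not in REQUIRED_ACTIONS:
                continue
            if ev.status == "success":
                if ev.action not in first_success or ev.timestamp < first_success[ev.action]:
                    first_success[ev.action] = ev.timestamp
            else:
                last_failure[ev.action] = ev
        issues = []
        for action in REQUIRED_ACTIONS:
            if action in first_success:
                delay = first_success[action] - term_time
                if delay > DEADLINE:
                    issues.append(f"{action}: completed {delay} after termination, over the {DEADLINE} deadline")
            elif action in last_failure:
                ev = last_failure[action]
                issues.append(f"{action}: last attempt via {ev.integration} failed at {ev.timestamp:%Y-%m-%d %H:%M}")
            else:
                issues.append(f"{action}: no audit record at all")
        if issues:
            gaps[user] = issues
    return gaps

# Constructed sample data: HRIS termination times and the SMP audit log.
T0 = datetime(2023, 6, 1, 9, 0)
TERMINATIONS = {"alice@example.com": T0, "bob@example.com": T0}
AUDIT_LOG = [
    # alice: the workflow completed every step five minutes after termination
    AuditEvent(a, T0 + timedelta(minutes=5), "workflow:offboarding", "Google Workspace", "success", "alice@example.com")
    for a in REQUIRED_ACTIONS
] + [
    # bob: one step failed, one ran late by hand, one never happened
    AuditEvent("suspend_account", T0 + timedelta(minutes=10), "workflow:offboarding", "Google Workspace", "success", "bob@example.com"),
    AuditEvent("revoke_app_licenses", T0 + timedelta(minutes=12), "workflow:offboarding", "Zoom", "failed", "bob@example.com"),
    AuditEvent("transfer_files", T0 + timedelta(days=2), "it-admin@example.com", "Google Workspace", "success", "bob@example.com"),
]

if __name__ == "__main__":
    for user, issues in verify_offboarding(TERMINATIONS, AUDIT_LOG).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```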

Build confidence in your compliance with IGA and SMP tools

In sum, these two tools are both essential in the large, modern digital enterprise. However, each tool plays a very different role.

Compliance with IGAs is more about automating identity management and tracking the app access approval process. Since SMPs discover, manage, and secure SaaS within each app across the SaaS environment, this platform is valuable for compliance across a broader set of actions occurring in the whole domain. In addition, SMPs show activity within SaaS apps.

Using both an IGA and SMP together is the best way for large enterprises to confidently achieve security and compliance.

For more information on compliance in a SaaS-powered workplace, check out our 4-part blog series:

If you want to learn how SMPs help make compliance easier and faster, schedule some time with our team.

The Importance of Limiting the Risk of Unauthorized SaaS Applications
https://www.bettercloud.com/monitor/the-importance-of-limiting-the-risk-of-unauthorized-saas-applications/
Fri, 13 Nov 2020 19:30:06 +0000

Our recent 2020 State of SaaSOps survey found that organizations use an average of 80 SaaS applications, a 10x increase since 2015. We’ve also found that enterprise organizations generally have twice as many SaaS apps. It’s clear that shadow IT and SaaS sprawl are bigger than any IT administrator is currently aware of.

That’s why it’s critical to look at hidden risks of unauthorized SaaS apps, and how to limit risk to remain in compliance with security policies. Here’s how you can get started.

Opportunities and hidden risks of SaaS sprawl

SaaS transformed and continues to revolutionize how we work. By providing employees in organizations of all sizes and across all business functions with the latest technology, SaaS is now integral to an agile and productive workplace. And it’s easy for any employee to spin up a new account without regard to risk.

Meanwhile, it’s just as easy for them to speed past the initial permission prompts that give an app access to user information and data, and let it sign in on behalf of the user within other cloud apps. Most people quickly click the “agree” button and don’t give it a second thought.

Nearly all of us are guilty of this: We simply grant permissions to the app without taking the time to understand the risks and the implications of that agreement.

Obviously, using unauthorized SaaS apps means trouble from a security and compliance perspective. Users are generally unaware of the security risks that lurk in SaaS apps.

For example, if you aren’t monitoring the app permissions your users grant, how is that app’s data stored? Is it stored unencrypted? Is it encrypted while in transit?

Beyond unencrypted data, there are other hidden risks of SaaS.

For example, you have no idea what that unauthorized SaaS app integrates with in your domain. You don’t know its permissions to read or write data. You can’t control data loss, either. Nor can you prevent leakage of potentially sensitive information.

In addition, data stored in an unauthorized SaaS app isn’t part of company backup processes, so it can get lost. Finally, if your business needs to be compliant with any laws or regulations, you can’t prove compliance if you don’t know where your data is located.

Five steps to limiting the risks of unauthorized SaaS

Managing and limiting the risks of unauthorized SaaS applications is a tall order. But here are a few steps that you can (and should) take immediately.

  1. Take inventory of your SaaS apps. After all, you can’t manage what you can’t see.
  2. Audit permissions that employees granted to unauthorized SaaS user accounts. Remember that the more users you have, the more apps you have. So chances are good there are some murky app permissions in your environment.
  3. Compare permissions to your established data governance, which defines who within an organization has authority and control over data assets and how those data assets may be used. Data governance encompasses the people, processes, and technologies required to manage and protect data assets.
  4. Monitor app usage to eliminate and prevent duplicate unauthorized SaaS accounts and overlapping app functionality. Work with business functions to standardize on corporate-approved SaaS apps. This reduces the need for employees to use unauthorized apps in the first place.
  5. Build awareness around app security. Regularly train employees on the importance of understanding app permissions and of following your established data governance and security policies.
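Steps 1 to 4 above in script form, as an added example that is not BetterCloud's code: a constructed inventory of third-party OAuth grants (user, app, business category, granted scopes) is compared against a constructed governance policy (one sanctioned app per category, plus scopes that grant broad access to company data), reporting unsanctioned apps, high-risk scopes those apps hold, and categories where several apps overlap. The scope strings are Google's published OAuth scope identifiers; the apps "KanbanKit" and "NoteSync" and the policy itself are invented.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    category: str      # business function the app serves
    scopes: frozenset  # OAuth scopes the user granted the app

# Governance policy (constructed): the corporate-approved app per category, and
# scopes that give broad read/write access to company data. Matching is exact:
# ".../auth/drive" (every file) is high-risk, ".../auth/drive.file" (only files
# the user opens with the app) is not.
SANCTIONED_APPS = {"project_mgmt": "Asana", "video": "Zoom"}
HIGH_RISK_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/admin.directory.user",
})

def inventory(grants) -> dict:
    """Step 1: which apps are in use, and by whom."""
    apps = defaultdict(set)
    for g in grants:
        apps[g.app].add(g.user)
    return dict(apps)

def unsanctioned_apps(grants) -> set:
    """Step 2: apps in use that the governance policy does not approve."""
    return {g.app for g in grants if g.app not in set(SANCTIONED_APPS.values())}

def risky_grants(grants) -> list:
    """Step 3: high-risk scopes held by apps outside the policy, as (user, app, scope)."""
    approved = set(SANCTIONED_APPS.values())
    return sorted((g.user, g.app, s) for g in grants
                  if g.app not in approved for s in g.scopes & HIGH_RISK_SCOPES)

def duplicate_categories(grants) -> dict:
    """Step 4: categories where more than one app is doing the same job."""
    by_cat = defaultdict(set)
    for g in grants:
        by_cat[g.category].add(g.app)
    return {c: apps for c, apps in by_cat.items() if len(apps) > 1}

# Constructed grants for illustration.
GRANTS = [
    Grant("alice@example.com", "Asana", "project_mgmt",
          frozenset({"https://www.googleapis.com/auth/drive.file",
                     "https://www.googleapis.com/auth/userinfo.email"})),
    Grant("bob@example.com", "KanbanKit", "project_mgmt",
          frozenset({"https://www.googleapis.com/auth/userinfo.email"})),
    Grant("bob@example.com", "NoteSync", "notes",
          frozenset({"https://www.googleapis.com/auth/drive",
                     "https://www.googleapis.com/auth/gmail.modify"})),
    Grant("carol@example.com", "Zoom", "video",
          frozenset({"https://www.googleapis.com/auth/userinfo.email"})),
]

if __name__ == "__main__":
    print("apps in use:", {a: len(u) for a, u in inventory(GRANTS).items()})
    print("unsanctioned:", sorted(unsanctioned_apps(GRANTS)))
    for user, app, scope in risky_grants(GRANTS):
        print(f"HIGH RISK: {user} granted {scope} to {app}")
    print("overlapping categories:", duplicate_categories(GRANTS))
```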

These steps are a good start, but how do you ensure that you’re consistently in compliance? And how do you stay on top of any unauthorized SaaS apps that are in (or could be added to) your cloud-based environment?

Stay in compliance by discovering unauthorized SaaS

The best way to stay up to date and continually discover unauthorized SaaS apps is to use an all-in-one SaaSOps platform like BetterCloud. In a single platform, BetterCloud provides all the functions an enterprise needs to discover, manage, and secure all of the SaaS applications, users, and data across your digital workplace.

BetterCloud Discover gives IT teams full app visibility around employee SaaS adoption and deep insights into the scope of sanctioned and unsanctioned applications running within the company’s environment. Additionally, IT departments improve operational efficiency by using auditable spend reporting, which helps teams eliminate redundant applications and reclaim unused licenses for redistribution. Finally, by leveraging new insights on SaaS usage, Discover helps IT and security teams consolidate control over their environment and help mitigate risks in their current security posture.

To learn more about how BetterCloud can give you full app visibility into your SaaS environment, check out this recent webinar or request a demo.
