How to discover SaaS use without invading employee privacy

Prevention isn’t always the answer

As a security team, our job is to help our company achieve its goals by taking risks securely. Simply using a computer represents a risk over the more traditional pen and paper, but the productivity gains clearly outweigh the risk; so the security team ensures the business takes that risk securely. Outright prevention - i.e. not using a computer - in this case, makes no sense.

Of course, within how the computer operates we might choose to prevent some functionality in the name of security, but the principle remains the same - prevention usually requires a trade-off against productivity.

Detection, but at the cost of privacy

When a base level of security became more common (through better awareness, accessible knowledge, and sensible vendor defaults), attackers shifted to using techniques that couldn’t be prevented because the business relied on the underlying tools - a malicious Word doc, a sneaky PowerShell script, a dodgy PDF.

Now prevention wasn’t an option, the security team had to monitor usage for malicious activity. But monitoring comes at a cost. To detect when malicious activity happens, the security team needs to monitor all activity, including legitimate activity. So, while a detection approach doesn’t restrict what a user can do, it comes at the cost of their privacy.

Building trust with your users

In either case, when introducing security controls you should aim to justify and explain this decision to your users, remembering that security’s job is to help them do their jobs securely - it shouldn’t be for them to figure out how to do their jobs within the confines of what the security team has decided is OK. A security team should be more like the secret service, than the prison service.

Although, of course, many employees won’t have much interest in the motivations of their IT/security team, maintaining this attitude will help you build and keep trust with them. With trust in hand, employees will be less likely to try to work around your controls.

SaaS - the new frontier

In recent years, our computers are mostly just windows to the Internet - many users access their email, video conferencing, productivity suites and more via their browser (or Electron apps pretending they aren’t browsers).

And, as is often the way, we’re relearning the same lessons as before. Should employees be allowed to sign up for and use arbitrary SaaS platforms? Should employees be allowed to add arbitrary apps into Microsoft 365, Google Workspace, or other SaaS platforms?

Regardless of your answer, your coworkers have already spoken and it’s almost certainly already happening. A report from G2 stated that 80% of workers admit to using SaaS applications at work without getting approval from IT. If you want to enable your colleagues’ productivity, prevention, it would seem, isn’t an option.

The risks of SaaS

So how do we secure the company in this new way of working? We still have plenty to consider.

We can start thinking about SaaS not just as an allow or not to allow, but taking a more flexible and pragmatic approach, asking questions like::

• What kind of data users are entering into these third-party platforms?

• How much do we trust the controls the third-party has in place?

• Are those controls appropriate for the data? 

• Is this platform redundant with the other services we use (e.g. “we use Google Drive, not Dropbox”)? 

• Does IT or security need to manage accounts for joiners/leavers?

• Does this platform impact our compliance? (e.g. does storing this data on this platform compromise our GDPR status?)

No one said it would be easy 🙃 and it’s easy to see why many organizations initially opt to simply try to block users from using such systems. Assessing each application can be daunting using traditional third-party security assessment techniques - we’ve written a short guide on how to approach security auditing in a world of SaaS, which you might find useful.

But the first step in managing this new world is through visibility. Knowing the problem is half the battle and we published an article about how to manually find the SaaS apps your employees are using. The problem is, a lot of them are either error-prone or quite invasive, potentially collecting your users private activity. In the trade-off of security versus privacy, we think that’s a bit too far and will likely damage the trust you’ve built with your coworkers.

Monitoring SaaS use without compromising privacy

Our approach at Push is to deploy our browser extension to our users’ browsers which is configured with the domains we use for work (e.g. @pushsecurity.com). The browser extension only monitors logins where an @pushsecurity.com email address is used, which we can reasonably assume means the platform is being used for work reasons.

We share this with employees up front during the onboarding process and, if you click on the browser extension, it also lets you know which domains it’s monitoring:

This helps our users understand why we are monitoring which SaaS they’re using which in turn makes them aware of the risk we are managing and why.

With this approach we’ve built a comprehensive picture of which SaaS platforms our team is using which has helped us understand where our data lives and which platforms need extra attention to ensure we have all the right controls in place. When our users use a new platform we can reach out to them at the start of their journey to understand what they’re trying to achieve and how we can help them do it securely.

Learn more about how Push can discover SaaS apps your employees are using without compromising their privacy.