Snowflake: Three practical takeaways // Watch Now

Shadow IT

How to find the right SaaS security solution for your organization

We break down some major SaaS use cases and match them up with solutions that can address them.

As part of your larger cloud security strategy, you’ve likely been asked to focus on how to secure SaaS apps used in your company. The first step to securing SaaS is getting a real sense of what platforms employees are actually using, beyond those that you already know about. Since SaaS is so easy for employees to adopt and start using without any input from IT and security, they’re likely using hundreds of SaaS apps that aren’t even on your radar. The first step in securing something is getting full visibility into what you even need to secure in the first place. 

To help guide folks through how you might do SaaS discovery on your own, we wrote an article about how to manually find what apps employees are using. In it, we explored how to analyze data that you already have on hand to find the unknown apps (shadow IT) used within your business. That’s a pretty significant manual effort, though, and most security teams don’t have the resources to do it. Plus, while these manual attempts can chip away at the SaaS discovery process, none are great at giving you a comprehensive view of SaaS use, nor do they keep up with the constant influx of apps employees are signing up for daily. 

To get truly broad coverage of what SaaS employees are using, you need a large dataset of SaaS apps, the domains associated with them, and this dataset must constantly be updated and expanded to include new apps that are launched every day. 

Unless you can find such a dataset, you must create it. And creating a constantly updated dataset is no small undertaking. That’s why there are so many off-the-shelf solutions and tools that focus solely on SaaS discovery these days. Many say that they are full-scale SaaS security platforms, but what that means isn’t always clear, even after reading product marketing materials. If you were to look at a venn diagram of “SaaS security platforms,” you’d have a giant mess of interlocking circles, with some shared activities amongst all (or most) tools and then vastly different features from that core functionality.

How “good” they are at SaaS discovery really depends on what data they’re using, what they have access to within your environment, the quality of their proprietary datasets (breadth, depth, and timeliness of that data), and how they work with your existing data and tools. To help navigate this mess, we’re sharing some pros and cons of the categories of commercial tools on the market.

To determine which solution you need, you need to consider your tech stack, your specific needs, your risk tolerance, and your short and long term objectives. In this article, we’ll break down some major use cases and match them up with what solutions make the most sense to address them.

You’re a large enterprise interested in securing core SaaS platforms

Working to only secure 20 or so core applications that have already been sanctioned by the security team? A cloud security posture management (CSPM) or SaaS security posture management (SSPM) solution might be the answer you’re looking for, particularly if you’re on the highest tier license for those apps. 

You can make the most of these tools during in-depth investigations or threat hunting exercises. Leverage them to enforce custom SaaS or cloud app policies as well. The caveat with this one is that you’ll need a fairly sophisticated security team to manage, customize, and run SSPM and CSPM tools.

An ideal environment for these solutions is one that has a full SOC capability so that you extend your existing security monitoring and threat hunting coverage into these core SaaS platforms. You’ll be able to secure a small handful of your business critical applications as long as they’re large and well-established platforms. 

The reason you’ll need top-level licenses and well-established SaaS platforms to make these solutions work is because they rely on API data from those SaaS platforms. Those mature APIs provide necessary information about those core apps that CSPMs and SSPMs use to provide security insights you need to manage the risks. Unfortunately, they won’t cover the dozens of smaller SaaS apps most organizations use, and are normally only available on top license tiers.

You’re a more traditional, on-prem enterprise interested in blocking unsanctioned SaaS

If your environment is traditional on-site internal networks and you have mature gateway monitoring technology in place already, a cloud access security broker (CASB) may be your best path to securing cloud apps. CASBs work best if you have no employees working from home or on the road or you’re forcing employees to only access work platforms and internet browsers through your corporate VPN.

CASBs typically pull network data such as DNS, SASE, VPN, proxy, and firewall logs. They may also require that you install an agent on each employees’ devices if you want coverage when they are out of the office. 

With those data sources, they provide good aggregate information about SaaS platforms that are accessed. What they can’t do well is provide any insight into how the SaaS app is being used, by which employees (you typically get IP addresses not user names), and for what purpose - as an example, they are typically not able to tell the difference between opening a SaaS product’s homepage, or actually logging into the application - so you are going to have a fairly large number of false positives. 

A CASB also really makes sense if you’re forced into complying with strict regulatory requirements to block everything until you’re able to do an in-depth due diligence process on each app. If your goal (or need) is to block access to unknown, unvetted, or unsanctioned SaaS at the network level with no exceptions, a CASB might be for you.

You’re a cloud-native company who wants to enable SaaS without introducing too much risk

For cloud-native companies that need better coverage, and are looking for more nuanced controls than network-level blocking, a solution that discovers and secures SaaS through the browser is the way to go. Since employees access SaaS through their browser, it’s a logical step to collect data about who is using what apps through a browser extension. 

The browser approach lets you do true SaaS discovery - so you can find what employees are actually using (not just accessing) and then go about securing those apps. You also don’t need to do much in terms of managing a browser-based solution once it’s set up. It simply runs in the background and surfaces employee SaaS use data into a dashboard. 

By combining browser-level data and robust security APIs from those core business platforms that SSPMs typically tap into, you can get broad visibility of SaaS use in your company for those large in number, but less mature, more up-and-coming apps, and the depth of security data you need for those few core apps that most employees are using. 

The other key benefit of a browser-based approach for SaaS discovery is that you can get incredibly powerful data about who is using the app, how they’re using it, if they’re using security features such as MFA, if they’re reusing passwords across multiple apps, if they’re sharing passwords, when they’ve used it last, and so on. That data is critical when it comes to securing SaaS because the devil truly is in the details. 

If we’ve piqued your interest and you’re curious to see what we can discover about SaaS in your business, try the free browser extension

Consider their data sources  

The critical thing to understand when you’re evaluating if a solution will work for you would be understanding what their data sources are, what weaknesses those data sources inherently have, and what aligns best with your goals. We’ve tried to surface some of that information within the use cases in this article.

So if you’re looking at an EDR that says they can discover SaaS usage, they’ll likely be leveraging endpoint data to detect SaaS use. If you’re looking at CASBs that integrate with your proxy, they’re probably looking at network level data – you get the idea.  


To wrap this up, we’re going to summarize some key points and provide some questions to ask yourself, your team, or even the vendor of the solution you’re evaluating, as you consider what combination of efforts or what tool is right for you. 

Does this solution provide SaaS discovery?

  • Will this tool find what SaaS apps employees are using, including those you don’t already know about? If so, how? 

  • Will the tool be able to differentiate between a user visiting a SaaS website, and actually logging into the app? How will it determine who the user is?

  • If the tool doesn’t provide you with SaaS discovery (finding Shadow IT and the apps employees are using that aren’t on your radar), how will you deal with those apps employees are using without your knowledge?

Does the tool provide enough context so you can manage SaaS risk?

  • Are you getting context about how your users are using apps (are they logging in with social logins or passwords, do they have MFA enabled, are they admins on the app, etc.), or is it only providing generic information about the app?

  • How will you engage employees that already rely on these SaaS platforms, or want to adopt new apps, can you handle that though email or in-person - or do you need something more scalable?

  • Do you need the ability to apply progressive controls, or simply need the ability to block apps entirely?

If you aren’t sure about these questions, why not consider what a user-powered security approach might look like for your organization.

Subscribe to get updates from Push
The latest news, articles, and resources, sent to your inbox weekly