
Push it real good: Why I’m excited to join Push’s board

SaaS sprawl is not just a raw increase in the number of apps in use; it is also driven by employees self-adopting new apps. Orgs need sensible guardrails for employees.

Software has been eating the world for the past decade. And boy, it turns out that software is still SUPER hungry (like, Audrey II hungry), as we’ve seen countless new SaaS apps spring up across the software ecosystem. This is great news for organizations of all shapes and sizes. Embracing modern SaaS enables employees to be more productive, use the apps they love, and, as many companies have recently been pressured to, do more with less. But it’s less of a fun time for security teams that are trying to grapple with this sprawl of shadow IT… and have always had to do more with less!

The sprawl of SaaS apps is not just a raw increase in the number of apps in use in a modern enterprise (a number that is often wildly underestimated by CIOs/CISOs), but also the result of bottoms-up adoption of new apps. Driven by the product-led growth (PLG) movement, employees now frequently sign up in a self-service manner for new SaaS apps and put them immediately into use at an individual or team level, without the traditional review, procurement, and management by corporate IT/security teams. Move fast, and cross your fingers that you don’t break too many things? Push has written about this shift in more detail, which is worth reading.

These unsanctioned/unmanaged SaaS apps represent a growing attack surface. While the problems of shadow IT are not necessarily new, I would argue that the true security risk, which perhaps was not fully appreciated previously, has recently come to the forefront through high-profile supply chain compromises. Whether it’s a single user getting OAuth phished, password reuse across SaaS apps being targeted by credential stuffing, or a breach of a third-party integration plugged into your Google Workspace or Microsoft 365, the risks are now clear and present.

Work with employees, not around them

Despite SaaS sprawl and the proliferation of related attacks, I’ve always had a belief that users are good-intentioned, want to be productive in their job, and desire to keep their organization secure. We can’t ask users to walk a terrifying tightrope of security (“don’t get phished”, “don’t open attachments”, “don’t click links”, “don’t plug things into your computer”, etc.) and still do their actual job effectively. In the modern day, you either design a paved path for your users to be able to move quickly and safely, or you risk the consequences when they go off-roading.

When there is no paved path for those good-intentioned users to get their job done, it’s no surprise that they find creative ways to work around poorly designed security controls. For example, if an employee has to jump through a lot of hoops to get on the corporate VPN and access an internal SharePoint instance in order to collaborate with colleagues, they’re likely to just sign up for and use a self-service Box/Dropbox/Trello tenant. A violation of corporate security policy? Perhaps. A shadow IT risk to the organization? Sure. But they’re not being malicious; they’re just trying to get their job done.

Enter Push Security. Push is tackling these challenges of shadow IT, helping to simplify SaaS security while meeting users where they are and enlisting them in the solution. Push allows security teams to get complete, real-time visibility into the SaaS apps in use in their enterprise, automates the fixing of any risky issues by involving the end user, and provides real-time guidance to head off new issues before they even happen. See Adam’s blog post for a double-click on all the capabilities of the Push platform.

Push’s vision particularly resonated with me, as it is a natural extension of the user-centric security that we built at Duo. Push allows security teams to go beyond just the front door of application access (e.g. authentication) and look deeper into the latent risks presented by SaaS applications themselves, the data contained within them, and their risky app-to-app interconnectedness. And, often, the best first step after identifying the litany of unsanctioned apps in use in your organization is to quickly get the critical ones safely under your umbrella of SSO/MFA (via Duo, Okta, Azure AD, etc.), which I know was a common challenge for our many customers at Duo.

CASB and SSPM aren’t enough

Past attempts to tackle these problems, notably CASB vendors, have had limited success. It’s clear the network/proxy-based CASB approach is not a survivable architecture for the modern world of cloud and mobility. Even an API-only integration, the approach taken by some SSPM vendors, is necessary but not sufficient for the scope of the problem space.

For example, it’s not enough to just know that Box is an app in use by your users. Many organizations have their corporate Box tenant “managed” with SSO/MFA, etc., but may be unaware of the 10+ shadow, non-managed Box tenants that their users have created and are actively sharing documents through. Do you think you have just one Box, Slack, Monday, etc.? Push, with its unique architecture of plugging into your SaaS apps as well as interfacing with the user via a browser extension, can achieve this accurate, fine-grained visibility into SaaS usage.

Automate fixes by involving the end user, your employees

Push is also unique in enlisting the end user, not just in identifying the problems of SaaS sprawl, but in remediating discovered issues. This user-centric approach naturally resonated with my experience at Duo. After all, Duo Push and our Security Checkup were just low-fidelity mechanisms to ask your users to engage positively in your security program.

Push takes this philosophy much further with their ChatOps feature, creating a direct, interactive interface to users. Sometimes users just need a gentle push in the right direction to make good security decisions or improve the organization’s security hygiene. Push can help users adopt existing security controls (e.g. MFA), identify risky configurations (e.g. malicious mail forwarding), and reduce attack surface (e.g. unused or risky OAuth integrations). Interfacing directly with users can increase fidelity (who knows the ground truth better than the user themselves?), increase remediation speed, and allow your security program to scale without hiring a bunch of analysts to run down endless lists of alerts. Of course, you’re not just handing over the keys to the user, but selectively using their superpowers to augment your centralized visibility and control.

In essence, Push has created that paved path to allow your users to move quickly, but also with the appropriate guardrails for when they go off-roading. Maybe those guardrails are a 10-foot reinforced concrete wall for your security-sensitive organization. Maybe they’re a light safety barrier to help keep users on track. And maybe your org really embraces speed and employee autonomy, so you just want an “invisible fence” to be alerted when users go off the track. Regardless of your security culture, Push gives you the necessary visibility into your shadow IT to make informed risk decisions appropriate for your business and enact the right controls.

Securing SaaS for everyone, not just large enterprises

Lastly, the explosion of SaaS is not a uniquely enterprise phenomenon, but is felt by companies of all shapes and sizes. As I experienced at Duo, designing security products for ease of use can be a game-changer for small/medium-sized organizations that lack the staff, time, and budget to manage complex security tools. But, whether you’re an SMB or an F500 enterprise, everyone is strapped for resources and wants to maximize the security impact of their limited team, not create more busy-work and alerts to run down. Push has built a platform that is easy to try, deploy, and manage, whether you’re a small business with a one-person security team or a large enterprise looking to scale your SaaS security across tens of thousands of employees.

I felt conviction about Push early on when I first met co-founders Adam, Tyrone, and Jacques in 2021. Not just excitement around the problem space and product philosophy, but a personal resonance with the team. Deep technical founders and security practitioners, fed up with the hamster-wheel-of-pain of detection and response, and eager to battle the status quo of the security industry with a fresh and positive approach. It sure felt familiar! That conviction grew as I observed their early development and progress, when I joined in the seed round led by Decibel last year, and when I saw the customer adoption after their product launch less than a year ago. So, with their recent Series A round, led by Karim Faris at GV, I’m honored to join the board of Push and continue supporting a great team and product.

But, hey, don’t just take my word for it, sign up for free today and bring some sanity to your SaaS security.
