Upvest, a cloud-native German fintech, needed a scalable and user-centric way to secure SaaS apps and reduce third-party risks from a complex ecosystem of OAuth integrations. They found their solution in Push.

In summary
  • Upvest, a fintech company that provides investment infrastructure to financial organizations, needed a way to secure the cloud identities, apps, and third-party integrations that make up their core infrastructure as a SaaS-first organization.

  • Push helped Upvest get high-fidelity data on their SaaS estate while engaging with users directly in the browser to guide their security choices.

  • Upvest now has a unique source of telemetry to use for automating the management of SaaS and identifying security issues.

Business challenge

Operating in the highly regulated German financial services environment, Upvest has carefully built a culture of security throughout its workforce.

“Security is all of our responsibility and we democratize it to every department in the company,” explains Sebastien Jeanquier, chief information security officer at Upvest.

When Jeanquier joined the financial technology startup five years ago with a background in security consulting and penetration testing, he had a rare opportunity to build a security program from the ground up based on what he’d learned from years of red teaming.

“I really wanted to move somewhere where I was going to be able to build as greenfield as possible to take what I saw as the best practices from every security domain,” he says.

As a cloud-native company, Upvest must demonstrate security mastery of its entire cloud ecosystem in order to meet internal requirements and regulatory standards. In seeking out a tool to secure cloud apps and identities, Upvest needed a solution that would meet its high standards and fit its user-centric culture.

Technical challenge

Meeting a high bar for security and regulatory compliance

Operating in Germany and the EU, Upvest holds multiple banking licenses with BaFin, Germany’s financial regulator, and is bound to Germany’s strict privacy standards, in addition to GDPR, so finding technical solutions that support these regulations is paramount.

“Our original product was in the blockchain space. We’ve since pivoted into the more traditional finance space. But if anything, our security requirements and our compliance and regulatory controls actually have only gone up,” Jeanquier explains.

For Upvest’s security team, a top-of-mind goal was how to get their arms around the full portfolio of cloud identities, SaaS apps, and OAuth integrations that represented core business assets.

“Being a regulated entity, it means that we need to be able to demonstrate the fact that we have considered everything from a regulatory standpoint, a compliance standpoint, a pure security standpoint, and a data protection standpoint,” says Jeanquier. “And so shadow IT is something that we were keen to get ahead of. We’re SaaS native. We don’t have any other applications internally. And so this was going to represent an almost existential problem for us in the future if we didn’t tackle it now.”

Challenge of managing third-party integrations

The Upvest team was particularly concerned about the potential for a fast-growing tangle of OAuth integrations. They had been looking for solutions that would allow them to quickly see and take action on these third-party app integrations.

“Any user can go to pretty much any service and grant it access into your environment,” Jeanquier says. “And unless you’re keeping tabs on it, it’s very easy for some really small application run by three people somewhere to just request excessive access. It's that supply chain risk that could end up resulting in a lot more compromises than we would otherwise see if we were being attacked directly.”

The Upvest security team was also focused on finding and securing any non-SSO identities in their environment, which could pose a significant risk if an offboarded employee retained access to business systems or data.

The team quickly found that existing tools such as Google Workspace weren’t purpose-built for the kind of context and scalability they needed in order to make efficient and informed security decisions about their SaaS accounts and third-party integrations.

“We could have dug down and written some custom tooling to try and identify what's being used by whom, and doing a regular batch job of trying to identify what they're doing,” says Jeanquier. “But I didn’t really see any good solution for tackling this at scale.”

Desire to preserve a positive security culture

The team also needed a solution that would fit their company culture. They didn’t want to limit the possibilities for employee innovation by outright blocking access to apps and integrations.

But they needed to be able to monitor for excessively permissioned, untrustworthy apps and remove them — while communicating security best practices to employees.

“It’s really about trying to engender as much as possible that culture of awareness,” Jeanquier says. “Awareness not just for our end-users, but also for us as a team across both security and IT, and trying to encourage as much as possible our processes to be followed.”

Solution

Upvest chose Push because the product provided a unique browser agent-based approach to solving the problem of shadow SaaS and identities, while also aligning strongly with Upvest’s security culture.

As an early customer, Jeanquier also embraced the opportunity to provide input on product direction and use cases.

“We very much shared the vision of what it is we were trying to tackle in terms of a security challenge in the modern-day SaaS world,” he says.

Meeting employees where they work

With Push, the Upvest security team was able to maintain their user-centric approach to security by getting the rich contextual information they needed on the apps, accounts, and third-party OAuth integrations being used across their workforce — without having to resort to outright blocking.

Push’s guardrails features, including the ability to communicate security policy directly with employees using messages that appear in the browser, were a perfect fit for Upvest. These messages help reinforce security policy and prompt secure behavior right at the point of access: the app signup or login screens.

“You can write as much policy as you want, but ultimately users are going to jump over the lowest hurdle,” Jeanquier says. “The Push browser extension gives you a seat on the user's side where you can start to enforce some of these best practices.”

Shedding light on shadow IT and non-SSO identities

Push’s use of a browser agent was also a key differentiator for Upvest because the approach provides a high-fidelity source of information.

Upvest was able to monitor employee SaaS account creation and logins in real time and identify apps in use across the business that were not approved or had not been reviewed by the security team. The Push browser agent also supplied the login methods used to access these accounts, so that the Upvest team could track their SSO coverage and identify non-SSO apps. This was information they otherwise had no way of collecting.

“From my perspective, I think a lot of value comes from the browser extension,” Jeanquier says. “There is a lot that you can do both in terms of passive guardrailing as well as active education that can only happen at the browser level.”

A scalable way to meet regulatory requirements

To balance Upvest’s user-centric security culture with their stringent regulatory requirements, they also needed a scalable way to reliably identify and review every cloud app used across the business — without getting in employees’ way.

Push provides them with insights into not just which apps and integrations are being used, but also the specific details about which users, which accounts, which login methods, and how recently a login was observed. This context allows Upvest to quickly act on newly adopted apps that aren’t approved for use, and to have a complete picture of their estate when performing app reviews to meet compliance standards.

“Because of the regulatory landscape, it won’t fly for you to suddenly decide that you want to use a specific file-sharing app for something. And that you just go and log in and start using that for company data,” Jeanquier says. “The regulatory requirements mandate that we have assessed every app from the perspective of data protection, confidentiality requirements, assessed the vendor themselves, and so on.”

Essential building block for security operations

With a focus on agility and efficiency, the Upvest security team also sees the telemetry provided by Push as a valuable input to their security operations and automation efforts.

They are currently exploring how to use Push’s REST API and webhooks to build detections for security incidents and to automate basic SaaS and account management tasks.

“Push is uniquely positioned to be able to expose certain actions and practices to us as a team which could then allow us to say, okay on the basis of this particular type of action which we consider to be a very strong signal, let us know and we’ll do something off the back of that using some automated workflows,” explains Jeanquier.

“This kind of automated security orchestration is the way forward with regards to orchestrating very specific and rapid responses to very clear-cut security signals.”

Sebastien Jeanquier is the chief information security officer at Upvest and established the company’s security engineering; security governance, risk, and compliance; and IT functions. Previously, he led security consulting, incident management, and penetration testing teams for organizations in the U.K., the U.S., and Australia.

The company
Upvest

Upvest is a financial technology startup that provides Investment API infrastructure to financial organizations and neobanks. Upvest is headquartered in Berlin, Germany, and was founded in 2017.

Location:
Berlin, Germany
Users protected:
180
