Between information sprawl, publicly shared files, and data breaches, SaaS applications can create chaos.
But because SaaS is so new, there’s no blueprint for IT professionals that outlines how to manage and control this chaos.
Our founder and CEO David Politis recently hosted a webinar called “Bring Order to Chaos: Automating Policy Enforcement for SaaS.” In this webinar, he describes how automating policy enforcement through BetterCloud can enhance security and streamline operations—and bring order to your SaaS environment.
If you missed it, no worries. Here’s a recap of what we covered.
IT is facing a lot of chaos in SaaS environments, and their hands are tied.
As SaaS adoption continues to skyrocket, SaaS app users (not IT) are gaining more control. Users can control file sharing settings, create their own groups, install third-party apps by themselves, etc. All too often, this results in headline-worthy data breaches. Unfortunately, native admin tools are not powerful, granular, or sophisticated enough for IT to manage their SaaS environments properly.
To rein in this chaos, IT needs policies.
Policies are guidelines that you don’t want users to violate. If one is violated, you must take some sort of action to remediate the violation. (And ultimately, the remediation should happen automatically.)
Best practice: Follow these five steps to create and execute policies effectively.
- Define – First, determine exactly what you want your company policies to be, whether they’re around onboarding, sharing settings, compliance, etc. Spend time with your security, executive, and HR teams to figure this out. For many companies, this is the most difficult step.
- Investigate – Dig around in your environment and explore. What’s in compliance, and what’s in violation?
- Notify – If there are items or employees that have violated a policy, let the appropriate people (e.g., end users, executives, security, or HR personnel) know. At this point, it’s very common for teams to circle back to Step #1 (Define) to modify their policy definitions and get more specific.
- Remediate – Take action to fix the violation. Again, you may need to tweak your definitions some more and add whitelists, blacklists, etc.
- Enforce – The pinnacle is when you can automatically remediate your violation—and therefore automatically enforce your policy from start to finish. Once that policy is taken off your plate, that’s when you can bring order to chaos.
Best practice: These are the top 10 must-have policies.
This list of must-have policies that we compiled is based on conversations we’ve had with thousands of customers. These types of policies are what best-in-class organizations have up and running in their SaaS environments.
- Onboarding and Offboarding – There are different policies for different employees. An executive’s offboarding process will differ from an IT manager’s offboarding process. Are you including all the appropriate steps in each policy? Are you removing all access to data in the offboarding process?
- File Access and Activity – How many files are users sharing, downloading, deleting, etc.?
- User Security – Is a user forwarding corporate email to a Yahoo account? Are there suspicious concurrent log-ins for the same user from multiple locations?
- External Users – Who outside your org has access to your data (e.g., consultants, freelancers)?
- Administrator – Who has super admin access?
- Connected Devices – Which devices have access to your data?
- Groups – Which groups are publicly visible? Which users can view and post in groups?
- License and Storage Management – How many licenses are currently suspended or unused right now? Could you recycle those licenses and save money?
- Data Integrity – Is the data that’s stored in your apps correct? Do users have the correct title, address, department, etc.? Are they in the right groups?
- Third-Party Applications – Which third-party apps have access to your data, and what kind of access do they have?
These are best practices, and they take time to set up. We don’t expect everyone to have every policy implemented.
38% of viewers are not enforcing these policies at all.
During our webinar, we polled our audience and asked: Are you currently enforcing the policies we just outlined?
These were the results:
- Yes, I enforce some, but I want to enforce more – 54%
- No, I don’t enforce these, but I’m eager to – 36%
- Yes, I enforce some and that’s all I need – 8%
- No, I don’t enforce these and I don’t think it’s valuable – 2%
- Yes, I enforce all of them – 0%
Example of a file sharing policy
Here’s how you’d think about a file sharing policy, step by step:
92% of viewers find these policies valuable and relevant for their organization.
We also asked our audience: How valuable are the capabilities described in this webinar for your organization?
These were the results:
- Very valuable, I’m ready to get started – 57%
- I value these capabilities, but need more information – 35%
- This seems valuable, but not relevant to my situation – 7%
- I don’t see value in this yet – 0%
Live demo: Offboarding policy
Here’s David demonstrating how you can run a comprehensive, automated workflow that takes care of multiple offboarding steps, such as: transferring ownership of files to a user’s manager, suspending them from Zendesk, removing them from their Dropbox team, removing them from their groups, removing their Office 365 licenses, and creating a Zendesk ticket to summarize the whole event.
Here’s David demonstrating how you can run a workflow to ensure that your Google Group permission settings are within policy:
Live demo: Slack two-factor authentication policy
Here’s David demonstrating how you can run a workflow to ensure that all your admins have two-factor authentication for Slack set up:
To watch the entire recording of this webinar, head to https://www.bettercloud.com/monitor/webinar-bring-order-to-chaos/.
For more information on how you can create policies and automated workflows for your SaaS environment, visit https://www.bettercloud.com/product.