BetterCloud


Users as the New Perimeter:
How BetterCloud Secures Today’s Digital Workplace

TABLE OF CONTENTS

SaaS is creating a new generation of security threats

Why is SaaS creating new security risks?

This is the new reality of the digital workplace

Real-world examples of data exposure via SaaS apps

A new perimeter: The user interaction is the next frontier for security

Why BetterCloud?

A new Zero Trust model for the digital workplace

About BetterCloud

Executive summary

While the explosion of SaaS brings plenty of benefits, it also gives rise to a new generation of security threats. Today users are accessing, sharing, and exposing SaaS data in new ways you might not even be aware of—and it’s happening more frequently. As the world continues to shift to SaaS, the security landscape is evolving. Perimeter-based security is now obsolete. Though identity-based security came next, it’s only half the battle. The next security frontier is one that follows the user and their interactions with data, and the only way to do so is via APIs. With deep API connections that enable IT to monitor user behavior, system configurations, and data activity across SaaS applications, BetterCloud fundamentally changes the way you manage and secure mission-critical SaaS applications. As a pioneer in the SaaS Operations Management space, BetterCloud allows you to secure user interactions across your digital workplace.


SaaS is creating a new generation of security threats

Born out of a desire to work on the go—on any device, from any location, at any time—SaaS applications have transformed the way we work.

Gone are the days of homogeneous environments, where a single vendor powered a company’s infrastructure and enterprise application needs.

Instead, today organizations are embracing heterogeneous environments, where their business needs are fulfilled by a wide assortment of best-in-breed cloud apps from multiple vendors. They are free to pick and choose their cloud applications.

In 2017, companies used 16 SaaS apps on average, up 33% from the previous year. In fact, 73% of organizations say nearly all (80%+) of their business apps will be SaaS by 2020.

But while the explosion of SaaS brings plenty of benefits, it also gives rise to a new breed of insider threats. It creates new attack vectors and data leakage points that current or former employees can easily exploit (either accidentally or purposely).


Why is SaaS creating new security risks?

There are three main reasons why SaaS creates new security risks:

  1. End users have a lot of freedom and power when using SaaS apps (and as a result, IT and security teams are losing control)

    More than ever before, end users are empowered with countless ways to collaborate and interact with data and other users.

    With SaaS apps, users can share data freely with just about anyone inside or outside the org: colleagues, partners, customers, contractors, even competitors. They can share documents, calendars, spreadsheets, and presentations publicly on the web, meaning anyone on the Internet can find and access them, since this data is scraped and indexed by search engines.

    They can create public links to files in seconds. They can add themselves to distribution lists and groups. They can adjust permissions and sharing settings on their own.

    Of course, all of this freedom is by design. It’s what makes SaaS such a boon to productivity. But it’s also exactly why it is very easy to expose data through these interactions, either intentionally or unintentionally.

    SaaS is a double-edged sword.

    The very beauty of SaaS—the ability to collaborate, the ease of sharing data—is also its ugliest and most dangerous security risk.

  2. SaaS creates dangerous blind spots—hidden security threats that many IT and security professionals don’t even know exist

    Because SaaS is so new, everyone’s sort of “figuring things out as they go.” Not enough time has passed for official certifications or industry best practices to exist. There is no foundational level of knowledge yet, no ITIL for SaaS. In fact, 78% of IT professionals are just getting started managing SaaS apps or teaching themselves.

    As a result, IT and security teams are unaware of emerging security threats (aka blind spots) that accompany SaaS applications. Specifically, these blind spots refer to new avenues for data exposure and leakage.

    Many teams are surprised to discover that these blind spots exist. Others suspect that data exposure is happening, but don’t know how to get visibility into it or fix it.

    In fact, on a recent webinar poll, we found that 86% of IT professionals think (or aren’t sure if) they have confidential or sensitive data exposed. Additionally, 76% of IT professionals believe that former employees still have access to their organization’s data.

    This is not IT or security’s fault. In this nascent space, you don’t know what you don’t know. Visibility is murky. We call them “blind spots” because IT and security teams currently lack the tools to get insight into them.

  3. File sharing permissions and configurations are complex. They also vary widely across SaaS apps

    In 2018, the Kenna Security research team discovered a widespread misconfiguration in Google Groups that exposed sensitive information. (More details on this later.)

    The reason for the misconfiguration?

    “Due to complexity in terminology and organization-wide vs group-specific permissions, it’s possible for list administrators to inadvertently expose email list contents,” Kenna Security’s Dan Mellinger wrote. “In practice, this affects a significant number of organizations.”

    The terminology and permissions in collaboration software are confusing, no doubt. There are dozens of permission settings for both end users and admins alike. It’s easy to see how someone could make a mistake:

    One mistake—one simple misconfiguration—can easily expose data.

    For example, someone might select “Public on the web” thinking that it has the least friction. After all, with no sign-in required, it’s the path of least resistance. But in doing so, they might fail to consider the security implications of making a file or group public on the web. (Anyone on the internet can find and access it.)

    How can your average end user or admin be expected to understand and navigate all of these complex permissions securely?

    Adding to this confusion is the fact that SaaS apps all have different terms for their admin roles and distribution lists. There is no common nomenclature, no standard set of rights across apps. There are dozens of options, and they all differ from app to app.

    For example, here’s a look at the types of pre-built admin roles in a few SaaS apps:

    A Brief Overview of Administrative Roles Across SaaS Applications

    Even with these distinctions, an admin role might include privileges you weren’t even aware of. For example, a Services Admin in G Suite can manage services like Calendar, Drive, and Docs, but they can also manage Chrome and mobile devices.

    As companies adopt more SaaS apps with varying UIs and permissions, the complexity will only be compounded.


This is the new reality of the digital workplace

Put another way, this is the new reality of the digital workplace:

Users are faced with all kinds of privacy and access settings across multiple apps on multiple devices. Their interactions—and their options for collaboration—are nearly limitless. This makes it easier for users to make innocent mistakes, or for nefarious employees to act badly. This also makes it all but impossible for IT and security teams to have full control over all their SaaS data.

As more and more users interact with data in SaaS apps, the chances of data leakage increase. In fact, it’s already happening.


Real-world examples of data exposure via SaaS apps

Often, data exposure happens unintentionally in SaaS apps because of simple misconfiguration errors. Here are some real-world examples.

Dozens of companies leak sensitive data thanks to misconfigured Box accounts

In March 2019, security researchers found that dozens of major tech companies and corporations had inadvertently exposed sensitive data through Box. Employees were sharing public links to files in their Box enterprise storage accounts.

Researchers found bank account and Social Security numbers, passwords, employee lists, and financial data like invoices, receipts, and customer data.

“Many employees may not know the sensitive data they share can be found by others. Worse, some public folders were scraped and indexed by search engines, making the data found more easily,” wrote TechCrunch’s Zack Whittaker.

Kenna Security finds widespread misconfiguration in Google Groups

In 2018, the Kenna Security research team discovered a widespread misconfiguration in Google Groups that exposed sensitive information.

They found 9,600 organizations with public Google Group settings and determined that 31%, or 3,000, of them were leaking “some form of sensitive email.” These organizations included Fortune 500 companies, hospitals, universities, television stations, and U.S. government agencies.

This is just a sampling of what they found:

  • Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
  • Re: URGENT: Past Due Invoice. Group: Accounts Payable
  • Fw: Password Recovery. Group: Support
  • GitHub credentials. Group: [REDACTED]
  • Sandbox: Finish resetting your Salesforce password. Group: [REDACTED]
  • RE: [REDACTED] Suspension Documents. Group: Risk and Fraud Management

“Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself,” wrote security journalist Brian Krebs.

The Kenna Security team pointed out that “the possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse.”

But this wasn’t the first time that data exposure was discovered via Google Groups.

RedLock finds hundreds of Google Groups exposing PII and private emails

The same thing happened in 2017, when another team of researchers discovered hundreds of companies exposing PII and private emails through the same simple misconfiguration error in Google Groups. (The groups were created with the “Public on the Internet” sharing setting rather than “Private.”)

Among the data that was publicly exposed? Employee salary compensation, sales pipeline data, and customer passwords.

Simple misconfiguration errors, whether in SaaS apps or cloud infrastructure, can have potentially devastating effects, the research firm emphasized.

This type of data exposure is by no means an isolated incident. It’s happened again and again, in various forms, over the past few years as SaaS adoption has skyrocketed.

Corporate data slips out via Google Calendar

It happened years ago with Google Calendar, when sensitive corporate data from McKinsey, JPMorgan Chase & Co., and Deloitte was inadvertently made public using Google’s popular calendar service.

“Google Calendar gives users the choice of keeping calendar entries private or publishing them for the world to see, but some Google Calendar users appear to be sharing their calendar information without realizing it,” wrote PCWorld’s Robert McMillan.

Dial-in numbers and passcodes were found for weekly internal communication meetings, compliance meetings, and more.

“This is pretty much exactly the kind of recon necessary to start doing industrial espionage,” wrote security researcher Robert Hansen. “Weekly meetings that discuss key internal information? Not looking good. Sometimes you see major leaks in the least likely places.”

Stanford University exposes PII for thousands of employees due to misconfigured permissions

It happened in 2017 at Stanford University, when misconfigured permissions on file-sharing platforms exposed personal information for students and thousands of campus employees. (Stanford uses multiple online file sharing platforms, including Box, OneDrive, and Google Drive.)

A similar breach happened at the University of Oklahoma when private and sensitive student records were unintentionally made public on mail servers due to “a misunderstanding of privacy settings.”

The U.N. exposes sensitive data on public Trello boards (and Google Drive and Jira)

It happened with Trello (a project management web app) in 2018.

A security researcher discovered that the United Nations inadvertently exposed passwords and other sensitive information on misconfigured public Trello boards.

The exposed data included credentials for a U.N. file server, an internal conferencing system, and an internal web development platform. The researcher discovered the data leak through Google searches, which turned up the public Trello boards.

The researcher found a total of 60 Trello boards. In addition, he discovered several Google Docs and Google Drives, as well as sensitive information on the U.N.’s Jira account.

A federal tech team is blamed for a data breach tied to Slack

It happened in 2016 when a federal tech team connected Google Drive and Slack, unaware that doing so would let Slack automatically index and store their Google Drive documents.

A federal report accused the team of a data breach, finding that over 100 Google Drive accounts were reportedly accessible by internal and external users, potentially exposing PII and proprietary information.

A spokesperson referred to the incident as a “misconfiguration in one of our collaboration tools.”

Users accidentally share sensitive docs publicly on Microsoft’s Docs.com

It happened in 2017 when hundreds of users unwittingly shared sensitive docs publicly using Microsoft’s Docs.com. That’s because Microsoft set any documents uploaded to the document sharing site as public by default—something that many users were unaware of.

Researchers discovered medical data (including one physician’s treatment logs and photos), Social Security numbers, bank account numbers, and login and password information.

Samsung’s GitLab instance spills highly sensitive source code and secret keys

It happened in 2019 when Samsung accidentally leaked highly sensitive source code, credentials, and secret keys for several internal projects, including its SmartThings platform.

Engineers were using a GitLab instance to share and contribute code for various Samsung projects. However, it was “spilling data because the projects were ‘set to public’ and not properly protected with a password, allowing anyone to look inside at each project, access, and download the source code,” wrote TechCrunch’s Zack Whittaker.

One of our customers inadvertently exposes thousands of patient records publicly

We often see these accidental misconfigurations first-hand during implementation meetings with new BetterCloud customers. We helped one customer discover a Google Group named “Payroll” that allowed external people to join (prompting their IT manager to blurt out, “Nooooo”).

Another customer, a nationwide behavioral health center with 50 domains, had publicly shared documents in Drive containing patients’ names, Social Security numbers, and stay histories.

But SaaS apps can also be an avenue for malicious behavior. One common theme seen in the headlines? Trade secret theft. SaaS makes it extraordinarily simple to access confidential data and share it with competitors.

Two ex-Zynga employees take 14,000+ sensitive, highly confidential Drive files to a competitor

In 2016, gaming company Zynga sued two of its former employees for stealing confidential information and taking it to a rival gaming startup.

According to court documents, forensic analysis revealed that ex-employee Massimo Maietti “proceeded to download 10 Google Drive folders… Maietti took over 14,000 files and approximately 26 GB of extremely sensitive, highly confidential Zynga information.”

Those documents allegedly included “hundreds of detailed design specifications,” “unreleased game design documents,” and “financial-related information.”

The Uber vs. Waymo battle: An ex-employee steals trade secrets from Google Drive

And let’s not forget about the Uber vs. Waymo trade secrets trial in 2018. Waymo, which was Google’s self-driving car project, alleged that an ex-employee, Anthony Levandowski, stole trade secrets and took them to Uber.

Gary Brown, a security engineer at Google, testified that Levandowski downloaded 14,107 files (9.74 GB of data) before leaving the company.

But specifically, Brown testified that he used Google Drive log data to discover that Levandowski exported several confidential and proprietary documents from Google Drive to a personal device. According to court documents, some of these files had names like:

  • “Chauffeur TL weekly updates – Q4 2015” [“Chauffeur” was the name of Google’s self-driving car project]
  • “Intensity Calibration”
  • “Assembly Flowchart SOP”

Like the Zynga example, these files contained highly sensitive information that should not have ended up in a competitor’s hands.

One of our customers discovers a former C-suite exec sharing proprietary research with their competitor

One of our customers discovered that a former C-suite executive was taking proprietary research with her to a top competitor. One of their strategy executives shared Dropbox files with her new work email days before she left the firm. The documents contained years of studies and proprietary research that she planned to employ at the rival company.

If these interactions were happening at your organization, would you have a way to know about them? Or be able to remediate them quickly?


A new perimeter: The user interaction is the next frontier for security

As the world continues to shift to SaaS, the security landscape is evolving. New tools are needed to mitigate emerging risks.

Perimeter-based security is obsolete

According to Forrester, there’s an old saying in information security:

“We want our network to be like an M&M, with a hard crunchy outside and a soft chewy center.”

For years, this M&M was the traditional network security model.

It relied on the “hard crunchy outside”: a secure perimeter that prevented unauthorized users from infiltrating organizations, applications, and data. Employees’ devices and work all lived within the physical walls of the office on a corporate network.

To protect this network and fortify their fortress, IT teams used network access controls (NACs) and firewalls to inspect traffic. This moat around the castle protected the “soft chewy center,” which contained all of the company’s most critical assets and confidential data.

This security model intrinsically trusted everyone already inside the perimeter. It assumed they didn’t pose a threat—their actions were not malicious, and they were cleared for access. Meanwhile, it assumed anything outside the perimeter was untrusted.

And for a while, perimeter-based security worked.

Historically, the early perimeter was a literal, physical one—the room where mainframes were installed. Companies controlled who had authorized access to the room, and by doing so, they could allow trusted users in.

Then as computers became networked together and VPN came on the scene, security tools became more sophisticated to protect the network perimeter. To keep bad actors out, IT and security teams turned to intrusion detection systems, endpoint device security, web filters, antivirus programs, proxy servers, and more.

But as Forrester points out, this traditional concept of a “secure perimeter” is not enough—especially as the volume and value of data increases.

“For today’s digital business, this perimeter-based security model is ineffective against malicious insiders and targeted attacks. Security and risk (S&R) pros must eliminate the soft chewy center and make security ubiquitous throughout the digital business ecosystem—not just at the perimeter,” wrote Forrester analyst John Kindervag.

Why is perimeter-based security ineffective?

  • Working from anywhere, any time. Because devices and data are not hosted on-premises anymore, the idea of creating a network in a corporate data center and protecting it with a firewall is no longer relevant. The shift to the cloud means that the perimeter has dissolved. The concept of a 9-5 on-site employee, using an on-premise solution, is obsolete. Employees no longer just work at work. They don’t use one device, either. They use a panoply of unmanaged devices—smartphones, mobile devices, tablets, Chromebooks, wearables, etc.—from multiple locations outside the LAN. With the advent of SaaS, they expect to be able to start work on one device and pick it right back up on another, at any time, from anywhere. This means that the traditional perimeter is an abstraction—something that no longer exists in practice.
  • The lateral threat. Perhaps the biggest challenge to network security is lateral movement. Once threats such as malware, ransomware, or hackers breach the network and find their way inside (e.g., through a successful phishing attack or address spoofing), they have free rein to move laterally. The same goes for endpoints. For example, WannaCry, NotPetya, and Bad Rabbit malware all used lateral movement to spread globally in 2017. “Using a single entry point—generally, the most vulnerable device—hackers were able to quickly take down unpatched systems,” according to Dark Reading. Each endpoint connecting to the corporate network can access sensitive data and represents a potential point of ingress for attackers. Once a bad actor is inside corporate firewalls, they have unrestricted, uninspected access to valuable, sensitive business data. This kind of vulnerability essentially renders the traditional perimeter-based model ineffective.
  • Implicitly trusting users inside the perimeter. The “castle and moat” approach assumes that everyone inside the perimeter is trusted. But in the age of SaaS, that’s no longer true. Your users might have the best intentions, but the way SaaS apps are designed—for openness and collaboration—means that users might be doing dangerous things without ever knowing it. Or perhaps you do have malicious users who are conducting nefarious activities without your knowledge. Knowing that users are authorized (i.e., trusted) to access the app and interact with data isn’t enough. You need to know what they’re doing. You need visibility into their interactions. Without that, you have no way of knowing if data exposure or suspicious activity is occurring.

Tools that focus on protecting endpoints and perimeters are looking in the wrong places—securing the wrong things. They’re no longer effective in the digital workplace.

All of these shifts and macro changes have created a perimeter-less world. As a result, we’re shifting to a different security model—one that requires a new way of thinking.

Identity-based security came next, but it’s only half the battle

Because there was no “wall” left to secure, a new sort of perimeter emerged.

IT and security teams began shifting their focus from the network to the identity of a user instead. Before granting access to corporate data, they turned to identity as a means of verification: Are you really who you say you are?

Enter: identity and access management (IAM).

By centrally managing user identities and controlling their access to resources, IAM was a new way to reduce the risks of both internal and external data breaches. In the past few years, we’ve seen cloud security strategies incorporate IAM and, more recently, identity-as-a-service (IDaaS) tools. By locking down access controls and establishing least privilege access, and also adding adaptive authentication and contextual controls, they ensured that only authorized users had access to the appropriate systems or data at the right time.

With tools like multi-factor authentication (MFA), privileged identity management (PIM), single sign-on (SSO), privileged access management (PAM), and directory extensions, identity-based security tightened the authentication protocols in place.

And while IAM is effective in mitigating data breaches, that’s only the first part of securing your SaaS environment. Once a user is authenticated, security shouldn’t stop there. What they do after their authentication is critical too. That’s where user interactions come in.

The next security frontier: following the user and their interactions

The next security frontier is one that follows the user and their interactions with data.

What are you trying to ultimately protect? Your data. You’re trying to prevent the exfiltration of your confidential business data, your trade secrets and intellectual property, your employee data, your customer data.

Today, all of this lives in your SaaS apps because SaaS is the system of record now.

And who’s closest to that data? Your users. To do their jobs, they’re interacting with all of this data every day: changing, updating, and sharing it continuously. Because of your users, your data is living, breathing, and constantly shifting.

The only way IT and security professionals can secure this “soft chewy center”—the critical assets at the core of the organization—is to secure whatever is closest to that data.

“By placing controls as close as possible to the data store and the data itself, you can create a more effective line of defense,” wrote Forrester analysts.

Similarly, focusing on securing the perimeter isn’t the best strategy against many external threats. “That’s because data-smart companies want to be able to safely give partners, suppliers, and customers access to their networks in order to increase business opportunities.

“As a result of this shift, security needs to rest with the data itself, not just at the network level. The move to the cloud elevates the need for data-level protection,” wrote Dark Reading.

To achieve this, IT and security professionals must follow the user and their interactions with this data. They must focus on the person who’s actually doing things with sensitive data (whether it’s accidental or malicious) and know what they’re doing.

It’s not sufficient to know that your users are authorized to use the apps. Identity-based security is a solid first step, but that’s only half the battle. You need to go beyond that. Next, you also need to know what’s happening inside the apps.

After a user is authenticated and starts using SaaS apps to do their jobs, what are they doing? According to our State of Insider Threats in the Digital Workplace 2019 report, 62% of IT professionals believe the biggest security threat comes from well-meaning but negligent users. Are they accidentally sharing files or calendars publicly? Are they forwarding confidential corporate email to a personal Gmail address without realizing the security implications? Are they sharing trade secrets with rival companies?

In today’s modern security landscape, the new perimeter is closest to the data assets you’re trying to protect, and that perimeter is the user. To stop the security threat where it starts, you must start with monitoring all user interaction activity.

If an employee decides to download thousands of highly confidential Dropbox files, or inadvertently makes a sensitive Slack file public, how would you know about it? You wouldn’t, unfortunately. When it comes to securing SaaS environments, IT and security teams are operating with blinders on. In fact, 75% of IT professionals believe the biggest security challenge lies in cloud storage/file sharing and email.

And that’s exactly why those real-life stories of data exposure and theft made the headlines. These incidents were not detected earlier because IT teams lack the tools to get visibility into these blind spots.

The security focus isn’t on the user and their interactions with SaaS applications right now—but it needs to be.

Many of those incidents likely could have been prevented if IT and security teams had better insight into their users’ interactions. If they had had the ability to receive alerts for massive confidential file downloads, or for public-facing files or groups, they would have at least known this was happening. If they had had the ability to automatically remediate them, they could have probably avoided it altogether.

Insider threats have always been about, well, insiders: the people within your organization. But in today’s SaaS-driven world, the threat from the insider—the user—is more real than ever. Collaboration and openness make SaaS beneficial, and by the same token, they also make it highly dangerous.

As workplace technology continues to evolve, so too must the security paradigm. It’s the users who wield control in these apps and interact with the data every day. The security focus, then, must shift accordingly to the user in today’s security landscape.


Why BetterCloud?

BetterCloud can fill that gap. Our platform protects your SaaS data by securing the new perimeter: user interactions. By using APIs, we provide much-needed visibility into blind spots, as well as the ability to remediate violations without sacrificing employee productivity.

But it’s not just the platform. BetterCloud’s teams, technology, and processes are also designed to help you secure this new perimeter. Through our SaaS expertise and strong commitment to security and privacy, we go above and beyond to protect your SaaS environment.

An API-based approach is the only way you can secure user interactions at scale

BetterCloud’s deep API connections enable IT to monitor user behavior, system configurations, and data activity across SaaS applications, and also remediate violations automatically. In fact, we ingest 1,500 data objects/second from core SaaS apps.

An API-based approach is critical because it’s the only way you can see this activity.

You Can Only Secure What You Can See

As the security adage goes, you can only secure what you can see. And what you can see in your infrastructure is determined by the technology (i.e., the security method) for each particular layer.

Endpoint & server level: At this level, agents can give you specific visibility into local activity on devices and servers. They provide control over things like device wiping, lockout time, and malware protection.

Network level: You can see network activity through packet inspection. Traffic is sent through third parties. This type of visibility lets you see where people are going and where traffic is flowing to/from.

Mobile device level: These solutions use APIs for mobile operating systems and let you see what’s happening on the device (e.g., configuration, firmware, password settings, which apps are installed, etc.).

Identity/access level: By using APIs for authentication protocols like SAML and OAuth, IDaaS vendors control access to various apps.

But as the world continues to shift to SaaS, how do you see the things that cause data exposure, like misconfigured settings and negligent user activity?

None of this can be seen at the device, network, or identity level.

In order to see (and secure) users and their interactions, you need to use the native APIs for your SaaS apps. Only then can you understand and visualize SaaS data objects. Only then can you govern and manage settings, entitlements, permissions, and configurations across apps. Only then can you monitor for policy violations and automatically remediate them.

“With SaaS, since most of the application hosting responsibility lies with the SaaS provider, the customer responsibilities for SaaS application data and identity security can only be accomplished with what the SaaS vendor exposes controls for—100% via APIs,” wrote IDC’s Frank Dickson.

In the same way that you had to be on an endpoint, on a server, in-line in the network, or on a device, you need to be in the application itself to provide this type of security.

That’s exactly what BetterCloud does. Our deep API integrations provide continuous monitoring and policy enforcement around configurations, settings, and user and administrator activity.

Benefits of the API-based approach

BetterCloud uses APIs—not proxies or agents—to secure SaaS applications. Here are several key benefits to an API-based approach:

Quick deployment

Proxy- and/or agent-based solutions often require implementation consultation and cumbersome setup. It can take several months for proxies to be configured and tested.

With BetterCloud’s API-based solution, deployment is simple and fast. Once you connect your existing SaaS application (like G Suite, Okta, or Office 365) to BetterCloud via an OAuth connection, BetterCloud will immediately begin syncing your data. Within minutes, you’ll be able to see insights and alerts for your domain. Workflow and alert configuration is also simple with our GUI.

No disruption to end users

Whereas proxy-based solutions can slow down network speeds and unintentionally lock users out, IT can safely test and implement BetterCloud without disrupting users’ work. Changes to firewall or network settings, or where you send traffic, are not required.

Striking the right balance between security and collaboration

Furthermore, BetterCloud secures user interactions in a way that strikes the right balance for each business.

It’s a common conundrum in the digital workplace right now: How do you balance IT’s needs for security and compliance with users’ desires for frictionless collaboration?

With limited control in existing tools today, you’re forced to make a painful tradeoff.

If you let users have easy access to absolutely everything, and give them unrestricted sharing capabilities, you’ll end up risking a security breach or compliance violations. On the other hand, if you lock everything down, you’ll end up hindering productivity (and likely encouraging shadow IT). Neither situation is ideal.

BetterCloud helps achieve the right balance. Our API-based platform gives IT the ability to create policies as strict or lenient as they need them to be. In contrast, proxy-based solutions simply block access to or quarantine sensitive documents, without providing the option to take corrective action. This type of “brute force” response is often too broad and heavy-handed. One IT professional we spoke to used this comparison: “With CASBs, we feel like we’re trying to kill a small bug with a sledgehammer.” With BetterCloud’s flexible and precise remediation steps, you no longer have to sacrifice security or employee productivity.


Our expertise in the SaaS management & security space is unique

Our 7+ years in the SaaS operations space have given us deep industry knowledge and comprehensive experience. Over 2,500 customers look to us as the SaaS management and security experts. They continually receive SaaS best practices and guided expertise from our:

Expert Advisory Group

Our professional services team is here to help with your implementation process. They share SaaS best practices—learned from years of experience, working with thousands of customers—to ensure your environment is completely secure. They can provide setup, training, and quality one-on-one consultation as you deploy BetterCloud to ensure success with your investment.


Customer support team

Our customer support team includes Okta Certified Professionals, Box Certified Professionals, and G Suite Certified Administrators. They provide world-class technical assistance (sometimes proactively, before you even submit a ticket).

In fact, they have a 100% customer satisfaction score and a less than 10-second average first response time on chat.


Customer success team

Our customer success team provides strategic guidance to maximize the value of our platform, ensuring success with BetterCloud and your team goals. Dedicated to customer satisfaction, they deliver personalized product trainings, business reviews, and strategic SaaS management and security guidance.

Community & content

We are passionate about building and sharing SaaS expertise through our community. Every year we bring together hundreds of IT professionals for Altitude, our customer summit, to define best practices for SaaS management and security. Additionally, thousands of modern IT professionals belong to our Slack community, BetterIT, where they can talk tech, ask questions, and learn from each other.

The same goes for our content. To provide guidance for IT professionals, we published a book featuring the first-ever SaaS management framework (reviewers on Amazon love it). Over 100,000 IT professionals subscribe to our expertly curated daily newsletter, the Monitor, to read the latest news on SaaS, IT, and tech. We also routinely publish research that explores the latest SaaS trends and challenges. Our research has been featured in CIO, The Wall Street Journal, Business Insider, Forbes, and more.

We ingrain security and privacy into everything we do

BetterCloud’s dedicated security team has only one responsibility, and that’s the security and privacy of our platform and our customers. Our security team performs engineering tests and educational campaigns to mitigate attacks and instill a culture of security.

BetterCloud is certified for a number of compliance standards and controls, and undergoes independent third-party audits to test for data safety, privacy, and security.

Our platform is built and hosted exclusively on Google Cloud Platform (GCP). This allows us to take advantage of Google’s world-class physical and infrastructure security. Our platform exclusively leverages single sign-on (SSO) technologies for authentication, meaning that we never create, give, or store passwords for our customers.

We’ve also taken steps to keep our application online and accessible at all times, as well as provide a relatively unusual level of transparency in an effort to assure our customers that our platform is designed and deployed with security in mind. Software development for our platform undergoes numerous reviews to ensure that security is embedded into every release—from ideation, to deployment into production, to ongoing operations—to make sure our platform is defended against attacks.

Read more about our security and compliance measures.


A new Zero Trust model for the digital workplace

By securing SaaS apps, BetterCloud also helps round out the new Zero Trust model in the digital workplace.

As discussed earlier, the traditional perimeter no longer exists. As a result, many organizations are turning to the Zero Trust model to combat lateral threat movement and secure their data.

The bedrock of Zero Trust is the principle of “never trust, always verify.”

To prevent data breaches, every service request must be properly authenticated, authorized, and encrypted end to end.

Zero Trust model for a digital workplace: device trust, user trust, app trust

This new Zero Trust model in the digital workplace needs API-based security at each layer.

Zero Trust in the digital workplace starts with “trusting” devices and endpoints. To do so, you’d turn to EMM agents for device/endpoint management (e.g., device access and tracking, data encryption enforcement, etc.).

Next, you have to “trust” your user—i.e., their access to their SaaS apps. To do this, you’d turn to IAM solutions to help with identity and access management.

But once your devices and users’ access are controlled, you have to round out the Zero Trust model by also securing your users’ interactions inside SaaS apps. After device trust and user trust comes app trust.

To manage and secure your users’ activity inside applications, you’d turn to a SaaS Operations Management tool like BetterCloud.


About BetterCloud

BetterCloud fundamentally changes the way you manage and secure mission-critical SaaS applications. As a pioneer in the SaaS Operations Management space, BetterCloud allows you to secure user interactions across your digital workplace.

Our journey here

BetterCloud was born out of a need to secure critical business data in the cloud.

We started in 2011 by focusing on the security and management challenges with Google. In 2016, we expanded to support additional mission-critical SaaS applications, including Slack, Dropbox, and Salesforce.

In 2019, we introduced the BetterCloud Platform APIs: the only platform to monitor user interactions and remediate policy violations across all of your cloud applications. This extends the capabilities of our existing platform to all of the applications that power your business and adds new capabilities for script creation, collaboration, and security.

In the last year, our platform monitored over 170 billion events, identified 550 million public files, and automated 2 billion actions—saving companies 67,000 hours of manual work.

Learn more about our journey here.

Securing user interactions

Using a custom alerts interface, BetterCloud listens for the events that signal a potential security threat or policy violation. When an alert is triggered, BetterCloud automates a sequence of administrator actions in the native application to remediate the policy violation, notify relevant teams and users, and secure your environment before anything can happen.

By centralizing mission-critical SaaS applications, BetterCloud is able to enrich the data from SaaS providers to present a complete view of your users, data, and applications across your environment. BetterCloud’s alerts then equip you to find the specific events in your environment that would normally go undetected, such as settings changes, administrators added, or suspicious user behavior.

Solutions

Customers leverage BetterCloud in a multitude of ways to secure their SaaS environments:

Automate onboarding and offboarding

Provisioning and deprovisioning users is just the tip of the SaaS iceberg. BetterCloud automates all of the granular actions necessary to fully onboard and offboard users and ensure corporate data is secure in the process.

Data protection

BetterCloud listens for any changes in application configurations, document settings, and privileged access, and immediately reverts potential threats with automated workflows.


Identify blind spots

BetterCloud listens for suspicious user interactions, such as mass file downloads, access to unauthorized applications, or multiple failed logins, and creates policies to automate IT and security’s response when these events occur.
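The alert-then-remediate flow described above, sketched as an added example (not BetterCloud's code or API): a sliding-window detector over constructed audit events. The event schema, thresholds, and action names are all hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: (ISO timestamp, user, event type, detail).
# The schema is hypothetical, not any SaaS vendor's real audit-log format.
EVENTS = (
    [(f"2021-03-01T09:0{i}:00", "alice", "file_download", f"doc{i}.pdf")
     for i in range(5)]                       # 5 downloads in 4 minutes
    + [(f"2021-03-01T09:0{m}:00", "bob", "login_failed", "")
       for m in (0, 1, 7)]                    # 3 failures, spread over 7 minutes
    + [(f"2021-03-01T09:1{m}:00", "dave", "login_failed", "")
       for m in (0, 1, 2)]                    # 3 failures in 2 minutes
    + [("2021-03-01T09:30:00", "carol", "share_public", "roadmap.docx")]
)

# Hypothetical policy: event type -> (threshold, window, remediation action).
RULES = {
    "file_download": (5, timedelta(minutes=10), "suspend_session_and_notify_security"),
    "login_failed": (3, timedelta(minutes=5), "force_password_reset"),
    "share_public": (1, timedelta(0), "revoke_public_link"),
}


def detect(events, rules=RULES):
    """Return (timestamp, user, event_type, action) each time a rule fires."""
    recent = defaultdict(deque)  # (user, event type) -> timestamps inside the window
    alerts = []
    for ts, user, etype, _detail in sorted(events, key=lambda e: e[0]):
        if etype not in rules:
            continue
        threshold, window, action = rules[etype]
        now = datetime.fromisoformat(ts)
        seen = recent[(user, etype)]
        seen.append(now)
        # Drop events that have aged out of this rule's window.
        while now - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            alerts.append((ts, user, etype, action))
            seen.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Bob's three failed logins never trigger the rule because they do not fall inside one five-minute window, which is the kind of threshold tuning that keeps such a policy from locking out ordinary users.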

If you’d like to learn more about how BetterCloud can help secure user interactions and elevate your digital workplace, request a demo here.

  • © Copyright 2021 BetterCloud, Inc. All rights reserved. Various trademarks held by their respective owners.