Hi SME (Small and Medium Enterprise) folks. You are front of mind for us here at YeshID.
We have some questions for you: Do you know which applications your employees use at work? Is it a top priority for you to know the answer?
Because we think you should care (surprise!). And here’s why:
Why visibility matters
Knowing your application footprint is important for three reasons: managing costs, passing compliance, and implementing baseline security hygiene.
When you are an SME, costs matter. A lot. Visibility lets you answer: “why are we paying for three different <insert cloud app category name here> tools?.” That’s a great opener for a discussion on cost management.
Compliance is a sneaky and expensive requirement. If you do business online, you’ll want to be insured against <name your online risk> so you’re going to need Cybersecurity Insurance. And you will have to answer questions like “Do you use 2-Factor authentication to secure all cloud provider services that you utilize” with the correct (and honest) answer, “Yes.” To do that, it is kind of important to know what your cloud provider services are.
Finally, from a security perspective, among more than 20,000 security incidents and 5,212 confirmed data breaches in the 2022 Verizon Breach Data Report, stolen credentials accounted for nearly 50% of attacks. They attribute more than 80% of successful web application attacks to stolen credentials.
If you don’t know how and WHERE an employee’s corporate identity is being used more-or-less in real-time, and if their identity is stolen you won’t find out until Bad Things™ happen. If you have continuous, real-time visibility you can have better control. Which means you reduce your likelihood of damage from a breach. Which is a Good Thing™.
Why visibility is hard
“Visibility is hard” is a side-effect of vendors making cloud applications easy to access.
When we talked to people at SMEs and we asked: Do you know all the applications people in your company use? We usually get answers like: “I think we have a spreadsheet somewhere,” or “I think finance knows,” or “Kinda, but it’s in my head.” Sometimes we hear, “We don’t know.” Rarely do we hear “We know.”
Which makes sense. Since the early 2000s, when web-based applications started to boom, they made it easy to sign up. With free trials, in-product Master Service Agreements (MSAs), and online payments, any employee with a credit card and a pulse can get a helpful application with a few clicks. IT folks dubbed this “Shadow IT” because users were buying IT applications in the shadows where the IT people couldn’t see.
IT knows the applications that are part of the corporate portfolio of approved apps. Finance has information somewhere about what applications the company is being billed for. This, of course, assumes that web applications cost money. If they are free – there isn’t a record from finance–and yet the apps have the ability to access corporate data. And if a user has signed up with a password and not an IDP, there is no record of registration except the “Welcome email”–until it’s deleted.
So how can I get better visibility?
If you’re a large company you might lock down your domain so people can’t sign up for new services without IT knowing, and pay money for a SaaS discovery tool to make sure you’ve got everything. That’s OK if your company is compliance-driven.
But if you’re an SME then you’re probably looking for a more balanced approach that allows you to move fast with confidence. You don’t want to lock down, slow down, or pay for unnecessary tools. Rules can be more relaxed–until compliance makes you tighten them. You might have some areas of your business that need stricter policies than others.
Visibility, without slowing down is one of the problems that YeshID is working on. We want to make it easy and cost-effective to have both visibility and security no matter what size your company.
While you’re waiting for our solution, here are some things you can do gain visibility without busting your budget:
- You can use your Google or MSFT admin console to see what OAUTH or SAML grants have been given to what applications.
- You can import the data into a spreadsheet so that you can more easily track and manipulate it.
- You can talk regularly with the finance team (or different department leaders) to find out what departments are signing up for which applications.
- You can ask people to periodically self-report whenever they sign up for a new application.
If you want to learn more about YeshID or chat with us about Identity & Access Management, please reach out to us and subscribe to our mailing list!