Innovation Sandbox finalist and Valence Security Founder Yoni Shohet discuss the new SaaS-to-Saas attack surface produced by the proliferation of shadow integrations between SaaS apps. Today users are typically SaaS admins and often okay SaaS App requests to access other apps like their Calendar, Email, or SalesForce.
Yoni explains how automation tools for non-developers are expanding the problem, with no-code orchestration, ChatGPT, and Generative AI-producing integration apps, not to mention the explosion of developers and CI/CD pipelines.
Yoni explains the magnitude of the problem with so many exposed APIs, allowing common SaaS apps, identity providers (IDP), and shadow connections in your SaaS software supply chain. Valence Security’s approach to mapping the SaaS-to-SaaS mesh is discussed as well as their brand of remediation which includes an education step for the user.
Yoni Shohet can be found on LinkedIn.com/in/yonishohet or Twitter @yonishohet.
Valence Security can be found at Valencesecurity.com on LinkedIn.com/company/valence-security or on Twitter @Valencesecurity.
Send feedback to host Paul Shomo on Twitter @ShomoBits or connect on LinkedIn.com/in/paulshomo.
Innovation Sandbox finalist and Valence Security Founder Yoni Shohet discuss the new SaaS-to-Saas attack surface produced by the proliferation of shadow integrations between SaaS apps. Today users are typically SaaS admins and often okay SaaS App requests to access other apps like their Calendar, Email, or SalesForce.
Yoni explains how automation tools for non-developers are expanding the problem, with no-code orchestration, ChatGPT, and Generative AI-producing integration apps, not to mention the explosion of developers and CI/CD pipelines.
Yoni explains the magnitude of the problem with so many exposed APIs, allowing common SaaS apps, identity providers (IDP), and shadow connections in your SaaS software supply chain. Valence Security’s approach to mapping the SaaS-to-SaaS mesh is discussed as well as their brand of remediation which includes an education step for the user.
Yoni Shohet can be found on LinkedIn.com/in/yonishohet or Twitter @yonishohet.
Valence Security can be found at Valencesecurity.com on LinkedIn.com/company/valence-security or on Twitter @Valencesecurity.
Send feedback to host Paul Shomo on Twitter @ShomoBits or connect on LinkedIn.com/in/paulshomo.
And today in the modern decentralized IP model, where every business user is adopting and managing their best of breed SaaS, IT and security don't really have the full control and visibility into all the changes that are made within these applications. So for example, business users can start creating different configurations in their own applications, like I'm a salesperson, I connect gong to my Salesforce and granted access to read all my opportunity data in order to help optimize my sales processes. Or maybe I connect a Calendly to my mailbox, whether it's Office 365 or Google Workspace to help schedule a calendar event. Or if I'm a developer, I can plug in a new GitHub integration to optimize the CSV process. Eventually, this creates a lot of interconnectivity between my core SaaS applications and more shadow and third party vendors that are not precisely to approved vendors that the organization has decided to do business with. The genealogy of cybersecurity is a new kind of podcast. Here we'll interview notable entrepreneurs, startup advising cisos, venture capitalists, and more. Our topic, the problems of cybersecurity, new attack surfaces, and innovation across the startup world. Welcome. I'm your cybersecurity analyst, Paul shomo. My name is yoni. I'm one of the cofounders and the CEO of valence. I started focused on helping organizations secure their self applications from a various risks such as third party integrations except the data shares and others. By helping you identify misconfigurations within course of applications and then applying based on that, automated remediation that helps to collaborate with the business users to reduce risks associated with self applications over time. Yeah. And you've been in cybersecurity for a long time yourself though, correct? Yeah. So Varus is my second cybersecurity startup before I started a company called the SCADA fence focused on industrial IoT cybersecurity. And beforehand, they served for several years and this morning intelligence forces in various cyber related positions during the military service and so then for the last couple of decades in the cybersecurity world yeah. Well, congratulations on making innovation sandbox. Congrats. Thank you very much. Appreciate it. So I really want to I want to really want to bring the audience in to understand the big picture of how your problem sits and how important it is. So let's say we picture a Fortune 500 company. Now they have their own cloud infrastructure. It's their cloud infrastructure is likely sitting in Google, AWS, Azure, but they have hundreds of SaaS applications. And if it's a Fortune 500, sometimes I've heard even thousands. There's a lot of SaaS applications, right? And in the past, the past few years coming through competitions like innovation sandbox, we've seen products that just add like a light level of protection, like the posture management. Directly on these SaaS apps. But when I look at your materials and your website, it looks like you're saying that there's a large mesh of control points or leakage points between these SaaS apps. Could you kind of describe what you're being calling the shadow SaaS assess integrations problem? Yeah, definitely. So I think if we think about that option of staff, so each business within the organization, IT, HR, finance, sales, marketing, development, Intel, their own group of SaaS applications. Developers have GitHub, IT, have okta, sales have Salesforce, marketing has a HubSpot, the HR has the workday and it goes on and goes on. For each one of these applications, we have the business users that are leveraging these apps. And today in the modern decentralized IT model, where every business user is adopting and managing their best of breed SaaS, IP and security don't really have the full control and visibility into all the changes that are made within these applications. So for example, business users can start creating different configurations in their own self applications like a salesperson, I connect gong to my Salesforce and granted access to read all my opportunity data in order to help optimize my sales processes. Or maybe I connect a Calendly to my mailbox, whether it's Office 365 or Google Workspace to help schedule a calendar events. Or if I'm a developer, I can plug in a new GitHub integration to help optimize the CSD process. Eventually, this creates a lot of interconnectivity between my core SaaS applications and more shadow and third party vendors that are not precisely to approved vendors that the organization has decided to do business with. And also this could potentially provide very high privilege access and what we use to consider in the path of administrative access to our core data privileges and course applications. And if we imagine how this builds up within these large organizations and their environments, so we have a network of interconnectivity between these types of applications, what's connecting them are either APIs or product integrations and this type of direct interconnectivity, what the industry calls are they more south or south. Top of that, we have some data shares, right? I can share my GitHub repository to the public. I can share a file to on OneDrive SharePoint, Google Drive and others. I can also create new external collaborators, right? I can invite third party vendors to have identities within myself applications. Eventually, there are a lot of risk services that can increase and expose the organization to external third party vendors through the usage of utilization of the built in native controls of these applications that are intended to help increase productivity, but could also, of course, increase the risk and opportunity for attackers to perform unauthorized access. So say someone has some of the older posture management products, things like that. They have some level of visibility into some of the SaaS applications, obviously. But do they have a point of visibility or control in the this lateral SaaS? Flow of data, this lateral status as SaaS integration space that you're trying to talk about? Yeah. So I think if you look at the evolution of a fast security, the main security solutions that existed in the industry are Caspian, power access security brokers, or identity providers. They're mostly focused on how human users gain access to these SaaS applications. The past has evolved to become from very small and similar applications to more platforms that have complexity built into them. So there are a lot of opportunities for misconfigurations within these platforms. And what most of these or legacy or users to access control solutions like Caspian and identity providers focus on how humans gain access to these applications, they don't focus on what these health applications are configured to perform, and what third party vendors have access to them, and what activities of users perform within these complex platforms to eventually expose our data and a critical information to the outside world. So for example, one of the most famous breaches that we saw with the past couple of years are packs that were focused on GitHub repositories, where what the attackers did is they breached or organizations like Heroku and traverse the iron circle CI, which are very legitimate vendors that most organizations in the world would trust with access to their code repositories. They bring these organizations, they stole their OAuth tokens and API keys, and they leveraged them in order to gain unauthorized access to GitHub repositories of GitHub customers. So without going through the legitimate access to these course applications, they were able to get direct access to a sensitive data leveraging the fact that you can't really put an MSA or a strong authentication on access token or a non human access to these core SaaS applications. So this SaaS assess the shadow connections, these integrations you're talking about. You already mentioned some data that's going through here. So there's code potentially, there's identity information like, what is the typical I mean, are there customer details that are being leaked between or transverse between SaaS applications like from a big picture if I'm worried about if I'm thinking of a data security and trying to map that to my protection detection response, what kind of data are we talking about here? It can be everything. Everything is done there in sales, right? It can be information from our Salesforce tenant. So all the customer and business information can be source code from GitHub repositories. It can be business related information about the latest transactions that are being made from our email clients. We see today that a lot of users just install their own email clients on their computers, grant them access because it's more convenient for them to use these email clients. And basically grant the third party vendor to have access to read and write all their mailbox. So this grants a lot of hypervigilance access to third party vendors that can leverage that to perform very important and to important tasks and to increase productivity, but on the other hand, of course, can also increase the chances of a potential breach and to increase the dependency on our ecosystem of third party vendors. Yeah. Application security has supposedly come along a good bit. There's a lot of there's been the shift left of the code. How safe do you feel like if you were to just as a commentary point of view, the typical SaaS applications, the SaaS vendors that are being used by the enterprise? Are they relatively secure? Are they doing ridiculous things leaking data? What's the state of that at this time? Yeah. So it's always hard to say. Eventually, everybody gets to even GitHub reach directly LastPass was preached over the past couple of last year a few times. We're seeing major vendors getting hacked. I think regardless of how strong our application security posture will be, it tackles will find ways to gain access to a critical information by our vendors and our ecosystem. The most major, the largest breach that we sell over the past couple of years was probably the solar wind campaign. And then from there, there were multiple cases where these breaches occurred and we saw the tacos realize that we're only as weak as our weakest link. And it's easy enough to find somebody that we trust that we shouldn't trust or that we trust that we should trust, but eventually they made some kind of a mistake, and it becomes really what we call this mesh of effect that they can influence anybody within that network. So in the cloud, everything, these SaaS applications, pretty much everything is distributed to build with microservices that are talking to each other. Even authorization, now we have identity as a service, reaching across a lot of assets. And we talk about a control plane or an identity plane. And it sounds linear. It sounds flat, but I listen to you talk. It sounds like it's more like a complicated mesh with a lot of lateral connections in like a maze, almost like, could you kind of describe that flow of identity and why that's an issue? Yes. I think today in the modern world, we want to automate as much as possible when we think of it as much as possible. And as such we're starting to identify what are the day to today manual tasks that students have to perform and to try to find automation that we can put in place that will help scale these processes. So what we see today is that when organizations try to leverage things like no code low code, or Zapier, and Microsoft power platform, it really helps to scale the business to define this as a manual task that we don't want to do again. So we can programmatically define how that looks like. And they set and forget it using tools in the cloud that have high privilege access across the organization. So in the IT context, maybe that is a user offboarding. Identify that the user is no longer in the HR system, I automatically provision it from my IDP. But to do that, the platform that does that integration or connection needs to read all the users in HR and to be able to add and remove users in my IDP. So there are a lot of small business aspects that today are required to move and shift towards tasks and towards automation and towards the digital world. And as such, we're starting to see more and more of these use cases that organizations are utilizing to improve their internal processes, but also to create more of this leak or connection of identities and data sources across the board between all these critical points because it's not where it's not that we have everything centrally managed within one half application, but we need all these different points to be connected and work together. And whether it's a human taking data from one place to another or it's an API call that is doing a programmatic automatically, it doesn't really matter at this point. So you mentioned a few things. IDP mentioned, okay, so you have identity providers, you have software developers, now the rise of DevOps, everyone's becoming a software developer, they're building things out of GitHub. So you have a lot of in your customers, people building connections, maybe they're coding their DevOps, you have people sharing. So is this is this also getting worse because with the cloud and the digital transformation, everyone's more technical. Like the typical employee is like doing things to the IT infrastructure that we never saw in the past. Is that kind of part of the problem? Yeah, definitely. I think IT is being decentralized. I don't think IT can block and deny users from adopting their best to bring technologies. I also don't think they should because it blocks the innovation and everybody wants to be enabled. Nobody wants to block I think what one of the challenges that we help address with our platform and valence is that we recognize that it went through an entire decentralization process, but security teams are still managed in central way, right? They're still centrally managing everything from a viewpoint of government. Governance viewpoint. And what we hope security teams do is decentralize those sort of recommendation process, right? Because if the user in the marketing department is in charge of stalling and deploying their best marketing tool, it only makes sense that they will have the best context to help secure these platforms. But you need to work with them and you need to make sure that they're involved. They understand the risk that they can help influence that risk, a remediation process. Because you can't just tell them, no, you can't use it or just decide for them. You have to ask them before you do encounter because otherwise you can break business critical processes. And you need to also explain to them that there's a collaboration element here that can really help remediate these risks. I can imagine talking to your centralization cybersecurity being centralized still and the cloud obviously being decentralized. I can imagine some of your customers before they get a product like yours. They have to secure a tax surface that's hundreds of SaaS applications. That's got to be overwhelming considering the amount of configurations and misconfigurations, even a single SaaS application, let alone the hundreds that they really need to secure. So in most cases, they don't even know what SaaS applications they have. In this case, they know what is managed by identity provider or what are the kind of core software applications? Once they start leveraging our platform, they sort of discover, oh, I didn't know we're using that. Oh, I didn't know it wasn't that. I didn't know this is connected here. And it's not only what they're using, but interestingly enough, we also find a lot of film, PLCs, legacy solutions. Nobody needs anymore. Which is interesting because if you imagine how an evaluation process looks like, you test, let's say, three, four vendors, you can't them all access because you want to see how they're performing. You choose one, and you work with it. The vast majority of companies in the world never go and off board these unnecessary vendors, right? Which is common practice if I a user quits or terminate or terminate a user, we go and remove all their access to our tenants or to our applications. But when we stop working with a vendor, most teams in the world go and awkward and send it, especially if the organization or the department that is onboarding the vendor is the business unit rather than the security. Security is not always 100% with that. In many cases, they also have issues with their field off boarding of vendors. Yeah. That's an interesting problem that I know people are thinking about. So you're obviously securing SaaS applications. You're securing configurations, and there's been there's been product solution categories that have done that before. How much of your product is really focusing on the communications or the integrations, the shadow connections between SaaS apps and how much is just I'm going to secure give you secure lockdown configurations of least privileges and some control and visibility across the major touch points of SaaS applications. So how different are you really from, say, you know, some of the more mature posture management products? Yeah. So the difference between what we're doing and what the more password management solutions are doing. So we have also posture management capabilities built into the platform. So we look at best practices, security configurations, how do you enable the right to toggles within your SaaS platform to improve its security? But the main difference is that we go beyond that. Because of the types of problems that we solve, like file share, externally on Google Drive, OneDrive, or SharePoint, or third party integrations, OAuth connected applications, and third party apps. I managed identities and other issues that are more tied, not only to the administrative changes, which is typically what a posture management solutions do, but also related to the business users. They make the main difference that we have compared to other vendors in the space, is the ability to help solve the problems. I think again and again, we've heard from security teams that they want to go beyond visibility. Just seeing a problem is not enough that they want to be able to remediate and solve these risks. And our ability to help facilitate that remediation process that could be automated or it can be automatic. It can be at any scale of automation that the organization wants is a game changer in terms of the ability to say, okay, I don't really see the problem, but now I have not only an increase in graph or risk, but I see also increasing graphs of discrimination because of the effectiveness of the security program that they implement. Sure. Are you more on the detection response site where you're bringing back information at some points of visibility about what's happening? Are you more on the protection you know? Let's automate protection lock things downside. Are you bringing back data about what the SaaS applications are doing and storing it like a data Lake, or is it more just that front making sure that frontline protection is in place? Yeah. So it's a little bit of both. So we store a lot of the configurations of activity logs, which allow the security to use to visualize and understand what's going on. And what was going on can be, hey, you have a security configuration here that could lead to a bridge or, hey, you had this activity here that indicates you may have been breached. So we go both before and after the actual breach has occurred. Okay. Makes sense. I mean, I imagine right now, so obviously you know, it was both referenced. There are products that kind of have attempted to lock down configurations of SaaS. But in terms of a visibility point to see these lateral SaaS shadow connections, I'd imagine most of your customers just have zero visibility there at all. Is that accurate? Pretty much, yeah. Yeah. And then so in order for you to do your product to do its job and develop it, you have to have across these SaaS applications a pretty robust set of interoperability and APIs that give you the proper visibility and control. Is that relatively mature? Is that what ends up being the end goal of pushing the cybersecurity mesh architecture is in practice that the consequence of that that they're providing you all the APIs you need to do what you do? I'm kind of asking you to explain cyber mesh because people are so terrible at explaining it. Yes, I think there are a lot of dishes today the different teams are pushing, we're calling problems, some of the problems that we're solving more SaaS mesh in the garden, I think is referring to the cyber mesh more of the fact that there are so many different security tools that I would need to connect to each other to provide the full picture, right? And I think there are a lot of security tools that we need to work together to be effective, but we're seeing in practices that once you need to jump between different tools and to create a workflow, in many cases, you can create very simple and straightforward use cases. But once you want to go through those complex workflows and to be, for example, we secure dozens of SaaS applications, right? So for each one of these specifications, there's specific workflows to help remediate risks within now for third party vendors to start to look and say, okay, I take data from a posture management tool and then I collect it to a store or connected to here and create these types of complex test and that these workflows tend to break. And you can cover basic and straightforward type of use cases there, which are great and they're important. But it creates a glass ceiling in terms of its ability to be efficient over time. So I think there's still a lot of room for standardization and common ground to enable this to be more scalable in terms of really effective range. And we haven't mentioned you have. I haven't mentioned the buzzword supply chain security, which is obviously a big deal. And it includes a lot of things, includes code security you know. There's so many components to it, but the third party integration between SaaS. This is kind of a new I haven't seen someone focus on this. You have to be one of the first to focus on that aspect of supply chain security, correct? Yeah, definitely. So not many companies focus on it. We actually started away from supply chain as part of our messaging because I think it confused too many people with software supply chain. I think they own the term supply chain and we can't really use it. But definitely, this is modern supply chain. We connect together different SaaS applications that we buy rather than options that we build. And it's very similar to dependencies and code just with complete end to end software that we don't manage. Good stuff. Thank you for coming on. So how can people find you on the web? Yeah, so LinkedIn is probably the best way. Why when I SHO, HET, Amazon Twitter, they lived in probably the best way. And your company's securities website is valence security dot com. They live in security dot com. Yeah, VALENCE security dot com. Great.