Back to the blog

Does blocking access force SaaS into the shadows?

While blocking may make you feel more secure, the truth is that it’s likely incentivizing more risky behaviors.

When I demo Nudge Security for technology leaders, they’re often taken aback by just how much SaaS visibility the product is able to provide with one simple integration: all of the SaaS applications ever used across an organization, user accounts (including who the first user was), authentication methods, SaaS-to-SaaS permissions granted, resources and billing information, and even SaaS security events. 

After they get over the initial shock of just how fast and easy it can be to surface all of their shadow IT, the conversation sometimes goes like this:

Them: 

“Wow, so, uh…can I block all of this stuff?”

Me:

🤦‍♀️ 

I mean, yes of course, you could use this incredible SaaS inventory to revoke and block access to every unsanctioned SaaS application you find. But, should you? As the great 20th-century chaotician Dr. Ian Malcolm once said, “your scientists were so preoccupied with whether or not they could that they didn’t stop to think if they should.”

For the past 20 years, we’ve used perimeter-based security technologies like firewalls, proxies, and CASBs to block “the bad internet” and yet, we have more shadow IT than ever. It begs the question, is blocking access to unsanctioned SaaS still an effective way to curb shadow IT? Was it ever really effective?

The power of security nudges

We studied the above question in earnest, consulting some very smart psychologists from Duke University to design and conduct research on human behavior vs. cybersecurity controls. In our experiment, when we blocked SaaS access, 67% of participants said they would look for a workaround. Such workarounds often involve using unsecured networks and personal devices or credentials, driving corporate data deeper into the shadows. In contrast, when we allowed access to unsanctioned SaaS and followed up with a nudge requesting more info about the SaaS usage, we saw compliance rates more than double.

As it turns out, nudging may be more effective at driving desired SaaS security outcomes than blocking. And yet, we still see newer SaaS security startups continue to make the same “lock and block” mistakes of the past 20 years. Other SaaS security providers would have you believe that you can secure your entire SaaS estate and eliminate shadow IT with just a small group of security experts automating policy rules behind the scenes. You can’t. And at Nudge Security, we’re certainly not on a mission to re-create the firewall.

Now, that’s not to suggest that you can just open the floodgates of SaaS and walk away. I’ll concede that, in some cases, being able to automatically shut down unsanctioned SaaS access makes sense. For example, say a remote worker connects your GitHub account to a free, sketchy-looking SaaS tool hosted in a country that raises the eyebrows (or blood pressure) of the CISO. In this case, being able to detect that tool and quickly revoke access is a good thing.

But somewhere along the way, the notion of “the bad internet” morphed from truly malicious and grossly unsecure websites to its current state of “any SaaS application used without prior knowledge and approval from the IT security organization.” I recently listened to a CISO describe (with bravado) how he blocked Google on the corporate network just to tease out all of the unsanctioned Google Drive users, as if he were flushing rats out of a burrow. 

A unique SaaS security challenge for CISOs

The reality is that today the vast majority of unsanctioned SaaS use is for legitimate work purposes, whether it’s the employee rewards app rolled out by your local HR team in Germany, the data visualization tool a product manager just connected to your CRM, or the free version of the learning management system your sales enablement team is evaluating. All of these technologies can help move the business forward. Should all be put on hold, accounts destroyed, and wrists slapped just because employees failed to jump through the right hoops and wait two to four weeks to receive an official blessing from a centralized IT security governance team?

Ultimately, CISOs have found themselves between a rock and hard place. On one hand, the old (and now reinvented) approach of blocking and revoking access is difficult to maintain in today’s environment, and may actually lead to more shadow IT. On the other hand, CISOs can’t afford to ignore shadow IT, as they’re still ultimately responsible for securing the entire SaaS estate, managed and unmanaged, which faces mounting threats like social engineering and SaaS supply chain attacks.

In building Nudge Security, our goal has been to help CISOs walk this fine line—to enable employees to adopt the SaaS tools they need, when they need them, while also providing the visibility, context, and oversight that IT, security, and compliance teams need. We realized that the best opportunity to address shadow IT and SaaS sprawl at scale is to engage the same people creating it: your employees. We reimagined SaaS security and access governance, aligning it to how modern workers actually adopt and use SaaS technology. Using automation and a bit of psychology, Nudge Security helps workers to adopt and use SaaS securely and in compliance with organizational policies, without manual intervention from the IT or security team.

How Nudge Security helps

As employees introduce SaaS into your organization (from any location, network, or device), Nudge Security discovers it, classifies it, and contextualizes it with our own security insights, SaaS supply chain mapping, and risk scoring. This SaaS asset discovery and inventory is used to trigger automated response actions. (We call these playbooks.) But, instead of the response simply being the blunt hammer of “always block,” our response actions include automated employee outreach (nudges) that are more productive and more friendly: 

  • “Hey, looks like you just created a Dropbox account. We prefer Google Drive. Can you please use that instead?”
  • “You just created a Figma account. Can you let us know how you plan to use this and what types of data you’ll add to it?
  • “You just started using Hubspot. Help protect our organization by enabling multi-factor authentication.”
  • “Do you still need access to this Github account? Please respond as part of our regular SOC 2 access review.”

At face value, these are pretty simple, lightweight requests, delivered with specific context rather than generalized reminders during annual security awareness training. At scale, they can significantly bolster your SaaS security posture and save weeks (months!) of manual effort on the part of the central IT and security teams. And if you’re skeptical that your workers won’t respond, well, let me remind you of our research results: security nudges showed an 83% compliance rate compared to a 32% compliance rate for blocking access.

At risk of using way too many epic movie references in one post, I’ll summarize things this way. The new generation of emerging SaaS security solutions is kind of like “the Force.” You can use it for good, or you can use it for evil. You can use SaaS asset discovery to nudge employees toward better security decisions and behaviors (i.e. these are not the SaaS you’re looking for) or you can use it to strong-arm your employees into submission with an imperial death grip approach to SaaS security (i.e. I find your lack of compliance disturbing). 

May the force…well, you get the idea.

Related posts

Report

Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

Text link

Bold text

Emphasis

Superscript

Subscript