How SaaS discovery is useful in a merger or acquisition

Five ways Nudge Security's patented SaaS discovery can help you gain the visibility you need, secure your newly expanded SaaS estate, and plan for the future.

If you have been through a corporate merger or acquisition, you know that things can get… messy. Just like moving in with a new partner, the two entities need to figure out what they each have, what they actually need, and who’s going to do what in the new combined household, and then adjust to new routines. This is especially true when it comes to combining tech stacks in today’s SaaS-fueled organizations, where just answering the first question of “What do we actually have?” is extremely challenging.

Here are five ways Nudge Security can help you gain the visibility you need, secure your newly expanded SaaS estate, and plan for the future.

1. Build an accurate SaaS inventory.

If either organization has a SaaS inventory, it’s likely to be in spreadsheet form and out of date given the dynamic nature of SaaS adoption. Instead of slogging through spreadsheet purgatory for the next 3 months to update and combine the inventories, you can very quickly gain a full (and continuously updated) inventory for both organizations with Nudge Security.

Not only will you see which apps are in use across your newly combined workforce, you’ll also have important context at your fingertips to help you understand how important or entrenched each app is, quickly answering questions like:

  • When was it first introduced (and by whom)?
  • What type of app is it (project management, AI, dev tools, etc.)?
  • How many people have accounts?
  • When was the most recent user added?
  • Is it managed via SSO or IdP?
  • Who is the technical owner?

With this visibility, you can now identify business-critical applications and start creating a roadmap for tech stack rationalization.

2. Mitigate risks from unmanaged cloud accounts.

For modern organizations, the majority of intellectual property, sensitive data, and core business processes reside in cloud service provider environments like AWS, Azure, GCP, or similar cloud platforms. These resources are particularly hard to keep track of given the ease with which new cloud assets can be created for test environments, proofs of concept, and other experimental work. Mergers are a dynamic time and will likely result in shuffling of teams and responsibilities, increasing the risk of orphaned or forgotten cloud accounts while priorities and resources are shifted.

As part of its SaaS discovery, Nudge Security discovers cloud accounts that form the backbone of the modern tech stack. In the inventory produced by Nudge Security, you’ll also collect important details and events related to cloud environments:

  • Root user and user accounts created, including account aliases and account numbers
  • Billing data to help gather the full picture of cloud spend
  • Cloud services and regions
  • Usage and security alerts and more

With this data, your newly merged entity can ensure that all cloud assets are enrolled in central cloud governance organizations and properly secured, and avoid paying for accounts that are no longer needed.

3. Identify cost savings opportunities.

The typical goal of a merger or acquisition is to benefit from economies of scale in order to deliver products and services more efficiently. The newly combined SaaS estate is likely a key area where efficiencies can be gained by identifying applications where the organization now qualifies for more advantageous pricing and consolidating apps with redundant or overlapping capabilities.

Nudge Security can help with both of these scenarios, along with other cost-saving measures like identifying and reallocating inactive accounts and providing employees with a directory of approved apps to choose from so they don’t “go rogue” and add licenses for duplicative tools.

Read more about 5 ways Nudge Security helps you save money.

4. Manage employee transitions securely and efficiently.

As the new organization takes shape, employees are likely to see changes in roles and responsibilities, they may exit the organization, and new roles may need to be created to help manage the transition. It’s critical that employee access to SaaS applications is updated along with these changes to keep the organization secure and running smoothly. Nudge Security includes several capabilities to help manage these transitions effectively.

Automate employee offboarding.

Nudge Security provides a step-by-step guide and automates critical steps of employee offboarding, including commonly overlooked steps like revoking OAuth grants, resetting passwords for unmanaged accounts, and transitioning ownership of critical resources. Learn more about how we can help you automate IT offboarding.

Update technical owners.

Given that 90% of SaaS applications are introduced outside of the IT team, there’s a good chance that the person who can actually add and remove users and adjust permissions sits outside of the IT team. Application ownership is also likely to change as roles and responsibilities change. Nudge Security includes a built-in workflow that “nudges” application owners to confirm whether they are still the right contact, or to provide the new owner if responsibilities have changed. Instead of a flurry of Slack and email messages to figure out who owns what, you can automate it through Nudge Security, and always know who the right person is to contact for which SaaS app.

Streamline application access requests.

In many organizations, employees have no way of knowing which tools are approved for use, and which are not, which contributes to SaaS sprawl. Nudge Security makes it easy to create and share an app directory with employees, so everyone in the org can view a comprehensive list of approved applications and request access. Access requests are routed directly to each application's technical owner, whether or not that person sits within IT, removing the need for IT to be the "event forwarder" between users and app owners, while still retaining visibility and centralized governance.

5. Improve security vigilance.

Attackers know that mergers and acquisitions can create opportunities to use social engineering tactics to gain access to systems and sensitive information. Nudge Security helps you monitor for these types of exploits so you can react quickly to limit the potential damage.

Manage OAuth risks.

Today, any employee has the power at their fingertips to string together multiple SaaS applications and data using no-code / low-code integrations leveraging OAuth grants. This creates a complex mesh of SaaS applications that attackers are taking advantage of to move laterally across the SaaS supply chain. 

Even under “normal” operating conditions, it’s hard for security teams to properly assess and mitigate the risks posed by OAuth grants. In the midst of a merger, where disparate systems are brought together, it could become downright impossible to do this manually.

Our tutorial provides an overview of key steps for analyzing OAuth grants and assessing potential risks, along with an overview of how Nudge Security provides the context you need to simplify this process.

Get alerted immediately of SaaS breaches.

When your CEO asks, “Are we using that SaaS app that was just breached?” you want to be able to answer quickly and confidently. (And ideally, you will have already notified end users, reset passwords, and taken other actions in response.) However, when you are trying to get your arms around a newly consolidated tech stack, this is not a simple question.

This is where Nudge Security really shines. When a SaaS application used in your organization suffers a breach, Nudge Security will immediately notify you so you can take appropriate actions in response. And, you’ll have the full list of users at your fingertips, so you don’t have to resort to Slack or email threads to track down all impacted users.

Additionally, Nudge Security will notify you of 4th party breaches: those impacting SaaS providers used by your SaaS providers. Recent high-profile breaches at CircleCI, Okta, and Slack reflect a growing trend in attackers targeting enterprise SaaS tools with the goal of infiltrating their customers. So, even if you don’t directly use the application that was breached, you could still be in the blast radius of an attack.

Nudge Security is the only SaaS security solution that can notify you of 4th party breaches so you can reach out to your SaaS providers and ensure they have taken appropriate steps to mitigate ripple effects.

Identify anomalous activity and compromised credentials.

Social engineering tactics often result in compromised credentials, meaning attackers can simply log in using an employee’s account. 

"The bad guys don't break in, they log in." —Steve Zalewski (watch Overshadowed Episode 9)

Nudge Security helps defend against these threats by detecting events that can indicate an account takeover attack, including widely resetting passwords, locking accounts, or disabling MFA. Additionally, Nudge Security can alert you when credentials associated with your users are exposed in a third-party data breach so you can take proactive steps to ensure passwords are reset and other mitigating actions are taken. 

Take the next step.

Our mission at Nudge Security is to help IT and security professionals everywhere regain control over SaaS security and governance. When you’re in the midst of consolidating your tech stack after a merger or acquisition, this is more challenging than ever. But we’ve got good news for you. When you start a free trial of Nudge Security, you’ll get a full inventory of all SaaS accounts ever created by anyone in either organization, within minutes of starting the trial. No agents, browser plug-ins, network proxies, or waiting to gather data. Start your free trial now.
