How to de-risk your critical identity infrastructure with Nudge Security’s new SSPM capabilities

Earlier today, we announced the launch of new SaaS security posture management (SSPM) capabilities available to all Nudge Security customers and trial users as part of our complete SaaS security and governance solution. Our new SSPM capabilities for Google Workspace and Microsoft 365 continually monitor your identity infrastructure for critical misconfigurations and risks related to users, groups, and integrations.

‍

In this post, we’ll explain how you can use Nudge Security to find and fix such issues to help strengthen your SaaS security posture.

‍

And, you can join us on September 19th for a live demo.

‍

What is SaaS security posture management (SSPM) anyway?

SaaS security posture management is the continuous process of detecting, prioritizing, resolving, and reporting on potential security risks related to an organization’s SaaS ecosystem. Risks often include missing or misconfigured security settings native to a SaaS application as well as risks associated with SaaS user identities (e.g., MFA disabled), permissions or entitlements (e.g., over-privileged access), data sharing policies, or integrations with other services or “non-human identities.”

‍

The goal of SSPM is to help security organizations protect their SaaS attack surface data by ensuring that their SaaS assets are securely configured and protected at all times. This is no easy feat considering the highly dynamic nature of SaaS services. App provider-side changes, end user actions, and integration failures can all lead to “drift” away from an ideal state, which SSPM solutions address through continuous SaaS security monitoring.

‍

The big problem we see with conventional SSPM solutions on the market is that they often start (and end) with an API integration with a SaaS application. While this authenticated connection affords deeper visibility into an app environment and may enable some automation in resolving misconfigurations or other risk, it also carries a number of limitations:

• SSPM customers must already know about the SaaS apps they want to monitor, and have access to them. But you can’t manage what you can’t see, which is why shadow SaaS discovery must come first as part of any SSPM solution.
• The number of API integrations an SSPM solution offers is limited. At most, SSPM solutions support a few hundred apps, compared to the 100,000+ SaaS apps Nudge Security has catalogued to date. Security teams need alternative, unauthenticated ways to monitor and protect the long tail of SaaS (and new GenAI apps) not currently covered by SSPM solutions.
• Automated remediation is more of a dream than reality. APIs are limited and inconsistent from provider to provider, meaning most remediation tasks still require hands on keyboard. Also, findings may require context, discussion, and decision making to resolve. Without a way to manage this process at scale, security teams end up with a growing backlog of findings to work down on their own.

‍

Given these limitations, we took a different approach to SSPM, building on the foundational capabilities and design principles of our platform.

‍

Nudge Security’s unique approach to SSPM

Nudge Security stands apart from conventional SSPM solutions in several key ways:

1. We tackle SaaS security at the root of the problem with our patented approach to SaaS discovery.
2. We include SSPM as part of a complete SaaS security and governance solution. This approach enables you to address critical risks in SaaS apps connected to Nudge Security while also effectively managing risk across your entire SaaS attack surface without relying on a library of API integrations.
3. We leverage a core design principle of Nudge Security: engaging the right SaaS stakeholder at the right time with context-aware guidance and tasks. Our nudging workflows are ideal for resolving open findings quickly by distributing resolution tasks to SaaS owners and end users while maintaining centralized oversight.

‍

By avoiding the limitations of an API-based approach and distributing difficult-to-automate resolution tasks to the right people, Nudge Security offers near-immediate time to value with every setup. We can discover and inventory the full extent of your SaaS estate—including both known and unknown applications.

‍

Here’s how to get started with Nudge Security’s SSPM solution:

‍

1. Set up & configure SSPM.

Nudge Security’s SSPM capabilities leverage the same integration point as our SaaS discovery: a single, lightweight API connection with Google Workspace or Microsoft 365. So, for our customers already using Nudge Security, there’s no setup or configuration required to get started with SSPM. (Bonus: there’s no additional cost either.)

‍

If you’re new here, learn more about our Google Workspace and Microsoft 365 integrations.

‍

2. Detect misconfigurations and identity risks.

Nudge Security continually monitors your Google Workspace or Microsoft 365 environment and generates findings for:

• Misconfiguration risks such as unrestricted groups, email forwarding rules, and missing SSO.
• Identity risks such as suspicious email rules, inactive privileged accounts, and delegated inbox access.
• Integration risks such as unused OAuth grants with privileged access, active integrations associated with inactive users, and unapproved grants with risky scopes.

‍

We summarize findings in a posture dashboard, which gives you an overview of your overall posture and coverage and helps you monitor resolution efforts and your SSPM progress overtime.

‍

‍

3. Assess and prioritize SSPM findings.

Not all SaaS risk is created equal. That’s why Nudge Security defines a risk category and risk severity for each finding, so you can filter and prioritize resolving the most critical risks first. Our posture dashboard displays top findings and users with the most findings to make it easy to get started.

‍

When you click on any finding, you’ll see the context you need to assess the finding and decide whether to fix it or accept the risk.

‍

‍

4. Resolve SSPM findings with nudge workflows.

The real kicker about managing your organization’s SaaS security posture is that the IT and security team may not even have the right access to the apps in question, let alone the time to log into every app to fix issues. That’s why our approach centers on distributing resolution tasks to the right people at the right time.

‍

For each finding, Nudge Security shows you which resolution actions are available and auto-assigns a resolution owner based on the nature of the finding and the resource checked. For example, a finding related to a misconfiguration in Google Workspace would be assigned to the Google Workspace technical contact, whereas a Google account with MFA disabled would be assigned to the account holder (user) to resolve. You also have the option to re-assign the finding to another user.

‍

From the findings detail panel, you can nudge the resolution owner with simple, context-aware remediation guidance. When the resolution owner confirms the fix (or asks for help), it’ll appear on the finding timeline and activity feed in the posture dashboard.

‍

Confirmed-fixed findings move into a “verifying” status. Upon the next check, Nudge Security will mark these findings as either resolved or re-opened if the fix did not pass the rule check.

‍

With this approach, you can orchestrate and oversee resolution efforts instead of doing all of the work yourself.

‍

‍

How to get started with SSPM from Nudge Security

We’re just getting started with SSPM, and you should, too! With just a few minutes of setup, you can have a totally free assessment of your identity infrastructure security posture.

‍

Start your free, full-featured, 14-day trial of Nudge Security to get started.

‍

And, you can join us September 19th for our "SSPM-tember" product demo showing how it all works.