Into the multiverse of SaaS instance sprawl

Choose your favorite sci-fi saga set in the multiverse: The Matrix, Into the Spider-Verse, Everything Everywhere All at Once, Loki, any recent Marvel film. They all share a common plot device: our hero peers behind the existential curtain to reveal multiple, parallel universes that exist at the same time. The hero then figures out how to bop around these universes, chasing bad guys and such.

‍

This is not unlike modern IT environments, actually.

‍

‍

When IT security and risk management leaders begin to peer behind the curtain of their corporate IT estates, they often discover a multiverse of cloud and SaaS instances running in parallel, usually in siloes. For example, a sales team decides to evaluate Zendesk without knowing that a support team is already using it. An acquisition results in multiple, redundant instances of Salesforce, Workday, and other business-critical apps. A contractor creates an individual Dropbox account outside of the company’s managed Dropbox environment. The list goes on.

‍

As if SaaS sprawl weren't already a big enough challenge, the proliferation of SaaS instances compounds this issue exponentially. When an organization uses multiple instances of a single SaaS app, several critical problems can emerge:

1. Increased Risk: Each instance adds to an organization's attack surface. Without proper visibility and oversight, unmanaged or shadow instances can expose sensitive data and become targets for cyberattacks. For example, in the recent Microsoft Midnight Blizzard incident, threat actors exploited a "non-production test tenant" that had trusted access to sensitive data.
2. Higher Costs: Duplicate and siloed instances lead to unnecessary SaaS spending. Organizations may pay for multiple subscriptions of the same app, reducing their negotiating leverage and inflating operational costs. Instances left abandoned create additional waste.
3. Governance Challenges: Effective identity and access governance, including user onboarding and offboarding, access reviews, and SSO enrollment, become unmanageable without comprehensive visibility into all instances in use.

‍

Instance discovery is the key to managing SaaS sprawl and risk.

The first problem we solved with Nudge Security was getting visibility of all SaaS apps and identities everywhere modern work happens. Done and dusted.

‍

From the start, we’ve used our patented email discovery method to detect sprawl and shadow tenants across cloud infrastructure (IaaS), code repositories, and artifact hosting, summarized in our attack surface dashboard. And, we’ve helped customers bring rogue and abandoned AWS accounts under centralized governance with our playbook automation.

‍

‍

Still, we saw the need and the potential to extend our SaaS discovery method even further to capture deeper insights into SaaS instances like subdomains (think: company-prod.datadog.com), Notion Workspaces, GitHub Organizations, Slack Projects, and much more. To date, we’ve been capturing many of these instance types as resources within an app.

‍

In today’s product release, we updated Nudge Security to display some instance types (namely, instances defined by a unique subdomain) in an Instances tab a SaaS app. We’ve also begun to associate individual users with the SaaS instances they have access to. And, through our integration with Okta, we can discover and enrich our understanding of which specific instances are managed through SSO, which is also captured in the new instance inventory. Check it out in the demo below:

‍

‍

Instance discovery unlocks new possibilities for SaaS security and governance.

This is just the beginning. By establishing a solid foundation for instance discovery and management, we can begin to explore interesting use cases such as:

1. Shadow instance detection: Similar to identifying unmanaged or rogue AWS accounts, effective instance discovery can reveal various types of "shadow instances" that operate outside an IT organization's control, including those used for testing or experimentation.
2. Instance sprawl management: Detecting multiple, redundant SaaS instances allows organizations to work toward consolidating instances under a single enterprise-managed environment, which can yield more favorable pricing, reduce costs, and streamline governance.
3. Access management for individual instances: Integration with identity providers like Okta enables more granular control over user access to specific SaaS instances, offering more precise identity and access management and visibility into who has access to critical data.
4. Improved access controls: Similarly, having a deeper understanding of user access to specific SaaS instances bolsters other access management workflows, including compliance access reviews, least privilege access management, and employee offboarding.
5. SaaS security posture management: Robust instance discovery is a key starting point to ensure that all instances in your environment are being effectively monitored by your SSPM or other SaaS security investments.
6. Detect attacker-controlled tenants: Certain SaaS services could be exploited by a threat actor by registering a look-alike tenant for an organization, sending invites to employees to join the tenant and then tricking them to give API or Oauth access that the attacker then controls.

‍

Interested in learning more?

Find out how else Nudge Security can help you meet your SaaS security and governance goals. Start your free 14-day trial today.