Table of Contents
Introduction
Background
Architecture
Onboarding
Inventory
Alerts
Organizational Posture
Critical Capabilities
Use Cases
SaaS-to-SaaS Governance
Case Studies
The Return on Investment (ROI) for Security Automation
Summary
About DoControl
1 docontrol.io | contact@docontrol.io
Introduction
The ease and rapidity with which Software as a Service (SaaS) applications can be deployed and adopted has enabled businesses to
become more agile, and scale at a faster and more efficient rate. While offering many benefits such as quick onboarding, remote working
and minimal operational management, these applications have also placed a considerable burden on security teams. It is now their
responsibility to monitor applications, identities (internal and external users), configurations and devices across an organization’s
SaaS Security Platform (SSP) solutions offer security teams the necessary tools to effectively address the challenges associated with the
widespread adoption and utilization of SaaS applications. Securing complex and diverse SaaS environments requires a centralized
approach, given the fragmented nature of standard SaaS ecosystems. SSP solutions need to be lightweight, enterprise-ready, and feature
automated remediation in order to support SaaS utilization at scale. This technical white paper provides a comprehensive overview of
DoControl's SSP and approach to securing business-critical SaaS applications and data.
Background
Each SaaS application can have hundreds of global settings, such as whether MFA is required, which files can be shared, or whether
recording is permitted during video conferencing. Native security controls within each application are often lacking and inconsistent, as
these applications are primarily a business enablement tool. When multiplied by thousands or tens of thousands of employees, security
teams must first discover all the users who are using each application. They must then become familiar with each application’s specific
rules and configurations, and ensure compliance with company policies. With such a high volume of user roles and permissions, devices,
SaaS-to-SaaS access, configurations, and data sprawl, security teams require centralized visibility to monitor them all, identify issues,
and remediate them in a way that doesn’t negatively impact the business.
The speed of change that SaaS applications bring is incredibly difficult to manage. SaaS apps are dynamic and ever-evolving, with
settings requiring continuous modification for security updates, app feature enhancements, the addition or removal of employees, and
updates to user roles and permissions. Furthermore, the amount of data that is generated within a modern organization’s SaaS
application estate is unmanageably high, and continues to increase as the business scales. Continuous compliance updates to meet
industry standards and best practices (e.g. NIST Cybersecurity Framework (CSF), SOC2, ISO/IEC, MITRE ATT&CK, etc.) challenge modern
organizations and require a regular cadence of checks and modifications. Organizations need to partner with SSP technology providers
in order to adopt SaaS applications and services at scale, while upholding their end of the shared responsibility model in the cloud.
Architecture
DoControl revolutionizes the security of SaaS environments with a modernized approach, delivering a unified, automated, and risk-aware
SSP. The solution effectively safeguards vital business data while enhancing operational efficiency and enabling increased productivity.
DoControl excels in its core competency of safeguarding business-critical SaaS applications and data through automated remediation.
From a centralized secure control point, security teams can implement robust data access controls, detect misconfigurations in SaaS
services, uncover service mesh vulnerabilities, manage identity and application permissions, and ensure proper governance over shadow
applications (i.e. 3rd party OAuth applications). The DoControl Platform is built upon three foundational tenets:
Discovery and Visibility: Discover all connected SaaS applications to the core SaaS stack. Identify issues of non-
compliance for the entire SaaS application estate to ensure security policies are effectively enforced. Expose a full
SaaS-to-SaaS application mapping and comprehensive inventory of 1st, 2nd and 3rd party applications (i.e. installed
users, drive access, drive-wide permissions, and more). IT and Security teams can gain a strong understanding of the
riskiest SaaS platforms, applications, and users exposed within the SaaS estate.
Monitor and Control: Perform application reviews with business users through ongoing interaction and engagement
(i.e. via Slack). Assign a risk-index to each application to enable the assessment and evaluation of the SaaS estate.
Create pre-approval policies and workflows that require end users to provide a business justification to onboard new
applications. IT and Security teams can quarantine suspicious applications, reduce overly excessive permissions, and
Automated Remediation: Automate security policy enforcement across the SaaS application stack that prevents
unsanctioned or high risk application usage, and remediates the potential risk those apps might expose (i.e. invalid
tokens, extensive or unused permissions, listed vs. not listed apps, etc.). IT and Security teams can automatically
reduce risk exposure related to application-to-application interconnectivity (i.e. automatically suspend or remove
DoControl is built upon an event-driven platform, utilizing APIs and webhooks to seamlessly integrate with SaaS applications. By
aggregating pertinent metadata sources, the solution empowers security teams to establish precise Security Workflows that
effectively mitigate the risks associated with cyberattacks and breaches in SaaS environments. DoControl ensures comprehensive
asset management and provides complete visibility into the SaaS estate, capturing all users, groups, domains, assets, and
applications (both sanctioned and unsanctioned). The solution goes beyond surface-level data, extracting the business-context of
each SaaS user interaction and activity. This enables security teams to gain a holistic understanding of their organization's SaaS risk
Onboarding
Integrating SaaS applications can be performed in just a few simple clicks. The onboarding process involves granting the necessary
permissions to ensure the appropriate functioning of the solution. In order to gain visibility into the application and its activities,
'Read' permissions are required. This allows DoControl to access and analyze relevant data and events within the SaaS application.
In order to effectively enforce actions and implement automated remediation measures, 'Write' permissions are necessary. These
permissions enable DoControl to proactively respond to security incidents and enforce security measures on behalf of the
organization. Integrating the organization’s suite of business-critical SaaS applications is the first step to providing a centralized,
Inventory
All end-user activity events, including create, view, share, edit, and more, are seamlessly transmitted from the connected SaaS
applications into DoControl. Within this process, DoControl enriches the incoming event metadata, ensuring that it does not have
access to the raw content. This enrichment is achieved by leveraging historical and aggregated data points, allowing for a
Users: All internal and external users who can access, share, and manipulate data stored in the organization's integrated SaaS
applications
Trusted IPs: Trusted IP ranges (Classless Inter-Domain Routing (CIDR)) can be managed and used as conditional rules in Security
Workflows
Departments: A set of internal users imported from the integrated Human Resources Information System (HRIS) tool
Once policies have been defined, incoming events are matched against the conditions that have been established within each
workflow. In the event of a match, a new policy execution ‘instance’ is created to execute the defined workflow actions (i.e. wait,
notify, approve, enforce, flow control, remediate, etc.). DoControl’s Security Workflows provide the automated remediation
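The matching step described in this section can be pictured with a short sketch. The following Python is an added illustration, not part of the white paper and not DoControl's implementation; the event fields, workflow names and inventory values are assumptions constructed for the example.

```python
# Added illustration: a minimal event-to-workflow matcher. Not DoControl code;
# every name, field and sample value below is an assumption or constructed.
import ipaddress
from dataclasses import dataclass

# Constructed inventory: internal domains, trusted CIDR ranges, HRIS departments.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
DEPARTMENTS = {"alice@example.com": "Finance", "bob@example.com": "Engineering"}

def is_trusted_ip(raw: str) -> bool:
    """True only if raw parses as an IP inside a trusted range (fail closed)."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return False  # missing or malformed source IP is treated as untrusted
    return any(ip in net for net in TRUSTED_CIDRS)

def enrich(event: dict) -> dict:
    """Attach inventory context to event metadata; file content is never read."""
    target = event.get("target") or ""
    domain = target.rsplit("@", 1)[-1].lower()
    return {
        **event,
        "actor_department": DEPARTMENTS.get(event["actor"]),
        "target_external": bool(target) and domain not in INTERNAL_DOMAINS,
        "trusted_ip": is_trusted_ip(event.get("source_ip", "")),
    }

@dataclass
class Workflow:
    name: str
    conditions: dict  # field -> required value, or a set of accepted values
    actions: list     # ordered steps, e.g. notify, approve, remediate

    def matches(self, ev: dict) -> bool:
        for key, want in self.conditions.items():
            got = ev.get(key)
            ok = got in want if isinstance(want, (set, frozenset)) else got == want
            if not ok:
                return False
        return True

@dataclass
class Instance:
    workflow: str
    event_id: str
    pending: list  # actions still to execute for this instance

def dispatch(event: dict, workflows: list) -> list:
    """Create one execution instance per workflow whose conditions all match."""
    ev = enrich(event)
    return [Instance(w.name, ev["id"], list(w.actions)) for w in workflows if w.matches(ev)]

WORKFLOWS = [
    Workflow("finance-external-share",
             {"action": "share", "actor_department": "Finance", "target_external": True},
             ["notify", "approve", "remediate"]),
    Workflow("untrusted-ip-transfer",
             {"action": {"download", "share"}, "trusted_ip": False},
             ["notify"]),
]

# Constructed sample events (metadata only).
SAMPLE_EVENTS = [
    {"id": "e1", "action": "share", "actor": "alice@example.com",
     "target": "carol@gmail.com", "source_ip": "203.0.113.10"},
    {"id": "e2", "action": "download", "actor": "bob@example.com", "source_ip": "not-an-ip"},
    {"id": "e3", "action": "share", "actor": "bob@example.com",
     "target": "alice@example.com", "source_ip": "203.0.113.20"},
]
```

A malformed or absent source IP is treated as untrusted, so an event with unusable metadata still reaches the untrusted-IP workflow instead of silently passing.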
Alerts
DoControl generates automated alerts, powered by proprietary machine learning (ML) models, to provide valuable insights into
anomalous user behavior across all integrated SaaS applications. The Alerts page serves as a centralized hub where users can access
information on each alert, including details about the actor, targets, and the specific asset involved. It also allows for efficient filtering of
alerts based on specific criteria. Furthermore, users can directly link to the assets associated with the alerts and perform necessary
remediation actions.
DoControl supports the creation of workflows tailored to address specific use cases identified through the alerts. Additionally, users can
leverage the alerts to gain a deeper understanding of the associated risks and explore available remediation options. These alerts are
triggered for various types of events, including aggregated events involving a single action by a user, such as unauthorized asset transfers
to personal Gmail accounts or excessive public sharing of assets. They also encompass scenarios such as employees who are about to
be terminated downloading files, and instances of former employees accessing company files.
DoControl's alerting system is designed to provide valuable insights into attacker techniques and tactics by mapping them to MITRE
ATT&CK. This mapping enables security teams to gain a deeper understanding of the expected behaviors and attack vectors employed
by adversaries. The alerts cover various stages of the attack lifecycle, including initial access, reconnaissance, collection, exfiltration,
credential access, and persistence. Specific attack techniques captured by the alerts include the use of valid accounts, compromised
credentials, data extraction from information repositories, unauthorized data transfers to cloud accounts, unsecured credentials, and
abuse of valid accounts. All of the alert-generated information is conveniently accessible within the DoControl console, allowing for
efficient investigations and the option to integrate with other tools such as SIEM or SOAR for centralized threat management across the
Organizational Posture
DoControl offers a comprehensive view of end-user activity events and asset metadata across all SaaS applications in a single pane-of-
glass. This unified view consolidates data from various departments within the company. The page allows users to customize the display
of posture widgets specific to different applications including Google Drive, OneDrive, and SharePoint. By leveraging this consolidated
view, organizations gain valuable insights into their overall risk exposure, as well as general information regarding users, assets, domains,
and more. The page enables security teams to help identify top exposed asset drives, external users with access to encryption keys, top
Critical Capabilities
Partnering with DoControl ensures effective data access controls are put in place to mitigate the risks associated with unauthorized
access to SaaS applications and sensitive data. Security teams can establish access control policies based on individual users,
groups, and domains, considering the inherent risk they introduce to the business. This enables the enforcement of least privilege
access at a more granular level, and ensures consistent access control policies thereby limiting access to sensitive resources
exclusively to authorized users. Taking proactive measures with DoControl’s access control policies significantly reduces the potential
DoControl provides robust misconfiguration functionality to effectively manage and secure access to SaaS applications. This entails
detecting policy violations, both manual and automated remediation capabilities, and facilitating compliance with internal policies.
Security teams can vigilantly monitor and audit user activities within their SaaS estate, which is vital for identifying and mitigating
insider threats, unauthorized access attempts, and suspicious behavior. By leveraging DoControl’s user activity logs, session
monitoring, and behavior analytics, organizations can promptly identify potential security risks within their SaaS environment.
DoControl’s SSP features advanced threat detection and prevention mechanisms. These mechanisms help identify potential security
breaches, as well as provide actionable intelligence and potential remediation paths to security teams, all while avoiding alert
fatigue. DoControl performs end user behavioral analytics, aggregating and normalizing behaviors to gather insights throughout all
identities and entities connecting to business-critical SaaS applications. Real-time monitoring, behavior analytics, anomaly detection,
and integration with threat intelligence sources all contribute to the solution’s robust threat detection capabilities.
DoControl provides full SaaS data loss prevention (DLP) functionality. The solution provides a sophisticated sensitive data scanning
service powered by advanced natural language processing (NLP) tools coupled with ML algorithms. The scanning service extracts
crucial insights, establishes connections, and analyzes text within various cloud-hosted files and documents. Through this process,
key phrases, entities, and sentiment are identified, allowing for further analysis and examination.
The scanning service seamlessly operates across structured, semi-structured, and unstructured data types, ensuring comprehensive
coverage. By leveraging this service, organizations can effectively protect and control access to their data by detecting and
redacting sensitive information. Security teams have the flexibility to classify relevant sensitive information specific to their business
needs, enabling them to establish dynamic DLP policies within their SaaS estate.
DoControl helps ensure strong governance over high-risk shadow applications, which is critical in maintaining secure interoperability
and centralized security management. The solution monitors unused permissions, vulnerable, abandoned, and high data exposure
SaaS applications, whether sanctioned or unsanctioned. DoControl provides the ability to engage with business users to conduct
data access reviews, obtain managerial approvals, implement application justification processes, and issue notifications of
Use Cases
DoControl provides security teams with the tools they need to centrally enforce comprehensive data access policies throughout complex
SaaS application environments. Security workflows can be automatically triggered in response to high-risk SaaS events and activity
identified by the platform's anomaly-detection technology. Security teams can create workflows that auto-expire sharing permissions for
assets within SaaS applications, establish self-service or automated remediation for threats, and more. DoControl's Security Workflows can
help organizations manage the overexposure-prevention process and minimize their SaaS attack surface in an automated fashion.
nefarious characters.
DoControl collects relevant events aligned with core SSPM use cases, including user deactivations, Identity and Access Management (IAM)
activities, and Multi-Factor Authentication (MFA) events. By analyzing these events, organizations gain insights into user behavior, detect
anomalies, and identify suspicious logins. Integrating with platforms like Google allows for receiving alerts on abnormal login patterns and
potentially malicious access attempts, providing an additional layer of security. Customizable workflows in DoControl streamline incident
mitigation, enhancing incident response times and overall security posture. With event collection and customized workflows, DoControl
empowers organizations to proactively address security threats, manage user access, and safeguard business-critical SaaS assets.
DoControl uses natural-language processing (NLP) to provide real-time scanning and classification for sensitive data types (including PII,
PCI, and PHI) across all files stored in SaaS applications. DoControl's file-scanning technology detects sensitive information across all
structured, semi-structured, and unstructured data types, then automatically classifies and/or redacts sensitive information according to
the rules/policies that have been established. DoControl's Security Workflows can be customized to solve any use case, including
preventing the sharing of sensitive data types in specific SaaS locations or by/with specific individuals or departments.
SaaS-to-SaaS Governance
resources.
DoControl extends its inventory and asset management beyond the SaaS applications, events, and activities that the platform is already
subscribed to. The solution discovers all sanctioned and unsanctioned 3rd party OAuth applications, which users have installed them, the
drive-wide permissions, and more. Events are correlated to provide the business-context required for security teams to differentiate
between normal and high-risk activity. The risk of a supply chain-based attack is automatically remediated through the suspension or
DoControl closes the insider risk management gap by integrating with modern HRIS tools (i.e., HiBob, WorkDay, etc.) to continually sync the
list of departing and terminated employees. Behavioral analytics and anomaly detection identify inappropriate end-user behavior (i.e.
external sharing of sensitive data with a private email account) and send a real-time notification to security teams. DoControl's
automated Security Workflows can be initiated in real-time when employment status changes are triggered to block file shares and
Incident Response
DoControl integrates with industry-standard SIEM and SOAR solutions to provide a data feed highlighting end-user activity and SaaS
access anomalies that present material risk to the business. Anomaly detection mechanisms identify and send real-time notifications for
deviations from end-user "normal" behavior across common user actions (i.e., share, download, delete, upload, etc.). One-click
remediation paths are available to address risky SaaS activity by removing external collaborators' access to an organization's data,
revoking public links, changing data ownership, and more. DoControl simplifies incident response processes through both self-service and
Compliance Enablement
DoControl provides a complete audit trail of all end-user activity and events within SaaS applications to simplify the process of gathering
compliance evidence. To maintain adherence with strict confidentiality mandates, security teams can establish preventative controls
that enforce granular, role-based access to highly sensitive data. DoControl's Security Workflows help provide compliance support by
auto-expiring access to sensitive data, blocking internal and/or external sharing, establishing automated or self-service remediation
As organizations increasingly adopt numerous SaaS applications, IT and security teams face challenges in implementing and enforcing
granular data access control policies across their application inventory. Each SaaS application has its own unique set of security policies,
configurations, and granularity, making it difficult to standardize SaaS security policies consistently. This lack of standardization poses
Traditionally, the process of remediating data access issues that fall outside of established policies has been a manual and labor-intensive
task for IT and security teams. Each remediation effort has been handled on a case-by-case basis. DoControl’s SSP addresses these
challenges by providing automation and centralized management capabilities that enable organizations to standardize security across
their portfolio of critical SaaS applications. DoControl automatically identifies application security misconfigurations and promptly alerts
IT and security teams regarding potentially problematic activities or events within SaaS applications.
Based on our experience supporting and assessing various companies, we have found that Google Drive, Box, and Dropbox are the top
three SaaS applications that frequently exhibit security misconfigurations and policy violations triggering a significant number of
automated workflow interventions through DoControl's Security Workflows. These interventions have proven to be time-saving for
organizations, as they eliminate the need for manual interventions and effectively identify violations that would have otherwise been
Medium companies experienced an average of 4,825 workflow executions per month, saving an estimated 402 hours of manual
remediation efforts.
Large companies experienced an average of 13,285 workflow executions per month, saving an estimated 1,104 hours of manual
remediation efforts.
Overall, automated workflow executions provided an average cost savings of USD $179,450.
--
*Based on DoControl’s audit, the average workflow execution saves an organization ~5 minutes.
**The dollars saved calculation is based on the average cost of a security persona at USD $100 (annual salary $180,000 divided by 1,800 working hours per year).
Summary
The importance of prioritizing the security of SaaS applications and data cannot be overstated. SaaS applications typically house
sensitive and confidential information, including customer data, intellectual property, and financial records. Failure to adequately secure
this data can lead to breaches, resulting in financial loss, reputational damage, and potential legal consequences.
Moreover, the widespread accessibility of SaaS applications makes them attractive targets for cybercriminals and malicious actors.
Without robust security measures in place, unauthorized access, data theft, or malicious activities become more likely. Compliance
requirements and data protection regulations necessitate stringent security measures to avoid penalties associated with non-
compliance. By prioritizing the security of SaaS applications and data, organizations can ensure the confidentiality, integrity, and
availability of their data, thereby enabling safe and secure operations in the digital landscape.
DoControl helps organizations navigate through this challenging landscape by providing the automated, self-service tools their security
teams require for SaaS remediation. The solution uncovers all SaaS users, 3rd party collaborators, assets/metadata, OAuth apps, groups,
and activity events. From there, security teams can create granular SaaS security policies to reduce the risk of data overexposure and
exfiltration. We take a unique, customer-focused approach to the challenge of labor-intensive security risk management in complex SaaS
environments. DoControl has no agents, no inline redirections, and no slow response times as commonly found in Cloud Access Security
Modern businesses partner with DoControl to secure business-critical applications and data, drive operational efficiencies, and enable
business productivity:
Secure Business-Critical Applications and Data: DoControl provides foundational controls (i.e. access controls, data
loss prevention, service mesh, misconfiguration, etc.) enabling organizations to take a risk-based approach to securing
SaaS environments. The solution provides both preventative controls and detective mechanisms to secure sensitive
Drive Operational Efficiencies: DoControl provides a unified SaaS security strategy to address decentralized, complex
SaaS ecosystems. DoControl breaks down both siloed and manual approaches to SaaS security, delivering a centralized,
fully automated approach to streamlining processes and unlocking precious time and resources for IT and Security
teams.
Enable Business Productivity: DoControl positions security as a business enabler, whereby organizations can scale
security in line with their business acceleration and growth. Extending the principle of least privilege beyond the identity
layer allows end users to drive business enablement in a secure manner. DoControl enables modern businesses to go to
market faster and uphold their end of the shared responsibility model in the cloud.
About DoControl
DoControl is an agentless, event-driven SaaS Security Platform (SSP) that secures business-critical SaaS
applications and data. DoControl helps organizations expose their SaaS risk, remediate it quickly, and
automatically remediate over time through granular, no-code workflows. DoControl’s SSP uncovers all SaaS
users, third-party collaborators, assets and metadata, OAuth applications, groups, and activity events.
DoControl helps reduce risk, prevent data breaches, and mitigate insider risk without slowing down business
enablement. To learn more about DoControl, visit www.docontrol.io, read the DoControl blogs, or follow us on