
Protect Your SaaS Apps & Data: Enterprise SaaS Security Technical Guide

Table of Contents

Introduction
Background
Architecture
DoControl’s Event-Driven Architecture
Solution Overview: How it Works
Onboarding
Inventory
Alerts
Organizational Posture
Critical Capabilities
Use Cases
SaaS Data Access Control
SaaS Misconfiguration Prevention
SaaS Data Loss Prevention (DLP)
SaaS-to-SaaS Governance
Insider Risk Management
Incident Response
Compliance Enablement
Case Studies
The Return on Investment (ROI) for Security Automation
Summary
About DoControl

1 docontrol.io | contact@docontrol.io
Introduction

The ease and rapidity with which Software as a Service (SaaS) applications can be deployed and adopted has enabled businesses to

become more agile, and scale at a faster and more efficient rate. While offering many benefits such as quick onboarding, remote working

and minimal operational management, these applications have also placed a considerable burden on security teams. It is now their

responsibility to monitor applications, identities (internal and external users), configurations and devices across an organization’s

technology estate to mitigate the risk of cyberattacks and breaches.

SaaS Security Platform (SSP) solutions offer security teams the necessary tools to effectively address the challenges associated with the

widespread adoption and utilization of SaaS applications. Securing complex and diverse SaaS environments requires a centralized

approach, given the fragmented nature of standard SaaS ecosystems. SSP solutions need to be lightweight, enterprise-ready, and feature

automated remediation in order to support SaaS utilization at scale. This technical white paper provides a comprehensive overview of

DoControl's SSP and approach to securing business-critical SaaS applications and data.

Background

Each SaaS application can have hundreds of global settings, such as whether MFA is required, which files can be shared, or whether

recording is permitted during video conferencing. Native security controls within each application are often lacking and inconsistent, as

these applications are primarily a business enablement tool. When multiplied by thousands or tens of thousands of employees, security

teams must first discover all the users who are using each application. They must then become familiar with each application’s specific

rules and configurations, and ensure compliance with company policies. With such a high volume of user roles and permissions, devices,

SaaS-to-SaaS access, configurations, and data sprawl, security teams require centralized visibility to monitor them all, identify issues,

and remediate them in a way that doesn’t negatively impact the business.

The speed of change that SaaS applications bring is incredibly difficult to manage. SaaS apps are dynamic and ever-evolving, with

settings requiring continuous modification for security updates, app feature enhancements, the addition or removal of employees, and

updates to user roles and permissions. Furthermore, the amount of data that is generated within a modern organization’s SaaS

application estate is unmanageably high, and continues to increase as the business scales. Continuous compliance updates to meet

industry standards and best practices (e.g. NIST Cybersecurity Framework (CSF), SOC2, ISO/IEC, MITRE

ATT&CK) challenge modern organizations and require a regular cadence of checks and modifications. Organizations need to partner with SSP technology providers

in order to adopt SaaS applications and services at scale, while upholding their end of the shared responsibility model in the cloud. 

Architecture

DoControl revolutionizes the security of SaaS environments with a modernized approach; delivering a unified, automated, and risk-aware

SSP. The solution effectively safeguards vital business data while enhancing operational efficiency and enabling increased productivity.

DoControl excels in its core competency of safeguarding business-critical SaaS applications and data through automated remediation.

From a centralized secure control point, security teams can implement robust data access controls, detect misconfigurations in SaaS

services, uncover service mesh vulnerabilities, manage identity and application permissions, and ensure proper governance over shadow

applications (i.e. 3rd party OAuth applications). The DoControl Platform is built upon three foundational tenets:

Discovery and Visibility: Discover all SaaS applications connected to the core SaaS stack. Identify issues of non-compliance for the entire SaaS application estate to ensure security policies are effectively enforced. Expose a full SaaS-to-SaaS application mapping and comprehensive inventory of 1st, 2nd and 3rd party applications (i.e. installed users, drive access, drive-wide permissions, and more). IT and Security teams can gain a strong understanding of the riskiest SaaS platforms, applications, and users exposed within the SaaS estate.

Monitor and Control: Perform application reviews with business users through ongoing interaction and engagement (i.e. via Slack). Assign a risk-index to each application to enable the assessment and evaluation of the SaaS estate. Create pre-approval policies and workflows that require end users to provide a business justification to onboard new applications. IT and Security teams can quarantine suspicious applications, reduce excessive permissions, and revoke or remove applications or access.

Automated Remediation: Automate security policy enforcement across the SaaS application stack to prevent unsanctioned or high-risk application usage and remediate the potential risk those apps might expose (i.e. invalid tokens, extensive or unused permissions, listed vs. not listed apps, etc.). IT and Security teams can automatically reduce risk exposure related to application-to-application interconnectivity (i.e. automatically suspend or remove potentially malicious applications) by implementing Security Workflows.

DoControl’s Event-Driven Architecture

DoControl is built upon an event-driven platform, utilizing APIs and webhooks to seamlessly integrate with SaaS applications. By

aggregating pertinent metadata sources, the solution empowers security teams to establish precise Security Workflows that

effectively mitigate the risks associated with cyberattacks and breaches in SaaS environments. DoControl ensures comprehensive

asset management and provides complete visibility into the SaaS estate, capturing all users, groups, domains, assets, and

applications (both sanctioned and unsanctioned). The solution goes beyond surface-level data, extracting the business-context of

each SaaS user interaction and activity. This enables security teams to gain a holistic understanding of their organization's SaaS risk

exposure and automatically implement mitigations over time.

Solution Overview: How it Works

Onboarding

Integrating SaaS applications can be performed in just a few simple clicks. The onboarding process involves granting the necessary

permissions to ensure the appropriate functioning of the solution. In order to gain visibility into the application and its activities,

'Read' permissions are required. This allows DoControl to access and analyze relevant data and events within the SaaS application.

In order to effectively enforce actions and implement automated remediation measures, 'Write' permissions are necessary. These

permissions enable DoControl to proactively respond to security incidents and enforce security measures on behalf of the

organization. Integrating the organization’s suite of business-critical SaaS applications is the first step to providing a centralized,

secure control point across disparate application environments.

Inventory

All end-user activity events, including create, view, share, edit, and more, are seamlessly transmitted from the connected SaaS

applications into DoControl. Within this process, DoControl enriches the incoming event metadata, ensuring that it does not have

access to the raw content. This enrichment is achieved by leveraging historical and aggregated data points, allowing for a

comprehensive understanding of the event context, without compromising data privacy.

A full mapping and inventory is displayed, including:

Users: All internal and external users who can access, share, and manipulate data stored in the organization's integrated SaaS applications

Shadow Applications: Interconnected internal, first-party and 3rd party applications

Assets: Exposure for each asset (i.e. what is shared, and with whom) across business-critical SaaS applications

Groups: Internal or external users either imported from the integrated SaaS applications, or created as custom groups

Domains: DoControl categorizes domain types as ‘internal’, ‘external’ or ‘trusted’ in order to manage external collaborators who have access to data

Trusted IPs: Trusted IP ranges (Classless Inter-Domain Routing (CIDR)) can be managed and used as conditional rules in Security Workflows

Departments: A set of internal users imported from the integrated Human Resources Information System (HRIS) tool

Once policies have been defined, incoming events are matched against the conditions that have been established within each

workflow. In the event of a match, a new policy execution ‘instance’ is created to execute the defined workflow actions (i.e. wait,

notify, approve, enforce, flow control, remediate, etc.). DoControl’s Security Workflows provide the automated remediation

necessary to consume SaaS applications and services at scale.
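
The matching step described above, sketched as an added example (this is not DoControl's code or API): event metadata is enriched with a domain category and a trusted-CIDR check, compared against each workflow's conditions, and every match creates an execution instance carrying the workflow's actions. All names, fields, workflows and sample events are hypothetical and constructed for illustration.

```python
"""Illustrative event-to-workflow matcher. All names, fields and data are hypothetical."""
import ipaddress
import itertools
from dataclasses import dataclass

# Constructed inventory data: domain categories and trusted CIDR ranges.
DOMAIN_CATEGORIES = {"example.com": "internal", "partner.example": "trusted"}
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]


def classify_domain(email: str) -> str:
    """Return 'internal', 'trusted' or 'external'; unknown or empty domains are external."""
    domain = email.rsplit("@", 1)[-1].lower()
    return DOMAIN_CATEGORIES.get(domain, "external")


def ip_is_trusted(ip: str) -> bool:
    """True only if the IP parses and falls in a trusted range; malformed input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_CIDRS)


def enrich(event: dict) -> dict:
    """Add derived context to event metadata only; file content is never read."""
    enriched = dict(event)
    enriched["target_category"] = classify_domain(event.get("target") or "")
    enriched["from_trusted_ip"] = ip_is_trusted(event.get("source_ip") or "")
    return enriched


@dataclass
class Workflow:
    name: str
    conditions: dict  # field -> required value, or a set of allowed values
    actions: list     # ordered action names such as "notify" or "remediate"

    def matches(self, event: dict) -> bool:
        for key, expected in self.conditions.items():
            if key not in event:
                return False
            actual = event[key]
            if isinstance(expected, (set, frozenset)):
                if actual not in expected:
                    return False
            elif actual != expected:
                return False
        return True


@dataclass
class Instance:
    instance_id: int
    workflow: str
    event_id: str
    pending_actions: list


_instance_ids = itertools.count(1)


def dispatch(event: dict, workflows: list) -> list:
    """Enrich one event and create an execution instance per matching workflow."""
    enriched = enrich(event)
    return [
        Instance(next(_instance_ids), wf.name, enriched["id"], list(wf.actions))
        for wf in workflows
        if wf.matches(enriched)
    ]


WORKFLOWS = [
    Workflow("external-share-untrusted-ip",
             {"action": "share", "target_category": "external", "from_trusted_ip": False},
             ["notify", "remediate"]),
    Workflow("download-untrusted-ip",
             {"action": {"download", "export"}, "from_trusted_ip": False},
             ["notify"]),
]

# Constructed sample events (metadata only).
SAMPLE_EVENTS = [
    {"id": "evt-1", "actor": "alice@example.com", "action": "share",
     "target": "bob@personal.example", "source_ip": "198.51.100.7"},
    {"id": "evt-2", "actor": "alice@example.com", "action": "share",
     "target": "carol@partner.example", "source_ip": "203.0.113.10"},
    {"id": "evt-3", "actor": "dave@example.com", "action": "download",
     "target": None, "source_ip": "not-an-ip"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for inst in dispatch(ev, WORKFLOWS):
            print(inst)
```

Unknown domains and unparseable source IPs resolve to the riskier classification ('external', untrusted), so missing or malformed metadata cannot silently suppress a workflow.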

Alerts

DoControl generates automated alerts, powered by proprietary machine learning (ML) models, to provide valuable insights into

anomalous user behavior across all integrated SaaS applications. The Alerts page serves as a centralized hub where users can access

information on each alert, including details about the actor, targets, and the specific asset involved. It also allows for efficient filtering of

alerts based on specific criteria. Furthermore, users can directly link to the assets associated with the alerts and perform necessary

remediation actions. 

DoControl supports the creation of workflows tailored to address specific use cases identified through the alerts. Additionally, users can

leverage the alerts to gain deeper understanding of the associated risks and explore available remediation options. These alerts are

triggered for various types of events, including aggregated events involving a single action by a user, such as unauthorized asset transfers

to personal Gmail accounts or excessive public sharing of assets. They also encompass scenarios such as employees who are about to

be terminated downloading files, and instances of former employees accessing company files.

DoControl's alerting system is designed to provide valuable insights into attacker techniques and tactics by mapping them to MITRE

ATT&CK. This mapping enables security teams to gain a deeper understanding of the expected behaviors and attack vectors employed

by adversaries. The alerts cover various stages of the attack lifecycle, including initial access, reconnaissance, collection, exfiltration,

credential access, and persistence. Specific attack techniques captured by the alerts include the use of valid accounts, compromised

credentials, data extraction from information repositories, unauthorized data transfers to cloud accounts, unsecured credentials, and

abuse of valid accounts. All of the alert-generated information is conveniently accessible within the DoControl console, allowing for

efficient investigations and the option to integrate with other tools such as SIEM or SOAR for centralized threat management across the

IT and cloud infrastructure.

Organizational Posture

DoControl offers a comprehensive view of end-user activity events and asset metadata across all SaaS applications in a single

pane-of-glass. This unified view consolidates data from various departments within the company. The page allows users to customize the display

of posture widgets specific to different applications including Google Drive, OneDrive, and SharePoint. By leveraging this consolidated

view, organizations gain valuable insights into their overall risk exposure, as well as general information regarding users, assets, domains,

and more. The page enables security teams to help identify top exposed asset drives, external users with access to encryption keys, top

sharing departments, and former employees with access to sensitive data.

Critical Capabilities

Partnering with DoControl ensures effective data access controls are put in place to mitigate the risks associated with unauthorized

access to SaaS applications and sensitive data. Security teams can establish access control policies based on individual users,

groups, and domains, considering the inherent risk they introduce to the business. This enables the enforcement of least privilege

access at a more granular level, and ensures consistent access control policies thereby limiting access to sensitive resources

exclusively to authorized users. Taking proactive measures with DoControl’s access control policies significantly reduces the potential

for data overexposure and exfiltration.

DoControl provides robust misconfiguration functionality to effectively manage and secure access to SaaS applications. This entails

detecting policy violations, providing both manual and automated remediation capabilities, and facilitating compliance with internal policies.

Security teams can vigilantly monitor and audit user activities within their SaaS estate, which is vital for identifying and mitigating

insider threats, unauthorized access attempts, and suspicious behavior. By leveraging DoControl’s user activity logs, session

monitoring, and behavior analytics, organizations can promptly identify potential security risks within their SaaS environment.

DoControl’s SSP features advanced threat detection and prevention mechanisms. These mechanisms help identify potential security

breaches, as well as provide actionable intelligence and potential remediation paths to security teams, all while avoiding alert

fatigue. DoControl performs end user behavioral analytics, aggregating and normalizing behaviors to gather insights throughout all

identities and entities connecting to business-critical SaaS applications. Real-time monitoring, behavior analytics, anomaly detection,

and integration with threat intelligence sources all contribute to the solution’s robust threat detection capabilities.  

DoControl provides full SaaS data loss prevention (DLP) functionality. The solution provides a sophisticated sensitive data scanning

service powered by advanced natural language processing (NLP) tools coupled with ML algorithms. The scanning service extracts

crucial insights, establishes connections, and analyzes text within various cloud-hosted files and documents. Through this process,

key phrases, entities, and sentiment are identified, allowing for further analysis and examination. 

The scanning service seamlessly operates across structured, semi-structured, and unstructured data types, ensuring comprehensive

coverage. By leveraging this service, organizations can effectively protect and control access to their data by detecting and

redacting sensitive information. Security teams have the flexibility to classify relevant sensitive information specific to their business

needs, enabling them to establish dynamic DLP policies within their SaaS estate. 

DoControl helps ensure strong governance over high-risk shadow applications, which is critical in maintaining secure interoperability

and centralized security management. The solution monitors unused permissions, vulnerable, abandoned, and high data exposure

SaaS applications, whether sanctioned or unsanctioned. DoControl provides the ability to engage with business users to conduct

data access reviews, obtain managerial approvals, implement application justification processes, and issue notifications of

organizational policy violations through email or collaboration platforms such as Slack.

Use Cases

SaaS Data Access Control

Organizations that use multiple SaaS applications lack a

centralized view of the assets stored in each application,

the exposure level of each asset (such as what is shared

and with whom), and the means to take bulk remediation

actions when necessary (such as removing sharing for a

large number of files). Permissions are continuously added

and changed as employees and collaborators carry out

their work, and the overall number of files keeps growing

as the business scales. This creates challenges for

security teams to establish consistent data access

governance across all SaaS applications.

DoControl provides security teams with the tools they need to centrally enforce comprehensive data access policies throughout complex

SaaS application environments. Security workflows can be automatically triggered in response to high-risk SaaS events and activity

identified by the platform's anomaly-detection technology. Security teams can create workflows that auto-expire sharing permissions for

assets within SaaS applications, establish self-service or automated remediation for threats, and more. DoControl's Security Workflows can

help organizations manage the overexposure-prevention process and minimize their SaaS attack surface in an automated fashion.

SaaS Misconfiguration Prevention

Misconfiguration in SaaS applications poses a significant

problem for companies due to its potential impact on data

security, privacy, and overall operational efficiency. When

SaaS applications are not properly configured, they may

inadvertently expose sensitive data, allowing unauthorized

access or data leakage. Misconfigurations can result in

open access permissions, improper user roles and

privileges, unsecured APIs, or inadequate encryption

settings, creating vulnerabilities that can be exploited by

nefarious characters.

DoControl collects relevant events aligned with core SSPM use cases, including user deactivations, Identity and Access Management (IAM)

activities, and Multi-Factor Authentication (MFA) events. By analyzing these events, organizations gain insights into user behavior, detect
anomalies, and identify suspicious logins. Integrating with platforms like Google allows for receiving alerts on abnormal login patterns and
potentially malicious access attempts, providing an additional layer of security. Customizable workflows in DoControl streamline incident

mitigation, enhancing incident response times and overall security posture. With event collection and customized workflows, DoControl

empowers organizations to proactively address security threats, manage user access, and safeguard business-critical SaaS assets.

SaaS Data Loss Prevention (DLP)

Employees frequently share Personally Identifiable

Information (PII), Payment Card Industry (PCI) data, and

Personal Health Information (PHI) on overexposed locations

such as public Slack channels and Microsoft Teams chats.

Leveraging the security controls that are native to each

SaaS application does not provide the ability to prevent the

sharing of these data or target them for removal, and

file-scanning offered by traditional Data Loss Prevention (DLP)

solutions creates too many false positives that overload

security teams with inaccurate detections to review.

DoControl uses natural-language processing (NLP) to provide real-time scanning and classification for sensitive data types (including PII,

PCI, and PHI) across all files stored in SaaS applications. DoControl's file-scanning technology detects sensitive information across all

structured, semi-structured, and unstructured data types, then automatically classifies and/or redacts sensitive information according to

the rules/policies that have been established. DoControl's Security Workflows can be customized to solve any use case, including

preventing the sharing of sensitive data types in specific SaaS locations or by/with specific individuals or departments.

SaaS-to-SaaS Governance

The Open Authorization (OAuth) protocol enables

application-to-application (i.e., machine identities)

connectivity in SaaS environments. If the tokens involved in

the authentication process become compromised, the risk

of a supply-chain-based attack increases significantly.

Attackers can target these 3rd party OAuth applications to

gain unauthorized access to business-critical data and

resources.

DoControl extends its inventory and asset management beyond the SaaS applications, events, and activities that the platform is already

subscribed to. The solution discovers all sanctioned and unsanctioned 3rd party OAuth applications, which users have installed them, the

drive-wide permissions, and more. Events are correlated to provide the business-context required for security teams to differentiate

between normal and high-risk activity. The risk of a supply chain-based attack is automatically remediated through the suspension or

removal of unauthorized SaaS applications.

Insider Risk Management

Human Resources (HR) and security teams work in silos, but

their ongoing work has reciprocal effects. For example,

when HR managers initiate employment status changes for

departing employees, security teams should be made aware

so they can closely monitor these high-risk individuals.

Employees that are terminated or made redundant increase

insider threat risk and the propensity for sensitive data

exfiltration. HR and security platforms are often

disconnected, which increases the likelihood of sensitive

information leaving with a departed employee.

DoControl closes the insider risk management gap by integrating with modern HRIS tools (i.e., HiBob, WorkDay, etc.) to continually sync the

list of departing and terminated employees. Behavioral analytics and anomaly detection identify inappropriate end-user behavior (i.e.

external sharing of sensitive data with a private email account) and send a real-time notification to security teams. DoControl's

automated Security Workflows can be initiated in real-time when employment status changes are triggered to block file shares and

prevent departing employees from exfiltrating data stored in business-critical applications.

Incident Response

Modern SaaS environments are characterized by constant

exchanges of data and files across content collaboration tools like

Google Drive, Box, Dropbox, and Slack. As a result, security teams

are inundated with security alerts and detections to analyze. The

lack of business-context for each alert creates a high number of

false positives, makes identifying high-risk activity a significant

challenge, and increases Mean Time to Detection (MTTD) for actual

threats to the business.

DoControl integrates with industry-standard SIEM and SOAR solutions to provide a data feed highlighting end-user activity and SaaS

access anomalies that present material risk to the business. Anomaly detection mechanisms identify and send real-time notifications for

deviations from end-user "normal" behavior across common user actions (i.e., share, download, delete, upload, etc.). One-click

remediation paths are available to address risky SaaS activity by removing external collaborators' access to an organization's data,

revoking public links, changing data ownership, and more. DoControl simplifies incident response processes through both self-service and

automated remediation capabilities.

Compliance Enablement

Modern businesses must balance business enablement with

the need to comply with various security regulations, such as

Payment Card Industry Data Security Standard (PCI DSS),

General Data Protection Regulation (GDPR), and more. For

cloud-first organizations, remaining compliant across all

sensitive data stored in SaaS applications is a complex

challenge. Security teams must manually review and analyze

SaaS activity to determine the right remediation paths, which

is an incredibly labor-intensive process at enterprise-scale.

DoControl provides a complete audit trail of all end-user activity and events within SaaS applications to simplify the process of gathering

compliance evidence. To maintain adherence with strict confidentiality mandates, security teams can establish preventative controls

that enforce granular, role-based access to highly sensitive data. DoControl's Security Workflows help provide compliance support by

auto-expiring access to sensitive data, blocking internal and/or external sharing, establishing automated or self-service remediation

paths for non-compliant SaaS activities, permissions, and more.  

The Return on Investment (ROI) for Security Automation

As organizations increasingly adopt numerous SaaS applications, IT and security teams face challenges in implementing and enforcing

granular data access control policies across their application inventory. Each SaaS application has its own unique set of security policies,

configurations, and granularity, making it difficult to standardize SaaS security policies consistently. This lack of standardization poses

scalability challenges and hinders the establishment of a robust security posture.

Traditionally, the process of remediating data access issues that fall outside of established policies has been a manual and labor-intensive

task for IT and security teams. Each remediation effort has been handled on a case-by-case basis. DoControl’s SSP addresses these

challenges by providing automation and centralized management capabilities that enable organizations to standardize security across

their portfolio of critical SaaS applications. DoControl automatically identifies application security misconfigurations and promptly alerts

IT and security teams regarding potentially problematic activities or events within SaaS applications.

Based on our experience supporting and assessing various companies, we have found that Google Drive, Box, and Dropbox are the top

three SaaS applications that frequently exhibit security misconfigurations and policy violations triggering a significant number of

automated workflow interventions through DoControl's Security Workflows. These interventions have proven to be time-saving for

organizations, as they eliminate the need for manual interventions and effectively identify violations that would have otherwise been

missed through manual monitoring.

Medium companies experienced an average of 4,825 workflow executions per month, saving an estimated 402 hours of manual

remediation efforts.

Large companies experienced an average of 13,285 workflow executions per month, saving an estimated 1,104 hours of manual

remediation efforts.

Overall, automated workflow executions provided an average cost savings of USD $179,450.

--

*Based on DoControl’s audit, the average workflow execution saves an organization ~5 minutes.

**The dollars saved calculation is based on the average cost of a security persona at USD $100 per hour (annual salary $180,000 divided by 1,800 working hours per year).

Summary

The importance of prioritizing the security of SaaS applications and data cannot be overstated. SaaS applications typically house

sensitive and confidential information, including customer data, intellectual property, and financial records. Failure to adequately secure

this data can lead to breaches, resulting in financial loss, reputational damage, and potential legal consequences. 

Moreover, the widespread accessibility of SaaS applications makes them attractive targets for cybercriminals and malicious actors.

Without robust security measures in place, unauthorized access, data theft, or malicious activities become more likely. Compliance

requirements and data protection regulations necessitate stringent security measures to avoid penalties associated with

non-compliance. By prioritizing the security of SaaS applications and data, organizations can ensure the confidentiality, integrity, and

availability of their data, thereby enabling safe and secure operations in the digital landscape.

DoControl helps organizations navigate through this challenging landscape by providing the automated, self-service tools their security

teams require for SaaS remediation. The solution uncovers all SaaS users, 3rd party collaborators, assets/metadata, OAuth apps, groups,

and activity events. From there, security teams can create granular SaaS security policies to reduce the risk of data overexposure and

exfiltration. We take a unique, customer-focused approach to the challenge of labor-intensive security risk management in complex SaaS

environments. DoControl has no agents, no inline redirections, and no slow response times as commonly found in Cloud Access Security

Broker (CASB) solutions. 

Modern businesses partner with DoControl to secure business-critical applications and data, drive operational efficiencies, and enable

business productivity:

Secure Business-Critical Applications and Data: DoControl provides foundational controls (i.e. access controls, data

loss prevention, service mesh, misconfiguration, etc.) enabling organizations to take a risk-based approach to securing

SaaS environments. The solution provides both preventative controls and detective mechanisms to secure sensitive

data residing within business-critical cloud applications.

Drive Operational Efficiencies: DoControl provides a unified SaaS security strategy to address decentralized, complex

SaaS ecosystems. DoControl breaks down both siloed and manual approaches to SaaS security, delivering a centralized,

fully automated approach to streamlining processes and unlocking precious time and resources for IT and Security

teams.

Enable Business Productivity: DoControl positions security as a business enabler, whereby organizations can scale

security in line with their business acceleration and growth. Extending the principle of least privilege beyond the identity

layer allows end users to drive business enablement in a secure manner. DoControl enables modern businesses to

go to market faster and uphold their end of the shared responsibility model in the cloud.

About DoControl

DoControl is an agentless, event-driven SaaS Security Platform (SSP) that secures business-critical SaaS

applications and data. DoControl helps organizations expose their SaaS risk, remediate it quickly, and

automatically remediate over time through granular, no-code workflows. DoControl’s SSP uncovers all SaaS

users, third-party collaborators, assets and metadata, OAuth applications, groups, and activity events.

DoControl helps reduce risk, prevent data breaches, and mitigate insider risk without slowing down business

enablement. To learn more about DoControl, visit www.docontrol.io, read the DoControl blogs, or follow us on

Twitter and LinkedIn.
