DoControl: Automating SaaS Data Security Policy Enforcement
Way back when, a nightly public service announcement on TV intoned, “It’s 10 p.m., do you know where your children are?”
Today, the question might be asked about the vulnerabilities present in your company’s SaaS applications. And the answer might be equally eye-opening.
New York-based DoControl offers an automated way to monitor and remediate security vulnerabilities in major software-as-a-service applications. It provides a way to centralize enforcement of least privilege and expand zero trust principles to the SaaS data layer.
“We help [organizations] understand first of all, how much data they have stored in SaaS applications like Google Drive, Microsoft SharePoint, Slack, GitHub and so on, said CEO Adam Gavish.
“And then how the data is exposed internally and externally. It could be across different departments — finance, engineering — could be to vendors they don’t work with anymore, personal accounts by former employees and so on. We quantify the technical debt so they can visualize and explain it internally to leaders and most importantly remediate that exposure, fix it.”
Any number of people, including employees and vendors or partners, might have access to a Google Doc — your company’s client list or sales figures, for instance. And who goes back later to remove that access when an employee leaves or a partnership ends?
Visibility Plus Remediation
Applications are connected to the DoControl platform through a secure OAuth flow that allows DoControl access to the metadata and change logs of each system in near real time.
The platform creates a central inventory of both sanctioned and unsanctioned SaaS applications, users, external vendors, partners and others who have access. It can determine whether multifactor authentication is enabled with each application and offers continuous monitoring of data access to address the risk of both internal and external misuse of data.
“The first thing that we do in a demo is plug in their apps, and we show them. We say, “OK, look, you’ve got just in Google Drive, for example, 200,000 documents or PowerPoints or whatever, and did you know that 10% of them have a link that anybody can access on the internet?” explained Sam Adler, DoControl vice president of marketing.
He calls that a lightbulb moment for many companies.
“Granted, a lot of them might be drafts of some blog that marketing wrote, or most of them it probably doesn’t matter, right? But what if one of them has PII? What if one of them has [another risk factor]? Unfortunately, some of the companies have come to us have already had an incident. And the stinger was right there in one of those documents.”
The platform provides no-code conditional logic workflows that standardize data access policies across all the applications, many of which cannot be achieved natively in each individual application.
DoControl also offers a catalog of templates for customizing security workflows for a specific application or use case.
For instance, you can set up a workflow that looks for publicly accessible documents containing personally identifiable information (PII). It can be set to remove the sharing function or ask the owner for a yes/no confirmation on sharing.
Its Slack/Teams bot notifies the appropriate people when issues arise.
Clients can use one-click actions for common uses such as removing all permissions for specific external collaborators, changing data ownership and making certain data private.
The events-driven infrastructure also alerts on suspicious activities providing business context, risk mapping and clear remediation paths. Suspicious activities might include suspected human error, potential data exfiltration, excess access by OAuth apps and more.
Expanded Capabilities with OAuth
The company grew out of Gavish’s experience as a product manager on the Google Cloud Security and Privacy team working with regulated clients, such as government agencies that had to set up and apply multiple different security controls and policies before using Google Cloud to secure data access and remain compliant.
Google set up a service called Assured Workloads to handle all that for them, which became the inspiration for DoControl, which set out to expand the idea to SaaS applications.
“With the recent OAuth launch, we now extend the coverage to include every third-party plugin or add-on. … So if I’m an organization, and I have employees who use Google Drive, now we also cover all the third-party apps installed on top of Google Drive,” Gavish said.
The company has raised $45 million, most recently a $30 million Series B in April led by Insight Partners. (Insight Partners also owns The New Stack.) DoControl’s backers include CrowdStrike’s early-stage investment fund, the CrowdStrike Falcon Fund, and others.
“Every modern company has to deal with the risk of unmanageable SaaS data access, where sensitive company, employee and customer data are stored within popular enterprise applications,” Stephen Ward, managing director at Insight Partners, said of the investment.
“DoControl offers a rare combination of asset management, security automation and remediation actions that eliminate the risk of exposure created by a lack of SaaS data protection capabilities.”
So far the company has focused on securing the top 15 enterprise SaaS applications including GitHub, Slack, DropBox and others. The new funding will allow the company to expand on that and build a more powerful API that security teams can use to integrate with applications that DoControl isn’t already supporting.
Gavish said the tool is highly customizable. Some companies want a lot of automation; others want to be notified of risk and have a human handle it.
“[At Google] I saw many of our customers using when using a CASB (cloud access security broker) solution, which is fantastic. But it’s very much hardcoded to provide them hundreds of different security policies out of the box, but they were very much opinionated, not easy to tweak and tailored based on specific business needs,” he said.
DoControl is just a tool, he said; customers decide how much automation suits their needs.