Revolutionizing Cloud App Security: Nudge Security’s Innovative Approach

In this edition of Petri Dish, Petri’s Editorial Director, Russell Smith, talks to Russell Spitler, Co-Founder and CEO of Nudge Security, a leader in cloud and SaaS protection. In this insightful discussion, we explore Nudge Security’s innovative strategies and technologies that are transforming how businesses safeguard their digital assets. Discover how Nudge Security is setting new standards in app security, addressing today’s challenges of managing access to SaaS applications in the cloud.

🔗 Links and resources

Nudge Security
Nudge Security review on Petri.com

📖 Transcript

Hello and welcome to this edition of Petri Dish. My name is Russell Smith. I’m Editorial Director of Petri.com and today I’m glad to welcome Russell Spitler, who’s Co-Founder and CEO of Nudge Security. Welcome by the way, how are you doing today?

Great to be here, thank you for having me.

Thank you. And today we’re going to be talking about security surrounding applications in the cloud. So I think a lot of our viewers are going to be familiar with authentication in terms of Active Directory. So for them that probably means Kerberos and NTLM authentication, but things like OAuth for authentication of users to cloud apps might be a little bit of a mystery to them. So, can you tell us a little bit about that and what are the potential problems that organizations might face with it in terms of Azure Active Directory, or Microsoft Entra ID as it’s now called?

Yeah, so I think this is probably the crux of the problem that we’re trying to solve at Nudge, which is in the past when we thought about authentication, that was really about a user signing into a system, and Kerberos and NTLM are both authentication protocols. How do I assert who I am without sharing any secrets over the wire that can be intercepted, replayed, etc.? But now when we move to more SaaS-based applications where the exciting things for users are not just authenticating and signing into those applications, but sharing that data across these accounts, we’ve introduced new protocols like OAuth, and that’s really more of an authorization protocol. So which application has the right to access my data across other accounts, or in a lot of cases that people typically see, assert my identity from another provider such as Entra ID or sign in with Microsoft, sign in with Google, and do that in a repeatable fashion, not only in an interactive fashion when a user is signing into that website, but also in an offline fashion. How do I grant this application the rights to see all of my Microsoft OneDrive files in perpetuity until I revoke that access?

That’s really what OAuth is designed for, not only doing that authentication aspect with a third-party provider, but ultimately providing that access and that ongoing authorization to datasets within those applications across different accounts.

Okay, so what problem exactly is Nudge Security addressing?

So, when we started, we really focused on this massive sprawl of SaaS applications that organizations are built on today. When you think about your technology stack, it’s nice to dream that somebody in IT or security is centrally defining what that stack technology is. But the reality is every employee brings their old favorites from their last job, they’re bringing and reaching for the new tool that’s going to make them 10 times more productive, they’re finding some glue that allows them to OAuth a couple of accounts together to create some automation that will save them time. And as a result, centralized organizations no longer really have a good understanding of what technology runs their business. That’s what we sell. We’ll give you insight into every account every employee has ever created.

We’ll give you insight into how they authenticated and what data is within those accounts. And then we’ll give you repeatable actions to scale your technology governance so you actually can ensure that you’re off-boarding employees, running through the right processes when new accounts get created and new applications get introduced, and sort of re-centralize that visibility across the technology that you’re using.

So do you think that administrators who are probably more used to Windows Server Active Directory, for instance, do you think that they understand really how OAuth works and all of this stuff in Entra ID surrounding application consent and grants and all the implications of the default settings?

So I would never say that a Windows Server admin doesn’t understand anything, which is a well-worn lesson working with a lot of very smart people out there in the industry. But what I would say is that the risk has shifted and their awareness of that risk might not reflect their modern reality. So as you think about protecting or locking down your environment, typically that’s been defined by what laptops do I own, what servers do I own, what are the hard assets that I’m protecting the data on. Today it’s really an ephemeral mess. It’s all of these accounts spread out across the cloud.

We don’t have a server that we can go ensure that the right security protocols are being followed upon because it’s largely defined by the shared trust that we have across these different systems that are out there. And so when we think about this evolving landscape and this evolving set of systems that we need to be responsible for, I think that has sort of changed overnight. And I think a lot of people are starting to come to a realization that a lot of the things that they’ve done for the last 10 to 20 years no longer wholly apply or there are new techniques that they need to bring into the picture in order to address the sprawl of SaaS services that runs their business today.

So, we recently reviewed Nudge Security on Petri and I was very interested in the way that it works. I didn’t really know anything about how OAuth works in Entra ID, to be honest. So as I understand, users can essentially just sign up for SaaS services under the default settings and create an account and potentially expose the organization to some kind of risk if that’s not being monitored or you don’t have the necessary insights. But I thought the way that Nudge dealt with getting that overview by using email was quite interesting. One of the things that did come into my mind is that if an organization is giving Nudge access to its email, for instance, one of the questions that I think a lot of admins and organizations are going to have straight off the bat is, well, what about privacy? How do you guarantee privacy? What is Nudge able to see, and what might you say to an organization about that to put their minds at rest?

Yeah, so there’s really two parts to that that I’d like to address. Certainly in terms of privacy, email is a very sensitive resource in every organization. And in fact, part of the power of our solution is because of the flows that go through that email. There’s a few things that people often come to terms with in our conversations.

First is you’ve already granted that access to other services, namely Microsoft in a lot of cases, but also perhaps Proofpoint or Mimecast or Abnormal, where they’re monitoring all of the email flows going into your organization as a method of anti-spam, you know, phishing detection, etc. Now, when you look at us using that same control point that you’ve already granted to these other security platforms, what we’re doing is actually much more reduced. We’re only looking at the incoming machine-generated emails, the things that we have a high confidence of coming from these SaaS providers.

And then we’re analyzing it in such a way that we’re extracting the metadata, not storing messages, etc., which allows us to drastically reduce that sort of privacy concern, not only because it’s something that we’ve already established a precedent for, but also because we’re looking at a very narrow set of communications. We’re not looking at employee-to-employee communication, outbound communication, anything along those lines, which we’ve already done for those other providers. Now, the real question is, well, why do you need to do email to do this? And a lot of people, when they think about, well, what are all the SaaS services my employees are using?

They reach for solutions such as, you know, DNS or a network proxy, or maybe even sort of the cloud defender agent that Microsoft provides. And when you look at those solutions, ultimately, you have two challenges. One is employees are working from all over the place. They are working from all sorts of different types of devices. Sitting between that employee and the internet is a very challenging task to do 100% of the time. And so the second challenge when that happens is even if you are able to do that, the level of fidelity that you get is very minimal. Each one of those applications has a protocol that’s evolving on a daily, weekly, monthly basis, in order to actually understand that, not only do you need to get deep insight into what that communication is, but you need to understand what that protocol, you know, that API looks like, what actions are being taken.

All of that makes for an insurmountable problem when just focusing on the more traditional approaches. We went with the email-based approach because we have two highly scalable opportunities there. One is we don’t need to have an understanding of these applications before we detect them. The second is we’re taking advantage of the design pattern, which is in the economic model of all these SaaS services. As soon as you sign up for an account, that app has one objective. That’s to get you to use the product more. And the only universal communication mechanism that they have that’s out there is email. And so we have this massive historical record that not only we can analyze historically looking back in time, but on an ongoing basis that doesn’t depend on what device or network you’re on in order to detect these services.

So really we see that as a much higher benefit than necessarily an assumed risk as a result of using that as the way of monitoring, detecting, and ultimately controlling these SaaS applications.

Yeah, I love the way that Nudge Security uses email. I think it’s a great solution to discovery. Once everything’s set up, could you give me a few examples of maybe the most useful reports for IT administrators and what they might discover?

Yeah, absolutely. So a couple of the great reports that we have right off the bat is, first of all, what apps are out there?

Particularly recently, there’s a lot of sensitivity around the use of generative AI. I can give you a report showing you what percentage of employees in your organization are using those applications, who’s created accounts, and then what apps are actually being leveraged, which departments are using what types of technology. I can show you all of the accounts that have been created with an email and password as opposed to signing in with Microsoft or using a single sign-on approach. All of that allows you to quickly and efficiently have an understanding of what technology is in use. Ultimately, when it comes down to it, that helps retire a lot of the sort of reactive work a lot of administrators deal with. When somebody comes to you and says, “Hey, I need access to Heroku,” and you’re sitting there saying, “I don’t even know if we have Heroku. Who runs that? Why would we use that? That’s horrible technology.”

Nothing personally against Heroku, but those are typically the responses you get. Then you spend five or six hours on email or Teams or whatever it might be trying to track down where exactly it exists in the environment. Meanwhile, you’ve got somebody on your support channel saying, “Hey, why haven’t you responded to my ticket yet?” That type of work disappears. That’s stuff that you can now answer in 12 to 15 seconds within our product. A quick search, understand who’s using the technology, how they’re authenticating, who the technical admin is for each one of those. That stuff just disappears. Those types of reports end up being immensely valuable off the bat.

Just one quick question. Why Nudge Security? Could you quickly explain what a Nudge is?

Absolutely. Ultimately, when we think about the massive amount of work that comes along with understanding all the technology, figuring out who the admins are, all the pieces of the puzzle that you need to now do, removing access for accounts, ensuring MFA sign up, making sure that the right apps go through the right risk review or legal review processes. This is too much work for a centralized team. What we recognized with this problem is the people creating the problem are ultimately the ones who are most effective at solving that problem. We use the modern principles of behavioral psychology, a lot of nudges, to actually start to engage with those employees and get them to take the small steps that are super easy for them to accomplish that are very logistically challenging for a centralized person to do. You see somebody signing up for Dropbox and your preferred solution is Microsoft OneDrive. We’ll send out a Nudge.

It’ll get delivered to them in context. Ultimately, we’ll say something along the lines of, “Hey, you just signed up for Dropbox. 95% of your co-workers are using Microsoft OneDrive. Can you help us understand why you’re using Dropbox today?” That has proven, and we’ve done some psychological research to actually prove that we see about a 300% improvement in compliance with those nudges, as opposed to a bit more traditional methods such as, “Let me revoke access at the network level for accessing Dropbox,” in which case most people work around that.

Right. Yeah, that’s great. I know that Nudge has some time-saving features for off-boarding users, but how big of a problem is it really off-boarding users? Does it create a big security concern? Aren’t there other IT automation tools at the end of the day that do this kind of thing anyway?

This was one of the biggest revelations that we had as we started to actually work with our customers. One of the challenges that most organizations have is they say, “IT off-boarding, that’s easy. I signed into Microsoft. I revoke their sessions. I deactivate their account. I’m done.” Right? Well, ultimately, that typically represents about 30% of the accounts that an employee has created because that Microsoft console is not going to have any insight into anything that employee has signed up with an email and password. As that user is out there and sees Airtable, “Oh, isn’t this a wonderful spreadsheet tool? Let me create an account.” They type in their email. They type in their password. They start pumping in all sorts of business data into that account. That’s not going to be revoked when they leave the organization.

Likely, the person doing the off-boarding doesn’t even know that account exists, much less take the time in order to actually impersonate that user, sign in, reset the password, lock them out of the account. What we do with Nudge is not only can we give you insight into every account they’ve ever created, we can give you insight into the ones they created with an email and password, but we also automate that password reset flow. Leveraging that vantage point of being within that email, we’re able to reach out to applications like Airtable and say, “Hey, Jimmy’s leaving the organization. Please reset his password. We’ll set it to new password,” which we then burn. When you look at how much time that saves, not only can we do a complete job of off-boarding by making sure they don’t have any access to any systems after we leave the organization, but we can do so in a way that’s probably more efficient than your existing process. Really, when I look at those existing tools, they’re great for the tip of the iceberg and they do a great job automating the tip of the iceberg, but then there’s the rest.

That’s really where we come in and where we shine.

Absolutely. What I loved about Nudge, because we set this up in our labs, is it’s really easy to do. You just connect it (we used Azure) and it connects to various other systems as well, like Google, if I remember correctly. We just gave it permission, walked away, had a cup of coffee, and when we came back, although it was in our test environment, it’s not that huge, but it basically analyzed the whole thing and then we could just start looking at reports straight away. Now, if you compare that to something like Microsoft Defender for Cloud Apps, what would you say to an organization? Because I guess that’s going to be much more complicated to set up, because everything that Microsoft creates is much more complicated to set up. If you were looking at both these solutions, what would you say to an organization in terms of the functionality and ease of setup and all these things if you were to compare the two products?

Yeah, absolutely. First and foremost, we try to do things in a way that’s as simple for our end-user as possible.

If you’re in a Google Workspace environment, we set up as a Google Marketplace app. If you’re in an Azure environment, we set up as your enterprise AD app. Ultimately, that’s a couple clicks, a grant that’s issued. Now, when you actually get into the meat of that, what we’re then doing is we’re analyzing all your email history. All the history that you have been carrying with you for years, we’re actually able to go back through that and look at all the historical activity that your employees have done. Now, the benefit of that, as you remarked, is you had a cup of coffee, came back, and there was a dashboard with all sorts of information in there.

That allows us to actually deliver that time to value and deliver that with all of that historical archive as part of the solution we’re able to initially present. When you compare that with an alternative that’s more network-based, such as Windows Defender, perhaps it’s already deployed, the agent’s already out there, great, I turned it on.

Ultimately, you need to wait to observe that user interacting with that service in order for it to show up on that report. That, as you well know, may be cyclical. I might only sign into my state of Utah tax registration once a year during tax season. We won’t know that account’s even there, contrasted with where we stand with a Nudge product. Now, ultimately, it also comes back to those challenges we talked about before. Knowing that I resolved github.org through my Windows Defender for Cloud agent, great. What did you do when you were there? Did you create an account? Were you looking at marketing material? Were you looking at an open source project?

Did you create a new repo and clone over source code from something within your environment? That’s the level of granularity and detail that we can get you from that email-based detection, as opposed to just looking at the network-based detection, which is really very limited in terms of DNS resolution, ultimately. You don’t really get the fidelity of results that you need in order to actually understand what your risk is, what’s actually going on, what you need to worry about, what you don’t need to worry about, and what you need to talk to those users about.

Yeah, I guess that’s a really important fundamental difference between how the two products work.

Yeah.

Okay, could you tell us about what’s in store for the future? Any big plans for Nudge Security in terms of features and functionality that you might let us have a bit of a sneak preview of, so to speak?

Absolutely. So, we’re really excited about where we stand. Ultimately, what we can do, and as you sort of remarked, is within less than an hour, we’ll give you that system of record: what technology is in use, who’s accessing that technology, what functionality it’s providing, who the admin of all those services is. As we look to the future, we see no end of value that we can deliver there, whether it’s making you more efficient in your risk assessment processes for those, making it more efficient for your end users to discover technology that’s already in use and gain access to that technology, or whether it is providing more granular controls around the sort of scopes that are issued within those OAuth grants. If you want to have a policy related to applications that can read email, which differs from policies that are related to applications which just have the ability to sort of see my username and sign in, we can start to make that a reality with Nudge Security.

So, we’re really looking at making this a more scalable solution for people who are dealing with these everyday challenges of what technology is my organization using, which technology should they be using, and how do I deal with this new reality of employees introducing new applications every day. And ultimately, we’ve been working with a large number of customers over the last year in order to help refine that vision and make it easier and easier for people to get things that they need done more scalably accomplished within a short amount of time without a huge amount of centralized work that I know IT admins already have too much of.

Okay, great. So, where can viewers find out more?

Absolutely. Everything that I just discussed, we believe strongly in making it easy for people to self-service. So, if you go to www.NudgeSecurity.com, not only can you get live product demos, you can sign up for a free trial, two weeks, completely unfettered access, no credit card required or anything along those lines. You can actually experience the product for yourself, but that website is an incredible resource for self-educating on the challenges that we see in this modern environment, as well as getting your hands on the product and seeing it for yourself.

Great. All right, so I’ll put the link to Nudge Security in the description for this video below. I’ll also put a link to Aidan’s review for Petri.com if you’d like to take a look at that. But that’s it. That’s all we have time for today. So, I’d like to thank you again, Russell, for joining us.

Thank you so much. It’s been a pleasure to be here.

And thanks everybody for watching and we’ll see you next time.