Key Take-aways:
- Modern digital workplaces are composed of web browsers and a set of desktop SaaS clients (e.g., Microsoft Teams, Slack, Asana, Notion, and more) that provide access to apps and services
- Enterprise data must be secured across the entire digital workspace
- The built-in DLP capabilities of SaaS services require license upgrades and are usually insufficient; external DLP solutions add cost and complexity
- Seraphic’s digital workplace security uses a single agent and one policy that provides fine-grained protection and control across every browser and other essential apps.
Introduction
The web is the modern digital workplace: a mix of public sites and SaaS apps which organizations rely on so heavily that, according to one Forrester study, employees spend 75% of their working day using a web browser or collaboration app. As organizations have shifted more and more of their IT infrastructure to the cloud, protecting against compromise via the web and securing sensitive data from leakage via the browser have been persistent—and often unaddressed—challenges.
Balancing productivity gains with nascent risk
Organizations initially approached the cloud reluctantly, while individual users were much more likely to embrace it because it helped them get work done didn’t require traditional IT support or involvement from the procurement department. Eventually, it was no longer possible to deny the productivity benefits and SaaS generally—and collaboration apps particularly—became a mainstays of enterprise IT.
Given that virtually all SaaS apps were initially delivered via the web, an unusual development in SaaS adoption was a pendulum swing back in favor of “thick clients”. In an effort to provide a consistent cross-platform user experience, SaaS providers introduced desktop clients that enabled access to services without using a browser.
This change caused the phenomenon once known as “shadow IT” to morph into something better described as “shadow collaboration”: a scenario in which employees may be using sanctioned services but—just like email in the early days of the Internet—with new ways to connect, collaborate, and share data with external parties. Unlike email, however, these new services lack an important component: centralized gateways that could serve as chokepoints for content inspection and the application of policy.
The large ecosystem of collaboration apps also gave rise to another variant of shadow collaboration in which employees used one sanctioned tool for internal collaboration and another semi- or unsanctioned tool for collaborating with external users such as customers or partners.
In both cases, these new apps either severely limited the visibility of web-centric DLP solutions or rendered them completely ineffective.
Limited built-in control
Typical SaaS services may not offer much in the way of native DLP capabilities, may require customers to move to a more expensive license tier to enable DLP, may depend on external DLP solutions (priced and billed separately), or some combination of all three. It is common, for example, to require admins to write DLP rules using Regular Expressions (RegEx) which trigger alerts that require admin intervention (i.e., they don’t support any automated blocking and/or removal of sensitive data). In other cases, the DLP capabilities work only with a limited subset of content or file types. For example, one of the most popular collaboration apps will apply DLP policies to the content of files created by a handful of related applications at one license tier but requires a license upgrade to apply policies to the text of chats.
Perhaps the biggest limitation of the DLP capabilities in most SaaS apps is that there is no uniformity or standardization: the onus is on the admin to translate written corporate policies into rules or configurations for each different service using the policy definition framework of that service and then maintain parity between them, creating significant operational overhead and potentially limiting effectiveness.
External DLP solutions
As data sharing migrated from email to web-based storage to desktop SaaS apps, DLP solutions were migrating to cloud delivery and organizations were migrating to hybrid work. This diffusion of both infrastructure and the users it was intended to protect forced DLP solutions to adapt by building traffic-steering clients for their proxies and adding API connectors to integrate with SaaS services via the backend. Despite improvements, proxy-based solutions remained hampered by a variety of factors including encryption, complex and unreliable integrations to detect unsanctioned services, and a limited ability to enforce traffic steering on unmanaged devices. The use of APIs filled some of the gaps but those integrations were restricted by the capabilities exposed by individual SaaS vendors. Moreover, API-based DLP is reactive in nature. When an event occurs, the SaaS app may push a notification or the DLP solution may pull the information via a query. In both cases, the details of the event are received after it has happened. This makes API-based solutions valuable for auditing and forensics, but ill-suited to real-time enforcement of organizations’ policies. API-based solutions also offer no protection for unsanctioned services, as the necessary integration—by definition—has not been configured.
Introducing the Seraphic Enterprise Suite
Using the same technology that has enabled organizations to apply robust and fine-grained DLP policies to secure corporate data in browsers, the Seraphic Enterprise Suite now protects the rest of the digital workplace including essential apps like Asana, Microsoft Teams, Notion, and Slack. Just as Seraphic has transformed every browser into a delivery vehicle for security and governance, the desktop apps of popular SaaS services can now be part of an organization’s security stack rather than risk to be mitigated and managed. The new capabilities include the ability to:
- Selectively enable and disable user actions such as copy/paste, file upload and download, and screen capture
- Dynamically redact sensitive data to prevent it from being displayed, as well as inspect the content of files that are shared within and between apps
- Analyze and audit users’ activity, as well as forward events to log aggregation systems
Seraphic simplifies the enforcement of DLP policies across the entire digital workspace. Here is a short demo:
For more information, visit our DLP Use-case page or schedule a demo.