
In this episode of Cybersecurity Today, host Jim Love delves into the topic of SaaS (Software as a Service) security. Sharing his early experiences promoting SaaS, Jim elaborates on its inevitable rise due to cost-effectiveness and shared development...
Jim Love
Welcome to Cybersecurity Today. Our topic today is SaaS, or software as a service, security. SaaS software has been around for a long time now, believe it or not. I worked on this in the early 2000s with my buddy Marc Langlois, and we tried to convince HP and our management at DMR that you could deliver applications over the Internet. We got thrown out of a lot of offices. We got a laugh, not a sum. And then salesforce.com came out. And it's not that we were prophets. Logically, SaaS was an inevitable progression of the buy versus build contest in software. And once that battle had been won, once people thought it was better to buy than build, SaaS was inevitable, once the technology caught up. The idea is simple. You avoid the capital cost of development or of purchase. You pay a relatively low monthly payment for software that's always up to date. And not only does someone else do the development and the maintenance, but, and this is what would make SaaS inevitable, they do the hosting too. And that was only part of the equation. Theoretically, you were purchasing the best development team; they specialized in this and they could do it better and not just cheaper. And the costs were shared and the development team was shared, so they had more and more experience. But in reality, the real reason SaaS caught on was cost. You could buy a relatively sophisticated application on your credit card, and many people did. So SaaS turned into a bit of a nightmare for IT and eventually for security. This was shadow IT on steroids for many reasons, and I'm sure we'll discuss these today. And while we might have bought SaaS thinking we were getting better development, a lot of us started to realize the security side didn't always live up to that. Now, we've done a lot over the years to try to manage that, but as I've pointed out, we're in a second wave of SaaS now, an avalanche of AI software.
So when this report crossed my desk, I reached out to try and get someone to talk about it. And that report that we're talking about is called The State of SaaS Security. And it was developed by the Cloud Security Alliance. They're dedicated to defining standards, certifications and best practices. They put out the State of SaaS Security Report: Trends and Insights for 2025-26. They're an independent organization, been around since 2008. And I managed to get the sponsor of the report, or the company that sponsored the report, to come in and talk about this. My guest is Yanni Shawat. He's the CEO and co-founder of Valence Security, and Valence, of course, is the sponsor of the report. But this was done independently. Welcome, Yanni.
Yanni Shawat
Thank you, Jim. It's great to be here.
Jim Love
Did I get it right on the report? This is an independent report. You guys paid for it, but it was done by an independent group.
Yanni Shawat
Yes, CSA did the entire report. We were just supporting and sponsoring it.
Jim Love
Just providing the money. Well, somebody asked it, right? Yeah. Now I want to talk about you first of all, because I got a little bit on your bio. First of all, how old are you, young man? I need to know. You're an entrepreneur. You've got your BSc in math when you were 19. So you were the guy who was sober in university, as opposed to me. Okay.
Yanni Shawat
Allegedly.
Jim Love
And then you went into the Israeli Defense Forces as a cybersecurity team leader. Yep. Can you tell me a little bit about that? I think we're all curious about what that means. You're 19 or so, you graduated, you're in the defense forces and they put you on a cybersecurity team. What was that like?
Yanni Shawat
Yeah. So in Israel you have mandatory military service at the age of 18. Also the legal drinking age is 18, unlike in the US, so the statement wasn't 100% correct in those terms. But I still had a year of eligibility. I did go through an atypical route where I started when I was 16, during high school. In parallel, I started my bachelor's in math through a program at the university. And then at the age of 19 I delayed my army service, and I joined the army basically a year later and served for almost six years in the Israeli intelligence forces across various cyber operations positions. Did my officer school there as well. I finished my service as a captain managing a few teams, in various positions across my service during those almost six years. Why, and probably the main reason why we see a lot of entrepreneurs in cybersecurity companies come out of Israel, is that at a very young age you're given a lot of responsibility in very tech-focused areas related to security, the equivalent of what you're able to do in the US probably only when you're about 30. And then in your mid 20s you finish your service and you're hungry, and you've experienced the highest level of basically your capabilities and you broke any type of glass ceiling across the early stages of your career, and you're looking to just do more of that. And going into a corporate organization and just doing a day job seems so boring, and it doesn't really allow you to fulfill your full potential. And similar to me, a lot of Israelis, when they get to that stage, they just look for their next big challenge and go through that entrepreneurship path and found a company. I went through a similar path and eventually started my first company very shortly after I finished my military service.
Jim Love
Yeah. I think this is amazing. And one of the things, and I don't want to diminish this, I don't want to trivialize anything, war is not good. But you say to people when they're starting out in cybersecurity and they're freaking out, they're worried about whether they're going to make a mistake, you say, look, it's not life or death. But in the army, it actually is. Like, you're getting a hell of an experience and a hell of a responsibility in some of those cases.
Yanni Shawat
And at a very young age. At least in Israel, it's at a very young age, which really builds you up for a very mature career at a very early stage of your career path, which I think highly contributes to that. What you do matters a lot and you get a lot of responsibility because, again, everybody around you is more or less at the same stage of their career path.
Jim Love
So the image I have is that there's a street in a city in Israel and there's just, like, cybersecurity companies all the way down there. But there are a lot of companies. There's a big industry there now. I wouldn't say, I don't know if I'd say it's the leading place in the world, but pretty darn close in terms of cybersecurity development. What's it like living there with all of that going on?
Yanni Shawat
I think, definitely compared to the size of the population, it's definitely leading. I think it's created a very strong ecosystem. Because it's a small country and because everybody knows everybody and you're two phone calls away from getting to whoever you want to talk to within the Israeli ecosystem, it's able to really encourage you and to all the time find new ways to go beyond what you thought were your limits beforehand. And I think this really encourages entrepreneurship, encourages people to explore these options, and also creates the right ecosystem of support so you don't feel like you're by yourself or the first person that has to do something. You have somebody to consult with, you have people that will push you forward, and you also have, obviously, the sense of competitiveness, because a lot of our competitors are Israeli based, and a lot of companies that we see emerging within the cybersecurity industry are either former colleagues or people that I had some sort of engagement with in the past. And that obviously also boosts and really endorses this entire ecosystem.
Jim Love
So this is your second company that you've co-founded. Did I get that right from your bio?
Yanni Shawat
Yes. So I started my first company right after my military service. The company was called SCADAfence. It was focused on industrial IoT cybersecurity, basically securing the shop floor environments and critical infrastructure in manufacturing organizations. That company was acquired by Honeywell, and afterwards I started Valence about four years ago, which is focused on SaaS security, our topic for today. And I feel like after my first experience, it's almost the only thing I can imagine myself doing, and moving forward, just continuing through this route and leveraging, or enjoying, the level of excitement that I have, just experiencing the entrepreneurship experience every day and the ability to actually feel like I'm leveraging my entire skill set on a day-to-day basis.
Jim Love
And so why focus on SaaS?
Yanni Shawat
Yeah, so when we started in 2021, Shlomi, my co-founder, and myself were looking for problem spaces throughout our ideation phase. It was a bit after the SolarWinds attack campaign. One of the things that attackers did there is that they really focused on third-party vendors: they hacked into them and stole from them APIs and service accounts, or service access that they had, in order to gain access to their customer base. For example, they hacked an email security company and they leveraged their tokens in order to steal emails from their customers. And when we started talking to CISOs and to security executives that we interviewed throughout our ideation phase, and we asked them, what do you do with all these API tokens that have access to your business applications? We got a very repetitive answer of, we have no idea, we don't know. Even if they're generated, we have no inventory of them and we can't really track them. And we double-clicked on that. We really focused on that problem space as our initial focus. And the more we spoke and engaged with customers around their problems with Microsoft 365, Google Workspace, Salesforce, GitHub, Okta and different SaaS applications, we realized that they have no idea what's even configured within these applications. Because if you compare the modern adoption of SaaS to what you probably saw in the early 2000s, today SaaS is really adopted and managed outside of IT and security. So the admins of Salesforce are in sales, the admins of Workday are in HR, the admins of GitHub are in engineering. The security teams really lost touch with what's actually going on within these applications. And when you couple that with the fact that SaaS has become very complex platforms.
Jim Love
Right.
Yanni Shawat
It's not just a simple UI that has two buttons and one task that you do with it. These are complex platforms with a lot of abilities to integrate, to automate, to create gen AI processes, and just create complete platforms within one application. So the complexity, together with the distributed administration, really pulled us towards focusing more and more on SaaS security as a primary focus area.
Jim Love
Yeah. And I think in the same way that SaaS, and you brought up the point quite correctly, you've got these islands of security done by, and I'm sorry, but amateurs, people who are not necessarily trained in security or thinking about how security should be set up, and some very sophisticated security integrations going on and exposures going on with these. I think that's one of the nightmares of the modern CISO, trying to make all of that work. It's hard enough to make it work with a team that you keep coherently together and keep trained. But the other piece of this is the setup. And you mentioned Microsoft 365, and I think everybody, well, a lot of people in the audience are fairly technical, some of them aren't. I don't think people realize that this SaaS software that you get, that comes out of the box, is highly insecure. If you just set it up and leave it, you've created a major vulnerability in your organization.
Yanni Shawat
And there's a shared responsibility model between the vendor and the customer. The vendor is supposed to provide you...
Jim Love
Share the consequences, they share the fees. Yeah.
Yanni Shawat
And potentially they give you the option to make it secure. You need to opt in to a lot of the security features. They don't come on by default, because by default these vendors want to encourage you to make the most out of the platform. And making the most out of the platform means that you can leverage a lot of functionalities that the security team may not be on board with. And when you think about how that shared responsibility model actually comes into effect, it means that it's your responsibility to be on top of all the different toggles that every platform offers you, to make sure that it's adopted in a secure way that you're satisfied with. And I think that specifically, if you look at, for example, the Snowflake breach that occurred last year, many Snowflake customers were breached because of the fact that they didn't properly enforce MFA, multifactor authentication, within their applications. And eventually even Snowflake came out with a statement saying, hey, this is your responsibility. Here's how you can configure it. You were supposed to go and click the right buttons. But then it comes back to the fact that you need to know about all your Snowflake tenants, and you need to make sure that you properly click all the buttons, and that you don't have surprises of somebody unenrolling or removing MFA just for a temporary test and not coming back to it, and things like that.
Jim Love
Yeah, and I don't dive on vendors, actually. Maybe I am more critical than I let myself think I am. But one of the things I take into account: if you go sell any power tool to somebody, or anything that is dangerous or has a danger, and you don't warn them of that danger and make sure that they know to get training or they know to get expertise, you'd be prosecuted. But in software, we could have somebody come and say, oh, yeah, give me your credit card, take this thing, walk away, and not be forced to say, you really need to know about these things, or you really need to talk to somebody. And I get it. Salespeople aren't in the mood to push people away from buying software. That's not their job. But I always feel that we got into client satisfaction, I think they call it, or getting people to use the software. There's nobody who phones you up to say, I'm the security person. Are you okay? Yep. So there we are. And so that brought you into this now, and you did this report. Do you want to just go over some of the main findings of it? I got what I got out of it. I've got some notes here, too, to go through. What did you take away from this report?
Yanni Shawat
Yep. So I think the encouraging aspect is that the focus on SaaS security is really increasing. We're seeing more budgets, more focus, higher priorities on SaaS security as a whole. The inherent dangers and risks associated with SaaS are still challenges for a lot of organizations. For example, when we speak a lot with customers and prospects across the industry, we get a lot of times the claim of, oh, I have it under my single sign-on or my multifactor authentication and we're good here. Our SaaS is secure because of our strong authentication methods. But still, when you go into the main sources of breaches and some of the challenges that a lot of organizations have based on the survey, it's still very much related to identities, which is the core aspect of what you can configure within SaaS. It is eventually related to access, right? You upload your data to these SaaS applications and you need to control how you manage access to the data within the applications, whether it's through permissions, authentication, privileges, and just making sure that you have good control over it. Which is still a major challenge across three main areas: human identities, non-human identities, which are basically automation capabilities that are leveraging tokens and APIs and basically leveraging machine identities for activities, and also just data exposure. Think about the simple use of OneDrive or SharePoint or Google Drive, right? Something most people use on a day-to-day basis. We share files all the time because you collaborate with somebody. I have a project, I share a file with them. When's the last time you unshared a file?
Jim Love
Oh God. Should I be confessing this on the air? We're a relatively small organization now, so if people are going to hack me, they're going to do it. But in the olden days, when I ran a larger company, it used to scare the crap out of me how much stuff was shared and how we would go about finding out who still had access to what. And the tools at that time were just garbage. You could not find out where all this stuff was, and you might as well just, here you go. Oh, you're no longer with that company, but we're still sharing the document with you. Not a problem.
Yanni Shawat
There still are, unfortunately. And I think what we see is that the user experience of these SaaS applications makes it very easy to share files externally. Two clicks and it's out. Then you can share openly with a link, because that's easiest. You don't need to think about least privilege and who actually needs access to it. You can just create an anonymous public link, but it never encourages you to unshare a file. It's not built into the user experience. And what we find is that about 94% of external file shares in our customer tenants are not really accessed by the external collaborators. So they're just sitting there shared. Other people can access it, nobody actually needs it. And it creates a lot of challenges of just data over-exposure within the environment.
Jim Love
I understand we have to do it. I've never been able to figure out why they're not timed, where you share a file for 48 hours. And the company BlackBerry here actually tried to do some really good work, and I think some people did some work on sharing, but I don't know where that's gotten to. And maybe I don't know enough about it, but it seems like a massive hole in security. But there are more. Like, we digress. There are more. You talked about multifactor authentication. Your report says almost 50% of the SaaS breaches are linked to weak MFA protections. That didn't surprise me. It dismays me, but it didn't surprise me.
Yanni Shawat
Yeah, I think today attackers realize that a lot of organizations think that MFA is the silver bullet to protect their identities. But there are ways around it. If your MFA requires just a code on the phone, that's something hackers obviously tackle by trying to get access through SIM swapping and stuff like that. Or if it's something that they can leverage, like MFA fatigue, where they call your employees and say, hey, I'm from IT, I need your code. Can you give it to me now? I just sent it to your phone. It's just a technical issue. People give it. Token theft: eventually, when I log into my SSO in my browser and somebody gets access to that token in my browser, they can leverage it on other devices as well. So there are a lot of methods to try to breach it, and it's just the first line of defense. But it can't be the only defense you put in, because you need to afterwards make sure that least privilege is enforced, that nobody has access to things that they don't need access to. And eventually that you also monitor the activities that these users perform, so you're able to detect, oh, somebody's doing something abnormal. Somebody's potentially going through an account takeover attack. And this is something that we should focus on and try to remediate or to mitigate in terms of potential risks.
Jim Love
Okay, I get to quiz you on the study. And I hope I let you finish your summary. But here's something that just jumped out at me. Okay, and I'll just go through this. People are really concerned about SaaS. I think your report says something like 86% of organizations say it's a top priority. And then, surprisingly, about 80%, 79%, expressed high confidence in these programs. And then about half of them report that employees sign up for SaaS applications without security's involvement, and 58% of them are struggling to enforce proper privilege levels. This seems to be a bit of a contradiction. On one hand, this is getting our attention, we're paying a lot of attention to it. On the other hand, we've got these really big weaknesses. Is that...
Yanni Shawat
Yeah.
Jim Love
Do you find that sort of split personality in organizations?
Yanni Shawat
Maybe we should have asked the confidence level question at the end and not at the beginning, after they answered all the other questions. No, but I think that's the reality. The reality is that organizations have a lot of confidence that their SaaS is secure for many different reasons, whether it's because they think the vendor just provided it to them secure, because they have MFA or single sign-on enforced, whatever the reason is. But they don't realize the multiple layers of risk that are associated with potential misconfigurations and also shadow adoption of these tools. If you think about when DeepSeek came out a couple of months ago, it came out in a boom and everybody was interested and curious about, oh, what's DeepSeek? What's this new gen AI capability that everybody's talking about? Is it good? Is it bad? We found it adopted across almost all our customer base and notified all our customers: hey, this is in the news. Just so you know, here are all the users that adopted DeepSeek within your organization. I think that was the quickest remediation time period I've ever seen our customers go through, because they were concerned not only because of the Chinese ties to DeepSeek, but also just because it's a new gen AI tool. People are feeding it company data and they have no control over it. So there are always new things that pop up that people are concerned, and should be concerned, about. But I do think that the contradiction that you mentioned between the confidence versus the reality may be because when they answered the question, they answered it at the beginning without thinking about, okay, but what about this and that, which we were already asking throughout the questionnaire. So maybe, again, note to self, next time ask that at the end.
Jim Love
But you brought it around to AI, which I have said is the greatest wave of shadow IT since the start of IT. There are more applications out there now that are powerful and with security holes that you could just drive a truck through. You don't have to be sharp. And by the way, you can get AI to help you hack it. Are you seeing an awareness of that at all?
Yanni Shawat
Yeah, I think definitely a lot. It's in the news everywhere, and almost every organization we're speaking with either has a policy or is enforcing a policy related to GenAI adoption. And most GenAI is delivered as SaaS, right? How do you consume the new AI tools? Obviously there are options for on-prem or self-hosted, but most of them are delivered by default as SaaS. And what we see is that a lot of organizations went through an experiment phase where they said, okay, let's see what type of AI is actually needed by the organization. Now they're trying to create more of, I'd say, limitations on AI adoption, but mostly creating a very clear path towards what good AI adoption looks like within the organization. For example, if you want to leverage a note taker on your virtual conference calls, here's the tool that was already approved and authorized by the security team. Just use it. And then when we help them identify new adoption of a new tool that is not in the approved or sanctioned capabilities, the message is not, hey, you cannot do this, we're blocking you. But, hey, this is not the sanctioned tool. Please start using this tool, because we're not going to allow that tool. And it just changes the tone of the conversation when it comes to how a lot of security teams engage with their teams or with their employees within the organization.
Jim Love
Yeah, and I've been saying, don't try and stop it, you're crazy. If you do, it'll just go underground. People will just not tell you, or they'll find ways around the cleverest systems to do this. So get out there and say, what are you using? How can we find out it's secure? The other piece that I advise people to do, and I understand we want approved versions, is don't try and restrict people to the one you think is best. You're going to get killed. They're going to hate you, because they've got this one that works and it's better than the one you recommended, and then you lose all credibility. But getting out there and making sure that you enhance, that you say, look, we're here to make you more secure, not to restrict your development, is a tough conversation. And in fairness, I don't know if a lot of security departments have the staff or the time to properly manage that. So I don't want to be critical, because they've got a lot, 4400 interruptions per day per person, so they've got a lot on their plate. How should they manage that? How would you approach it?
Yanni Shawat
Yeah, I think this ties back to the fact that you have shadow adoption of SaaS, but also distributed administration of SaaS applications. So it's not just who puts in their credit card and buys a SaaS application, it's also the highly critical business applications that are just managed outside of IT and security. I think this is the new reality, or this is the reality. And security teams need to adjust, and therefore collaboration with your business, whether it's the SaaS admins or the business users, is key in order to create a successful SaaS security program. You have to create good conversations and good collaboration to deeply understand what the business is trying to achieve, and create the best and most secure methods that ensure the business can actually adopt what they need, but also create the right security controls around it to make sure that you don't create more risks and that the security team doesn't become nervous from that type of adoption. So that collaboration is really key for security teams to be successful, because otherwise the business will just find a different way to do it. And the security team, even if they're not accountable for everything the business is doing, will still have to see it as something that they want to have better visibility and control over as this risk surface continues to grow.
Jim Love
So just to get back to the report for a second. I tend to wander, you might have noticed. We've covered some points, but why should people read the report? Are there other insights that they'll get from it if they check this out?
Yanni Shawat
Yeah, I think the main reason to read the report is really to get better education about the real-world risks that we're seeing within organizations and the real challenges that organizations are facing, in order to better understand. First of all, to ask yourself if your security program is actually addressing these potential risks, and how you would answer the survey if you answered it, in terms of the raw questions embedded into it, and to help you create better focus on how to improve your SaaS security program internally. And also, to your point in terms of confidence level versus the reality, maybe more of a reality check for security practitioners, to make sure that they're actually focused on what could potentially move the needle and that they don't have blind spots when it comes to their SaaS security or SaaS environment overall.
Jim Love
And, like I said, a lot of my audience are CISOs or people like that, and many of them are also managers who might be managing this and trying to stay up to date. If somebody brings a SaaS application into your environment, one of the things that I would point out is to really find out how secure their APIs are. Don't just take it that it's got a REST API or some sort of API. Really check that out, because I think that's a vulnerability area. Are there other questions that people should be asking about the security of SaaS, from your experience?
Yanni Shawat
I think there are three layers that you typically need to focus on. The first is, first of all, are you going to be able to even identify that somebody brought the SaaS into your environment? That's the fundamental question. Do you know it exists? Will you discover it on time, and will it be part of your inventory? Then the next question you need to ask yourself is, what capabilities does each SaaS application offer me to make it more secure in my environment? What are the controls? What are the toggles? What are the functionalities that I can control as a user, as a customer of this SaaS, that will make it more secure but still fit what my business is trying to achieve? That's really the posture element. It could be related to APIs, but it could be MFA. It could be related to who has admin access, it could be related to how data is shared externally. It can be related to a lot of different functionalities that are built into the platform. Then the third layer is really, okay, let's say I discovered the app, I put in the best practices when it comes to security controls, it's as secure as it can get. Breaches could still happen. This is the reality. Breaches could still happen because of a lot of different reasons. Will you be able to monitor the activities within the application and to detect breaches if and when they occur, suspicious or malicious activities, if and where they occur, in order to make sure that you have proper incident response capabilities for these SaaS applications? So it's identification, protection, and then detection and response, and it's a full lifecycle of really building up your program around each one of these applications.
Jim Love
And just a couple more questions, and between you and me, and not the 10,000 other people who are listening. You're a vendor, you meet a lot of people, you see a lot of things. What are the things in terms of SaaS that make you go, oh my God, please don't do that? What are the things that keep you up at night about what people are doing with SaaS?
Yanni Shawat
Yeah, so I think what really keeps me up at night when I think about how people adopt SaaS is really the fact that a lot of people that are less educated about the potential risk are now going in and configuring these SaaS applications to get their job done. They're not doing anything maliciously, but they're just trying to get their job done. And we're seeing it across almost every business-critical SaaS app that there are surprises in configurations of, oh, I didn't think about this, oh, I didn't think about that. And there are a lot of procedures that could break. For example, a lot of organizations think they've got offboarding checked, and that there's a process that automates the offboarding or that helps to just remove contractors or employees that are terminated or quit their jobs in a timely fashion. But there are almost always gaps in it, because there is a sense of control that a lot of administrators want in terms of how these processes actually occur that eventually translates into manual processes. And when it comes to manual processes, there are always going to be gaps, and we find it in almost every organization. So I think just that distributed ownership, and the fact that the people that have the control are not precisely the people that are concerned about security, creates a lot of gaps in terms of how organizations are actually ensuring proper security for their SaaS apps.
Jim Love
Yeah. And I will tell you, as somebody who had the unfortunate reality of shutting a company down, you don't know how many things you're still paying for and are still connected until you actually go through account by account. It shocked the heck out of me, because I thought we were pretty good. But there's a lot happening out there that you never see. People not only have access, you're still paying for it.
Yanni Shawat
Yeah.
Jim Love
Which is huge in many cases. Anything else that makes you just want to tell people, please get this?
Yanni Shawat
So I think we spoke a bit about APIs, but I think the non-human identities attack surface, or risk surface, related to SaaS apps is just huge. We see almost a 1 to 10 ratio on every human identity in terms of the number of non-human identities that we see in an organization. And we need to realize that these non-human identities are anything. If I use Calendly and I give Calendly access to my calendar, it creates an API, it creates an identity basically for Calendly as a machine or as an app to access my data. These applications have no MFA, they have no strong authentication. They are distributed to a lot of third parties that we inherently trust, sometimes with a level of access that can administer our SaaS, these critical SaaS applications. This is just a huge risk surface, definitely not well integrated into IAM processes. Like, we see organizations POC four different vendors, choose one, forget to offboard the other three. And a lot of risks that are associated just with the day-to-day management of these non-human identities. It's probably one of the most, definitely top three, but one of the most critical surfaces that we see within organizations in terms of: we didn't even think about it. We didn't look at it. We don't have any visibility. The Internet.
Jim Love
It still makes my stomach cringe when I check that box that says you must trust this application because it can delete everything that you have. Wow. Yeah. I think that's it. But also the non-human identities, not just these. I think this is an extreme risk already. But the second level is we're in the process of bringing non-human employees into our environment. Microsoft's already launched, I think, 11 security agents this past week that are going to be integrated. And agents, by their own nature, are things that can perform autonomous tasks. So being able to manage non-human identities even goes up a notch now with AI-generated employees. That's really what they are. They do tasks within your world. I don't know what else you'd call them. Yep.
Yanni Shawat
And you have to give them privileges to do these tasks. These privileges are typically my privileges, and not just the basic privileges that every user has. And then that just... And they have access to data and everything else, and it just creates a huge attack surface, or risk surface, that you need to address.
Jim Love
So I always, and I do thank you for this, but my guests are most gracious when they come in. They've got their own products and services, and I always tell them, this ain't a commercial, buddy, but feel free to talk about your own product through this piece, because I think that's fairness. You developed it for these reasons. What are the solutions? What should we be doing?
Yanni Shawat
Yeah. So what Valence does is we give you a very comprehensive SaaS security platform that allows you to discover, protect and basically monitor your business-critical SaaS applications. So we start with shadow IT discovery. We'll create an inventory of all your different SaaS applications within the organization. Then we can natively integrate out of the box to over 100 different SaaS apps, so we can start pulling information about their configurations and how well they're secured. Basically SaaS security posture management, or SSPM. It's similar to what CNAPPs and CSPMs do in the cloud space or infrastructure; we do it for SaaS. And from there we go into threat detection and response, and being able to monitor user and administrative activities in order to help organizations respond to breaches if and when they occur. This really helps to build all the different layers that are required according to almost any security standard or security framework. Am I able to identify, am I able to protect, and then detect and respond capabilities, and really create a comprehensive view of your SaaS ecosystem.
Jim Love
Wow. Yeah. And where do you go from here? What is the next development that we'll be seeing in this?
Yanni Shawat
Yeah. So I think the more we see GenAI delivered via SaaS, the more this will become an inherited aspect of SaaS security. So GenAI security for sure. And we're continuing to innovate when it comes to how you are able to discover all your SaaS apps, because it's always a whack-a-mole game across the organization, and you need to be very clever in how you try to catch shadow adoption, and in covering more and more SaaS applications and more and more business use cases that are important for our customers.
Jim Love
And I think maybe if you get the report, is there some sort of best checklist or something that someone could work from to try and evaluate their risks? Is there anything that comes to mind, or is that, in fairness, and in full disclosure, we're not getting paid by your company, so I'm asking this legitimately, is that a service that a company like yours provides, to help people assess where they are in terms of SaaS?
Yanni Shawat
Yeah. So some of the main benefits of our platform are that it's agentless and it's very easy to implement. It typically requires an API or service account access to your SaaS, to your business-critical SaaS, and from there, very quickly, we can generate a risk assessment report of your SaaS applications, which is a process that can take anywhere between hours or a couple of days, in a very efficient way to create visibility in terms of risks to your specific problems. Instead of "I can sell anything in my demo environment," it really gives organizations a viewpoint into their actual risks and what was actually configured within their environment. Which makes it much more of a concrete discussion around "do I have a problem?" rather than "is this a nice report that I should be concerned about?"
Jim Love
Great. Yeah. And so, is it... And I didn't even look at your product. Is your product a SaaS application? Yes. Yes.
Yanni Shawat
It's delivered as SaaS, and it's 100% SaaS.
Jim Love
I'm only kidding. My guest today has been Yanni Shawat. He's the CEO and co-founder of Valence Security. Thank you so much. This has been a great conversation. I hope we can do it again.
Yanni Shawat
Thank you.
Jim Love
And that's our show. I'm redeveloping our website at technewsday.ca, so the show notes have been a little lax in the past little while. I'll try and get these up so that you can get a link to that report. I think it's actually decent and worth reading. But if you're watching this on YouTube, there'll be a link to the report in the comment section. Thanks a lot for spending the time with us. I hope this was a really good topic. I hope you enjoyed it. If you didn't, or if you did, why not let me know? editorial@technewsday.ca. You can reach me there. You can find me on a SaaS application, LinkedIn. I get this for social media, but my sense of irony is always there. You can reach me on LinkedIn. A lot of people do. Or if you're watching this on YouTube, just put a comment right under the video. I answer each and every one. Thanks for spending your time with us this weekend, or whenever you listen to podcasts. You had other things you could be doing and you spent it with us. So thank you very much. I'm your host, Jim Love. Have a great weekend.
Podcast Information:
In this episode of Cybersecurity Today, host Jim Love delves into the intricate world of Software as a Service (SaaS) security. The discussion centers around the evolving landscape of SaaS, the associated security challenges, and best practices to safeguard businesses in an era dominated by cloud-based applications. Jim is joined by Yanni Shawat, CEO and Co-Founder of Valence Security, who provides expert insights based on the "State of SaaS Security" report developed by the Cloud Security Alliance.
Jim begins by introducing Yanni Shawat, highlighting his impressive background:
Military Experience: Yanni served as a cybersecurity team leader in the Israeli Defense Forces, managing teams within the Israeli intelligence forces for nearly six years. (02:55)
Jim Love: "You’re the guy who was sober in university as opposed to me." (03:20)
Entrepreneurial Journey: After his military service, Yanni founded his first company, State Offense, focused on industrial IoT cybersecurity, which was subsequently acquired by Honeywell. Four years prior to the podcast, he co-founded Valence Security, dedicated to SaaS security.
Yanni Shawat: "After my first experience, it's almost the only thing I can imagine myself doing and moving forward..." (07:44)
Yanni attributes the strong cybersecurity entrepreneurship scene in Israel to the early responsibility and technical focus placed on individuals during their military service, fostering a robust ecosystem for innovation.
Jim Love provides a historical perspective on SaaS development:
Early Skepticism: In the early 2000s, Jim and his colleague Marc Langlois attempted to promote SaaS concepts to HP and DMR, facing considerable resistance. The emergence of Salesforce.com marked a turning point, demonstrating the viability and cost-effectiveness of SaaS.
Jim Love: "You could buy a relatively sophisticated application on your credit card and many people did. So SaaS turned into a bit of a nightmare for it and eventually for security." (01:30)
SaaS Adoption Drivers: The low cost and ease of purchase that drove SaaS adoption also introduced significant security challenges, evolving SaaS from a convenience into a complex security landscape.
Yanni Shawat: "The complexity, together with the distributed administration really pulled us towards really focusing more and more on SaaS security as a primary focus area." (10:17)
The core of the discussion revolves around the "State of SaaS Security" report. Key findings include:
Increased Focus on SaaS Security:
Priority: 86% of organizations rank SaaS security as a top priority.
Jim Love: "People are really concerned about SaaS, I think your report says something like 86% of organizations is a top priority." (19:07)
Confidence vs. Reality: Approximately 80% express high confidence in their SaaS security programs, despite significant vulnerabilities.
Jim Love: "About half of them think report that organizations..." (19:53)
Major Security Challenges:
Identity Management: Human and non-human identities remain the core issues, with improper management leading to breaches.
Yanni Shawat: "Inherent dangers and risks associated with SaaS are still challenges for a lot of organizations." (14:12)
Data Exposure: Excessive and unmanaged file sharing leads to potential data breaches.
Yanni Shawat: "About 94% of external file shares in our customer tenants are not really accessed by the external collaborators." (16:24)
Weak Multifactor Authentication (MFA): Nearly 50% of SaaS breaches are linked to inadequate MFA protections.
Yanni Shawat: "Attackers realize that a lot of organizations think that MFA is the silver bullet to protect their attack identities." (17:44)
Shadow IT Concerns: Unmanaged SaaS applications introduced through shadow IT pose significant security risks due to lack of visibility and control.
Jim Love: "It's a bit of a contradiction... On one hand somebody’s pretty, this is getting our attention, we're paying a lot of attention to it. On the other hand we've got these really big weaknesses." (19:53)
Yanni outlines a three-layered approach to effective SaaS security:
Identification:
Discovery: Ensure all SaaS applications used within the organization are identified and inventoried.
Yanni Shawat: "Are you going to be able to even identify that somebody brought in your SaaS into your environment?" (27:15)
Protection:
Configuration Management: Utilize available security features (e.g., MFA, least privilege) to harden SaaS applications.
Yanni Shawat: "What are the controls? What are the toggles? What are the functionalities that I can control as a user..." (27:15)
Detection and Response:
Activity Monitoring: Continuously monitor user and administrative activities to detect and respond to suspicious behaviors.
Yanni Shawat: "Will you be able to monitor the activities within the application and to be able to detect breaches if and when they occur?" (27:15)
Additional Best Practices Discussed:
Collaborative Security Programs: Foster collaboration between security teams and business units to ensure secure SaaS adoption.
Yanni Shawat: "Collaboration with your business, whether it's the SaaS admins or the business users, is key..." (24:28)
Managing Non-Human Identities: Address the risks associated with machine identities and API integrations, which often lack robust security measures.
Yanni Shawat: "The non-human identities attack surface, or risk surface, related to SaaS apps is just huge." (31:07)
The conversation shifts to the future of SaaS security, emphasizing the impact of Generative AI (GenAI):
GenAI Integration: As SaaS platforms increasingly incorporate GenAI capabilities, new security considerations emerge, such as managing AI-generated employees and their access privileges.
Jim Love: "We're in the process of bringing non-human employees into our environment... they're AI-generated employees." (32:15)
Enhanced SaaS Security Tools: Continuous innovation is required to keep pace with the dynamic SaaS ecosystem, including advanced discovery and threat detection mechanisms.
Yanni Shawat: "The more we see GenAI delivered via SaaS, the more this will become an inherited aspect of SaaS security." (35:23)
Yanni introduces Valence Security's comprehensive SaaS security platform, designed to address the identified challenges:
Shadow IT Discovery: Automatically identify and inventory all SaaS applications in use within the organization.
Yanni Shawat: "We start with shadow IT discovery. We'll create an inventory of all your different SaaS applications..." (33:43)
SaaS Security Posture Management (SSPM): Integrate with over 100 SaaS applications to assess and enhance security configurations.
Threat Detection and Response: Monitor user and administrative activities to detect and respond to potential breaches promptly.
Yanni Shawat: "Our platform allows you to discover, protect and basically monitor your business-critical SaaS applications." (34:46)
Ease of Implementation: Valence offers an agentless solution that integrates seamlessly with existing SaaS environments, providing rapid risk assessments and actionable insights.
Jim wraps up the discussion by emphasizing the critical need for robust SaaS security measures in today’s cloud-centric business landscape. He encourages listeners to engage with the "State of SaaS Security" report for a deeper understanding and to consider adopting comprehensive security platforms like Valence Security to mitigate risks effectively.
Jim Love: "I'm your host, Jim Love. Have a great weekend." (36:59)
SaaS Security is Paramount: With the pervasive adoption of SaaS, ensuring the security of these applications is crucial for organizational resilience.
Identify, Protect, Detect, Respond: A layered security approach is essential to manage and mitigate SaaS-related risks effectively.
Collaborative Efforts: Security teams must work closely with business units to balance functionality and security, preventing shadow IT and ensuring comprehensive protection.
Adapt to Emerging Threats: As technologies like GenAI become integrated into SaaS platforms, security strategies must evolve to address new vulnerabilities and attack vectors.
For those interested in a deeper dive into SaaS security trends and strategies, accessing the full "State of SaaS Security" report by the Cloud Security Alliance is highly recommended. The report offers valuable insights and practical guidance to enhance your organization's SaaS security posture.