In late 2020, the security team at Rakuten received a tip from a security researcher that a Salesforce misconfiguration was exposing the private data of nearly 1.5M customers. By the time they went public with the news of the breach, they learned that the misconfiguration had remained undetected for almost five years.
Rakuten is hardly alone in experiencing security failures from SaaS application settings. As businesses go remote, move to the cloud, and become more agile, security teams are swimming in SaaS user permission and configuration changes that they have no way of keeping track of. With accelerated digital transformation efforts, these SaaS systems have widespread access to vital and sensitive company and consumer data.
Today we’re delighted to announce our investment in the Series B for AppOmni, the leading software platform for SaaS application security. We’d like to share why we think AppOmni’s solution is an important pillar of enterprise security in the era of SaaS and distributed workforces.
AppOmni Secures Cloud Applications
AppOmni tracks cloud applications’ configurations, permissions, and activities to detect vulnerabilities and anomalous behavior. Configuration changes can come from the cloud providers themselves, often introducing new settings and behaviors that have security implications. Even when customers are able to track their own configuration changes effectively, keeping up with each vendor’s myriad frequent changes is an untenable task.
The company is targeting three security aspects of enterprise SaaS environments:
- Business users buy and configure applications without involving IT, despite the access these apps have to mission critical data sources.
- Even experienced IT administrators can unintentionally create vulnerabilities from misconfigurations, especially when their users prioritize convenience over security.
- Enterprise SaaS environments are dynamic, making finding and fixing every vulnerability a near impossibility.
Before AppOmni, security teams lacked a useful view into how SaaS apps themselves affect security. After all, many SaaS applications are like operating systems with thousands of permissions and many interconnected external applications. Even if a security professional could subscribe to and monitor all the changes users and admins are making day by day, they still don’t always know which settings are benign and which aren’t. AppOmni goes deep into an application and maps each permission, setting, and data type onto an ontology. As permissions are changed, the AppOmni system reviews changes and surfaces the most risky ones. These alerts are fed into an organization’s existing security operations, often a SOC, and triaged by analysts.
AppOmni might flag something like a user in the engineering department given access to credit card transactions. This might be expected — but it also could be a regulatory infraction if that user shouldn’t have access to those records. Organizations can specify the types of things that are important to them and apply custom policies specific to their organization.
The AppOmni team is already working with several of the world’s largest companies, giving confidence to future customers that their product can handle the most complex of situations.
Strong Team and Strong Traction
We’re excited to be working with AppOmni’s co-founders Brendan O’ Connor (CEO) and Brian Soby (CTO). Brendan has long been on the forefront of cybersecurity as the former Chief Trust Officer (CSO) at Salesforce and Security CTO at ServiceNow. Brian similarly had a long career in security including on the Salesforce product security team. AppOmni is attracting a growing team of senior security professionals with the collective experience crucial for success in this new product category. Their rapid growth during 2020, in spite of the Covid-induced macroeconomic slowdown, points to just how much CISOs need a solution like AppOmni.
The future of enterprise security is greater complexity as SaaS deployments increase, employees work from more locations, and compliance needs grow in importance. A dedicated solution for monitoring cloud application security and enforcing policy plays an important role in protecting enterprises from new threats — and the even bigger problem of employee mistakes.
Eric Anderson contributed to our investment in AppOmni.