Safety Detectives: Please share your company background, how you got started, and your mission.
DoControl: DoControl is a SaaS security company. In 2019, our co-founder and CEO Adam Gavish worked as a product manager on the Google Cloud Security and Privacy team in charge of the user experience for their heavily regulated customer base (FedRAMP, CJIS). In talking with customers, he realized that in order for them to onboard to Google Cloud, they needed to learn, set up, and maintain dozens of different security controls and policies; to keep data access secure, remain compliant, and prevent admin misconfigurations.
This is why we started DoControl. We help organizations balance between SaaS security and business enablement. And we prevent data breaches in the most popular SaaS applications, from Google Drive to Slack to Dropbox and many, many more. DoControl provides IT and security teams with the automated, self-service tools they need for data access monitoring, orchestration, and remediation within SaaS applications.
SD: What is the main service your company offers?
DoControl: Data access controls and governance over critical SaaS applications being leveraged to drive business enablement. We identify exactly where critical data is exposed and apply consistent data access controls across those apps—regardless of the application’s native capabilities—ensuring data can be safely accessed by all internal and external users.
DoControl identifies anomalous activity across the SaaS estate to automatically close vulnerabilities and proactively stop threats before they do irreparable damage. With DoControl, our customers can adopt the SaaS applications required to drive the business forward in a secure way, while reducing your operational costs and liability risk.
SD: What is something unique that helps you stay ahead of your competition?
DoControl: Automated risk remediation of data overexposure is unique to DoControl. There are other SaaS application security vendors out there, but their focus is more on the configuration, operations, management—and other aspects of securing SaaS application environments. At DoControl, we first provide visibility into all the different users and identities leveraging SaaS, as well as each event and activity by each individual user (both internal users and external collaborators). We then help our customers establish a baseline of data access across the entire stack of SaaS applications to understand typical SaaS activity and identify anomalous data access. Lastly and most importantly, we automate secure workflows and risk-remediation through dynamic policy enforcement to help balance corporate security with business enablement.
Beyond feature/functionality uniqueness, as a solution, DoControl is able to extend Zero Trust to the SaaS data application layer. Most organizations today have adopted the concept of Zero Trust, and as such have introduced (or in some instances already had in place) security tools and technologies that supported the concept of “never trust, always verify.” The DoControl solution provides granular data access controls that support Zero Trust models and strategies.
SD: Your company focuses on “ZERO TRUST DATA ACCESS” – can you explain what that is, and what sets it apart from from “zero trust network access”?
DoControl: DoControl Zero Trust Data Access (ZTDA) takes the principle of least privilege and the concept of micro segmentation and extends it throughout SaaS application environments, which are one of the most critical data sources for an enterprise attempting to align to the Zero Trust model.
We deliver a single security strategy that takes Zero Trust beyond the identity, network, and device levels. The DoControl solution provides the granularity required to assume implicit trust is not granted to any user inside or outside the organization, further down the stack and deeply ingrained into the SaaS application data layer.
Continuous monitoring across all SaaS events and activities provides a baseline understanding of normal activity, and automatically identifies anomalous data access events. Granular data access control policies allow for consistent enforcement of least privilege access across the SaaS applications being leveraged by the organization. Workflows are triggered automatically based on end-user activity that is matched against rich micro-segmentation of users, collaborators, groups, assets, domains, and much more.
ZTDA moves security closer to critical resources that drive the modern business forward. What sets us apart from Zero Trust Network Access is the fact that we are delivering a deeper, more granular set of preventative controls. ZTNA is providing a secure connection to users and identities, but once that connection is brokered, those users have that ability to interact (access, manipulate, and share) sensitive company data that lives within SaaS apps. This is where DoControl comes into play.
SD: What do you think are the worst/top cyberthreats today?
DoControl: One of the biggest threats today is the evolving state of remote/hybrid working environments. Most organizations made the necessary adjustments to keep their business afloat, but having a strong security posture and enabling business continuity is an ongoing effort. Attackers now realize that most organizations have made these adjustments, and are looking for new vulnerabilities in these working environments to exploit. SaaS applications are one of the many technologies that were quickly adopted to enable the business, it’s important that organizations are tightening up the security of these and other technologies that were brought into the fold.
SD: What your #1 tip for CISOs for 2022?
DoControl: Narrowing it down to one is difficult. Finding the right balance between technology, people and process is fundamental in today’s threat landscape. Adopting an “assume breach” mentality to your security programs is also important, placing your focus on breach recovery and not just breach prevention. Another thing is to take a risk-based approach, focus on remediating the most risk first and then scale out from there.