AiThority Interview with Tim Bach, VP of Engineering at AppOmni
Hi Tim. Tell us about your journey and how you arrived at AppOmni.
I’ve been in the security industry for the past eight years and have been fortunate to work on a variety of security problems during that time. I started my career at Salesforce where I initially focused on Product Security as well as security reviews of third party integrations. It was at Salesforce that I started to spend more and more time focusing on the Security Engineering function, which I look at as a way for security teams to build force multiplying technology that gives their teams and decision makers better data and tools to secure their organizations. After Salesforce, I spent some time working on Apple’s security engineering team thinking about similar challenges before the lure of solving SaaS security challenges I’ve seen companies of all shapes and sizes deal with throughout my career brought me to AppOmni.
How can companies secure their SaaS applications in a modern digital business world?
The first SaaS applications were accessed only through an organization’s network. But SaaS applications have quickly evolved into complex platforms. There are now many additional access points to SaaS data that happen outside the network, such as third-party applications that connect through OAuth, IoT connections, and external users.
Unfortunately, SaaS security hasn’t kept up. We most often see enterprises using a CASB (cloud access security broker) plus periodic pentesting. If an enterprise uses a CASB, it’s missing all access that happens outside of the network. And if the enterprise is doing periodic manual pentesting, it’s getting only a one-time snapshot of the environment that changes as soon as new users are added, a configuration is changed, or a new update is released by the vendor. This is why we’re seeing so many recent breaches coming from third-party apps – they are usually completely unknown and unmonitored by enterprise security teams.
To fully secure SaaS environments, security teams need tools that continuously monitor all SaaS access points and configurations.
What kind of precautions should application development teams take while designing an app for Salesforce or other marketing platforms?
Developing against SaaS platforms like Salesforce, ServiceNow, and others today can be nearly as full-featured and complicated as developing traditional, stand-alone applications. With this flexibility comes increased responsibility on the development team to adhere to best practices and perform proper security testing of their applications during development.
As an example, many SaaS applications including Salesforce put the responsibility of enforcing access controls on the third-party application’s code, not on the base platform. This caveat of the shared responsibility model is well documented, but not always understood or acted upon by development teams, and may not be easily identified by SaaS administrators installing third-party applications.
Another safe option is to make use of the platform-provided low-code or no-code application development tools, which put more of the onus for security back onto the shared code provided and maintained by the SaaS platform. This comes at the expense of some flexibility, design choices, and feature capabilities – so it is still incumbent upon the developer to choose the right development strategy.
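The shared-responsibility point above is easiest to see in code. The following is an added illustration written for this page, not AppOmni’s tooling or Salesforce’s own sample code: two versions of a Lightning controller that returns Contacts for an Account. The first leaves access control entirely to the platform, which on Salesforce means no control at all; the second does the work the platform expects app code to do. `SSN__c` is a hypothetical custom field, and the two classes would live in separate files in a real project.

```apex
// Example 1 (vulnerable): the platform enforces nothing here.
// Apex runs in system mode, so "without sharing" bypasses record-level
// sharing, and a plain SOQL query ignores the caller's object- and
// field-level permissions. The filter is also built by string
// concatenation, so accountId is a SOQL injection vector.
// SSN__c is a hypothetical custom field used for illustration.
public without sharing class ContactExportController {
    @AuraEnabled
    public static List<Contact> getContacts(String accountId) {
        String soql = 'SELECT Id, Name, Email, SSN__c FROM Contact '
                    + 'WHERE AccountId = \'' + accountId + '\'';
        return Database.query(soql);
    }
}

// Example 2 (hardened): the same controller taking responsibility for
// access control itself, as the platform expects third-party code to do.
public with sharing class ContactExportControllerSafe {
    @AuraEnabled(cacheable=true)
    public static List<Contact> getContacts(Id accountId) {
        try {
            // "with sharing" applies the running user's record visibility;
            // the typed parameter plus bind variable removes the injection;
            // WITH SECURITY_ENFORCED makes the query fail if the user lacks
            // read access to Contact or to any selected field.
            return [SELECT Id, Name, Email, SSN__c
                    FROM Contact
                    WHERE AccountId = :accountId
                    WITH SECURITY_ENFORCED];
        } catch (System.QueryException e) {
            // Return a safe error to the UI rather than the raw query failure.
            throw new AuraHandledException('Insufficient access to contact data.');
        }
    }
}
```

`WITH SECURITY_ENFORCED` is the strict option: one unreadable field fails the whole request, which is usually what you want for an export. Where the UI should degrade instead, `Security.stripInaccessible(AccessType.READABLE, records)` removes the fields the user cannot see and returns the rest. Either way the decision is made in the app’s code, which is exactly the responsibility an administrator installing a package cannot see from the outside.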
Tell us more about your remote workplace collaboration tools and how you see the future of such apps in the growing competitive tech space?
The increased adoption of remote workplace tools that we saw in 2020 will continue into the foreseeable future. As companies – and more importantly their employees – continue to recognize that geographic location is less and less a factor, the hub-and-spoke model of employment will become more commonplace.
This will necessitate continued adoption of remote workplace collaboration tools like Slack, Zoom, GSuite, etc. as well as their interconnectedness with business critical applications such as Salesforce, ServiceNow, and others. This adoption will continue to grow even as we return to travel and in-person collaboration, as the norm will now be distributed teams.
How has the COVID-19 pandemic impacted cloud services?
One of the most notable impacts of the pandemic, and the resulting shift to remote work in early 2020, was the acceleration of migrations to cloud services that were already planned or underway. Almost overnight, changes that may otherwise have been implemented over the course of multiple quarters were put into effect, pushing more business processes, workloads and sensitive data into cloud services.
Even as the importance of having proper security monitoring and controls on cloud services increases, security teams aren’t immune from the transition. Security teams, like the rest of the business, are adjusting to remote operations as well, which can itself necessitate new or newly expanded cloud services.
In my experience, most security teams are well suited for this as they’ve already had to utilize similar capabilities to distribute operations teams in different geographies allowing for a follow-the-sun, always-on model – now they are shifting to an even more distributed model.
That said, the core security challenges of a move to the cloud are the same for security teams as they are for the businesses they are securing. More data and workloads in the cloud means additional systems with sensitive data to secure. Most notably, over the past year we’ve continued to see danger in the proliferation of third party cloud-to-cloud connections and over-provisioned users and applications.
Why does AppOmni stand out in the industry?
We help organizations tackle some of the most important SaaS vulnerabilities that are often overlooked by security and IT teams. While traditional cloud security tools monitor network access, the breaches that we’ve seen recently are stemming from non-network access points, such as third-party applications connected to SaaS environments, over-provisioned users, and/or public access portals. AppOmni was designed to unceasingly monitor all of these non-network data access points as well as configuration settings for third-party applications and both internal and external users to SaaS systems.
What is one question you wish every CISO would answer?
How many third-party apps are connected to your SaaS environment and do they have access to your sensitive data? Do they have permission to manage users and change configurations?
Our data shows that the average enterprise has 42 third-party connected apps with access to data. Most were unknown to security teams. I think that getting visibility and control over these apps is one of the most crucial steps security teams need to take.
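One concrete way to start answering that CISO question for a Salesforce org, and to get the continuous view of third-party OAuth access that the earlier answer on CASBs and periodic pentests called for, is to inventory the tokens that connected apps actually hold. The script below is an added example written for this page, not AppOmni’s product or Salesforce sample code. It is anonymous Apex that counts tokens per app and flags tokens tied to users who can manage users or modify all data, tokens belonging to deactivated users, and tokens idle for a long time. It assumes the standard `OauthToken` object exposes `AppName`, `UseCount`, `LastUsedDate` and a `User` lookup, and that `Profile` exposes `PermissionsManageUsers` and `PermissionsModifyAllData`; confirm those names against your org’s describe output before relying on it. The 90-day threshold is an arbitrary choice.

```apex
// Anonymous Apex: run from the Developer Console or the sf CLI as an admin.
// Assumed object and field names: OauthToken.AppName, UseCount, LastUsedDate,
// User lookup; Profile.PermissionsManageUsers, PermissionsModifyAllData.
Integer staleDays = 90; // arbitrary threshold for "idle" tokens
Datetime staleBefore = System.now().addDays(-staleDays);

Map<String, Integer> tokensPerApp = new Map<String, Integer>();
List<String> findings = new List<String>();

for (OauthToken t : [SELECT AppName, UseCount, LastUsedDate,
                            User.Username, User.IsActive, User.Profile.Name,
                            User.Profile.PermissionsManageUsers,
                            User.Profile.PermissionsModifyAllData
                     FROM OauthToken]) {
    // Count how many live tokens each connected app holds.
    Integer n = tokensPerApp.containsKey(t.AppName) ? tokensPerApp.get(t.AppName) : 0;
    tokensPerApp.put(t.AppName, n + 1);

    // An OAuth token acts with the full rights of its user, so an app holding
    // a token for an admin can manage users and change configuration.
    if (t.User.Profile.PermissionsManageUsers || t.User.Profile.PermissionsModifyAllData) {
        findings.add('ADMIN-LEVEL: ' + t.AppName + ' acts as ' + t.User.Username
                     + ' (' + t.User.Profile.Name + ')');
    }

    // Tokens for deactivated users, or never/long unused, are dead access.
    // Revoking one is a delete of the OauthToken record.
    if (!t.User.IsActive) {
        findings.add('INACTIVE-USER: ' + t.AppName + ' for ' + t.User.Username);
    } else if (t.LastUsedDate == null || t.LastUsedDate < staleBefore) {
        findings.add('STALE: ' + t.AppName + ' for ' + t.User.Username
                     + ', last used ' + t.LastUsedDate + ', use count ' + t.UseCount);
    }
}

System.debug('Connected apps holding tokens: ' + tokensPerApp.size());
for (String app : tokensPerApp.keySet()) {
    System.debug(app + ': ' + tokensPerApp.get(app) + ' token(s)');
}
for (String f : findings) {
    System.debug(f);
}
```

Run once, this gives the snapshot a pentest would; scheduled, and with the findings shipped to a SIEM instead of the debug log, it becomes the continuous monitoring the interview argues for. The first line of output is the answer to “how many third-party apps are connected”, and the ADMIN-LEVEL findings are the answer to “can they manage users and change configurations”.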
Tag a person from the industry whose answers you would like to read here:
Madhu Chamarty, BeyondHQ
Thank you, Tim! That was fun and we hope to see you back on AiThority.com soon.
Tim Bach is a VP of Engineering at AppOmni
AppOmni is the only SaaS CSPM solution that gives teams all the tools they need to be successful – from security posture management to monitoring and detection to continuous compliance.
To properly secure and manage the use of critical SaaS applications, Security, Compliance, and IT teams need a comprehensive solution that enables immediate visibility, proactive posture monitoring, normalized event streams, and effective compliance tooling. AppOmni is that solution.
Founded in 2018, AppOmni empowers Security, Compliance, and IT teams with unique capabilities across all phases of a mature Cloud Security Posture Management (CSPM) program. Unlike traditional security and management tools, AppOmni deeply understands SaaS applications and provides immediate visibility, management, and detection capabilities. The company’s leadership team brings expertise and innovation from leading SaaS providers, high tech companies, and cybersecurity vendors.