Last week, cloud computing company Shadow confirmed a data breach involving customers’ personal information. The hacker claims to have access to the data of more than 530,000 customers. According to an email from Shadow CEO Eric Sèle, the hacker managed to download this data from a software-as-a-service (SaaS) provider’s API. This is just a recent example in a long list of data breaches that have affected companies of all sizes.
And if you’re a tech CEO, you probably don’t want to be in that position. In the current regulatory landscape, you often have to notify privacy watchdogs and navigate regulatory obligations. More importantly, you risk losing the trust of your clients when you notify them of the breach.
That’s the reason why Zygon caught my attention. This new French startup reviews all the SaaS applications used by your team — and it doesn’t just cover officially sanctioned services, as it can also identify shadow SaaS services that some teams have been quietly using without telling the IT department.
At first, I thought Zygon could be particularly useful as a cost saving service. As many VC firms are still passing on deals that would have made sense a few years ago, some startups are actively reviewing their SaaS contracts to see if they can cancel a few subscriptions and extend their runway.
But the startup wants to go beyond this initial use case and build a security product for your SaaS services. Zygon recently raised a $3 million seed round led by Axeleo Capital, with Kima Ventures and several business angels also participating.
Visibility on shadow IT
After the initial inventory process, Zygon customers get a dashboard listing every SaaS application in use, along with the number of users per application.
“We are using the metadata of employee emails, we go through the entire email history and detect those that are related to a SaaS usage,” Zygon co-founder and Chief Product Officer Kevin Smouts told me.
For SaaS applications that are already connected to the official identity management solution, such as Okta, Zygon isn’t going to add much, since IT already has visibility and control over those accounts. But some SaaS startups have been particularly successful in recent years precisely because it takes just a few minutes to create an account and get started, with no involvement from IT.
They are taking advantage of that by promoting bottom-up adoption with freemium plans, self-service usage and virality features. Dropbox, Zoom or Notion are popular examples of this trend.
And SaaS sprawl creates three different issues for businesses — security, legal and costs.
Instead of building an integration with every single SaaS product on earth, Zygon mirrors that bottom-up model and decentralizes security across the organization. Zygon encourages you to designate a SaaS admin for each tool, who is then in charge of how that specific tool is used in the organization.
Those admins get recommendations on security configuration tasks, multi-factor authentication and more. For popular applications, IT departments can take over as admins and prioritize the rollout of SSO authentication so that account provisioning and deprovisioning are under central control.
More generally speaking, Zygon brings some measure of control over SaaS usage. If someone has multiple accounts for the same service, Zygon can flag that. If several employees are sharing a single account, Zygon can also identify that. And if a company wants to comply with SOC 2 and ISO frameworks, the inventory helps by shrinking the unmanaged attack surface and giving auditors a list of who has access to what.
Zygon can be particularly useful when someone quits or when there is a wave of layoffs. It can list services that are still active even after an employee has left the company.
“In the current situation, IT is only in control of a very small number of SaaS applications. And most accounts remain active for a very long time after employees’ departures — in the current context of layoffs, these are gaping security holes. We go further by detecting which SaaS applications have APIs or access keys that also need to be ‘rotated’ in the event of an employee departure,” Smouts said.
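The two techniques described above, building a SaaS inventory from e-mail metadata and using it to catch duplicate accounts, shared accounts and accounts that outlive an employee's departure, fit in one short script. The following is an added example written for this page, not Zygon's code; the SaaS domain catalogue, the directory, the departure dates and the message headers are all constructed for the illustration, and the `API_KEY_APPS` set stands in for whatever knowledge a real product has about which services issue access keys.

```python
"""Added example (not Zygon's code): SaaS inventory from e-mail metadata.

Only headers are used (To, From, Date); bodies are never read. Every data
structure below is constructed for the example.
"""
from collections import defaultdict
from datetime import date
from email.utils import parseaddr

# Constructed catalogue: sender domain suffix -> SaaS app name.
SAAS_CATALOGUE = {
    "notion.so": "Notion",
    "zoom.us": "Zoom",
    "dropbox.com": "Dropbox",
    "slack.com": "Slack",
}
# Assumption for the example: apps that hand out API/access keys which
# must be rotated when a user leaves.
API_KEY_APPS = {"Notion", "Dropbox", "Slack"}

# Constructed directory: mailbox -> set of employee ids. A group alias maps
# to several people, which is how a shared account shows up.
DIRECTORY = {
    "alice@corp.example": {"alice"},
    "alice.martin@corp.example": {"alice"},
    "bob@corp.example": {"bob"},
    "carol@corp.example": {"carol"},
    "design@corp.example": {"bob", "carol"},
}
DEPARTED = {"bob": date(2023, 9, 30)}  # employee id -> last working day

# Constructed message metadata; the last one is ordinary mail, not SaaS.
MESSAGES = [
    {"to": "alice@corp.example", "from": "Notion <notify@mail.notion.so>", "date": date(2023, 8, 1)},
    {"to": "alice.martin@corp.example", "from": "notify@mail.notion.so", "date": date(2023, 8, 5)},
    {"to": "bob@corp.example", "from": "no-reply@zoom.us", "date": date(2023, 10, 14)},
    {"to": "design@corp.example", "from": "no-reply@dropbox.com", "date": date(2023, 10, 2)},
    {"to": "carol@corp.example", "from": "feedback@slack.com", "date": date(2023, 7, 20)},
    {"to": "carol@corp.example", "from": "newsletter@example.org", "date": date(2023, 7, 21)},
]


def sender_app(from_header):
    """Map a From: header to a catalogue app by domain suffix, so that a
    sub-domain such as mail.notion.so still counts as Notion."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for suffix, app in SAAS_CATALOGUE.items():
        if domain == suffix or domain.endswith("." + suffix):
            return app
    return None


def build_inventory(messages):
    """Return {app: {mailbox: last date SaaS mail was seen}}."""
    inventory = defaultdict(dict)
    for msg in messages:
        app = sender_app(msg["from"])
        if app is None:
            continue
        box = msg["to"].lower()
        seen = inventory[app]
        if box not in seen or msg["date"] > seen[box]:
            seen[box] = msg["date"]
    return inventory


def users_per_app(inventory):
    """Distinct employees per app; group aliases expand to their members."""
    return {app: len(set().union(*(DIRECTORY.get(b, set()) for b in boxes)))
            for app, boxes in inventory.items()}


def duplicate_accounts(inventory):
    """One employee receiving account mail for the same app at several mailboxes."""
    findings = []
    for app, boxes in inventory.items():
        per_employee = defaultdict(set)
        for box in boxes:
            owners = DIRECTORY.get(box, set())
            if len(owners) == 1:
                per_employee[next(iter(owners))].add(box)
        for emp, mailboxes in per_employee.items():
            if len(mailboxes) > 1:
                findings.append((app, emp, sorted(mailboxes)))
    return findings


def shared_accounts(inventory):
    """Accounts whose mailbox is a group alias, i.e. used by several people."""
    return [(app, box, sorted(DIRECTORY[box]))
            for app, boxes in inventory.items()
            for box in boxes if len(DIRECTORY.get(box, ())) > 1]


def offboarding_report(inventory, departed):
    """Accounts still receiving SaaS mail after an employee's last day, with a
    flag for apps whose API keys must be rotated as well."""
    report = []
    for app, boxes in inventory.items():
        for box, last_seen in boxes.items():
            for emp in DIRECTORY.get(box, ()):
                left = departed.get(emp)
                if left is not None and last_seen > left:
                    report.append({"app": app, "employee": emp, "mailbox": box,
                                   "last_seen": last_seen,
                                   "rotate_api_keys": app in API_KEY_APPS})
    return report


if __name__ == "__main__":
    inv = build_inventory(MESSAGES)
    print("users per app:", users_per_app(inv))
    print("duplicate accounts:", duplicate_accounts(inv))
    print("shared accounts:", shared_accounts(inv))
    for row in offboarding_report(inv, DEPARTED):
        print("still active after departure:", row)
```

On the constructed data the script reports one duplicate (alice holds Notion under two mailboxes), one shared account (the design@ alias on Dropbox) and two offboarding findings for bob: his personal Zoom account and the shared Dropbox account, the latter flagged for key rotation because a departed member still knows its credentials. That last case is the one a per-user deprovisioning list misses, which is why shared accounts and API keys deserve their own pass.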