Hyper-Automated SaaS App Mesh Security (Sounds More Complicated Than It Is)

This article was written by Ed Amoroso and Chris Wilder.

As cybersecurity industry analysts, we’ve been trained to look for outliers and originality. And with nearly 4,000 commercial vendors in our TAG Cyber Research as a Service (RaaS) database, we can assure you that outliers and originality do not come often. Many of the vendors we hear from seem manufactured from a Mad Libs game of security terms: Distributed GRC for Mobile, Virtualized SIEM for ICS, Decentralized IAM for SMBs, and so on.

So, when a genuinely original cybersecurity solution emerges on our Zoom screens, we notice. This past week, we met Yoni Shohet , Founder and CEO of Tel Aviv-based start-up Valence Security . Valance recently announced that it had raised a $7 million seed round from private and institutional investors. The company has also built a who’s-who of cybersecurity investors and board members in a short amount of time.

As Yoni’s presentation unfolded, we had that awesome moment as industry analysts when you set down your coffee to listen more carefully. If you read the title of this blog, you get the general idea of the Valence emphasis, but perhaps it would be helpful to break things down a bit.

To start, recognize that today there is considerable attention on the securing of applications, but little focus on application-to-application and system-to-system security, or on how non-human workloads interact with an organization. This is a gap in most enterprise protection schemes.

The Valence platform addresses this gap via a so-called business application mesh that emerges across SaaS infrastructure. At first glance, this mesh, which is a distributed system of interdependent apps, might look ad hoc. But when you dig in more closely, which is what Valence does, things start to make more sense. Or at least that’s the hope. When things don’t make sense – well, that's when you must take action.

Suppose that some enterprise is using MS365, SAP, DocuSign, Salesforce, and Workday. In the old days, these apps would be hosted on servers in a physical data center. But today, they are implemented as workloads on SaaS-hosted systems – and their interconnection forms a dynamic network. The network extends via app marketplaces that support connection to additional third-party services and apps. Valence refers to this whole thing as a mesh – and the metaphor seems to work.

Driving the communication is something called hyper-automation. It’s a term that is sadly invented by analysts, which is why it makes little sense. (What’s the difference between automation and hyper-automation? Do the electrons move more quickly?) Anyway, the management, administration, coordination, computation, and data sharing between the SaaS apps is what creates this dynamic distributed mesh network.

As you’d expect, two things can happen when you review the details of a hyper-automated app mesh: Either you become satisfied that every dependency, sharing, and connection is exactly as expected - which is unlikely. Or, more likely, you will find that certain interactions are not as expected.

In our discussion with Valence, Yoni shared that many customers discover shadow SaaS-to-SaaS connections. That’s valuable, especially because such unknown IT remains a significant challenge for SecOp teams. Valance has apparently also found success supporting vendor risk management by ensuring alignment between the level of access third parties have compared to the internal business and risk assessment requirements.

Traditional analyst buckets don’t fit this capability, which is why we like it so much. It has valuable aspects of emerging SaaS Security Posture Management (SSPM), and it extends Attack Surface Management (ASM) into the SaaS infrastructure. But in the end, enterprise teams shouldn’t concern themselves with categories. They should buy what can help them – and we think this business application mesh solution is an excellent idea.

Admittedly, we haven’t run the tool, and we have not spoken with users of the Valence solution (yet). But this is a promising technology with considerable upside for enterprise security teams who've watched their SaaS applications sprawl across their virtual Intranet. In fact, for many employees, day-to-day work life is a game of selecting which application buttons to click for which functions.

Have a look at Valence and let us know what you think. We look forward to your feedback.