AppOmni and DoControl announced software-as-a-service offerings this week. Pictured: Visitors crowd the cloud computing services presentation at the CeBIT technology trade fair on March 2, 2011, in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

Two companies came out with announcements in the past day that seek to help businesses more effectively manage security across SaaS apps, underscoring an increased interest in securing software-as-a-service environments.

On Wednesday AppOmni announced its Developer Platform, which promises to help organizations extend visibility and ensure consistent protection across all of their SaaS applications and any custom SaaS app built in-house. The AppOmni Developer Platform will be available to select partners this June, with broader availability later in 2022.

DoControl on Thursday announced it raised a $30 million Series B funding round to build out its SaaS data access control solution. The company aims to harness user interactions and API access across SaaS apps and feed it to no-code workflows that automatically identify, respond to, and remediate threats stemming from SaaS data policy violations. DoControl promises to eliminate the enterprise threats created by departing employees, third-party vendors, and cross-team collaboration. 

AppOmni and DoControl are expanding an organization’s ability to secure SaaS applications, said Jack Poller, senior analyst at the Enterprise Strategy Group. Poller said while a cloud access security broker (CASB) acts as a security gateway between the user and the SaaS app, the CASB only has visibility and control over user authentication and data in motion. Poller said AppOmni and DoControl leverage SaaS app APIs to gain visibility into the inner workings of the apps, and thus can provide more controls to enhance security.

“For example, to reduce the risk of sensitive data exposure, a security team could create a policy to automatically expire file-sharing links after 30 days for the marketing group,” Poller explained. "With AppOmni, these types of policies can be defined programmatically. DoControl provides a no-code environment to develop policies as workflows that can include multiple user interactions: instead of arbitrarily expiring all shares, and possibly disrupting critical projects, the policy could ask the user if the share was still needed, and automatically keep or expire the share based on the user’s response. These types of fine-grained policies can increase security by addressing the unique use cases specific to different types of SaaS apps.”

Frank Dickson, program vice president for security and trust at IDC added that as the industry moves from infrastructure-as-a-service (IaaS) to SaaS, it cedes greater levels of responsibility for security to the cloud providers. However, Dickson said we don’t cede all responsibility as our SaaS providers do not provide control and security for the users that access the application — essentially identity controls — and for the data placed in the application. 

“Responsibility for managing identity, roll-based access, authentication and data access remains with organizations,” Dickson said. “Tools that provide data access visibility across SaaS applications are rare. Qualys was one of the early innovators in the space with its Qualys SaaS Detection and Response offering. SOC teams need the visibility for threat detection. InfoSec professionals need the visibility for governance and compliance. It’s definitely an area that is seeing product innovation.”