
SpinSPM / SSPM for Google Workspace™

See how SpinOne continuously evaluates Google Workspace™ configurations, flags risky settings, and applies guardrails to keep your environment compliant and resilient.

Transcription

Today, we are talking about SpinSPM, our SSPM solution for Google Workspace™.

There are three components that are part of SSPM: posture management, risk assessment, and user audit.

With SSPM, Spin is taking a two-pronged approach, addressing internal and external vulnerabilities.

Those internal vulnerabilities being misconfigurations: filling misconfiguration gaps, and taking an automated, proactive approach to monitoring misconfiguration drift being performed by users.

Here in our Posture Management section, this is all about those internal vulnerabilities.

We provide our customers with a rating of their SaaS environment as a whole, as to how secure it is.

A lot of organizations struggle to understand the security of their SaaS environment. With SpinSPM, we can accomplish that.

At a high level, I can see our posture summary. How are we getting the score that we are?

And I can see, from a historical perspective, when I first initiated SpinSPM and installed it (the whole install is about seven to eight minutes), where was I posture score-wise?

And of course, how much have I improved?

And lastly, at a high level, when it comes to standards such as CIS, the ISO 27001 series, SOC 2 or NIS 2, how am I stacking up?

Am I fulfilling a lot of controls that are in line with these standards?

Coming here to our Controls option, these are the in-house created security recommendations to harden and improve the security of this SaaS environment.

Each control has a point value associated with it.

When controls are fulfilled, those points are then contributed to your overall posture score.

In this case, looking at all of these controls, we can filter and say, show all controls mapped to NIS 2, or perhaps SOC 2, and we'll be able to see those controls. And if we click into a control, we're greeted with an understanding of what this control is all about.

What is it suggesting that we do in our admin console?

If we don’t know how to fulfill a control, we can reference the Actions page, which is a step-by-step guide on exactly how to fulfill this control in the live environment.

The whole purpose here is to know what you don’t know. With SSPM, think of this as a flashlight into your SaaS environment: to be up to date with industry best practices, understand misconfigurations, monitor misconfiguration drift, and overall not only to have high visibility, but to have actionability as well.

This is where Spin wins against other SSPM solutions.

Yes, every solution generally gives a ton of visibility, but where they lack is actionability.

They tell you what you don’t know, but they don’t tell you how to fix it.

With SpinSPM, we’re giving you that visibility and we’re complementing it with equal amounts of actionability.

Coming into a risk assessment, this is all about the external vulnerabilities: full visibility, actionability, automation, and education around all third-party extensions and applications; understanding the risks associated with them, having that visibility, having that education, and then, of course, having the actionability to remediate and block-list or allow-list extensions or applications.

We can understand the services that these extensions or applications are tied to by filtering by service, the permissions that they require of your users, and their category: are they time-wasters?

Are they for productivity?

Are they for accounting?

What it may be?

And compliance: to which degree of compliance do these extensions or applications claim to be?

Coming back to the Overview page, we’re greeted with a high-level understanding of the total apps that Spin has discovered in our SaaS environment, having access to our SaaS environment, whether it’s coming from Android, iOS, native Chrome, browser extensions, whatever it may be.

It’s important to emphasize here that Spin is not an agent-based solution.

Spin is completely agentless, and API-based.

Coming into our All Apps section.

Now we’re seeing all of the connected extensions or applications to our SaaS environment.

We can see the score here: closer to zero, more risky; closer to 100, the safer.

When we click into an extension or an application, we’re going to be greeted with an understanding of what it’s all about, and an AI summary telling us why it’s as risky as it is.

If we want to understand on a deeper level the risk associated with extensions or applications, and the permissions that they’re requiring of your users, that’s when you can reference the security scope.

This is a culmination of factors, 20-plus factors that are used to determine the risk associated with extensions and applications.

We can click into Security Risk and be greeted with an understanding that, hey, the domain has a verified history.

Great.

There’s no user data transmitted.

That’s all fine and good.

However, there are four vulnerabilities that have been found.

Two of them are high severity, the other two are medium severity.

Let’s investigate that.

Coming into our Vulnerabilities, Spin is showing you the vulnerabilities that we have detected, and even links to GitHub to show you the progress on them being patched.

And of course, this browser extension requests full access permissions to your data.

Are you comfortable with that, yes or no?

That’s the very simple question that Spin Risk Assessment is providing for our customers, one that they haven’t been able to ask themselves before.

That simple question.

Chiefly because they didn’t have full visibility into all of their extensions or applications, they didn’t understand how many had access to their SaaS environment.

Secondly, they didn’t have the education around what is or is not a risky extension or application.

They now do.

And thirdly, they didn’t have the actionability to remediate this by allow-listing or block-listing, much less have automation come into play and be able to proactively revoke access to extensions or applications that may have external communications to AI engines (DeepSeek, GenAI, whatever it may be), or, if one is requiring certain permission sets of your users, we can automatically revoke access. Or globally: if an extension or application is beneath a risk score of 30, for example, we can automatically revoke access.

We can also streamline approval processes for organizations looking to allow some or all of their extensions or applications.

When a user goes to bring in an extension or an application, a new log will appear, showing the user trying to utilize it, the risk score of the extension or application, and what the extension or application is.

And of course, when we click into this event, we can, right from the UI, understand the risk associated with those extensions or applications, and choose to approve or deny this request.

More than that, our end users can communicate with the IT team by saying, “I would like to get access,” whatever it may be, and justify why they need to be able to utilize this extension or application.

When it comes to proactively understanding the risk associated with extensions and applications, with Database we are giving our customers access to our entire registry of over 400,000 assessed extensions and applications, where any organization can come here, type in the extension or application name or ID, and be greeted with an understanding of the risk associated with those extensions or applications.

At a high level, I can click on AdBlock here, a very popular one utilized by users, Adblock Plus, Free AdBlocker, and understand the risk associated with it before I’ve even given it access to our SaaS environment.

Being that we’ve covered external vulnerabilities, coming into a hybrid part of SSPM, our user audit: just like with extensions and applications, how we are assessing the risk of those, we are doing the same thing on a user-by-user basis, showing you your top riskiest users.

We can click into Victor Smith here and have an understanding of how much storage they’re consuming from our backups, where they’re logging in geographically, the user’s exposure, and of course, the actions that they’re performing on the SaaS or Spin environment; incidents, meaning which security policies or automation rules I have created on Spin that this user is breaching; the exact extensions or applications that this user is utilizing; the data they have access to, with whom they’re sharing that data, and whether or not that data contains anything sensitive; and lastly, posture.

There are three breached configurations, and it looks like these are the three controls that this user is deviating from, therefore performing misconfiguration drift.

This has been SpinSPM for Google Workspace™.
