 
╔═══════════════════════════════════════════════╗
║  $ cat security/architecture.md               ║
╚═══════════════════════════════════════════════╝

# Security Architecture

Cloudflare + GCP stack design, ingress hardening, infrastructure security

> Addressing Shadow SaaS with a SASE-Driven Approach

2025-10-10

If I were asked to design a way to bring shadow SaaS usage under control in a remote, cloud-native organization, I’d avoid a full Zero Trust rebuild and instead apply SASE-driven visibility and identity enforcement.

The idea is simple: discover what’s in use, classify the risk, and make sure every tool ends up under a measurable control path — integrated, proxied, or at least monitored.

1. Understanding the Problem

Shadow SaaS appears wherever teams need speed.
Tools get adopted without security review, creating unmanaged identities, exposed data flows, and inconsistent offboarding.

Typical issues:

No SSO/MFA or direct IdP integration
Orphaned accounts and shared credentials
Hardcoded API keys or service accounts
Untracked data transfers between SaaS tools
Little visibility into OAuth grants and usage scope

These risks don’t stem from bad intent — they’re the byproduct of autonomy and cloud convenience.
The goal isn’t to block SaaS; it’s to make secure usage effortless and visible.

2. My Approach

The workflow I designed follows a simple, repeatable logic:

1. Discover → 2. Assess → 3. Integrate → 4. Enforce → 5. Monitor

Each SaaS application moves through this process, landing on the strongest control it supports.

1. Discover

Gather evidence of SaaS activity from multiple angles:

DNS / proxy logs — outbound connections to known SaaS domains
Financial data — expense records revealing subscriptions
IdP logs — OAuth grants and unrecognized applications

The result is a living inventory of both sanctioned and unsanctioned tools.

2. Assess

Once identified, applications are ranked by:

Integration depth (how embedded they are in workflows)
Usage metrics (number of active users, data exchanged)
Data sensitivity (PII, credentials, source code, etc.)

This forms a risk matrix to prioritize which SaaS apps need attention first.

3. Integrate

If the app supports SAML, OIDC, or SCIM, integrate it with the existing IdP (e.g., Okta, EntraID).
This enables consistent SSO, MFA, and automated provisioning/deprovisioning.

If the app lacks native IdP support:

Wrap it behind Cloudflare Access as an identity-aware reverse proxy.
- Users authenticate through the IdP, and Cloudflare enforces policy before reaching the SaaS.
- Traffic and identity are logged for auditing.

This maintains identity-centric access control even for legacy or non-standard apps.

4. Enforce

For SaaS that can’t be proxied, shift enforcement to the network edge using Cloudflare’s Secure Web Gateway (SWG) and CASB:

Detect and classify new SaaS tools in real time
Apply data loss prevention (DLP) rules to uploads/downloads
Block or alert on access to high-risk services
Maintain a record of sanctioned vs. unsanctioned use

This ensures that even unintegrated tools are still visible and governed.

5. Monitor and Review

Each cycle feeds back into the inventory and risk matrix:

Are new SaaS apps appearing?
Did integrations drift or break?
Are DLP or policy exceptions increasing?

Automation ties everything back to the IdP lifecycle — access is provisioned, adjusted, or revoked based on HR or identity events.

3. Control Hierarchy

Every SaaS tool ends up somewhere on this spectrum:

Control Level	Example	Control Method
Integrated	Supports SAML/SCIM	IdP SSO + Lifecycle
Proxied	No native SSO	Cloudflare Access (Identity Proxy)
Monitored	Public SaaS / cannot proxy	Cloudflare SWG + CASB (DLP, alerts)

There’s always some measurable control — never an invisible app.

4. Why SASE Fits This Problem

Traditional IAM focuses on login events, not continuous usage.
SASE extends enforcement to where access actually happens — between the user and the SaaS platform.

Key advantages:

Identity and network policies combined at the edge
Real-time SaaS discovery and traffic inspection
Global consistency for distributed teams
Works with existing IdP — no architectural rebuild

This model gives the organization visibility and control without forcing every SaaS tool to support modern identity standards.

5. Implementation Path

A realistic rollout would look like this:

Pilot: onboard a few key SaaS tools via Cloudflare Access, validate experience.
Visibility Expansion: deploy SWG for outbound monitoring and CASB for automated discovery.
Policy Enforcement: apply DLP and access controls for higher-risk categories.
Automation: integrate SASE events with IdP and HR systems for lifecycle triggers.
Continuous Review: feed findings into the risk matrix and adjust policies.

6. Measuring Progress

Practical metrics to track maturity:

% of SaaS with SSO + MFA
Reduction in unmanaged SaaS month-over-month
Mean time to revoke access after offboarding
Number of SaaS apps with DLP policies applied
Coverage of CASB discovery reports

7. Outcome

A SASE-driven model provides a realistic way to bring shadow SaaS under governance:

Continuous discovery and classification
Identity-aware control for non-integrated tools
Network-level DLP and monitoring for everything else
Unified logging for compliance and forensics

This approach doesn’t attempt a full Zero Trust transformation — it builds toward it, one SaaS tool at a time, ensuring visibility, control, and gradual improvement without disruption.