
Smartsheet enhances enterprise-grade security for scale

by Gihan Munasinghe

February 12, 2024

As the SVP for Engineering at Smartsheet, Gihan leads our Platform teams, which focus on our identity, access, and policy space, our data integration workflow platforms, and on scaling our sheet infrastructure. Throughout his 18-year career, Gihan has worked in multiple startups in this space, from data center automation and virtualization platforms to highly-scalable workflow and messaging platforms. Gihan joined Smartsheet in 2018 as part of the Converse.AI acquisition, where he was a co-founder.

 

Last year, I wrote about how Smartsheet committed to empowering our customers as they embark on a never-ending journey of scale. Another equally important priority is providing our customers with enterprise-grade security, governance, auditing, reporting, and administration capabilities that can scale as their organizations’ needs grow. That’s why we’re not content just being a leader in the Collaborative Work Management (CWM) space — we strive to be the CISO-preferred platform for Enterprise CWM.

At Smartsheet, we rely on our own product as our primary work management platform. So we know first-hand that remaining vigilant across security and governance is critical. Today I want to share more about our key areas of focus, new releases, and some exciting sneak peeks into our roadmap around all things security, governance, and administration! Let’s dive in.  

Enhanced reporting with the new Plan Usage report in Plan Insights

In response to valuable feedback from our users who expressed the need for more insights into their Smartsheet plans, we introduced Plan Insights in February 2023. Initially featuring the connected user report, this provided users with a detailed breakdown of user types, total connected users, and user growth within a plan.

Continuing our commitment to enhancing the data available to our users, we upgraded Plan Insights in late 2023, replacing the connected user report with the more comprehensive plan usage report. This report offers essential metrics and intricate details about plan and billing information. It now includes expanded user reporting, shedding light on the usage of core assets such as sheets, reports, dashboards, and workspaces. This empowers users with the data necessary for assessing licensing needs, understanding asset distribution, and gaining a holistic view of Smartsheet utilization in their plans.

Furthermore, our efforts extended to introducing Advance Capability reports for Data Shuttle and Dynamic View. These reports, showing details of both licensed customers and those evaluating these capabilities, furnish valuable insights like usage metrics, the number of active views/workflows created, and evaluation details. This facilitates informed decisions regarding premium application usage and potential purchases.

Our commitment to providing comprehensive insights doesn't end there. Future enhancements are in the pipeline, promising to deliver usage and trends for forms, automations, formulas, files, and proofing. Users can evaluate the efficiency gains and cost savings achieved by automating repetitive tasks and fostering collaboration within the context of work in Smartsheet. We are dedicated to continuously enhancing the Smartsheet experience by putting insightful data at your fingertips.

Smartsheet Admin Center Plan Usage Dashboard


New and improved Safe Sharing experience

The Safe Sharing experience has undergone a significant revamp to streamline the process of entering, auditing, and managing secure sharing so System Administrators can dedicate less time to managing sharing permissions for their plans.

Since January 2024, this revamped Safe Sharing policy experience has been at the fingertips of our Enterprise customers. To make the experience even more straightforward, we've integrated sheet functionalities into our admin functions. Now, System Administrators can effortlessly handle, audit, bulk import, sort, and search through trusted domains and email addresses. This enhances data governance and enterprise manageability by making it easier for System Administrators to understand which external users and domains can access their organizations’ data.

Upon activation of the Safe Sharing policy by a licensed SysAdmin, two Safe Sharing sheets are automatically generated in a dedicated "Admin Settings" workspace, facilitating the management of domains and email addresses.

By incorporating sheets into the new Safe Sharing experience, we open up the possibility to integrate core Smartsheet functionalities tied to sheets (like automation, searching, filtering, etc.) into the new experience as well. Admins gain access to a suite of tools for adding workflows, auditing the activity log and cell history, performing bulk additions or removals of rows, leveraging our DataShuttle capability for automated bulk updates, and utilizing sheet APIs on the Safe Sharing sheets to cater to specific organizational needs.

This holistic approach not only simplifies the Safe Sharing process but also empowers System Administrators with a comprehensive set of tools, ensuring efficient management and customization of sharing permissions within their plans. Our commitment is to provide a powerful and user-friendly experience, transforming secure sharing in Smartsheet.
 

Smartsheet Admin Center Safe Sharing Policy panel

 

Securing and standardizing cross-organizational collaboration

Smartsheet stands out as a powerful tool for fostering collaboration among users within and outside organizations. Yet, as collaboration scales up, so does the associated risk. Consider scenarios where external partners change affiliations or contracted resources mishandle their login credentials. Given our leadership in the Enterprise CWM market, safeguarding our customers' data remains our top priority.

While having direct control over the security and access policies of external users may not always be feasible, we prioritize empowering users with complete control over how collaborators access assets. In line with this commitment, we've recently rolled out two robust security features exclusively designed for our Enterprise Plan customers: “Require Corporate Accounts” and “Require MFA.” These features serve to reinforce security measures surrounding external collaboration, putting the power of control firmly in customers’ hands.

When the "Require Corporate Accounts" policy is activated by System Administrators, external collaborators will be required to log into Smartsheet using their corporate credentials or Single Sign-On (SSO) to access any shared asset within the account. System Administrators can further enhance security by enabling the "Require MFA" policy. This mandates that external collaborators validate their identity using multi-factor authentication (MFA) to access a plan's assets. In cases where standard MFA isn’t feasible for external collaborators via their identity provider, Smartsheet will enforce an email-based time-based one-time password (TOTP) when assets are accessed. Additionally, there’s flexibility to exclude certain trusted domains and email addresses from these policies through exemption lists, coupled with the new Safe Sharing policy experience.

These enhancements not only fortify data security but also standardize the authentication process for external users, reinforcing our commitment to fostering a secure environment conducive to enterprise collaboration. Looking ahead, in late April 2024, we plan to further enhance this experience by enabling SysAdmins to send notifications to workspace Admins when these policies are modified, ensuring transparency and accountability in the security management process.
 

Smartsheet Admin Center Secure External Access screen

 

Centralizing control and improving authentication security

In many organizations, each department typically operates with a separate Smartsheet plan. In such a scenario, System Administrators face inherent complexities and security risks in managing multiple logins or Single Sign-On (SSO) configurations across these diverse departments or plans. Moreover, the challenge extends to users who are shared on Smartsheet assets in plans belonging to different organizations, where the System Administrator might lack control.

The use of less secure authentication methods, like email/password combinations, introduces an additional layer of risk, especially in our dynamic threat landscape. A case in point is Microsoft's revelation in its 2023 Digital Defense Report, where they highlighted blocking an average of 4,000 password-based attacks per second in the previous year. This underscores the critical need for robust security measures in the face of evolving threats.

In our ongoing commitment to enhancing security, we have initiated a scalable policy management project, and one of its pivotal phases involves migrating the login policy to the domain level. Last week, we introduced an important enhancement exclusively for System Administrators in Enterprise Plans: the capability to enforce SAML-based SSO at the domain level. This strategic feature empowers organizations to standardize security protocols, centralize control, and streamline the SAML setup process directly within the Admin Center, simplifying the procedure to a single comprehensive step.

Looking forward, our roadmap includes significant milestones. By mid-2024, we will replace the less secure password-based login method with an advanced email TOTP (time-based one-time password) login option, further fortifying authentication security. Subsequently, in late summer of 2024, we are set to transition the Google and Azure SSO login methods to the domain level. These concerted efforts align with our goal to elevate the Smartsheet security posture by steering users towards industry-recommended SSO-based authentication mechanisms and phasing out less secure password-based logins.          

Smartsheet Admin Center SSO and SAML authentication screen

  

Eliminating asset transfer and access challenges with plan-level ownership

As the usage of assets grows within an organization, managing ownership of assets becomes a bit complicated. The current model of assets owned by users adds extra management overhead, particularly when crucial stakeholders or asset owners depart from the organization. By moving to a model where assets are owned by the plan, we will eliminate any need to move assets between users.

As part of this change, we are removing the concept of an asset Owner – all the asset Admins will have necessary privileges to manage the life cycle of an asset, including responding to access requests. This enables secure, faster collaboration by removing the single-owner bottleneck. We are also introducing a new Admin role called the Plan Asset Admin to handle asset request scenarios when Owners or Admins are unavailable. Plan Asset Admins will also possess the ability to rename, delete, or assign permissions to an asset, preventing assets from getting orphaned. If no asset Admin/Owner is defined, and no Plan Asset Admin is specified on a plan, asset access requests will be directed to the SysAdmin, ensuring a reliable chain of users to keep work progressing.

These changes are currently in the Early Adopter Program (EAP) and will be available to all customers in the coming weeks. Later this year, we plan to eliminate the concept of an "Owner" on assets as assets are owned by the plan, thus completing the shift to the plan-based asset ownership model.

Smartsheet Admin Center User Management screen

 

What’s next

Security and scale is a journey that never ends. We are continuing to focus on how we can improve the security posture for our customers as they continue to scale their use of Smartsheet by: 

  • Enhancing the look and feel of various login and access-related Smartsheet notification emails to improve readability and increase the odds of appropriate action being taken for each notification.
  • Adding a new sharing permission level between “Admin” and “Editor” to support scenarios that necessitate a level of access between the two.
  • Adding support for service accounts, allowing customers to generate API user access tokens that are recognized and honored by Smartsheet APIs.

We hope this provides a peek at the work we are doing "under the hood" to bolster our security, governance, reporting, and administration offerings so that organizations can scale work and processes worry-free.

Get even more insight into how Smartsheet provides a revolutionary platform to support your company’s work at scale — and learn about additional innovations we’re excited to share. And if you’re curious for a deep dive into Smartsheet documentation on security, privacy, compliance, and reliability, check out our Trust Center.

 

Want to know when these enhancements go live? Get notified in real time by subscribing to the product announcements channel in Smartsheet Community or our product release news. If you’re not a customer yet and can’t subscribe, go ahead and give us a try.

We always want to hear from you and work with you. If you want to talk to our Product and Engineering leadership about these topics, please reach out to your CSM or sales representative.