The explosion in the number and variety of SaaS apps used by enterprises has created both opportunities and challenges. While the cybersecurity department’s mission is to ensure that their security hygiene remains intact, they need an accurate and comprehensive understanding of the potential attack surface of their SaaS stack.
By Maor Bin, CEO & Co-Founder, Adaptive Shield
As organizations continue to grow their SaaS environments, new challenges emerge which have them asking some critical new questions: How can I comply with the major industry standards and manage a SaaS security audit? How do I keep customer, partner, and employee data protected throughout the SaaS stack? There are standards and compliance mandates available, like National Institute of Standards and Technology (NIST) and Service Organization Controls (SOC), which have been created to help organizations ensure the highest security hygiene. And when it comes to SaaS app security, these frameworks and processes can be achieved with support from a SaaS Security Posture Management (SSPM) tool.
NIST (National Institute of Standards and Technology)
NIST’s Cybersecurity Framework (CSF) combines a host of approaches to dealing with cyber security threats, including setting up procedures, training, defining roles, auditing, and monitoring. While it’s true that much of NIST’s recommendations have been geared towards the classic legacy critical infrastructure security challenge, the CSF and its updates SP 800-53 can help organizations better respond to the risks that occur in SaaS-based work environments.
An SSPM solution helps incorporate these recommendations into an organization’s SaaS environment in an easy-to-use fashion, by taking complex controls – such as “Network Access To Non Privileged Accounts” (SP 800-53 IA-2 (2)) – and turning it into tangible configurations that can be monitored and remediated across all SaaS platforms. The same is true for multi-configuration requirements such as NIST CSF PR.AC-7, which demands not only identifying the authentication method, but also matching it to asset risk. Only an advanced SSPM solution can provide the required depth of visibility into authentication methods by user and device from a risk perspective.
Whether you are a public or private company, businesses are placing increasing value on SOC 2 compliance. Unlike SOC 1, which centers on internal controls for financial reporting, the purpose of the SOC 2 report is to evaluate an organization’s information systems, specifically regarding security, availability, processing integrity, confidentiality, and privacy, over a period of time.
When a company conducts SOC 2 audit, it must run security checks across its SaaS stack. These checks will look for misconfigured settings, lack of privacy controls, lack of modern security methods, and lack of access controls.
Managing SaaS Security Posture
The NIST CSF and SP 800-53 standards and compliance mandates like SOC 2, each in turn help a company demonstrate its commitment to security and protecting data. But adhering to NIST and SOC2 is far more challenging in the growing world of SaaS.
It requires businesses to demonstrate the ability to continuously monitor security across their entire SaaS environment, many of which are growing at a breakneck speed. There is a misconception that achieving and maintaining compliance in this new realm is the SaaS provider’s responsibility — the reality is that while SaaS providers put the necessary security measures in place, the responsibility for using them falls to the customer and its security team.
This introduces a variety of new challenges. First and foremost, security teams that are stretched thin are now burdened with the massive undertaking of knowing every application, user, and configuration and ensuring all are compliant with industry and company policies. Just imagine being asked to manage 50,000 users over just five SaaS apps. That would require the security team to manage 250,000 identities. Further, SaaS environments aren’t static, they are dynamic and continually evolving as employees are added or removed, new applications are onboarded, and permissions and configurations are updated.
Taking these factors into account, it’s unrealistic to expect security teams to continuously ensure all configurations are enforced company-wide and ensure they meet compliance standards without an automated tool.
This is why SSPM is so vital. With an SSPM solution, organizations can map out all the user permissions, encryption, certificates, and security configurations available for each SaaS application. This provides visibility into user privileges and sensitive permission and allows teams to correct any misconfiguration in these areas, taking into consideration each SaaS application’s unique features and useability. As a result, whether a company has twenty-five SaaS or 500 apps, they can more easily comply with their company standards and industry-standard such as NIST and compliance mandates such as SOC 2.
If you are planning to introduce SSPM or are already using one, I recommend making sure the solution can compare your SaaS security misconfiguration checks with the major industry standards — and that you have the ability to build your own custom company policy.
About the Author
Maor Bin is the CEO and Co-Founder of Adaptive Shield. A former Cybersecurity Intelligence Officer in the Israel Defense Forces (IDF), Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDF service. Maor can be reached online at https://www.linkedin.com/in/maorbin/ and at our company website https://www.adaptive-shield.com/.