The FIPCO partner Cynet has introduced SaaS (Software as a Service) Security Posture Management (SSPM).
Here are several important best practices that all SaaS customers should practice. Many of them can be implemented or made easier by the use of automated tools or “SSPM” solutions:FIPCO will perform an Information Security Assessment which will review the Bank’s Information Security program, policy and other pertinent documentation. IT Operations, risk assessment and Governance, as well as General IT Controls will be audited to provide evidence that controls have been implemented. The IT Audit will focus on the Bank’s overall information security program, management oversight and IT environment, which may include the following areas:
Detect rogue services and compromised accounts—according to recent studies, organizations use over 1,900 unique cloud services on average, many of them unknown or unmanaged by the organization due to shadow IT. Identify all cloud services and prioritize them according to the data they store and their impact on the business.
Apply identity and access management (IAM)—role-based IAM solutions can help ensure that users never gain access to resources they do not need to perform their jobs. IAM tools use access policies to determine what applications and files each user is allowed to access. Organizations can apply this type of role-based permission to data and ensure that end users can see only the data they are authorized to view.
Encrypt cloud data—encryption methods turn data into meaningless code that cannot be accessed by unauthorized users. Most regulatory entities require that organizations encrypt sensitive data, when it is at rest in storage repositories and while it is in transit as it moves between environments. SaaS vendors typically provide some form of encryption—but you must ensure encryption is enabled and working correctly.
Enforce data loss prevention (DLP)—DLP tools monitor sensitive data in SaaS applications and outgoing transmissions. These tools can block unauthorized transmissions of sensitive information, preventing leaks and theft. You should also use DLP solutions to prevent users from downloading sensitive data to personal devices, and block unauthorized attempts to access, download or delete the data.
Monitor collaborative sharing of data—collaboration controls can help detect granular permissions on the files shared with a wide range of users, including external users who use a web link to access files. The goal of collaboration controls is to prevent employees from intentionally or inadvertently sharing confidential documents via tools like team spaces, email accounts, and storage services like Dropbox and Google Drive.
Audit the security of service providers—According to a recent Cloud Adoption and Risk Report, (https://www.dlt.com/sites/default/files/resource-attachments/2019-09/Cloud-Cloud-Adoption-%2526-Risk-Report-2019_0_13.pdf) 70% of surveyed respondents said they trust their SaaS provider’s security, but only 8% of those SaaS vendors actually met basic security requirements. For example, only 10% provided encryption of data at rest, and only 18% supported multi-factor authentication. It is critical to audit providers, evaluate their compliance certifications, and their data protection, access control, and other security capabilities.
What is SaaS Security and Why is it Important?
SaaS security practices and tools help organizations secure corporate data and user privacy in subscription-based cloud applications. SaaS applications often hold a large amount of sensitive information. These applications allow many users to gain access to information from a wide range of devices and locations. This can introduce major privacy and security risks.
The term “security posture” refers to the security status of all IT assets within an organization. This includes code repositories, Software as a Service (SaaS) applications, hardware assets, networks, data pipelines, all information, and services.
SaaS Security Posture Management (SSPM) solutions offer tools and automation capabilities that can provide visibility into the security posture of SaaS environments and make it easier to remediate security concerns in those environments.
SaaS providers follow the shared responsibility model. This means the SaaS vendor is responsible for protecting the underlying infrastructure, network traffic, operating systems (OS), hypervisor, and applications. The SaaS customer is required to protect user access and data—this is where SSPM solutions come in, providing the visibility and tooling required to adequately manage and protect user access and data in SaaS environments.
SSPM solutions may cover some or all of the following aspects of SaaS security:
SaaS security is different
While security and IT teams are generally familiar with tools and practices designed to protect Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) environments, SaaS security requires a different approach.
SaaS applications serve different teams with varying degrees of technical expertise. Additionally, the majority of organizations use multiple SaaS applications, each with a different security structure and different levels of complexity. This can turn SaaS security into a complex and time consuming effort.
Minor involvement by security teams
In some cases, the engagement between security teams and the businesses units using SaaS applications is brief. For example, the security team may be brought in to assess the application and provide a report, and the engagement may stop there. This type of limited interaction between end users and security teams may lead to a poor security posture that leaves the organization exposed to critical security and compliance risks.
In other cases, SaaS applications are managed by an internal team focused primarily on operational functionality. This team may not have the tooling, skillset, or time required to properly secure SaaS applications. Some organizations may bring in an additional role or team to take over security responsibilities, but because there is no clear owner, security may not be implemented consistently.
These challenges emphasize the need for an automated solution that can identify, alert, and even automatically remediate SaaS security issues.
Does Your Organization Need Saas Security Posture Management?
Many critical business systems are being migrated to SaaS. According to a Gartner report, (https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021) worldwide spending on SaaS is as much as 48% higher than the spend on infrastructure as a service (IaaS) and 106% higher than platform as a service (PaaS). Many organizations rely on a similar set of popular, strategic SaaS applications to implement common business functions. Samples of some of the most popular and common SaaS applications include; Salesforce, Microsoft 365, HubSpot, Netflix, Zoom, Zendesk.
The SaaS trend means security teams must manage and secure applications that they have no control over. Cloud security is a shared responsibility between cloud providers and customers. Most enterprise SaaS applications provide some security controls, but customers need to properly configure these applications and prevent configuration changes over time.
Security posture management may seem simple at first glance, but it can quickly get very complex, even for a small to medium organization, not to mention for a large enterprise:
SSPM solutions can help with this complexity, by continuously assessing security risks and managing the security for SaaS applications. With SSPM, security administrators can easily understand the configuration of each application, see how to achieve a secure configuration, and ensure that applications are configured according to best practices.
At a minimum, SSPM should be able to report how SaaS security settings are currently configured and provide suggestions to reduce risk. Ideally, SSPM should be able to comprehensively test an application according to security benchmarks and perform automatic reconciliation and reconfiguration.
SSPM Features and Capabilities
Here are several key features every SSPM solution should provide:
What is the Relationship Between Cloud Access Security Brokers (CASB) and SSPM?
A Cloud Access Security Broker (CASB) is a broadly adopted security solution, which acts as a bridge between end users and cloud providers. It improves visibility over application traffic, and applies consistent security policies across on-premise, SaaS, PaaS, and IaaS environments.
Many CASB vendors are adding SSPM and cloud security posture management (CSPM) to their products. There are three advantages to the convergence between CASB and SSPM solutions:
SaaS Security Posture Management with Cynet 360
An SSPM solution ensures that SaaS applications are properly configured to protect them from compromise. The solution continuously monitors SaaS applications to identify gaps between stated security policies and actual security posture, letting you automatically find and fix security risks in SaaS assets, and automatically prioritize risks and misconfigurations by severity.
SSPM Overview Video:
SSPM General brochure:
Contact FIPCO for more information or to arrange a demonstration at firstname.lastname@example.org.