
Racing to defend yourself and follow the rules

June 13, 2024 | Newsroom | SaaS / Shadow IT security


Recent cyberattacks on the supply chain are prompting cybersecurity regulators in the financial sector to tighten compliance requirements, and other industries are expected to follow suit. Many companies still lack effective methods for managing the related, time-sensitive SaaS security and compliance tasks. Free SaaS risk assessment tools are an easy and practical way to gain visibility and initial control over SaaS and Shadow AI adoption. These tools now offer tiered upgrades that let security professionals match the tooling to their company's budget or maturity level.

Regulatory pressure, the proliferation of SaaS and AI, and the increased risk of data breaches or leaks via third-party applications make SaaS security one of the hottest areas for practitioners to learn and implement. The new regulations will require robust third-party SaaS risk lifecycle management, which begins with SaaS discovery and third-party risk management (TPRM) and ends with requiring CISOs to report incidents in their supply chain within 72 hours. Financial cybersecurity regulations such as NY-DFS and DORA are based on similar risk mitigation principles, although they use different terminology.

Lessons that can be learned from SaaS financial security requirements

Security professionals who understand the cyber compliance requirements of the financial sector are better equipped to manage SaaS risk and support various other compliance frameworks. These basic principles, broadly divided into four stages, are expected to be reflected in many industries. They provide an excellent template for safe SaaS use that should be learned as a security best practice.

Figure: Mapping NY-DFS requirements to four SaaS security steps

1. Third-party risk detection and management (TPRM)

The SaaS security journey begins with identifying and mapping all third-party services used by the organization. These services should be assessed for their business importance and their impact on non-public information (NPI), and compared against the supplier's reputation assessment (external risk assessment). While many companies focus solely on "sanctioned applications" reviewed during the purchasing process, this approach has not kept pace with the rapid adoption of SaaS and how it is actually used in organizations. A comprehensive security policy should also cover "shadow IT," meaning unapproved applications adopted by individual employees, as well as free trials used across teams. Both types of applications often expose NPI and provide backdoor access to a company's most confidential resources.

2. Establishing and enforcing risk policies

After assessing risk, security teams must establish clear policies regarding approved and unapproved SaaS providers and the types of data that can be shared with cloud-hosted services. Improved user education is key to ensuring everyone understands these principles. Continuous enforcement of these policies is also necessary, which is particularly important in SaaS environments. The average employee uses 29 different applications and changes them frequently. Many companies still rely on periodic reviews and manual processes, which can miss Shadow IT and newly added applications adopted even minutes after a SaaS audit. It is important to note that CISOs are responsible for any security incidents related to SaaS applications introduced later or used by employees.

3. Reducing the attack surface

The focus then shifts to managing the attack surface and reducing the number of approved vendors. SaaS security posture management (SSPM) solutions are powerful for this complex but critical step. It includes hardening the initial configurations of SaaS applications, with a regulatory focus on multi-factor authentication (MFA), and implementing and managing the access rights of human and non-human identities through user access reviews. Advanced teams also monitor unused tokens and over-privileged applications and manage information sharing. These aspects are critical to SaaS security but are only partially covered by regulation.

4. Detecting and responding to incidents

Despite all steps to reduce risk, third parties may still experience breaches. Wing’s research found that nearly all 500 companies it audited used at least one compromised app last year. Financial regulators require CISOs to report supply chain incidents promptly (within 72 hours for NY-DFS and by the next business day for DORA). The interpretation of these requirements remains to be validated, and many CISOs rely on good practices from their vendors to report incidents. In a market of 350,000 different SaaS applications and the challenges of Shadow IT, robust support services are essential to quickly recover from incidents and maintain compliance.
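As an added illustration of the four steps above, not code from the article or from Wing Security's product, the following Python script evaluates a constructed SaaS inventory against the policies the article describes (shadow apps touching NPI, missing MFA, over-privileged OAuth scopes, stale tokens) and computes the two reporting windows the article cites. The inventory records, the 90-day staleness threshold and the scope names are assumptions made up for the example.

```python
from datetime import date, datetime, timedelta

# Constructed sample inventory (hypothetical apps, not real vendors or data).
INVENTORY = [
    {"app": "crm-suite", "sanctioned": True, "handles_npi": True,
     "mfa_enforced": True, "scopes": ["contacts.read"], "last_token_use": "2024-06-10"},
    {"app": "ai-notes-trial", "sanctioned": False, "handles_npi": True,
     "mfa_enforced": False, "scopes": ["mail.readwrite", "files.all"], "last_token_use": "2024-06-12"},
    {"app": "old-survey-tool", "sanctioned": True, "handles_npi": False,
     "mfa_enforced": True, "scopes": ["forms.read"], "last_token_use": "2023-12-01"},
]

# Assumed list of scopes considered over-privileged for a typical SaaS integration.
BROAD_SCOPES = {"mail.readwrite", "files.all", "admin.all"}


def assess(inventory, today, stale_days=90):
    """Steps 1-3: return (app, finding, severity) tuples for policy violations."""
    findings = []
    for app in inventory:
        # Step 1: shadow IT that exposes non-public information is the top risk.
        if not app["sanctioned"] and app["handles_npi"]:
            findings.append((app["app"], "shadow-npi", "high"))
        # Step 3: NPI-handling apps must enforce MFA (regulatory focus).
        if app["handles_npi"] and not app["mfa_enforced"]:
            findings.append((app["app"], "no-mfa", "medium"))
        # Step 3: over-privileged integrations widen the attack surface.
        if set(app["scopes"]) & BROAD_SCOPES:
            findings.append((app["app"], "over-privileged", "medium"))
        # Step 3: tokens unused for longer than stale_days are revocation candidates.
        last_use = date.fromisoformat(app["last_token_use"])
        if (today - last_use).days > stale_days:
            findings.append((app["app"], "stale-token", "low"))
    return findings


def reporting_deadlines(detected):
    """Step 4: reporting windows as the article states them (72h for NY-DFS,
    next business day for DORA). Weekends are skipped; holidays are ignored."""
    nydfs_deadline = detected + timedelta(hours=72)
    next_day = detected.date() + timedelta(days=1)
    while next_day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        next_day += timedelta(days=1)
    return {"NY-DFS": nydfs_deadline, "DORA": next_day}


if __name__ == "__main__":
    for finding in assess(INVENTORY, date(2024, 6, 13)):
        print(finding)
    print(reporting_deadlines(datetime(2024, 6, 14, 10, 0)))
```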

SaaS security for everyone

Organizations vary in their level of SaaS security maturity, risk appetite, and investment in security workforce and tools. Wing Security offers a free tool for beginners to detect and assess the risk of an organization's most frequently used SaaS applications. They recently updated their core foundation layer to automate time-intensive, mission-critical tasks for security teams. This new tier includes deep IT discovery, policy setting and enforcement, and seamless employee education about SaaS providers. Starting at $3,500 per year for smaller organizations, the basic tier offers a cost-effective entry point into SaaS security, with further upgrades available to add protection use cases and reduce the cost of regulatory tasks.

For many companies that don’t yet use full SaaS security solutions, scalable tiered models provide an easy way to detect threats and quickly show ROI. More advanced organizations will want the Pro or full Enterprise tiers to effectively address and manage all four common compliance steps described above.
