SaaS governance and security is drawing attention among IT and security leaders. This is good, because companies are adopting software-as-a-service (SaaS) faster than infrastructure-as-a-service (IaaS) offerings. Larger enterprises use around 200 different SaaS offerings, compared with two or three IaaS providers, yet only 30% of companies have some kind of SaaS security solution in place.
Despite the widespread use of SaaS, it is often consumed with little insight into usage, data storage or access control. That’s why the Cloud Security Alliance (CSA) created the SaaS Governance Best Practices for Cloud Customers white paper, which I was honored to co-lead. Below are some of the key recommendations from that guidance that you can apply to your own SaaS governance.
SaaS Governance Pillar: Discovery, Management, Security
SaaS governance revolves around three main pillars: discovery, management and security. The first step is to inventory the SaaS in use across the enterprise. As the old saying goes, you can’t secure what you don’t see or know about. The SaaS paradigm makes this significantly harder: there is no physical system as in the legacy data center environment, and almost anyone in the organization can start consuming SaaS with a credit card and a few mouse clicks.
Once companies have created an inventory, they can start managing their SaaS consumption. This means establishing processes to vet SaaS vendors for alignment with organizational or industry requirements around security and compliance, often against frameworks such as HIPAA, SOC 2 and FedRAMP, as well as against internal organizational security requirements.
Finally, companies need to take steps to secure the SaaS they use. While most of the shared responsibility model for cloud may fall to the SaaS provider, the organization still owns its data, its customers’ trust and its regulatory exposure; in the end, you will still be held responsible for any security incident. Securing SaaS means understanding the data involved and who has access to it, and scanning the environment for misconfigurations, vulnerabilities and compliance drift with modern tooling such as SaaS security posture management (SSPM). Assuming that the SaaS provider is protecting everything is a foolish mistake, but a common one. These activities must occur throughout the SaaS consumption lifecycle of evaluation, adoption, use and decommissioning.
Develop SaaS data protection policies
Companies that consume SaaS need to develop relevant policies and processes to help them manage SaaS usage. These cover assessment, acceptable risk, confidentiality requirements and key risk management activities. A risk assessment is strongly recommended before placing organizational resources, including organizational and especially customer data, in a SaaS provider’s environment. SaaS consumers must understand which industry certifications the SaaS provider holds, whether it has been assessed by third parties, and what the provider’s own supply chain looks like. We have seen SaaS providers and entities in their supply chains cause cascading events that ultimately affected the SaaS consumer.
It is important to understand the level of support the SaaS provider offers and on what timelines (service level agreements, or SLAs, for example), and how the provider operates and maintains its own infrastructure. SaaS providers should follow industry-leading practices for software supply chain and software delivery, such as continuous integration/continuous delivery (CI/CD) and the Supply-chain Levels for Software Artifacts (SLSA) framework, to prevent tampering with and poisoning of their software releases.
Consumers will want to request key artifacts such as vulnerability and penetration test reports to understand the security of the SaaS provider’s infrastructure and hosting environment. Companies should also seek clarity on how the SaaS provider uses their data: who in the provider’s organization has access to it and under what circumstances, and whether the provider shares that data with anyone else and, if so, why. Details such as data encryption and key management practices give insight into how private your data is in the SaaS provider’s environment.
Termination of service is an often overlooked aspect of SaaS consumption. Consumers must understand how the SaaS provider handles customer data sanitization at the end of the relationship and when services are retired in its environment.
Internal SaaS security controls
Security considerations around SaaS consumption are not limited to the SaaS provider. Companies must establish their own roles and responsibilities for SaaS consumption. Basic technical and administrative controls must be implemented to govern access to the SaaS environment: everything from application monitoring and audit logging to multi-factor authentication (MFA) and monitoring the use of privileged accounts.
Another important area is incident response and business continuity (IR/BC). Companies have become dependent on external as-a-service providers, including SaaS, but few have updated their IR/BC policies and plans to account for SaaS usage, so that they know what to do in the event of a SaaS outage or security breach. This is despite the fact that, especially for remote-centric organizations, SaaS is often the linchpin that enables business continuity and operations.
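As an added example (not part of the original article or of the CSA guide), the following Python script shows what the discovery pillar and the internal access controls described above look like when run over audit data. It reads a constructed SSO audit log in a generic JSON-lines shape (not any real identity provider's schema; the field names `user`, `app`, `event`, `mfa` and `role` are assumptions), builds the SaaS inventory from it, flags apps outside an assumed sanctioned list, and surfaces logins without MFA and privileged-account activity.

```python
import json
from collections import defaultdict

# Constructed sample: six SSO audit events in a generic JSON-lines shape.
# This is NOT any real identity provider's schema; the field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2022-03-01T09:02:11Z","user":"alice@example.com","app":"Salesforce","event":"login","mfa":true,"role":"user"}
{"ts":"2022-03-01T09:05:40Z","user":"bob@example.com","app":"Slack","event":"login","mfa":true,"role":"admin"}
{"ts":"2022-03-01T09:07:03Z","user":"carol@example.com","app":"RandomNotesApp","event":"login","mfa":false,"role":"user"}
{"ts":"2022-03-01T09:08:55Z","user":"bob@example.com","app":"Slack","event":"user.role.changed","mfa":true,"role":"admin"}
{"ts":"2022-03-01T09:12:30Z","user":"dave@example.com","app":"Salesforce","event":"login","mfa":false,"role":"admin"}
{"ts":"2022-03-01T09:15:00Z","user":"erin@example.com","app":"CloudFileShare","event":"login","mfa":true,"role":"user"}
"""

# The sanctioned SaaS inventory (assumed for this example).
APPROVED_SAAS = {"Salesforce", "Slack"}


def parse_events(text):
    """Parse JSON-lines audit data; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count and alert on these
    return events


def build_inventory(events):
    """Discovery: which SaaS apps are actually in use, and by whom."""
    inventory = defaultdict(set)
    for e in events:
        inventory[e["app"]].add(e["user"])
    return dict(inventory)


def find_shadow_saas(inventory, approved):
    """Apps seen in the logs that are not on the sanctioned list."""
    return sorted(app for app in inventory if app not in approved)


def find_mfa_gaps(events):
    """(user, app) pairs that logged in without multi-factor authentication."""
    return sorted({(e["user"], e["app"])
                   for e in events
                   if e["event"] == "login" and not e.get("mfa", False)})


def privileged_findings(events):
    """Privileged-account monitoring: admin logins without MFA and admin configuration changes."""
    findings = []
    for e in events:
        if e.get("role") != "admin":
            continue
        if e["event"] == "login" and not e.get("mfa", False):
            findings.append(("admin_login_without_mfa", e["user"], e["app"]))
        elif e["event"] != "login":
            findings.append(("admin_action", e["user"], e["app"], e["event"]))
    return findings


def report(text=SAMPLE_LOG, approved=APPROVED_SAAS):
    """Run all checks and return a single governance report."""
    events = parse_events(text)
    inventory = build_inventory(events)
    return {
        "inventory": {app: sorted(users) for app, users in inventory.items()},
        "shadow_saas": find_shadow_saas(inventory, approved),
        "mfa_gaps": find_mfa_gaps(events),
        "privileged": privileged_findings(events),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

On the sample data the report lists two unsanctioned apps, two logins without MFA (one of them by an admin) and one administrative role change; in practice the same logic would be fed from the identity provider's export or a CASB, and the sanctioned list would come from the inventory built during discovery.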
SaaS supplier relationships
The CSA’s SaaS governance guide contains a section dedicated to understanding SaaS supplier relationships. It addresses the need for a SaaSBOM, a software bill of materials (SBOM) for SaaS, given the expanding chain of SaaS and third-party services and dependencies. The guide recommends the CycloneDX SBOM format, which can represent an SBOM in the context of SaaS and its underlying components. The case for SBOMs is further strengthened by guidance from organizations such as the US National Telecommunications and Information Administration (NTIA), the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the Open Source Security Foundation (OpenSSF). It is important to understand the software components and vulnerabilities associated with the applications you use, and that requirement does not go away in the SaaS consumption model.
The guide also emphasizes the complexity of the modern digital environment and its countless supply chain relationships. This calls for organizational policies that treat SaaS products as part of a larger cybersecurity supply chain risk management (C-SCRM) program, as directed by NIST SP 800-161 Rev. 1. In the context of SaaS, some key considerations are assigning a single accountable role within the organization for each third-party relationship, the method for assessing the likelihood of incidents involving those SaaS providers, and even the use of security scoring and rating tools for vendors.
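To make the SaaSBOM idea concrete, here is an added example (my own, not code from the article, the CSA guide or the CycloneDX project) of a small CycloneDX 1.4 JSON document that describes one consumed SaaS as a `services` entry, the third-party service and libraries it declares behind it, and the `dependencies` graph linking them, together with the checks a consumer would run over it: walking the graph to list every component purl behind the service for vulnerability tracking, and flagging services that cross a trust boundary without authentication or move data of unknown classification. The provider, endpoints, package names and versions are constructed for illustration.

```python
import json
from collections import deque

# Constructed CycloneDX 1.4 JSON document for one consumed SaaS. The structure
# (services, components, dependencies) follows the CycloneDX schema; every name,
# URL and version below is made up for this example.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "tenant:acme-crm",
                               "name": "Acme CRM (our tenant)"}},
    "services": [
        {
            "bom-ref": "svc:acme-crm",
            "provider": {"name": "Acme SaaS Inc. (constructed)", "url": ["https://example.com"]},
            "name": "Acme CRM",
            "version": "2022.3",
            "endpoints": ["https://crm.example.com/api/v1"],
            "authenticated": True,
            "x-trust-boundary": True,
            "data": [{"flow": "bi-directional", "classification": "PII"}],
        },
        {
            "bom-ref": "svc:metrics-relay",
            "provider": {"name": "Example Analytics Ltd. (constructed)"},
            "name": "Usage analytics relay",
            "endpoints": ["https://metrics.example.net/ingest"],
            "authenticated": False,
            "x-trust-boundary": True,
            "data": [{"flow": "outbound", "classification": "unknown"}],
        },
    ],
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-web-sdk@4.1.0",
         "name": "example-web-sdk", "version": "4.1.0", "purl": "pkg:npm/example-web-sdk@4.1.0"},
        {"type": "library", "bom-ref": "pkg:npm/example-http@2.0.3",
         "name": "example-http", "version": "2.0.3", "purl": "pkg:npm/example-http@2.0.3"},
    ],
    "dependencies": [
        {"ref": "svc:acme-crm", "dependsOn": ["svc:metrics-relay", "pkg:npm/example-web-sdk@4.1.0"]},
        {"ref": "pkg:npm/example-web-sdk@4.1.0", "dependsOn": ["pkg:npm/example-http@2.0.3"]},
        {"ref": "svc:metrics-relay", "dependsOn": []},
        {"ref": "pkg:npm/example-http@2.0.3", "dependsOn": []},
    ],
}


def check_format(bom):
    """Minimal sanity check that this is a CycloneDX 1.x document."""
    return bom.get("bomFormat") == "CycloneDX" and str(bom.get("specVersion", "")).startswith("1.")


def dependency_graph(bom):
    """Adjacency list built from the CycloneDX `dependencies` array."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def transitive_dependencies(bom, ref):
    """Every bom-ref reachable from `ref` (breadth-first, safe against cycles)."""
    graph = dependency_graph(bom)
    seen, queue = set(), deque(graph.get(ref, []))
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(graph.get(cur, []))
    return sorted(seen)


def component_purls(bom, ref):
    """purls of all components behind a service: the list to feed into vulnerability tracking."""
    by_ref = {c["bom-ref"]: c for c in bom.get("components", [])}
    return sorted(by_ref[r]["purl"] for r in transitive_dependencies(bom, ref)
                  if r in by_ref and "purl" in by_ref[r])


def review_services(bom):
    """Governance checks over the declared services; returns (bom-ref, finding) pairs."""
    findings = []
    for svc in bom.get("services", []):
        ref = svc["bom-ref"]
        if svc.get("x-trust-boundary") and not svc.get("authenticated", False):
            findings.append((ref, "unauthenticated endpoint across trust boundary"))
        for d in svc.get("data", []):
            if d.get("classification", "unknown").lower() == "unknown":
                findings.append((ref, "data flow with unknown classification"))
        if "provider" not in svc:
            findings.append((ref, "no provider declared"))
    return findings


if __name__ == "__main__":
    print(json.dumps({"purls_behind_crm": component_purls(SAMPLE_BOM, "svc:acme-crm"),
                      "findings": review_services(SAMPLE_BOM)}, indent=2))
```

The point of the graph walk is that the consumer's exposure is not just the SaaS it signed up for but everything the provider declares underneath it; the analytics relay in the sample is the kind of sub-processor that an SBOM surfaces and a questionnaire usually does not.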
Taking SaaS governance and security forward
Although most companies are still in their infancy when it comes to establishing mature SaaS governance and security programs, the CSA SaaS Governance Best Practices guide provides strong vendor-agnostic SaaS governance advice. Companies should dive into this rich resource and align their organizational practices and policies with these best practices to minimize their SaaS consumption-related risks.
Copyright © 2022 IDG Communications, Inc.