Why SaaS Security is Suddenly Hot: Racing to Defend and Comply

Jun 13, 2024 | Newsroom | SaaS Security / Shadow IT

Recent supply-chain attacks are driving stringent compliance rules in the financial industry, and other sectors are expected to follow. Many organizations still lack an efficient way to handle the time-sensitive work that SaaS security and compliance now demand. Free SaaS risk assessment tools are a simple, practical way to gain visibility and initial control over SaaS sprawl and Shadow AI, and these tools now come in tiers, which lets security teams match the tooling to their budget or maturity stage.

Regulatory pressure, the growth of SaaS and AI, and the elevated risk of breaches or data leaks through third-party applications have pushed SaaS security to the top of the list of things security professionals need to learn and adopt. Upcoming regulations will require resilient, lifecycle-based management of third-party SaaS risk, from SaaS service discovery and third-party risk management (TPRM) through to an obligation on CISOs to report supply-chain incidents within 72 hours. Financial cyber regulations such as NY-DFS and DORA rest on comparable risk-reduction principles, even though they use different terminology.

Lessons from the Financial Sector's SaaS Security Requirements

Security professionals who know the financial sector's compliance requirements are better prepared to manage their own SaaS risk and to navigate other compliance frameworks. The underlying principles, grouped broadly into four steps below, are expected to be copied by other sectors and form a sound framework for secure SaaS usage, a security best practice worth understanding.

[Figure: Mapping of NY-DFS Requirements to Four SaaS Security Steps]

1. Discovery and Third-Party Risk Management (TPRM)

SaaS security starts with identifying and mapping every third-party service the business uses. Each service must be assessed for its operational criticality and its exposure to non-public information (NPI), and compared against a vendor reputation rating (an external risk assessment). Many firms focus only on the "approved applications" vetted during procurement, but that approach cannot keep up with how quickly SaaS is adopted and embedded across an organization. A complete security strategy must also cover "shadow IT", meaning unsanctioned applications adopted by individual employees, as well as trial versions in use across departments. Both kinds of application routinely expose NPI and open unmonitored paths to an organization's most sensitive assets.

2. Setting and Enforcing Risk Policies

Once risk has been assessed, security teams must enforce clear policies on which SaaS vendors are sanctioned and which are not, and on what kinds of data may be shared with these cloud services. Simple user education is essential so that everyone understands the policies. Continuous enforcement, which matters especially in SaaS environments, is also required: on average an employee uses 29 different applications, and the set changes frequently. Many companies still rely on periodic reviews and manual processes that can miss shadow IT and applications added moments after a SaaS audit. It is important to recognize that CISOs are accountable for any security incident tied to these late-onboarded or employee-adopted SaaS applications.

3. Attack Surface Reduction

The focus now shifts to managing the attack surface and reducing the number of sanctioned vendors. SaaS Security Posture Management (SSPM) solutions are strong aids for this complex but critical step. It covers hardening the initial configuration of SaaS applications, with regulators prioritizing multi-factor authentication (MFA), onboarding, and oversight of access rights for human and non-human identities through User Access Reviews. More advanced teams also monitor dormant tokens and over-permissive applications and control data sharing. These aspects matter for SaaS security but are only partially addressed by regulation.

4. Incident Detection and Response

Even with every risk mitigation in place, third parties can still be breached. A Wing study found that nearly all of the 500 companies reviewed had used at least one compromised application in the previous year. Financial regulators require CISOs to report supply-chain incidents promptly (within 72 hours under NY-DFS and by the following business day under DORA). How these requirements will be interpreted in practice has yet to be tested, and many CISOs remain dependent on their vendors' goodwill in signaling incidents. With some 350,000 distinct SaaS applications on the market and the added difficulty of shadow IT, reliable supporting services are essential for recovering quickly from incidents and staying compliant.
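As an added illustration of the four steps above (example code, not from the article or from Wing Security), the following Python triages a constructed OAuth-grant inventory against an assumed sanctioned-app list, scope policy and 90-day dormancy threshold, and computes the 72-hour NY-DFS notification deadline the article cites when a vendor in the inventory has disclosed a breach. The app names, identities, scopes, thresholds and the breached vendor are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy inputs. These are assumptions standing in for an organization's own
# procurement list and scope policy; they are not any vendor's rules.
SANCTIONED_APPS = frozenset({"crm.example", "chat.example", "repo.example"})
BROAD_SCOPES = frozenset({"mail.readwrite", "files.readwrite.all", "directory.readwrite.all"})
DORMANT_AFTER = timedelta(days=90)          # assumed dormancy threshold
NYDFS_REPORT_WINDOW = timedelta(hours=72)   # supply-chain notice window the article cites for NY-DFS


@dataclass(frozen=True)
class Grant:
    """One OAuth consent / API token a SaaS app holds against the tenant."""
    app: str             # third-party application identifier
    identity: str        # human user or service account that consented
    scopes: frozenset    # permissions granted to the app
    last_used: datetime  # last token use seen in identity-provider logs
    mfa: bool            # whether the consenting identity has MFA enforced


def assess(grant, now, breached_vendors=frozenset()):
    """Return the ordered list of issues for a single grant (empty if clean)."""
    issues = []
    if grant.app not in SANCTIONED_APPS:
        issues.append("shadow-it")           # step 1: unsanctioned app discovered
    if now - grant.last_used > DORMANT_AFTER:
        issues.append("dormant-token")       # step 3: unused but still-valid token
    if grant.scopes & BROAD_SCOPES:
        issues.append("over-privileged")     # step 3: scopes wider than the app needs
    if not grant.mfa:
        issues.append("no-mfa")              # step 3: MFA not enforced on the identity
    if grant.app in breached_vendors:
        issues.append("vendor-breach")       # step 4: vendor has disclosed an incident
    return issues


def triage(grants, now, breached_vendors=frozenset()):
    """Map (app, identity) -> issue list for every grant in the inventory."""
    return {(g.app, g.identity): assess(g, now, breached_vendors) for g in grants}


def apps_needing_incident_report(findings):
    """Apps whose grants carry a vendor-breach flag, sorted for stable output."""
    return sorted({app for (app, _), issues in findings.items() if "vendor-breach" in issues})


def report_deadline(detected_at):
    """Latest time to notify the regulator under the 72-hour window cited for NY-DFS."""
    return detected_at + NYDFS_REPORT_WINDOW


# Constructed sample inventory (not real data), shaped like an IdP app-consent export.
NOW = datetime(2024, 6, 13, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("crm.example", "alice", frozenset({"contacts.read"}), NOW - timedelta(days=2), True),
    Grant("ai-notes.example", "bob", frozenset({"mail.readwrite", "calendar.read"}), NOW - timedelta(days=120), True),
    Grant("chat.example", "svc-deploy", frozenset({"chat.write"}), NOW - timedelta(days=1), False),
    Grant("repo.example", "carol", frozenset({"repo.read"}), NOW - timedelta(days=200), True),
]
BREACHED_VENDORS = frozenset({"chat.example"})  # constructed: this vendor disclosed a breach today

if __name__ == "__main__":
    findings = triage(SAMPLE_GRANTS, NOW, BREACHED_VENDORS)
    for (app, who), issues in findings.items():
        print(f"{app:18} {who:12} {', '.join(issues) or 'clean'}")
    for app in apps_needing_incident_report(findings):
        print(f"report {app} to regulator by {report_deadline(NOW).isoformat()}")
```

In a real deployment the inventory would come from the identity provider's consent or token logs rather than a hard-coded list, and the sanctioned-app set from procurement records; the point of the example is that shadow-IT discovery, policy checks, posture findings and breach-driven reporting can run as one continuous pass over the same data instead of four separate periodic reviews.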

SaaS Security for All

Organizations differ in their SaaS security maturity, risk tolerance, and investment in security staff and tooling. Wing Security offers a free basic tool for discovering and assessing the risk of an organization's most-used SaaS applications. It has recently upgraded its Basic Tier to automate labor-intensive tasks that matter most to security teams. The new tier includes comprehensive shadow IT discovery, policy setting and enforcement, and straightforward employee education about SaaS vendors. Starting at $3,500 per year for smaller organizations, the Basic Tier is a cost-effective entry point into SaaS security, with further upgrades available to cover additional protection scenarios and cut the cost of compliance work.

For organizations that have not yet deployed a full SaaS security solution, a scalable tiering structure offers a simple way to surface risk and show a return on investment quickly. More mature organizations will need the Pro or full Enterprise Tiers to efficiently address and manage all four compliance steps outlined above.
