Page 173 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

NIST (National Institute of Standards and Technology)

            NIST’s Cybersecurity Framework (CSF) combines a host of approaches to dealing with cyber security
            threats, including setting up procedures, training, defining roles, auditing, and monitoring. While much
            of NIST’s guidance has historically been geared toward the classic critical-infrastructure security
            challenge, the CSF, together with the SP 800-53 control catalog its subcategories map to, can help
            organizations respond to the risks that arise in SaaS-based work environments.

            An SSPM solution helps incorporate these recommendations into an organization’s SaaS environment
            in a usable fashion, by taking controls such as “Network Access to Non-Privileged Accounts” (SP 800-53
            Rev. 4 IA-2(2), which requires multi-factor authentication for those accounts; Rev. 5 retitles the
            enhancement “Multi-factor Authentication to Non-privileged Accounts”) and turning them into concrete
            configuration checks that can be monitored and remediated across all SaaS platforms. The same is true
            for multi-configuration requirements such as NIST CSF PR.AC-7, which requires not only identifying the
            authentication method in use but also matching it to the risk of the asset or transaction. Only an
            SSPM solution with that depth of visibility can report authentication methods by user and device from
            a risk perspective.
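As an added example (not code from the page, and not any vendor’s SSPM product), the two controls named above can be expressed as checks over an identity export pulled from several SaaS apps. The app names, risk tiers, factor-strength scale and the six sample identities are constructed assumptions. The example goes slightly beyond the text in two ways: it also covers the privileged-account sibling control, IA-2(1), and it treats a second factor that a user has enrolled but that the app does not enforce as no second factor at all, since password-only sign-in is still accepted.

```python
"""Turn two named controls into per-identity configuration checks.

Added example, not code from the page or from any SSPM product. The
identity records, app names, risk tiers, and factor-strength scale below
are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Relative strength of sign-in factors, weakest to strongest (assumed scale).
AUTH_STRENGTH = {"password": 0, "sms_otp": 1, "totp": 2, "fido2": 3}

# PR.AC-7 policy: minimum factor strength commensurate with the risk of the
# asset (here, the app). Tiers and thresholds are assumptions for this example.
MIN_STRENGTH_BY_RISK = {"low": 0, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Identity:
    app: str
    user: str
    privileged: bool
    enrolled: frozenset   # factors the user has enrolled
    mfa_enforced: bool    # app actually requires a second factor at sign-in


@dataclass(frozen=True)
class Finding:
    control: str
    app: str
    user: str
    detail: str


def effective_strength(ident):
    """Strength of the factor an attacker must actually defeat.

    A factor that is enrolled but not enforced buys nothing: the app still
    accepts password-only sign-in, so the effective strength is that of a
    password. This enrolled-vs-enforced gap is what a posture check must catch.
    """
    if not ident.mfa_enforced:
        return AUTH_STRENGTH["password"]
    return max((AUTH_STRENGTH[f] for f in ident.enrolled), default=0)


def check_ia2(ident):
    """SP 800-53 Rev. 4 IA-2(1)/(2): MFA for network access to privileged /
    non-privileged accounts. A second factor must be enforced, not just enrolled."""
    if effective_strength(ident) > AUTH_STRENGTH["password"]:
        return None
    if ident.privileged:
        return Finding("IA-2(1)", ident.app, ident.user,
                       "privileged account without enforced MFA")
    return Finding("IA-2(2)", ident.app, ident.user,
                   "non-privileged account without enforced MFA")


def check_pr_ac_7(ident, app_risk):
    """CSF v1.1 PR.AC-7: authentication commensurate with the risk of the
    transaction. Here the risk tier is attached to the app the identity lives in."""
    tier = app_risk[ident.app]
    required = MIN_STRENGTH_BY_RISK[tier]
    actual = effective_strength(ident)
    if actual < required:
        return Finding("PR.AC-7", ident.app, ident.user,
                       f"effective strength {actual} below {required} required for {tier}-risk app")
    return None


def evaluate(identities, app_risk):
    """Run every check over every identity; one configuration can fail several controls."""
    findings = []
    for ident in identities:
        for finding in (check_ia2(ident), check_pr_ac_7(ident, app_risk)):
            if finding is not None:
                findings.append(finding)
    return findings


def count_by_control(findings):
    """Roll-up that stays readable when the input is 250,000 identities, not six."""
    return dict(Counter(f.control for f in findings))


# Constructed sample export: six identities across three apps (assumed data).
APP_RISK = {"crm": "high", "wiki": "low", "hr": "moderate"}
SAMPLE_IDENTITIES = [
    Identity("crm", "alice", True, frozenset({"password", "fido2"}), True),
    Identity("crm", "bob", False, frozenset({"password", "totp"}), True),
    Identity("crm", "carol", False, frozenset({"password", "totp"}), False),
    Identity("wiki", "dave", False, frozenset({"password"}), False),
    Identity("hr", "erin", True, frozenset({"password"}), False),
    Identity("hr", "frank", False, frozenset({"password", "sms_otp"}), True),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_IDENTITIES, APP_RISK)
    for f in results:
        print(f"{f.control:8} {f.app:5} {f.user:6} {f.detail}")
    print(count_by_control(results))
```

Two of the sample identities show why a single check per control is not enough. Carol has TOTP enrolled on the high-risk app, yet because the app does not enforce it she fails both IA-2(2) and PR.AC-7; an inventory that only asked “is MFA enrolled?” would have passed her. Dave, password-only on the low-risk wiki, passes PR.AC-7 under the assumed thresholds but still fails IA-2(2), which requires MFA for non-privileged accounts regardless of asset risk; when two frameworks disagree the stricter control is the one to remediate.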




            SOC 2

            Whether a company is public or private, its customers and partners are placing increasing value on
            SOC 2 compliance. Unlike SOC 1, which centers on internal controls over financial reporting, a SOC 2
            report evaluates an organization’s information systems against the Trust Services Criteria of security,
            availability, processing integrity, confidentiality, and privacy. A Type II report does so over a period
            of time, whereas a Type I report covers the design of controls at a point in time.

            When a company undergoes a SOC 2 audit, it must run security checks across its SaaS stack. These
            checks look for misconfigured settings, missing privacy controls, outdated authentication and security
            methods, and missing access controls.



            Managing SaaS Security Posture

            The NIST CSF and SP 800-53 standards, and compliance mandates like SOC 2, each help a company
            demonstrate its commitment to security and to protecting data. But adhering to NIST and SOC 2 is far
            more challenging in the growing world of SaaS.

            It requires businesses to demonstrate the ability to continuously monitor security across their entire
            SaaS environment, which in many organizations is growing at breakneck speed. There is a misconception
            that achieving and maintaining compliance in this new realm is the SaaS provider’s responsibility. The
            reality is that while SaaS providers put the necessary security controls in place, the responsibility
            for configuring and using them falls to the customer and its security team, as in any shared-responsibility
            model.

            This introduces a variety of new challenges. First and foremost, security teams that are already
            stretched thin are now burdened with the massive undertaking of knowing every application, user, and
            configuration and ensuring all comply with industry and company policies. Imagine being asked to
            manage 50,000 users across just five SaaS apps: because each user has a separate account in each app,
            that is 250,000 identities for the security team to manage. Further, SaaS environments aren’t static;
            they are dynamic and continually evolving as




