Page 173 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
NIST (National Institute of Standards and Technology)
NIST’s Cybersecurity Framework (CSF) combines a host of approaches to dealing with cyber security
threats, including setting up procedures, training, defining roles, auditing, and monitoring. While it’s true
that much of NIST’s guidance has been geared towards the classic legacy critical infrastructure
security challenge, the CSF, together with the SP 800-53 control catalog that its subcategories map to, can
help organizations better respond to the risks that occur in SaaS-based work environments.
An SSPM solution helps incorporate these recommendations into an organization’s SaaS environment
in an easy-to-use fashion, by taking abstract controls – such as “Network Access to Non-Privileged
Accounts” (SP 800-53 Rev. 4 IA-2(2), which requires multi-factor authentication for those accounts) – and
turning them into tangible configurations that can be monitored and remediated across all SaaS platforms.
The same is true for multi-configuration requirements such as NIST CSF PR.AC-7, which demands not only
identifying how users, devices and other assets are authenticated, but also matching the authentication
strength to the risk of the transaction. Satisfying it requires visibility into authentication methods by user
and device, viewed from a risk perspective, which is the depth an SSPM solution is built to provide.
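To make concrete what “turning a control into a tangible configuration” means, here is an added illustration (not code from the article or from any SSPM vendor) that evaluates a constructed SaaS account inventory against the two controls named above: IA-2(2) flags non-privileged accounts that sign in without multi-factor authentication, and PR.AC-7 flags accounts whose authentication strength is below what the asset’s risk tier demands. The account records, the authentication-strength ranking and the risk-tier thresholds are all assumptions made for the example; a real deployment would pull the records from each platform’s admin API and set the thresholds from its own risk assessment. Privileged accounts fall under the sibling control IA-2(1) and are not checked here.

```python
"""Policy-as-code illustration: NIST IA-2(2) and CSF PR.AC-7 checks over a
SaaS account inventory.  Added example; the inventory, the strength ranking
and the risk thresholds are constructed assumptions, not any product's logic."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Account:
    app: str          # SaaS platform the account lives in
    user: str         # account identifier within that platform
    privileged: bool  # admin/owner role in that platform
    auth: str         # sign-in method reported by the platform
    asset_risk: str   # assumed data-risk tier of the platform: low/moderate/high


# Assumed ranking of authentication methods; anything above 0 counts as MFA.
AUTH_STRENGTH: Dict[str, int] = {
    "password": 0,       # single factor
    "password+otp": 1,   # second factor, phishable
    "fido2": 2,          # phishing-resistant
}

# PR.AC-7: minimum authentication strength per asset-risk tier (assumed policy).
MIN_STRENGTH_FOR_RISK: Dict[str, int] = {"low": 0, "moderate": 1, "high": 2}


def is_mfa(auth: str) -> bool:
    """Any method ranked stronger than a bare password is treated as multi-factor."""
    return AUTH_STRENGTH[auth] >= 1


def check_ia_2_2(acct: Account) -> Optional[str]:
    """SP 800-53 Rev. 4 IA-2(2): MFA for network access to non-privileged accounts.
    Returns a finding string, or None when the account complies."""
    if not acct.privileged and not is_mfa(acct.auth):
        return f"IA-2(2): {acct.app}/{acct.user} non-privileged account without MFA ({acct.auth})"
    return None


def check_pr_ac_7(acct: Account) -> Optional[str]:
    """CSF PR.AC-7: authentication strength commensurate with asset risk."""
    need = MIN_STRENGTH_FOR_RISK[acct.asset_risk]
    have = AUTH_STRENGTH[acct.auth]
    if have < need:
        return (f"PR.AC-7: {acct.app}/{acct.user} uses {acct.auth} (strength {have}) "
                f"for a {acct.asset_risk}-risk asset (needs {need})")
    return None


CHECKS: List[Callable[[Account], Optional[str]]] = [check_ia_2_2, check_pr_ac_7]


def evaluate(inventory: List[Account]) -> List[str]:
    """Run every check over every account; the findings are the remediation queue."""
    findings: List[str] = []
    for acct in inventory:
        for check in CHECKS:
            finding = check(acct)
            if finding:
                findings.append(finding)
    return findings


def findings_by_app(inventory: List[Account]) -> Dict[str, int]:
    """Count findings per platform, the view a posture dashboard would show."""
    counts: Dict[str, int] = {}
    for finding in evaluate(inventory):
        app = finding.split(": ", 1)[1].split("/", 1)[0]
        counts[app] = counts.get(app, 0) + 1
    return counts


# Constructed sample inventory (not real data).
SAMPLE: List[Account] = [
    Account("crm",  "alice", privileged=False, auth="password",     asset_risk="moderate"),
    Account("crm",  "bob",   privileged=True,  auth="fido2",        asset_risk="moderate"),
    Account("hr",   "carol", privileged=False, auth="password+otp", asset_risk="high"),
    Account("wiki", "dave",  privileged=False, auth="password",     asset_risk="low"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE):
        print(line)
    print(findings_by_app(SAMPLE))
```

Alice trips both checks (no MFA, and too weak for a moderate-risk asset), Carol passes IA-2(2) but fails PR.AC-7 because an OTP is not strong enough for a high-risk asset under the assumed policy, and Dave fails IA-2(2) even though the wiki is low-risk, which is exactly the kind of gap a single risk-based rule would miss and a control-by-control evaluation catches.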
SOC 2
Whether a company is public or private, its customers and partners are placing increasing value on SOC 2
compliance. Unlike SOC 1, which centers on internal controls over financial reporting, a SOC 2 report
evaluates an organization’s information systems against the Trust Services Criteria of security,
availability, processing integrity, confidentiality, and privacy. A Type I report assesses the controls at a
point in time; a Type II report assesses their operating effectiveness over a period of time.
When a company undergoes a SOC 2 audit, it must run security checks across its SaaS stack. These checks
will look for misconfigured settings, missing privacy controls, weak or outdated authentication and security
methods, and missing access controls.
Managing SaaS Security Posture
The NIST CSF and SP 800-53 standards, and compliance mandates like SOC 2, each help a
company demonstrate its commitment to security and to protecting data. But adhering to NIST and SOC 2
is far more challenging in the growing world of SaaS.
It requires businesses to demonstrate the ability to continuously monitor security across their entire SaaS
environment, which in many cases is growing at breakneck speed. There is a misconception that achieving
and maintaining compliance in this new realm is the SaaS provider’s responsibility. The reality is a shared
responsibility: the SaaS provider puts the security measures in place, but the responsibility for configuring
and using them correctly falls to the customer and its security team.
This introduces a variety of new challenges. First and foremost, security teams that are already stretched
thin are now burdened with the massive undertaking of knowing every application, user, and configuration,
and ensuring all are compliant with industry and company policies. Just imagine being asked to manage
50,000 users across just five SaaS apps: that is 250,000 per-app identities for the security team to
manage. Further, SaaS environments aren’t static; they are dynamic and continually evolving as