The Cloud Security Alliance (CSA) released Software-as-a-Service (SaaS) Governance Best Practices for Cloud Customers. Drafted by the SaaS Governance Working Group, the paper provides a baseline set of SaaS governance best practices for protecting data within SaaS environments, enumerates and considers risks according to the SaaS adoption and usage lifecycles, and finally, provides potential mitigation measures from the SaaS customer's perspective.
The SaaS environment ultimately presents a shift in the way organizations handle cybersecurity, introducing a shared responsibility between producers and consumers. While the domain of cloud adoption and security continues to evolve, little guidance is available on SaaS governance and security. This is despite the reality that, increasingly, different departments within an organization (Shadow IT) are using SaaS offerings to power their critical business processes and functions, often storing sensitive data in SaaS environments.
"SaaS requires a different security governance mindset. Because SaaS apps allow businesses to quickly and easily optimize business operations, adoption has come at the price of security. Few recognize how complex the configuration and permission settings of SaaS apps can be, which results in numerous misconfigurations, giving attackers the potential to access sensitive data," said Amir Ofek, CEO of AxoniusX, the new innovation unit of Axonius, which sponsored the paper. "By following a widely adopted security framework, such as NIST CSF, coupled with the best practices and recommendations in this document, organizations will be able to better establish SaaS governance and security processes to mitigate risk associated with SaaS usage, eliminate misconfigurations, and gain full control over their entire SaaS environment."
"While SaaS offers tremendous opportunities for organizations to change the way they operate, consume innovative capabilities, and offload many of the operational burdens associated with both creating and maintaining applications, it isn't without its concerns. As organizations continue to adopt SaaS-based applications and solutions, traditional organizational cybersecurity must be updated to reflect this new operating model. Failing to do so can increase the potential risk and ramifications of security incidents associated with the consumption of SaaS," said Chris Hughes, co-founder and CISO at Aquia and project lead/lead author of the paper.
The guide defines three necessary components that, when combined into a cohesive strategy, can provide integrated security for SaaS systems and solutions:
- Process security. Protects the integrity of procedural activities to ensure the input and output of processes aren't easily compromised. These are the managerial aspects, including policies and procedures, to ensure that an organization's processes are consistent.
- Platform security. Deals with the security strength of the platform and the underlying dependencies of a SaaS service. These include the SaaS infrastructure, operating systems, and its potential suppliers.
- Application security. Deals with the security of the SaaS application itself. A SaaS application can only stay secure if it does not contain exploitable vulnerabilities and has implemented hardened configurations aligned with organizational and vendor security best practices, as well as compliance requirements.
The Software-as-a-Service (SaaS) Governance Working Group aims to benefit all parties in the SaaS ecosystem by supporting a common understanding of SaaS-related risks from the perspectives of the cloud customer and the cloud service provider. Individuals interested in becoming involved in future research and initiatives are invited to join the working group.