How has your Information Security Policy coped with the rise of SaaS solutions?

2020/01/17

According to McKinsey & Co 1, the “next normal” established during the COVID-19 pandemic will accelerate the footprint of SaaS.

SaaS has now reached at least 20% of penetration in all industries. Even for late adopters such as governments, more than one-fifth of all software spending now goes to SaaS. The “next normal” established during the COVID-19 pandemic will accelerate the footprint of SaaS, given the growth of remote working, the rapid deployment of digital solutions, and the lower up-front costs. With more business users switching to SaaS products, now would be a time for organizations to consider:

Have our Information Security Policy and Standards stood the test of time, are they appropriate for SaaS solutions?

Technical staff are often prompted or have KPI’s to update the low level procedures but many companies forget that policies and standards are living artifacts that need to be reviewed and updated to ensure that they’re in line with the risk appetite and changing operating environment. Example:

  • Policy: Security policy requires all users to have named user accounts.
  • Standard: Access management standard (from 2012) specifies Active Directory accounts with a UserID format of Domain/ABC1234.
  • Procedure: Account provisioning procedure creates ServiceNow accounts with email address as the UserID.

The access management standard above is incompatible with most modern SaaS solutions and needs to be updated to reflect the changing operating environment.

Under ISO 27001, an organization is required to have an active Information Security program, which includes actively reviewing and updating your policies.

We’re seeing more organizations undertaking work to extend their Information Security Policy and Standards to include SaaS. But knowing what controls are applicable and implementing them is getting more challenging because many SaaS platforms are not centrally procured and managed by IT, but instead owned and managed within business units.

For example, Zendesk is usually owned by the customer support team and is much better managed by customer support staff than IT. However, with a high staff turnover that often involves external contractors working on different shifts and access to a lot of customer data, Zendesk is a perfect recipe for a security breach. How do you ensure basic security controls such as MFA and SSO are continuously enforced? How do you keep track of privileged access changes? Identification of who has privileged access with and without MFA can be done by point in time audits, but monitoring for changes requires significant manual effort.

How can Detexian help review and confirm your Information Security Policy and Standards are relevant and applicable?

Use Detexian to identify and automate standards compliance:

  • Privileged access
  • User identity configuration
  • Security configuration

for all the major SaaS platforms your business teams use.

You can identify SaaS risk blind spots in minutes of onboarding a SaaS solution to the Detexian Portal, starting with the full list of Privileged Users and Highly Privileged Users and critical security misconfigurations associated with these users such as disabled MFA, non-federation, excessive privileges. You will also have an immutable history of changes for audit and incident investigation purposes should you choose to use Detexian for ongoing security posture management.

Following that, you can work with the business unit heads and SaaS Highly Privileged Users to understand the criticality and sensitivity of data stored in each SaaS and classify the data. Detexian can then help recommend what security controls be reviewed and updated in your policies, that are commensurate with data classification in accordance with best practice standards and applicable regulatory / compliance frameworks (e.g. NIST SP 800-53, ISO 27001, SOC 2 Type 2). Detexian can also provide you with continuous control assessment and reporting capabilities.

With Detexian, you can review and update your Information Management Security Policy and Standards to accommodate the rise of SaaS solutions in a workable sequence that supports your organizations’ business goals without disrupting the business teams which rely on SaaS solutions for their daily operations.

1 “The next software disruption: How vendors must adapt to a new era

Secure what you can't see in the cloud

info@detexian.com
710 Collins Street
Melbourne VIC 3008
Australia
 
9848 Mercy Rd #2
San Diego 92129
USA

Get the latest information about SaaS security misconfigurations

Copyright Detexian 2020 All Rights ReservedTerms & ConditionsPrivacy Policy