Simplifying SaaS security


Security evidence you need to win deals from financial institutions

As new information security regulations come into effect around the world, the way we do business with regulated industries is changing too. The financial services industry is leading the way in firming up vendor security assurance requirements, moving from self-attestation to providing evidence of the accountability, processes, systems and controls in place.

This means that if you are a supplier or vendor to a bank, an insurance company or a superannuation fund, the cost of doing business has gone up for you. How so?

With the rapid adoption of SaaS solutions across all industries and businesses, the tooling available to assess, report on and uplift an organization’s security posture in a SaaS-first world has not kept up. As a result, the time and effort required to provide evidence that accountability, processes, systems and controls are in place has increased significantly.

Every SaaS is unique in its configuration. Office 365 alone comes with a dozen dashboards and thousands of settings. Understanding user configuration and the differences across multiple SaaS platforms, and then keeping track of unauthorized changes, is crucial to securing data. Most businesses do this manually, if they get to it at all. It is a colossal waste of productive time and resources, and tracking what the changes mean for the organization’s security posture in terms of compliance standards such as GDPR or PCI-DSS is almost impossible.

This is made more complex because most SaaS solutions are managed by business units, without centralized cyber risk oversight. To be clear, at Detexian, we absolutely believe business units procuring and managing their own SaaS solutions is the way forward. Zendesk is better managed by the customer support team than by IT; Salesforce by the sales and marketing department, and so forth. However, centralized cyber risk oversight is required for executives to stay on top of security and compliance risks, especially when things can change without anyone knowing.

One of our customers is ISO 27001 certified and working towards SOC 2 Type II compliance. Until recently, the IT Director had to expend significant effort to gather all the business heads in a room and spend an entire day going through periodic privileged access audits across their SaaS footprint. This was so challenging while their staff base was growing fast that it didn’t get done frequently enough.

Another customer of ours disabled OneDrive sharing for all their users. But when Microsoft released a new version, OneDrive sharing was automatically turned back on, and users then started sharing documents externally. It took a while for IT to realize this, which made it very challenging for them to roll OneDrive sharing back. Refer to our recent post on SaaS risk blind spots for further examples of why this is hard.

“By 2024, 70% of IT organizations will lack the relevant roles, skills and tools to support SaaS-enabled digital transformation.” - Gartner

What security evidence do you need to show to financial institution customers?

Many financial institution customers require third-party vendors to hold some or all of the following certifications, as relevant to the services being provided. Providing these upon request and showing a history of certification gives evidence of systematic testing and compliance, which adds to the vendor’s reputation. Almost all certifications have detailed requirements in the relevant standard and require a third-party auditor

  • to assess compliance against the applicable standard,

  • to prepare a detailed report of any weaknesses or deficiencies, and then

  • to issue a certificate of compliance once remediation work is completed.

For example:

  • PCI Certification - Proof of internal controls for handling credit card information 

  • ISO 27001 - Proof of internal information security management system (ISMS) controls

  • SOC 2 Type II - Proof that ISMS controls are operating as intended

  • Penetration test - Proof that software and systems developed have been robustly tested for software vulnerabilities.

If you do not have a third-party auditor or security specialist, the customer will use an internal assessment team to make a call on whether you are compliant. The “acid test” for the complexity of the assessment is your answer to the following two self-assessment questions:

  1. Do you hold or have regular access to personally identifiable information (PII) of your business customers’ customers?

  2. Do you hold or have regular access to your business customers’ data?

If the answer to either question is yes, it is highly likely your assessment will require submission of proof of compliance.

What can you do to drive down compliance costs and win more deals from financial institution customers?

Automate, automate, automate.

You do not want to audit SaaS platforms manually, one by one, every time. It is a waste of your team’s time and resources. Use Detexian to obtain continuous oversight of:

  1. users’ access and privileges

  2. users’ security configurations

across all the major SaaS platforms your business teams use.

With Detexian, not only do you know who’s got access to which SaaS platforms and with what privileges, you also have an immutable history of changes for audit and incident investigation purposes. The same goes for users’ security configurations such as MFA, SSO, data sharing, and DLP controls.

Your IT team does not need to take back control of SaaS solutions to know what’s going on inside each SaaS in scope or those it is connected with. They can simply add all the SaaS solutions that need to be monitored to the Detexian Portal.

Your IT team can work with the business to negotiate what’s considered essential spending on non-functional security features if the business has to pay extra to acquire these features. For example, if SSO is mandatory but it would cost the business a lot more to get it, the IT team can use Detexian to monitor MFA exceptions.
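As an added illustration, not Detexian’s code or product API, the following Python sketch shows the checks this section describes: comparing a current snapshot of tenant settings against an approved baseline to catch drift such as the OneDrive sharing case above, listing accounts that are covered by neither SSO nor MFA (the MFA exceptions just mentioned), and recording each finding in a hash-chained history so that an edited or dropped entry is detectable. All setting names, user records and values are constructed for the example.

```python
import hashlib
import json

# Constructed baseline of tenant security settings (hypothetical keys, not real product names).
BASELINE = {
    "onedrive.external_sharing": "disabled",
    "tenant.sso_required": True,
    "tenant.mfa_required": True,
}
# Constructed snapshot taken after a vendor update silently re-enabled sharing.
CURRENT = {
    "onedrive.external_sharing": "anyone_with_link",
    "tenant.sso_required": True,
    "tenant.mfa_required": True,
}
# Constructed user records from an app where SSO was not purchased for every seat.
USERS = [
    {"user": "alice@example.com", "sso": True, "mfa": False, "role": "admin"},
    {"user": "bob@example.com", "sso": False, "mfa": False, "role": "member"},
    {"user": "carol@example.com", "sso": False, "mfa": False, "role": "admin"},
]

def config_drift(baseline, current):
    """Settings that departed from the baseline, as {setting: (expected, actual)}."""
    return {k: (v, current.get(k, "<missing>"))
            for k, v in baseline.items() if current.get(k, "<missing>") != v}

def mfa_exceptions(users):
    """Accounts protected by neither SSO nor MFA; privileged accounts come first."""
    ranked = sorted(users, key=lambda u: u["role"] != "admin")  # stable sort: admins first
    return [u["user"] for u in ranked if not u["sso"] and not u["mfa"]]

def append_event(history, event):
    """Append to a hash-chained log; each entry commits to its predecessor's hash."""
    prev = history[-1]["hash"] if history else "0" * 64
    body = prev + json.dumps(event, sort_keys=True)
    history.append({"prev": prev, "event": event, "hash": hashlib.sha256(body.encode()).hexdigest()})
    return history

def verify_history(history):
    """True only if every entry's hash matches its content and its predecessor."""
    prev = "0" * 64
    for e in history:
        body = prev + json.dumps(e["event"], sort_keys=True)
        if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Run `config_drift` and `mfa_exceptions` on each scheduled snapshot and feed every finding through `append_event`; `verify_history` then tells an auditor whether the change record has been tampered with since.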

Establish and enforce baseline security policy for SaaS

With Detexian, you can start your information security management uplift program for SaaS solutions in a workable sequence that supports your organization’s business goals without disrupting the business teams that rely on SaaS solutions for their daily operations. Refer to our blog on "What is a good baseline security policy for SaaS apps" for our recommendations.

Detexian lowers the skill set required for organizations to secure SaaS and stay compliant with changing regulations. Inquire now for a 28-day free trial.

Copyright Detexian 2020. All Rights Reserved.