CIS Controls™ for SaaS – Part 1: Inventories

You are reading the second post in our series on applying CIS Controls™ to SaaS. If you are only joining now, here is what you have missed:

Just as a heads-up before we jump into applying CIS Controls to SaaS, the controls are not addressed in order but rather grouped logically in a way that makes sense for application to SaaS. If you are looking for a specific control, you can use the links in the intro post.

The CIS Controls start off with recommendations to inventory both your hardware and software. However, while SaaS is software, it is software that you only use as a service. Therefore, it makes no sense to apply Control 2 (Inventory and Control of Software Assets) to SaaS. Instead, CIS has a control for service providers which recommends building an inventory of those providers in the same way. As you cannot secure and protect what you do not know you have, we will start off with the control regarding service providers.

Control 15: Service Provider Management

Safeguard 15.1: Establish and Maintain an Inventory of Service Providers

Document what SaaS applications are in use in the organization, who is considered the owner of the application (department and/or person) and what data may be stored in the SaaS. Depending on the jurisdiction you are operating in, you may want to restrict certain sensitive data to SaaS applications which make guarantees about where the data is stored. Furthermore, you may not want to allow sensitive data to be stored in SaaS applications which do not support minimal hygiene (e.g. support effective MFA).

The official CIS guidance suggests reviewing the inventory annually or when significant changes occur. However, in the context of SaaS, changes to the “shadow inventory” occur very frequently (i.e. staff signing up to new SaaS applications without approval). As such, automated monitoring or, failing that, at least quarterly reviews may be necessary to ensure adequate protection of the organization’s data.
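The inventory fields described under Safeguard 15.1 (application, owner, data stored, data residency, MFA support) and the quarterly review cadence argued for above can be checked automatically once the inventory is kept as structured data. The following is an added example, not code from the original post: it holds a constructed three-entry inventory and reports, per service, which policy rules it breaks. The allowed region for sensitive data (EU), the sensitivity classes and the 91-day review interval are assumptions standing in for your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SaasService:
    """One row of the service-provider inventory (Safeguard 15.1)."""
    name: str
    owner_department: str
    owner_person: str
    data_classes: set          # classifications of data the service may hold
    data_regions: set          # regions in which the provider stores that data
    supports_mfa: bool         # can effective MFA be enforced for all users?
    approved: bool             # False for "shadow" services found by discovery
    last_reviewed: date


# Policy parameters (assumptions for this example; adjust to your organization).
ALLOWED_REGIONS_FOR_SENSITIVE = {"EU"}
SENSITIVE_CLASSES = {"confidential", "personal"}
REVIEW_INTERVAL = timedelta(days=91)     # roughly quarterly, as the post suggests


def findings_for(svc, today):
    """Return the list of policy findings for one service (empty = compliant)."""
    findings = []
    holds_sensitive = bool(svc.data_classes & SENSITIVE_CLASSES)
    if not svc.approved:
        findings.append("unapproved (shadow) service")
    if holds_sensitive and not svc.supports_mfa:
        findings.append("sensitive data in a service without effective MFA")
    if holds_sensitive and not svc.data_regions <= ALLOWED_REGIONS_FOR_SENSITIVE:
        outside = ", ".join(sorted(svc.data_regions - ALLOWED_REGIONS_FOR_SENSITIVE))
        findings.append("sensitive data stored outside allowed regions: " + outside)
    if today - svc.last_reviewed > REVIEW_INTERVAL:
        findings.append("review overdue")
    return findings


def audit(inventory, today):
    """Map each service name to its findings so the report can be reviewed or exported."""
    return {svc.name: findings_for(svc, today) for svc in inventory}


# Constructed sample inventory; names, owners, regions and dates are illustrative only.
INVENTORY = [
    SaasService("CRM-Example", "Sales", "A. Example", {"personal", "confidential"},
                {"EU"}, True, True, date(2024, 4, 15)),
    SaasService("NoteTaker-Example", "Marketing", "B. Example", {"personal"},
                {"US"}, False, False, date(2024, 1, 10)),
    SaasService("Wiki-Example", "Engineering", "C. Example", {"internal"},
                {"US", "EU"}, True, True, date(2023, 12, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2024, 6, 1)).items():
        print(name, "->", findings or "OK")
```

Because the checks are pure functions over the inventory rows, the same script can be run on a schedule against an exported spreadsheet or a discovery feed, turning the "at least quarterly" review into a continuous one.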

The further safeguards listed under Control 15 do not fall into implementation group 1 and we will skip over them here.

Control 1: Inventory and Control of Enterprise Assets

As this control applies only to physical assets, it is not relevant to SaaS. However, there is a notable exception to this rule (see below).

Safeguard 1.2: Address Unauthorized Assets

Devices may have access to corporate data in SaaS applications via the device makers’ SaaS bridges. These are applications like “Apple Internet Accounts” or Samsung's “My Files” which allow devices of the respective manufacturer indirect access to corporate data in the SaaS.
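One defender-side way to find such bridges is to review the application consents granted in the identity provider and single out vendor bridge applications that hold scopes reaching mail, files or contacts. The block below is an added example, not from the original post: it runs that triage over a constructed list of consent records. The record layout, the scope names and the name patterns for bridge applications are assumptions; only the two application names come from the text above.

```python
# Constructed sample of consent grants in the shape an identity-provider export
# might have (application display name, user, granted permission scopes). Not real data.
CONSENT_GRANTS = [
    {"app": "Apple Internet Accounts", "user": "alice@example.org",
     "scopes": ["Mail.Read", "Contacts.Read", "Files.ReadWrite"]},
    {"app": "My Files", "user": "bob@example.org",
     "scopes": ["Files.Read"]},
    {"app": "Corporate CRM Connector", "user": "carol@example.org",
     "scopes": ["User.Read"]},
]

# Display-name fragments of the vendor bridge applications named in the post;
# matching on substrings is an assumption, extend the list with what you observe.
BRIDGE_APP_PATTERNS = ("apple internet accounts", "my files")

# Scope prefixes treated as reaching corporate data (assumed naming convention).
DATA_ACCESS_SCOPE_PREFIXES = ("mail.", "files.", "contacts.", "sites.")


def is_bridge_app(app_name):
    """True if the display name looks like a device maker's SaaS bridge."""
    lowered = app_name.lower()
    return any(pattern in lowered for pattern in BRIDGE_APP_PATTERNS)


def data_scopes(scopes):
    """Keep only the scopes that grant access to corporate data."""
    return [s for s in scopes if s.lower().startswith(DATA_ACCESS_SCOPE_PREFIXES)]


def triage(grants):
    """Return bridge-app grants that reach corporate data, for follow-up under 1.2."""
    return [
        {"app": g["app"], "user": g["user"], "data_scopes": data_scopes(g["scopes"])}
        for g in grants
        if is_bridge_app(g["app"]) and data_scopes(g["scopes"])
    ]


if __name__ == "__main__":
    for hit in triage(CONSENT_GRANTS):
        print(f"{hit['user']}: {hit['app']} holds {', '.join(hit['data_scopes'])}")
```

Each hit names the user whose device reaches corporate data indirectly, which is the piece of information needed to decide whether the device is an authorized asset or should be addressed under Safeguard 1.2.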
