CIS Controls™ for SaaS – Part 3: Secure and Audit

You are reading the third post in our series on applying CIS Controls™ to SaaS. If you are only joining now, here is what you have missed:

While SaaS takes away many controls that you would be responsible for in on-premise and even cloud systems, account and access control management largely remains your domain as the user. As the security of the infrastructure and the software itself lies with the SaaS provider, account and access management becomes your most important responsibility when it comes to essential hygiene.

Control 4: Secure Configuration of Enterprise Assets and Software

In Part 1 we chose not to treat SaaS as a software asset because CIS clearly assumes that the organization has full control over the software version, deployment, etc. However, when we treated the SaaS applications as service providers, we did not cover configuration to the extent it is often available and necessary in SaaS applications. SaaS applications often ship with a default configuration that leans towards convenience, even to the point of sacrificing essential security hygiene (e.g. not requiring MFA). So, we’ll use Control 4 as a guide to essential security hygiene in SaaS as well. For a limited number of SaaS applications CIS has published a CIS Benchmark, which defines a specific base configuration.

Safeguard 4.1: Establish and Maintain a Secure Configuration Process

Many SaaS applications allow extensive configuration regarding e.g. multi-factor authentication (MFA) enforcement, conditional access rules, temporary privilege escalation, file sharing restrictions, etc. A good configuration takes the user needs into account and balances them against the need for the organization to keep the data secure. Excessive locking down of SaaS applications may be counterproductive, encouraging users to make use of unauthorized SaaS applications to circumvent the excessive controls.

The chosen configuration should be documented and preferably monitored (and possibly also enforced) by an automated process.

Safeguard 4.3: Configure Automatic Session Locking on Enterprise Assets

Wherever possible and practical, persistent sessions should be disabled in SaaS applications or the maximum length of a session limited to no more than 24 hours.

Safeguard 4.6: Securely Manage Enterprise Assets and Software

Avoid SaaS applications where changes to security configurations cannot be audited reliably. Where use of such SaaS applications is unavoidable, keep the approved configuration separate from the SaaS application, regularly determine any deviations, record them and remediate them by resetting the configuration back to the approved settings. If possible, use an automated process to execute this.
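The documented-and-monitored configuration of Safeguard 4.1, the 24-hour session limit of Safeguard 4.3 and the "determine deviations, record them, remediate them" loop of Safeguard 4.6 are one and the same mechanism: a configuration drift check. The script below is an added example, not code from CIS or from any SaaS vendor. It assumes a baseline kept outside the SaaS application as a simple dictionary, a live configuration export in the same key/value shape, and a hypothetical `apply_setting` callback standing in for whatever admin API the provider actually offers; the setting names and the sample live export are constructed for illustration.

```python
"""Configuration drift check for a SaaS tenant (added example, not CIS or vendor code)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Tuple

# Approved baseline, stored outside the SaaS application (Safeguard 4.6).
# Rule kinds: "eq"  -> live value must equal the baseline value
#             "max" -> live value must be <= baseline (upper bound)
#             "min" -> live value must be >= baseline (lower bound)
# Setting names are constructed for this example, not a real product's keys.
BASELINE: Dict[str, Tuple[Any, str]] = {
    "mfa_required": (True, "eq"),              # essential hygiene (Control 4 intro)
    "persistent_sessions": (False, "eq"),      # Safeguard 4.3
    "session_max_hours": (24, "max"),          # Safeguard 4.3: no more than 24 hours
    "external_file_sharing": ("disabled", "eq"),
    "audit_log_retention_days": (365, "min"),  # retention must at least meet policy
}


@dataclass
class Deviation:
    key: str
    rule: str
    expected: Any
    actual: Any  # None when the setting is absent from the live export


def _complies(rule: str, expected: Any, actual: Any) -> bool:
    """A missing setting never complies; otherwise apply the rule kind."""
    if actual is None:
        return False
    if rule == "eq":
        return actual == expected
    if rule == "max":
        return actual <= expected
    if rule == "min":
        return actual >= expected
    raise ValueError(f"unknown rule kind: {rule}")


def check_drift(live: Dict[str, Any], baseline: Dict[str, Tuple[Any, str]] = BASELINE) -> List[Deviation]:
    """Compare the live tenant settings against the approved baseline."""
    deviations: List[Deviation] = []
    for key, (expected, rule) in baseline.items():
        actual = live.get(key)
        if not _complies(rule, expected, actual):
            deviations.append(Deviation(key, rule, expected, actual))
    return deviations


def record_deviations(deviations: List[Deviation]) -> str:
    """Serialize the findings as a JSON record for the change/audit trail."""
    record = {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "deviations": [asdict(d) for d in deviations],
    }
    return json.dumps(record, indent=2)


def remediate(deviations: List[Deviation], apply_setting: Callable[[str, Any], None]) -> List[str]:
    """Reset every deviating setting to its approved value.

    apply_setting is a hypothetical callback that would write one setting through
    the provider's admin API; it is injected so the logic can be exercised offline.
    For bounded rules the baseline bound itself is the value applied.
    """
    reset: List[str] = []
    for d in deviations:
        apply_setting(d.key, d.expected)
        reset.append(d.key)
    return reset


# Constructed sample of a live configuration export (not from any real tenant).
SAMPLE_LIVE: Dict[str, Any] = {
    "mfa_required": False,          # drifted: MFA was switched off
    "persistent_sessions": False,
    "session_max_hours": 72,        # drifted: exceeds the 24-hour limit
    "external_file_sharing": "disabled",
    # audit_log_retention_days is absent on purpose: reported, not silently ignored
}


def run(live: Dict[str, Any]) -> Dict[str, Any]:
    """Detect, record and remediate in one pass; returns a summary for callers."""
    devs = check_drift(live)
    print(record_deviations(devs))
    corrected = dict(live)
    reset = remediate(devs, lambda key, value: corrected.__setitem__(key, value))
    return {
        "deviations": [d.key for d in devs],
        "reset": reset,
        "clean_after": check_drift(corrected) == [],
    }


if __name__ == "__main__":
    print(run(SAMPLE_LIVE))
```

Run on a schedule, this produces the record Safeguard 4.6 asks for and, if the remediation callback is wired to a real admin API, the enforcement Safeguard 4.1 calls optional. Treating an absent setting as a deviation rather than a pass is deliberate: a key that disappears from an export usually means a renamed or retired control, which is exactly when silent drift creeps in.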

Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software

In SaaS applications the root or administrator account is often used as an ordinary user account; conversely, if you don’t use it regularly, it is easy to neglect securing it well and to let it go dormant. Ideally, you want to use it only when performing administrative tasks that require its privileges, but make sure it is well secured and used regularly.

Control 8: Audit Log Management

Safeguard 8.1: Establish and Maintain an Audit Log Management Process

In SaaS there is always an increased risk of assuming that everything is managed on your behalf including all logging and auditing. However, while the SaaS provider will likely take steps to monitor the infrastructure and anything related to deployment, making sure that you log and audit access to your tenant is your responsibility.

The official guidance suggests that, as a minimum, you document how audit logs are collected and reviewed and how long they are retained for. If you already have such documentation for your non-SaaS assets, ensure that your SaaS applications are aligned with the same ruleset. Review the documentation annually or whenever major organizational changes require re-alignment.

Safeguard 8.2: Collect Audit Logs

Some SaaS applications will offer logging and audit functionality as a feature. Check what logging and audit functionality exists in your SaaS application and upgrade your subscription if necessary.

If there is no logging or auditing configuration within the SaaS or it does not provide sufficient functionality or retention, consider an external solution which integrates with the SaaS application and keeps an audit log externally. You may also want to consider such a solution as a way of securing a second copy of logs.

Safeguard 8.3: Ensure Adequate Audit Log Storage

While storage limits aren’t usually an issue in SaaS applications, ensure that any limitations on your subscription do not result in a misalignment with the documented retention rules. If the SaaS application’s storage does not meet your requirements, consider an external logging or log backup solution.
