CIS Controls™ for SaaS – Part 4: Data Protection and Recovery

You are reading the third post in our series on applying CIS Controls™ to SaaS. If you are only joining now, here is what you have missed:

While SaaS takes away many controls that you would be responsible for in on-premise and even cloud systems, account and access control management largely remains your domain as the user. As the security of the infrastructure and the software itself lies with the SaaS provider, account and access management becomes your most important responsibility when it comes to essential hygiene.

Control 3: Data Protection

Safeguard 3.1: Establish and Maintain a Data Management Process

As legal frameworks increasingly require you to know what data is stored where, so that it can be disclosed and deleted as those frameworks demand, it is imperative to establish clear guidelines as to what data may be held in which SaaS applications. Furthermore, external sharing of data should be restricted to approved SaaSes.

The acceptable use of SaaS should be documented for all users within the organization and programmatically enforced wherever possible. The official CIS guidance suggests here that you cover “data sensitivity, data owner, handling of data, data retention limits, and disposal requirements” within the context of your organization. It also suggests annual reviews as well as reviews that are triggered by major changes in context.

Safeguard 3.2: Establish and Maintain a Data Inventory

While Safeguard 3.1 establishes acceptable use, this Safeguard is an inventory of actual use. This likely requires an automated process in order for the inventory to stay up-to-date. Ideally, the inventory is structured such that it enables the organization to respond to requests for the data stored about a specific person as is increasingly required by legal frameworks.

The official guidance makes the concession that this inventory may be restricted to sensitive data as the absolute minimum and once again suggests at least annual review prioritizing sensitive data.

Safeguard 3.3: Configure Data Access Control Lists

Applying a least privilege system is as important in SaaS as it is in endpoint, on-premise and cloud systems. No user should have access to any data they do not need access to. This may mean that the use of specific SaaSes is restricted to specific roles and teams within the organization but also that users do not have excessive permissions in the SaaSes they are authorized to use.

Safeguard 3.4: Enforce Data Retention

It is a common pitfall in SaaS usage that data retention and prevention of catastrophic data loss are seen as the SaaS application provider’s obligation. However, while SaaS providers are likely to hold backups for disaster scenarios which fall into their domain (e.g. hardware failure), they are not likely to safeguard your data specifically. Furthermore, any retention of data associated with disabled or deleted user accounts is usually only provided to the extent a contractual agreement requires it. Such contractual agreements may not guarantee sufficient retention to satisfy legal obligations or to allow comprehensive forensic investigation of incidents after the fact.

The official guidance emphasises that “both minimum and maximum timelines” need to be covered.

Safeguard 3.5: Securely Dispose of Data

Wherever SaaS providers allow you to configure data disposal to align with your requirements under applicable law, you may need to make such adjustments. However, some SaaS providers may not be able to meet the requirements imposed on your organization by law and should therefore not be authorized for use.

Control 11: Data Recovery

There is a common misconception that SaaS applications come with extensive backups of the customer data they contain. However, while SaaS providers tend to make provisions for disaster scenarios in which they may lose customer data, they don’t tend to offer per-tenant recovery. As a rule of thumb, if you have full authority over the data, the responsibility to back up that data is also yours.

Safeguard 11.1: Establish and Maintain a Data Recovery Process

The data recovery process should already have been included under Safeguard 3.1 above. The recovery process needs to document recovery scope, priorities and backup security. Like the data management process, the recovery process should be reviewed annually and whenever major changes may require re-alignment.

Safeguard 11.2: Perform Automated Backups

Determine what data you could lose, e.g. through account compromise, ransomware or mere user error, and ensure that this data is backed up automatically and regularly. The minimum backup frequency should be weekly, or more frequent depending on the sensitivity and business value of the data. You may also want to keep a history of backups to be able to recover an earlier state if data corruption is detected with a delay and the latest backup mirrors the same corruption.
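As an added example (not from the original post or from CIS), the following check turns the weekly minimum frequency and backup history from Safeguard 11.2, together with the minimum and maximum retention timelines from Safeguard 3.4, into an automated review of a backup inventory; the snapshot timestamps and the interval and retention thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: timestamps of automated exports for one SaaS tenant.
# These values are made up for this example, not taken from any real system.
SNAPSHOTS = [
    datetime(2024, 1, 1),
    datetime(2024, 1, 8),
    datetime(2024, 1, 15),
    datetime(2024, 2, 5),   # 21-day gap after 15 Jan: breaks the weekly minimum
    datetime(2024, 2, 12),
    datetime(2024, 2, 19),
]
NOW = datetime(2024, 3, 1)  # constructed "current" date for the review


def check_backup_history(snapshots, now, max_interval_days=7,
                         min_retention_days=30, max_retention_days=365):
    """Review a backup history against four requirements:
    - at most max_interval_days between consecutive snapshots (weekly minimum),
    - the latest snapshot is no older than max_interval_days,
    - enough history is kept to recover a state at least min_retention_days back,
    - nothing older than max_retention_days is still retained (disposal is due).
    Returns a list of finding strings; an empty list means the history passes.
    """
    if not snapshots:
        return ["no backups found"]
    findings = []
    ordered = sorted(snapshots)
    max_gap = timedelta(days=max_interval_days)
    # Frequency: every interval between neighbouring snapshots must fit the cap.
    for prev, cur in zip(ordered, ordered[1:]):
        gap = cur - prev
        if gap > max_gap:
            findings.append(f"gap of {gap.days} days between {prev.date()} and {cur.date()}")
    # Staleness: the newest snapshot itself must not have aged past the cap.
    latest_age = now - ordered[-1]
    if latest_age > max_gap:
        findings.append(f"latest backup is {latest_age.days} days old")
    # Minimum timeline: history must reach back far enough to undo late-detected corruption.
    oldest_age = now - ordered[0]
    if oldest_age < timedelta(days=min_retention_days):
        findings.append(f"history only reaches back {oldest_age.days} days")
    # Maximum timeline: snapshots past the retention limit must be disposed of.
    for snap in ordered:
        if now - snap > timedelta(days=max_retention_days):
            findings.append(f"backup from {snap.date()} exceeds maximum retention")
    return findings


if __name__ == "__main__":
    for finding in check_backup_history(SNAPSHOTS, NOW):
        print(finding)
```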

Safeguard 11.3: Protect Recovery Data

As the backups contain data of the same sensitivity as the SaaS application itself, ensure that the protections of the backups match those of the original data, e.g. encryption and data segregation.

Safeguard 11.4: Establish and Maintain an Isolated Instance of Recovery Data

To ensure that backups are highly available, keep more than one copy of your backups. This might mean keeping backups in multiple cloud accounts or both on-premise and in a cloud account. The clearer the separation between the backup locations the better.
