Introduction: What are CIS Critical Security Controls® and Safeguards and how do they apply to Software-as-a-Service (SaaS)?
Welcome to our series of blog posts on how to apply the CIS Controls™ to your SaaS posture. As the controls weren’t specifically written for SaaS applications, not all of them apply to SaaS, and where they do apply it may not always be immediately clear how.
What are the CIS Controls™?
The CIS Controls are named after the Center for Internet Security, which releases them. They are a list of controls which a panel of experts from around the world have put together in order to set a security baseline for all kinds of IT systems. The controls are directly derived from defences developed against real-world attacks.
There are 18 of these controls, a number of which are itemised into so-called Safeguards. The 18 controls as listed on the CIS website are as follows:
Control 2: Inventory and Control of Software Assets
Control 4: Secure Configuration of Enterprise Assets and Software
Control 7: Continuous Vulnerability Management
Control 8: Audit Log Management
Control 9: Email and Web Browser Protections
Control 10: Malware Defenses
Control 12: Network Infrastructure Management
Control 13: Network Monitoring and Defense
Control 16: Application Software Security
Control 17: Incident Response Management
Control 18: Penetration Testing
It is probably already evident from this list that not all of these can be applied to SaaS applications, where a third party controls both the infrastructure and the software stack. However, a number of the controls and safeguards can still be applied to your SaaS applications and help you improve your security posture.
CIS groups the controls into Implementation Groups 1-3 (IG1, IG2 and IG3). The groups build on each other: IG2 assumes IG1 has already been implemented, and IG3 assumes the same for IG2.
IG1 is labelled “essential cyber hygiene”, setting a baseline which CIS considers appropriate for small and medium-sized enterprises that have limited resources and whose main concern is business continuity. The assumption is that the data protected isn’t particularly sensitive and largely pertains to the business’s staff and finances.
IG2 is recommended for slightly more complex business structures which have dedicated IT staff and multiple departments, and which may have some compliance requirements. The main goal here is to avoid loss of public confidence as a result of breaches.
IG3 is meant for organisations that hold very sensitive data, most likely employ information security teams, and are subject to compliance requirements and potentially regulatory oversight. The impact of a breach for such a business is expected to be significant and to affect public welfare.
This series will only address controls and safeguards which fall into IG1. A later series may address IG2 and IG3 to support organisations which have already achieved IG1. The posts are broken up so that each addresses a digestible number of controls and safeguards, skipping over those controls and safeguards that do not apply in the context of SaaS.
For each control and safeguard that applies, the posts summarise the official CIS guidance as it relates to the SaaS context at hand. You can download the complete official guidance from the CIS website.
So, let’s dive into applying these controls to SaaS with Part 1: Inventories.