The National Institute of Standards and Technology (NIST) is one of the leaders in developing cybersecurity practices. Part of the U.S. Department of Commerce, NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public.
NIST's guidance and standards help organizations reduce risk and protect company data. However, NIST has not yet published guidance specific to the SaaS ecosystem. Even without SaaS-specific guidelines, NIST's existing publications shape how businesses tackle the growing challenge of SaaS security.
A good example is NIST's Guide to a Secure Enterprise Network Landscape (SP 800-215). Released in November 2022, the guide examines the shift from on-premises networks to a mix of cloud-hosted services. Although it does not address SaaS applications directly, many of the principles it discusses apply to the SaaS ecosystem.
The three keys
NIST stresses scale: businesses must expand their security tooling to match the volume, velocity, and variety of today's applications. Next, the tools must integrate with every SaaS application in use. This is critical to achieving coverage of the complete SaaS ecosystem rather than only the applications the security team already knows about.
NIST's last key is automation, particularly for monitoring applications. A business running a SaaS ecosystem must ensure that the configuration of every application, and of every user account with access to it, is secure. That cannot be done by hand: a typical large enterprise has hundreds of applications and hundreds of thousands of configuration settings to secure, and reviewing them manually is an impossible task.
SaaS security tools integrate with each application through its API, monitor its configuration, and can quickly identify "drift": settings that move away from the approved baseline over time, whether through an administrator's change or a new option that ships enabled by default. Drift opens new gaps in security that attackers can exploit. The right tools provide continuous monitoring and raise an alert when a new risk is identified.
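As an added example (not code from the article or from any SSPM product), here is a small drift detector in Python. It assumes the application's admin API returns a settings object that can be snapshotted and compared with an approved baseline; the setting names, the baseline, and the "live" snapshot are all constructed for illustration and do not correspond to any real application's schema.

```python
"""Configuration drift detection for a SaaS tenant.

Added example, not code from the original article or from any vendor. Setting
names (auth.mfa_required, sharing.external_links_allowed, ...) are assumed for
illustration; a real application's admin API will expose different keys.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Settings whose change is treated as high severity (assumed names).
HIGH_RISK_KEYS = {
    "auth.mfa_required",
    "auth.session_timeout_minutes",
    "sharing.external_links_allowed",
    "admin.api_tokens_never_expire",
}


@dataclass(frozen=True)
class Drift:
    key: str
    baseline: Any
    current: Any
    severity: str  # "high" or "low"


def flatten(config: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten a nested settings dict into dotted keys so every leaf can be diffed."""
    flat: Dict[str, Any] = {}
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def detect_drift(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[Drift]:
    """Return every setting that differs from the approved baseline.

    A key missing from the current snapshot is reported as drift too: a setting
    that silently disappeared is a gap to investigate, not a match.
    """
    base_flat, cur_flat = flatten(baseline), flatten(current)
    drifts: List[Drift] = []
    for key in sorted(set(base_flat) | set(cur_flat)):
        before = base_flat.get(key, "<missing>")
        after = cur_flat.get(key, "<missing>")
        if before != after:
            severity = "high" if key in HIGH_RISK_KEYS else "low"
            drifts.append(Drift(key, before, after, severity))
    return drifts


def high_severity_drift(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[str]:
    """Keys of high-severity drift only; this is what should page someone."""
    return [d.key for d in detect_drift(baseline, current) if d.severity == "high"]


# Constructed baseline: the reviewed, approved state of the tenant.
BASELINE = {
    "auth": {"mfa_required": True, "session_timeout_minutes": 30},
    "sharing": {"external_links_allowed": False, "default_link_scope": "org"},
    "admin": {"api_tokens_never_expire": False},
    "ui": {"theme": "light"},
}

# Constructed live snapshot: an admin relaxed two security settings and one
# cosmetic one. ui.theme is drift but not a security finding.
CURRENT = {
    "auth": {"mfa_required": False, "session_timeout_minutes": 30},
    "sharing": {"external_links_allowed": True, "default_link_scope": "org"},
    "admin": {"api_tokens_never_expire": False},
    "ui": {"theme": "dark"},
}

if __name__ == "__main__":
    for d in detect_drift(BASELINE, CURRENT):
        print(f"[{d.severity.upper()}] {d.key}: {d.baseline!r} -> {d.current!r}")
```

In practice the snapshot is taken on a schedule from the application's API and the baseline lives in version control, so every drift alert can be traced to either an approved change (update the baseline) or an unapproved one (revert it). The severity list is the part worth arguing about with the application's owners: a cosmetic change should not page anyone, but MFA being switched off should.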
NIST also stresses the need for enhanced threat detection and prevention. In SaaS security, contextual data is key to identifying threats, especially those from humans and machines operating with valid credentials, where the login itself looks legitimate. Here's why.
Contextual data can expose impossible travel (a user signing in from two locations too far apart for the time between the logins) or a spike in failed authentication attempts against many different accounts from the same IP address. The latter is the signature of password spraying, where automated tools test a few weak or common passwords against a list of known usernames, keeping the failures per account low enough to avoid lockout. The same contextual view, applied to OAuth grants, reveals third-party applications that are malicious or that hold far more permission than their function requires.
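The two detections described above, as an added example in Python (not code from the article or from any SSPM product). It assumes the SaaS application's audit log, or the IdP's, yields sign-in events with a timestamp, user, source IP, outcome, and a geolocation attached by an enrichment step; the log lines are constructed so the script runs offline, and the thresholds are starting points an analyst would tune.

```python
"""Context-aware detection over SaaS sign-in events.

Added example; not code from the article or any vendor. Log format, IPs,
coordinates and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

Event = Dict[str, object]


def parse(line: str) -> Event:
    """Parse one constructed log line: ISO time, user, ip, outcome, lat, lon."""
    ts, user, ip, outcome, lat, lon = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "outcome": outcome, "lat": float(lat), "lon": float(lon)}


def detect_password_spray(events: List[Event], window: timedelta,
                          min_accounts: int) -> List[Tuple[str, int]]:
    """Flag source IPs whose failures hit many *distinct* accounts inside the window.

    A spray tries one or two passwords across many usernames, so each account
    sees only a failure or two (below lockout); only the per-IP, cross-account
    view reveals it.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAIL":
            by_ip[e["ip"]].append(e)
    flagged: List[Tuple[str, int]] = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(fails):  # slide the window over each failure
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            best = max(best, len({e["user"] for e in in_window}))
        if best >= min_accounts:
            flagged.append((ip, best))
    return flagged


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events: List[Event], max_kmh: float) -> List[Tuple[str, float]]:
    """Flag users whose consecutive successful sign-ins imply travel faster than max_kmh."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e["outcome"] == "SUCCESS":
            by_user[e["user"]].append(e)
    flagged: List[Tuple[str, float]] = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < 1.0:  # same place: nothing to judge
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flagged.append((user, speed))
                break  # one alert per user is enough
    return flagged


# Constructed sample: a spray from 203.0.113.7 (five accounts in 20 seconds),
# then alice "in" London and Singapore 45 minutes apart, and bob mistyping his
# own password twice from one place (benign).
LOG = """\
2024-03-04T09:00:00 alice 203.0.113.7 FAIL 40.71 -74.01
2024-03-04T09:00:05 bob 203.0.113.7 FAIL 40.71 -74.01
2024-03-04T09:00:11 carol 203.0.113.7 FAIL 40.71 -74.01
2024-03-04T09:00:15 dave 203.0.113.7 FAIL 40.71 -74.01
2024-03-04T09:00:20 erin 203.0.113.7 FAIL 40.71 -74.01
2024-03-04T10:00:00 alice 198.51.100.20 SUCCESS 51.51 -0.13
2024-03-04T10:45:00 alice 192.0.2.9 SUCCESS 1.35 103.82
2024-03-04T11:00:00 bob 198.51.100.21 FAIL 48.86 2.35
2024-03-04T11:20:00 bob 198.51.100.21 FAIL 48.86 2.35
2024-03-04T11:30:00 bob 198.51.100.21 SUCCESS 48.86 2.35
"""


def analyze(log_text: str) -> Dict[str, list]:
    """Run both detections with thresholds an analyst might start from."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return {"spray": detect_password_spray(events, timedelta(minutes=5), 5),
            "travel": detect_impossible_travel(events, max_kmh=1000.0)}


if __name__ == "__main__":
    for kind, hits in analyze(LOG).items():
        print(kind, hits)
```

Note what each detection needs that a single application's failed-login counter does not have: the spray detector keys on the source IP across accounts, and the travel detector keys on the user across source locations. Neither would fire on bob's two failures, which is the point; the contextual view separates a user who forgot a password from an attacker working through a username list.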
The new perimeter
NIST recognizes the limits of network-perimeter protection. Today's SaaS perimeter is the combination of employee devices and user credentials. Securing SaaS applications therefore requires SaaS security tools that integrate with endpoint security products, so the security team is notified when a SaaS application is accessed from a low-hygiene device. The team can then work with the device owner to bring the device up to the required standard, for example by fully updating the operating system and software so that the necessary patches are installed.
Beyond devices, SaaS security requires securing user credentials. A compromised identity gives a threat actor easy entry and immediate access to the business's data.
This is where a zero-trust approach comes in. Zero trust must apply to every user and every access request. Ideally, access is granted through single sign-on integrated with an enterprise-managed identity provider (IdP), which gives the business one place to control all employee accounts and one place to disable them. A final measure is to enforce a strong, phishing-resistant MFA authenticator, such as a FIDO2/WebAuthn security key, which resists the credential-harvesting and adversary-in-the-middle proxy pages that modern phishing campaigns rely on, because the authenticator's response is bound to the genuine site's origin.
The capabilities outlined in this article are found in SaaS Security Posture Management (SSPM) platforms, which combine security checks with configuration management to help protect businesses in the new and expanding world of SaaS. This is no coincidence: those capabilities map directly to the NIST recommendations above and let organizations secure their growing SaaS ecosystems with solutions that identify threats and build a stronger security posture.