Recent supply chain cyber-attacks are prompting cyber security regulations in the financial sector to tighten compliance requirements, and other industries are expected to follow. Many companies still don't have efficient methods to manage related time-sensitive SaaS security and compliance tasks. Free SaaS risk assessment tools are an easy and practical way to bring visibility and initial control to SaaS sprawl and Shadow AI. These tools now offer incremental upgrades, helping security professionals meet their company budget or maturity level.
Regulatory pressure, SaaS and AI proliferation, and increased risk of breaches or data leaks through 3rd party apps, make SaaS security one of the hottest areas for practitioners to learn and adopt. New regulations will require robust third-party SaaS risk lifecycle management that begins with SaaS service discovery and third-party risk management (TPRM) and ends with the requirement from CISOs to report incidents in their supply chain within 72 hours. Financial cyber regulations like NY-DFS and DORA rely on similar risk reduction principles despite using different terminologies.
Lessons to Learn from Financial SaaS Security Requirements
Security professionals who understand financial sector cyber compliance requirements are better equipped to manage their SaaS risk and handle various other compliance frameworks. These underlying principles, broadly categorized into four steps, are expected to be replicated across multiple industries. They provide an excellent template for using SaaS safely, which should be learned as a security best practice.
*Mapping of NY-DFS Requirements to Four SaaS Security Steps |
1. Third-Party Discovery and Risk Management (TPRM)
The SaaS security journey starts by identifying and mapping all third-party services used by the organization. These services need to be assessed for their importance to operations and their impact on non-public information (NPI), and they should be compared to a vendor reputation score (an outside-in risk evaluation). While many companies focus only on "sanctioned applications" vetted during the purchasing process, this approach doesn't keep pace with the quick adoption of SaaS and how it is used in organizations. A comprehensive security policy should also cover "shadow IT," which refers to the unsanctioned apps adopted by individual employees, as well as free trials used across different teams. Both types of applications commonly expose NPI and provide backdoor access to the company's most confidential assets.
2. Setting and Enforcing Risk Policies
After assessing risk, security teams need to establish clear policies regarding approved and non-approved SaaS suppliers and the types of data that can be shared with these cloud-hosted services. Streamlined user education is crucial to ensure everyone understands these policies. Continuous enforcement, which has a particular significance in SaaS environments, is also required. The average employee uses 29 different apps, with frequent changes. Many companies still rely on periodic reviews and manual processes that can overlook the enforcement of shadow IT and applications added even minutes after a SaaS audit. It is important to note that CISOs remain accountable for any security incidents related to these late-onboarded or employee-used SaaS applications.
3. Attack Surface Reduction
Next, the focus shifts to attack surface management and reducing the number of approved providers. SaaS Security Posture Management (SSPM) solutions are powerful for this complex yet critical step. This includes hardening the initial configurations of the SaaS apps, with regulatory emphasis on multi-factor authentication (MFA), onboarding, and managing access rights for human and non-human identities through User Access Reviews. Advanced teams also monitor unused tokens and over-permissive applications, and manage information sharing. These aspects are critical to SaaS security but are only partially covered by regulations.
4. Incident Detection and Response
Despite all risk reduction steps, third parties can still experience breaches. Research by Wing revealed that nearly all 500 reviewed companies used at least one breached application in the past year. Financial regulators require CISOs to report supply chain incidents quickly (within 72 hours under NY-DFS and by the next business day under DORA). The interpretation of these requirements still needs to be tested, leaving many CISOs reliant on their suppliers' good practices when reporting events. With a market comprising 350,000 different SaaS applications and the challenges of shadow IT, robust supporting services are necessary for speedy recovery from events and compliance.
SaaS Security for Everyone
Organizations vary in their levels of SaaS security maturity, risk appetites, and investments in security labor and tools. Wing Security offers a free entry-level tool to discover and assess the risk of an organization's most used SaaS applications. They recently updated their entry-level Basic Tier to automate labor-intensive tasks critical for security teams. This new tier includes deep shadow IT discovery, policy setting and enforcement, and seamless workforce education about SaaS suppliers. Starting at $3,500 a year for smaller organizations, the Basic Tier offers a cost-effective entry point into SaaS security, with further upgrades available to enhance more protection use cases and reduce regulatory task costs.
For many companies not yet using full SaaS security solutions, scalable tiering models provide an easy way to uncover risks and quickly show ROI. More advanced organizations will want Pro or full Enterprise Tiers to efficiently address and manage all four of the typical compliance steps detailed above.