What UK companies need to know about shared responsibilities for SaaS security
As part of the latest update to Cyber Essentials, the National Cyber Security Centre (NCSC) has published version 3.1 of its Requirements for IT Infrastructure. This update brings cloud services (including SaaS) into scope, emphasizing that securing these services is part of an organization’s overall cybersecurity strategy.
For background, Cyber Essentials is a UK government-backed scheme overseen by the NCSC to help organizations demonstrate operational security against common cyber attacks. It also includes an assurance framework and a set of security controls to protect data from internet-related threats.
This article discusses the critical role of SaaS security posture management (SSPM) and continuous controls monitoring in addressing these new requirements. As a CISO or cybersecurity architect, your role in ensuring compliance with the latest guidelines is essential for the safety of your organization’s data.
The New Cloud Services Requirement
According to the latest requirements, organizations that use cloud services to host their data or services must now include those services in the scope of their Cyber Essentials assessment. The applicant organization remains responsible for ensuring the necessary controls are implemented, but how that responsibility is divided with the provider differs by cloud service model:
- Infrastructure-as-a-Service (IaaS) — The cloud service provides virtual servers, and your organization configures and manages them. Examples of IaaS include Amazon Web Services, Rackspace, or Google Compute Engine.
- Platform-as-a-Service (PaaS) — The cloud service delivers and manages the underlying infrastructure, and your organization provides and manages the applications. Examples of PaaS include Azure Web Apps, Heroku, or Red Hat OpenShift.
- Software-as-a-Service (SaaS) — The cloud provider delivers the applications, and your organization must ensure that each service is configured securely. Examples of SaaS include Microsoft 365, Dropbox, or GitHub.
Cloud security posture management (CSPM) tools like Wiz can identify cloud network misconfigurations in IaaS environments and secure data stored in PaaS. However, CSPM isn’t equipped to handle the evolving cyber risks that SaaS applications and SaaS-to-SaaS connections present: it is limited to the data stored and used exclusively in your own cloud architecture. Organizations that deploy standard and custom cloud applications and store sensitive data in public cloud environments need more than just CSPM.
Additionally, legacy Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) solutions can inspect network traffic flowing through their proxy, but SaaS apps are often accessed from non-corporate networks, and SaaS-to-SaaS connections never pass through the proxy at all, so they cannot monitor that connectivity. They generally provide only an “outside in” view of a SaaS app.
Shared Responsibility for SaaS Security: What to Know
SaaS has become the de facto IT operating system for the modern enterprise, where critical data and workflows are hosted across 500 to 1,000 apps. Additionally, with over 2 million freelancers in the UK and many providing business support, third-party access to company systems will continue to rise.
Security and IT teams currently lack visibility and control over SaaS apps. These may appear secure on the surface, but their settings undergo daily changes such as:
- Users being added to or removed from systems, sometimes with improper access privileges
- Vendor updates to features and/or configurations
- New SaaS-to-SaaS connections (e.g., DocuSign connecting to Salesforce)
But which SaaS apps are still active or dormant? What kind of permissions do they have? Is there a full inventory of all SaaS apps, including those installed by users?
While most organizations have policies to perform vendor risk assessments, many fail to implement controls that monitor their own part of the SaaS shared responsibility model. Cloud providers are responsible for areas such as securing against malware and maintaining firewalls, but end-user organizations, alongside the providers, must secure configurations and identity and access controls.
Meeting both of these responsibilities demands a security solution dedicated to protecting SaaS apps and SaaS-to-SaaS connections, just as cloud environments require a dedicated cloud security solution.
The Need for SaaS Security Posture Management (SSPM)
Enterprise SaaS apps include complex configuration settings with no universal standards, which are a frequent source of cyber risk and security gaps.
While secure configurations and least privilege access are essential, they are only some of the components of a comprehensive SaaS security program. Only a robust SaaS Security Posture Management (SSPM) solution like AppOmni can help you understand the level of risk that business-critical SaaS apps pose to your organization.
AppOmni was founded to provide a comprehensive view of any organization’s security posture and significantly improve the efficiency of their security team. To fully protect your SaaS data, an SSPM solution should provide:
- Extensive and ever-growing coverage for SaaS apps
- Continuous monitoring of users’ roles, permissions, and access
- Visibility into SaaS-to-SaaS connections throughout your SaaS environment
- Application-specific threat detection capabilities that limit the reach of security incidents
- Best practices to meet compliance with the latest NCSC requirements and other relevant regulations
Continuous Controls Monitoring: A Must for SaaS Security
To properly address NCSC’s latest requirement, organizations must be ready to regularly evaluate and verify the relevant settings in their SaaS apps and systems. These settings span categories such as authentication, encryption, XSS settings, data access, sensitive permission assignments, cloud-to-cloud connections, and more. Continuous controls monitoring allows organizations to:
- Detect and respond to critical controls misconfigurations quickly
- Build a SaaS security program that assigns responsibilities across Security, SaaS App Teams, and the SOC
- Demonstrate compliance with the NCSC’s Cyber Essentials Requirements and other regulatory standards
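As an added illustration (not AppOmni’s code or a product feature), the following Python check shows what a scheduled continuous-controls evaluation looks like for three of the categories above: authentication, privilege assignments, and SaaS-to-SaaS connections. The baseline, the tenant snapshot, and the app names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    control: str   # category from the article: auth, privileges, connections
    subject: str   # tenant setting, user list, or connected app concerned
    detail: str

# Constructed baseline: the customer's half of the shared-responsibility model.
BASELINE = {
    "mfa_required": True,
    "max_admins": 3,
    "approved_apps": {"DocuSign"},
    "allowed_scopes": {"read:contacts", "read:documents"},
    "dormant_after_days": 90,
}

def evaluate(snapshot: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one configuration snapshot against the baseline; return drift."""
    findings: list[Finding] = []
    # Authentication: MFA enforcement must not have been switched off.
    if snapshot["auth"].get("mfa_required") != baseline["mfa_required"]:
        findings.append(Finding("auth", "mfa_required", "MFA enforcement disabled"))
    # Privileges: admin head count above the agreed ceiling.
    admins = [u["name"] for u in snapshot["users"] if u["role"] == "admin"]
    if len(admins) > baseline["max_admins"]:
        findings.append(Finding("privileges", ",".join(admins),
                                f"{len(admins)} admins exceeds limit {baseline['max_admins']}"))
    # SaaS-to-SaaS connections: unapproved apps, excess scopes, dormant grants.
    for app in snapshot["connected_apps"]:
        if app["name"] not in baseline["approved_apps"]:
            findings.append(Finding("connections", app["name"], "app not on approved list"))
        extra = app["scopes"] - baseline["allowed_scopes"]
        if extra:
            findings.append(Finding("connections", app["name"], f"excess scopes {sorted(extra)}"))
        if app["last_used_days"] > baseline["dormant_after_days"]:
            findings.append(Finding("connections", app["name"], "dormant grant still active"))
    return findings

# Constructed snapshot of a tenant after a day of unnoticed drift.
SNAPSHOT = {
    "auth": {"mfa_required": False},
    "users": [{"name": n, "role": "admin"} for n in ("alice", "bob", "carol", "dave")],
    "connected_apps": [
        {"name": "DocuSign", "scopes": {"read:documents"}, "last_used_days": 3},
        {"name": "Unknown-Sync", "scopes": {"read:contacts", "write:all"}, "last_used_days": 200},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SNAPSHOT):
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Run on a schedule, the returned findings can be routed to the team that owns each control (Security, the SaaS app team, or the SOC), which is the responsibility split the list above describes.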
The new Cyber Essentials guidelines demand a comprehensive security program that offers visibility, continuous monitoring, and control over an entire SaaS estate. By implementing a robust SSPM solution like AppOmni, end-user organizations can effectively mitigate the current and anticipated risks associated with SaaS, alleviate security teams from alert fatigue, and stay ahead of the ever-evolving threat landscape.