This guest post from PwC examines the Biden Administration’s recently released Cybersecurity Strategy and its implications for SaaS security.
On March 1, 2023, the White House announced the new U.S. Cybersecurity Strategy. While this may take some time to fully digest and implement, it’s worth a quick look at this strategy to understand key components.
This article is not intended to be a deep-dive interpretation of, or an implementation guide for, this new strategy. Rather, it looks at the strategy through the lens of the growing reliance on, and proliferation of, SaaS applications across many public sector and private sector entities.
First, let’s review the five pillars the strategy focuses on enhancing and building across the public and private sectors:
- Defend critical infrastructure;
- Disrupt and dismantle threat actors;
- Shape market forces to drive security and resilience;
- Invest in a resilient future; and
- Forge international partnerships to pursue shared goals.
Clearly, these are critical components of addressing cybersecurity risks on a global basis. Each has implications for national security, for how the private sector operates, and for how virtually every citizen in the global economy thinks about their privacy.
Addressing each of these for bespoke, on-premises systems will take a very focused approach for each unique configuration of logical security components (e.g., network, operating systems, applications, data repositories, etc.) and physical security (e.g., facilities, site security, surveillance, etc.). That work falls squarely on those who own these systems, ranging from U.S. government agencies to private sector entities such as public and private companies.
An interesting area that is shared across many public and private sector entities is the “as a service” solutions that are increasingly expanding their footprints. These include Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). With the increased push to leverage these technologies via the internet, it’s evident that focus will need to be placed on cybersecurity in each of these areas.
“The Internet has transformed our world. In a single generation, it has revolutionized the way we innovate, communicate, and share information on a global scale, catalyzing unprecedented advancements in human prosperity, equality, and connectivity. Upon this Internet backbone, we have built a flourishing digital ecosystem, combining systems and technologies with our economies, our societies, and ourselves.
In doing so, the digital ecosystem has come to reflect the values of its architects and its users. Technologies have promoted democracy, free speech, innovation, and equality. But they also have been misused to enable transnational repression and digital authoritarianism; steal data and intellectual property; distribute disinformation; disrupt critical infrastructure; proliferate online harassment, exploitation, and abuse; enable criminals and foster violent extremism; and threaten peace and stability.”
— National Cybersecurity Strategy, March 2023
Much of the new strategy talks about collaboration between the public and private sectors, along with collaboration among nations and international partners. Another key area of collaboration is that between SaaS providers and the organizations (public and private) that use those systems. SaaS applications commonly contain critical business information needed for operations, along with the underlying data; that data is where the “secret sauce” sits and where the highest risks typically lie.
As Brendan O’Connor, CEO and co-founder of AppOmni, noted: “SaaS is the OS of business, and securing that OS is vital. The challenges that we faced with endpoint security, such as what employees are doing and what they’re connected to, are equally concerning for protecting SaaS data. As SaaS environments grow, the exposure to risk escalates considerably.”
This underscores a key principle that SaaS providers and SaaS users have to embrace: a shared responsibility over cybersecurity.
According to Bob Clark, PwC Cyber, Risk & Regulatory Principal: “Shared responsibility is a common principle across all ‘as a service’ cloud-based solutions and in particular SaaS enterprise applications. The concept is rooted in the fact that SaaS providers take cybersecurity seriously and have offerings to protect their user organizations. That said, there are aspects of all SaaS applications that the user organizations will need to configure and address as part of their responsibilities as stewards of the data that resides on SaaS enterprise applications.”
Identifying what the shared responsibilities are between the SaaS provider and user organization will require attention and mapping of the following considerations:
- Key cyber / data risks and mitigation techniques available within the respective SaaS solutions;
- Clear understanding of how the user organization is leveraging the technology;
- Who are the key stakeholders for each risk; and
- What data is being collected, processed, and transferred.
These considerations culminate in one significant and perhaps obvious question: How can the SaaS application be configured to provide confidence that cybersecurity risks are being mitigated?
Understanding how to configure and secure SaaS applications is the crux of this discussion. Each SaaS application offers various ways to protect and defend against cybersecurity risks. The challenge is that each SaaS application will vary based on the considerations mentioned above. Because SaaS solutions do not use a common security framework, your security and IT teams can’t master the security settings for one SaaS platform and easily apply them to another. Monitoring these settings for continued defense presents another challenge.
To manage the risks that SaaS solutions present, an organization needs to put a programmatic process in place to monitor their configuration and security settings across their SaaS solutions. Organizations also require insight into the hundreds, if not thousands, of integrations and connections to their SaaS applications. Threat actors frequently exploit vulnerabilities in connections to enterprise SaaS platforms as a means to exfiltrate highly sensitive data.
“Before customers begin working with us, we find that their security or IT teams have not approved more than half the integrations into their SaaS environment,” O’Connor added. “This creates a tremendous amount of risk as organizations give attackers a ‘side door’ into their most sensitive data. Without proper visibility, guardrails, and automations in place, security teams simply can’t do their jobs effectively.”
As O’Connor notes, the costs of doing this work manually are typically higher than most will accept. A growing number of automated solutions can deliver centralized visibility, unmatched data access management, and security controls to protect data across every type of SaaS application. Some of these solutions are more mature than others, so it’s important to understand the breadth of SaaS applications they can integrate with. But the most common gap in leveraging an automation solution is the technical knowledge required to configure and secure the application and its resident data, since those requirements may change based on how the SaaS application is used. This again points back to the concept of shared responsibility.
To summarize, the new U.S. Cybersecurity Strategy highlights a number of key areas where both the public and private sectors need to collaborate to address cybersecurity risks. As the adoption of “as a service” — in particular, SaaS — applications increases, the collaboration between SaaS providers and user organizations becomes increasingly important in addressing cybersecurity and data risks. Getting to the right mitigation techniques, configuration, and security controls is a key part of that collaboration, and user organizations are responsible for understanding, configuring, and monitoring their SaaS applications.