How to Follow NCSC’s Cloud Security Guidance for SaaS

By partnering with AppOmni, UK organisations can configure their cloud services and secure their SaaS apps with confidence.

By Brandon Romisher, VP of International Sales, AppOmni

SaaS has revolutionised and scaled the way we connect, collaborate, and innovate. But the SaaS landscape is complex, characterised by frequent updates that can change or deprecate security features over time. The lack of universal standards across SaaS apps also widens security gaps that can threaten an organisation’s SaaS security posture.

Cyber attacks have no physical or geographical borders. Two out of every five UK businesses have experienced cybersecurity breaches or attacks in the last two years.

“[Data] shows fewer businesses are using security monitoring tools to identify abnormal activity which could indicate a breach — suggesting firms are less aware than before of the breaches and attacks staff are facing.”

— Cyber Security Breaches Survey, 2021

To improve businesses’ cyber resilience, the UK National Cyber Security Centre (NCSC) recently launched Cloud Security Guidance to provide security and IT teams with pointers on how to configure and use cloud services to meet their security needs. By applying these refreshed principles and enabling a SaaS Security Posture Management solution (SSPM), your organisation should be protected from common cyber attacks.

Let’s explore the main takeaways from the refreshed guidance.

Key Takeaways From NCSC’s Cloud Security Guidance

Since most security incidents can be traced back to misconfigurations and poor authentication, the NCSC puts emphasis on building strong observability — or visibility — and using automation to configure identity and access controls.

The modern enterprise’s endpoint has evolved from a single device on a network into a collection of SaaS apps running on top of a cloud OS. This means security must move to where the applications and data are. However, traditional scanning and monitoring tools like Cloud Access Security Brokers (CASBs) or Secure Web Gateways (SWGs) do not identify or understand the many configuration-related complexities of SaaS.

Each SaaS app today has its own language for system hardening, logging, access controls, API integrations, and SaaS-to-SaaS connections. Manually translating configuration settings and requirements across the hundreds of SaaS apps running within an organisation is an unscalable task for even the most experienced security teams, who are not fluent in native SaaS security features.

Managing one’s SaaS estate cannot solely rest on the shoulders of security and IT teams. Organisations should consider automation capabilities in SSPM to detect and mitigate potential threats before they become major incidents, freeing up security teams to tackle more critical tasks.

4 Ways NCSC’s SaaS Security Guidelines and AppOmni Match Up

NCSC identified a set of security goals and suggested actions to take in order to configure the use of SaaS apps and mitigate the risks posed by common attacks.

We have highlighted 4 of those security goals and the ways an industry-leading SSPM solution like AppOmni can help you configure your cloud services and secure your SaaS apps with confidence.

#1 Robustly authenticate users and manage standard user’s permissions in the application

AppOmni can detect over-permissioned users and apply the principle of least privilege (PoLP), granting only the access required to perform job functions. SaaS apps are a favourite attack point for threat actors, who know they’re often misconfigured and improperly secured. If an attacker succeeds in compromising a user with admin privileges, they can exploit those permissions by moving indiscriminately and laterally to grab any sensitive data associated with that user.

SSPM allows organisations to:

  • Enforce the principle of least-privilege access so that no users are over-provisioned
  • Mandate MFA across all SaaS apps and block or allow certain IP addresses to prevent attackers from infiltrating your network
  • Enforce single sign-on (SSO) to abide by authentication best practices
  • Gain granular visibility into users’ identity and access permissions and detect configuration drift

#2 Manage the use of service identities, including automations, integrations, extensions, or add-ins.

More than 42 SaaS-to-SaaS apps are connected into live SaaS environments. Half of those apps, usually installed by end-users, are left unused after 6 months but still retain the ability to access sensitive data. A single attack on one of these SaaS-to-SaaS connections can jeopardise your entire SaaS estate and increase your risk for data leakage and exposure.

An SSPM solution like AppOmni can identify SaaS-to-SaaS connections with overly permissive roles as well as unused apps that retain access to your data. This comprehensive view into your SaaS stack can help you determine which apps are necessary and unsubscribe from those you no longer need. Doing so can eliminate costly SaaS expenses.

NCSC notes that activities related to these services should be included in your auditing. However, manual SaaS security audits are retroactive in nature and do not provide a proactive security posture or continuous monitoring, which an SSPM solution can provide.

#3 Monitor for security incidents

NCSC recommends using “detection tooling to continuously monitor (or frequently audit) activity logs to increase the chance that you detect unwanted activity.” Security incidents such as sign-ins from unusual IP addresses and changes to a privileged identity, unfolding in rapid succession, often go unnoticed until it’s too late.

Our solution offers out-of-the-box detection rules to identify common cyberattack behaviours and to normalise event logs into a consistent language. This provides security and IT teams with visibility on event streams across your SaaS estate from a single pane of glass. AppOmni can also continuously monitor SaaS policy settings and permissions, automatically delivering alerts when suspicious activity is detected before a significant security incident occurs.
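The following sketch illustrates the pattern described above: events from two apps are normalised into one schema, then a sign-in from an unusual IP address followed shortly by a privilege change is flagged. It is an added example, not AppOmni's or NCSC's code; the log field names, the per-user known-IP baseline, the 10-minute window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events from two hypothetical SaaS apps with different field names.
APP_A = [
    {"ts": "2024-03-01T09:00:00", "actor": "alice", "action": "login", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T09:04:00", "actor": "alice", "action": "role_grant", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T10:00:00", "actor": "bob", "action": "login", "src_ip": "192.0.2.10"},
]
APP_B = [
    {"time": "2024-03-01T11:00:00", "user": "carol", "event": "SignIn", "ip": "203.0.113.5"},
    {"time": "2024-03-01T12:30:00", "user": "carol", "event": "PrivilegeChange", "ip": "203.0.113.5"},
]
# Assumed baseline of IP addresses each user normally signs in from.
KNOWN_IPS = {"alice": {"192.0.2.20"}, "bob": {"192.0.2.10"}, "carol": {"192.0.2.30"}}

# Map each app's native event names onto one shared vocabulary.
KIND = {"login": "sign_in", "SignIn": "sign_in",
        "role_grant": "priv_change", "PrivilegeChange": "priv_change"}

def normalise(event, app):
    """Translate one app-specific record into the common schema."""
    if app == "app_a":
        user, kind, ip, ts = event["actor"], event["action"], event["src_ip"], event["ts"]
    else:
        user, kind, ip, ts = event["user"], event["event"], event["ip"], event["time"]
    return {"app": app, "user": user, "kind": KIND.get(kind, "other"),
            "ip": ip, "ts": datetime.fromisoformat(ts)}

def detect(events, known_ips, window=timedelta(minutes=10)):
    """Flag a privilege change that follows an unusual-IP sign-in within `window`."""
    alerts, last_unusual = [], {}  # (app, user) -> most recent unusual sign-in
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["app"], e["user"])
        if e["kind"] == "sign_in" and e["ip"] not in known_ips.get(e["user"], set()):
            last_unusual[key] = e
        elif e["kind"] == "priv_change" and key in last_unusual:
            sign_in = last_unusual[key]
            if e["ts"] - sign_in["ts"] <= window:
                alerts.append((e["app"], e["user"], sign_in["ip"], e["ts"].isoformat()))
    return alerts

def run_sample(window=timedelta(minutes=10)):
    events = [normalise(e, "app_a") for e in APP_A] + [normalise(e, "app_b") for e in APP_B]
    return detect(events, KNOWN_IPS, window)

if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

With the default window only the first sequence is flagged; the second privilege change comes 90 minutes after its sign-in, which shows how the window length trades missed slow sequences against alert volume.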

#4 Maintain your security posture over time

SaaS providers often update their apps, either to improve features or to showcase new functionality. Although these updates aren’t intended to be harmful, they may change established security features. A minor update could alter a user’s settings and permission scopes, resulting in higher privilege access than intended. But AppOmni continuously scans for configuration drifts that could increase data exposure or introduce a vulnerability.

As NCSC notes, “if the application is no longer meeting your user’s needs, or a more suitable one has been chosen, you should begin the process to retire your use of this application.”

Final Word on NCSC’s Cloud Security Guidance

The NCSC’s Cloud Security Guidance is a welcome addition to improving organisational cyber resilience both in the UK and abroad. Defending an organisation from SaaS threats is a near-impossible feat for security and IT teams to attempt manually. Given the high frequency of both user-side and vendor-side configuration changes, it’s clear that organisations need a better way to secure their SaaS.

Implementing an industry-leading SSPM solution like AppOmni can provide organisations like yours with complete visibility across their SaaS environment and control over user privilege and data access to uphold NCSC’s cloud security guidelines.

Find out how SSPM fortifies your SaaS environment. See AppOmni in action.
