The Cybersecurity Executive Order 2021: What It Means for Cloud and SaaS Security

Eliana Vuijsje, Marketing Director

In response to malicious actors targeting US federal IT systems and their supply chain, the President released the “Executive Order on Improving the Nation’s Cybersecurity (Executive Order).” Although directed at Federal departments and agencies, the Executive Order will likely have a ripple effect through the Federal technology supply stream. Private companies and enterprises will look to the Executive Order to build their best practices. At a high level, the Executive Order includes information sharing requirements, a push toward cloud and Zero Trust architectures, and enhancing transparency throughout the software supply chain.

Understanding the fundamentals of the White House Executive Order on Improving the Nation’s Cybersecurity

The bulk of the Executive Order focuses on administrative tasks associated with it, including redefining contract language, setting timelines, and defining agency roles and responsibilities. For enterprises that don’t supply technology to the federal government, the Executive Order may feel unimportant. In reality, several of the basic tenets could be used by companies operating outside the federal IT supply chain, including:

What the Executive Order Says

The text of the Executive Order is long and comes with all the regulatory jargon associated with a law. Breaking it down into bite size chunks gives a good overview, though.

Better information sharing

The short, succinct point of this one is that “everyone needs to play nicely and stop hiding behind contracts.” In a nutshell, the Executive Order looks to create a more meaningful information sharing opportunity for agencies and vendors when threat actors find and exploit a vulnerability.

Move to cloud and create Zero Trust Architecture

Although this one mostly speaks for itself, the requirements in the Executive Order created a bit of a panic across the federal space because a lot of the timelines are super short. For example, within 60 days, federal agencies need to:

Finally, within 180 days, they all need to adopt multi-factor authentication (MFA) and encryption both at-rest and in-transit. With agencies adopting Software-as-a-Service (SaaS) applications to modernize their IT stacks, identity and access control configurations, including multi-factor authentication, act as a primary risk mitigation strategy.

Secure the supply chain

Without even needing to list the recent supply chain hacks and breaches, this is the least surprising of all the requirements. Surprising very few people, this section includes several key bullet points:

What the Executive Order Means for Enterprises

For agencies, this is going to take a bit of work. For enterprises, this is likely a harbinger of things to come.  The problem is that while the Executive Order is a great start, the two primary requirements for putting Zero Trust into effect, MFA and encryption, don’t really close all cloud security gaps.

According to the 2021 Data Breach Investigations Report (DBIR) misconfigurations remain a primary threat vector for cloud architectures. The increased use of Software-as-a-Service (SaaS) applications actually trigger two different attack patterns:

According to the DBIR, the basic web application attacks include things like credential theft and brute force attacks. Meanwhile, the Miscellaneous Errors subset also included things like cloud-based file storage being placed onto the internet with no controls. These attack vectors show the importance of SaaS security management to cloud security as a whole. Many enterprises lack visibility into their configurations, and the proliferation of SaaS applications makes manual configuration monitoring nearly impossible. As enterprises continue on their digital transformation journey, configuration monitoring and management will only become more difficult.

Cloud security, even with a focus on establishing a Zero Trust Architecture, needs to incorporate SaaS application security. As agencies and enterprises in their supply chain incorporate SaaS apps, the security risk that misconfigurations pose needs to be addressed.

The Enhance SaaS Security Playlist

As agencies and enterprises start looking for solutions, enhancing SaaS security should be on the “proactive steps to take” list.

Integrate all applications: Travel the Long and Winding Road

Doing the business of your business requires a lot of applications, especially across remote workforces. Despite a potentially long purchase cycle, adding applications to your stack is relatively easy. Your IT team creates some connections to your cloud infrastructure using APIs, then adds the users. People can get down to business.

Managing SaaS app security for the long term is the big challenge. You have a lot of applications, and each one has unique configurations and language. No organization can have an expert in every application language and configuration. If you can integrate all your applications into a single platform that creates a standardized approach to configurations, you’re taking the first step down the long and winding road to securing your cloud infrastructure.

Verify access and enforce policies: Stop Believin’

While Journey might say “don’t stop believin,’” a Zero Trust Architecture means not believing anyone or anything until they provide the right proof. For example, MFA doesn’t work on a system that uses legacy authentication protocols like IMAP and POP3. If you need to secure your SaaS stack and meet these short timelines, you need visibility into all user access, especially Privileged Access holders like super admins or service accounts.

Enterprises need unified policies across all SaaS applications, ensuring continuous compliance. This means the ability to analyze every user’s access across all your SaaS platforms by role, privilege, risk level, and platform with the ability to mix and match as you search so you have the insights you need, when you need them.

Monitor SaaS security continuously: You Oughta Know

The hardest part of SaaS security is that it continuously changes, like employees sharing documents with third-parties or adding new non-company users to collaboration platforms. The problem is that the Executive Order and most other compliance mandates assume that you oughta know about your risk posture because you’re continuously monitoring your security.

You need always-on SaaS security that provides real-time risk identification, context-based alerts, and risk prioritization.

Automate remediation activities: Never Gonna Let You Down

No single human being can manage SaaS security manually.

Manually managing the risks arising from so many users, so many applications, and so many locations will leave the IT department running on espresso and energy drinks and unfortunately, most likely, missing a critical risk.

Automating the SaaS security process in a single cloud-based platform is the most efficient way to manage the process. SaaS platform management solutions meet your security where it lives, in the cloud, so you can automate your security at cloud-speed, reduce risk, and strengthen your security and compliance posture.

Adaptive Shield: SaaS Performance Security Management is the Missing Link

Adaptive Shield provides full visibility into one of the most complex issues in cloud security. This SaaS security posture management solution enables enterprises to continuously monitor for misconfiguration risks across the SaaS estate: from configurations that cover malware, spam and phishing to suspicious behavior, and incorrectly configured user permissions.

Adaptive Shield aligns technical controls with CIS Benchmarks and can map controls’ compliance to NIST 800-53 as well as other frameworks.

The Adaptive Shield SaaS security platform management solution also natively connects with Single-Sign On (SSO) solutions, like Azure, Ping and Okta, to help track MFA use across the organization.

With SaaS applications becoming the rule rather than the exception for modern businesses, cloud security relies on continuously monitoring for risky SaaS misconfigurations.

Find out more about how to prevent misconfiguration risks in your SaaS app estate

This was first published on June 14, 2021 in The Hacker News.

About the writer

Eliana Vuijsje, Marketing Director

Eliana is a marketing strategist with a passion for technology and storytelling. With an MA in conflict management and negotiation and a BA in Communications, Eliana hit the ground running after moving to Israel. Eliana’s work has been featured in places like Slashdot, the RSA conference and Facebook’s PyTorch publications. Since joining Adaptive Shield, Eliana has grown into a SaaS app security lobbyist telling everyone to secure their SaaS app estate. Oh, and she loves steak.