Since 2016, the National Cyber Security Centre (NCSC) has been tasked with making the United Kingdom the safest place to live and work online. The organization offers practical guidance and incident response services, aids in recovery, and distills lessons learned from cyber incidents into valuable guidance for the future.
The Cyber Security Breaches Survey is used to inform government policy on cyber security. It found that 32% of UK businesses experienced a cyber attack in 2023. With UK businesses feeling the pressure of cyber attacks, it’s no wonder that they are looking for guidance in securing their SaaS stack.
In June of 2023, the NCSC published its guidance for securely using SaaS applications. As one would expect, it places a great deal of emphasis on access control, user authentication, devices, malware, and data leakage protection. These are critical areas to secure SaaS applications and are a core part of Adaptive Shield’s SaaS Security Posture Management platform. In this article, we look at some of the recommendations offered by the NCSC and the way Adaptive Shield enables British organizations to stand up to the challenges of SaaS security.
Monitor Users
It’s telling that nearly one-third of the NCSC’s guidance is directed at managing users. Identity is the new perimeter, and poor user management can lead directly to unauthorized access and data breaches.
Through its identity and access governance tools, Adaptive Shield ensures that the NCSC’s guidelines are enforced. It monitors users to identify those who must be offboarded as soon as possible and checks that each user – internal and external – is authenticated when entering the application.
The NCSC recognizes that high-privilege users, such as admins, are popular targets, and recommends managing “administrative users and their privilege to mitigate the risk of compromise and the impact of misuse.” Adaptive Shield’s Monitor identifies high-privilege users acting anomalously, enabling it to catch threat actors posing as an admin and prevent insider threats.
The NCSC also recommends role-based access control (RBAC) for all non-admins, to ensure that users are only able to access materials they need to perform their role. By following the principle of least privilege (POLP), organizations reduce their attack surface, as users with limited access whose accounts are breached provide less data to threat actors.
Adaptive Shield enables user management through its User Inventory. Security teams can see each user within their SaaS stack, the applications they have access to, and whether they have admin rights. When the number of admins exceeds a predetermined threshold, Adaptive Shield alerts the team that their posture is less secure.
Maintain a High-Security Posture
The NCSC notes the importance of an app’s security posture, pointing out that updates to the SaaS introducing new features could reset existing configurations back to the company default. Even when settings don’t change, new features within the application may bypass existing security controls, requiring security teams to further secure the application to maintain their posture.
Adaptive Shield’s continuous, automated configuration monitoring ensures that any changes that weaken posture are identified immediately. App owners or security team members can restore the application to its previous posture level, keeping the data within the app safe.
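The drift check described in this section, as an added Python example (not NCSC or Adaptive Shield code): it compares an approved baseline with the current settings, flagging values that fell back to the default and settings that arrived with a new feature and were never reviewed. All setting names and values are constructed for illustration.

```python
# Constructed setting names and values; a real SaaS application exposes its own.
VENDOR_DEFAULTS = {
    "mfa_required": False,
    "external_sharing": "anyone",
    "session_timeout_min": 720,
    "ai_assistant_enabled": True,
}
# Posture the security team approved at the last review.
BASELINE = {"mfa_required": True, "external_sharing": "org_only", "session_timeout_min": 30}
# Settings read back after an application update (constructed sample).
CURRENT = {
    "mfa_required": True,
    "external_sharing": "anyone",      # silently reset by the update
    "session_timeout_min": 60,         # changed, but not to the default
    "ai_assistant_enabled": True,      # new feature, absent from the baseline
}


def diff_posture(baseline, current, vendor_defaults):
    """Return (setting, finding, approved_value, current_value) tuples."""
    findings = []
    for key, approved in baseline.items():
        if key not in current:
            findings.append((key, "missing", approved, None))
        elif current[key] != approved:
            # Distinguish a reset to the default from any other change.
            is_default = key in vendor_defaults and current[key] == vendor_defaults[key]
            kind = "reset_to_default" if is_default else "changed"
            findings.append((key, kind, approved, current[key]))
    # Settings with no approved value came in with a new feature: review them.
    for key in current.keys() - baseline.keys():
        findings.append((key, "unreviewed_new_setting", None, current[key]))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for finding in diff_posture(BASELINE, CURRENT, VENDOR_DEFAULTS):
        print(finding)
```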
Manage Content
Some SaaS applications contain a tremendous amount of content, which is used throughout the organization. The NCSC recognizes two dangers in content. The first concern is resources that contain malicious content within the file.
Users can’t be blamed for assuming anything within the corporate SaaS is free of malware and doesn’t contain malicious links. After all, the materials weren’t downloaded off the internet or emailed from an unknown sender.
The NCSC recognizes the fallacy of that thinking. Without monitoring, users can intentionally or unwittingly share applications with malicious content embedded within. Adaptive Shield ensures that the security settings set to flag these documents are configured correctly, so that any user attempting to download a file with malicious content is aware of the risk.
The NCSC is also concerned about data leakage. While files often do need to be shared, controls must be put into place to prevent anyone from accessing confidential and proprietary information. Adaptive Shield reviews the settings governing file sharing as well, preventing users from sharing files without some type of user authentication. The platform addresses concerns relating to guest access, externally exposed data, and sharing configurations, all of which add layers that limit the potential of data leakage.
Track Devices that Access the Stack
According to the NCSC, unsecured devices can be used to compromise access to a SaaS application. Devices that are unmanaged, have critical vulnerabilities on them, or use out-of-date operating systems can contain spyware that provides threat actors with access to an application.
Adaptive Shield’s device inventory connects with endpoint protection tools, to provide insight into the devices that access SaaS applications. Those devices are further correlated with users, increasing the richness of the user-device data. High-privilege users accessing applications with unsecured devices may find their access revoked until their device is upgraded and meets corporate policy.
Control SaaS-to-SaaS Access
The NCSC is concerned with third-party services that integrate with the core SaaS applications. These service identities, as the NCSC refers to them, must be managed strategically to reduce the attack surface they create. For example, granting a video conference tool integration the ability to view a calendar for easier scheduling makes sense. However, security teams should consider the risk of granting it access to the user’s mailbox and cloud storage drive, which will be used to send out invites and save videos but could be exploited in unwanted ways by threat actors.
While these applications may not be malicious, if given excessive scopes, they do represent a risk. Threat actors may take over the application and would have the same level of access granted to the application.
Adaptive Shield protects against such third-party app risk. It provides visibility into every application that is connected to the core SaaS application, assigns a risk level based on the scopes granted to the application, and sends alerts when apps are granted high-risk scopes. Security teams can make informed risk-benefit decisions on each application.
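A sketch of the scope review described in this section, using the video conferencing integration as the worked case. This is an added Python example, not Adaptive Shield's scoring method; the scope names, risk weights and app inventory are constructed assumptions.

```python
# Constructed scope names and weights; each SaaS platform defines its own scope strings.
SCOPE_RISK = {
    "calendar.read": 1,
    "calendar.write": 2,
    "mail.send": 3,
    "mail.read": 3,
    "drive.read": 3,
    "drive.write": 3,
}
UNKNOWN_SCOPE_RISK = 3  # unrecognised scopes count as high risk until reviewed
LEVELS = {0: "none", 1: "low", 2: "medium", 3: "high"}

# Constructed inventory: scopes each integration holds, and scopes that the
# security team accepted as needed for the integration's function.
INTEGRATIONS = [
    {"app": "video-conf",
     "granted": {"calendar.read", "mail.send", "mail.read", "drive.write"},
     "justified": {"calendar.read", "mail.send", "drive.write"}},
    {"app": "room-booking",
     "granted": {"calendar.read"},
     "justified": {"calendar.read"}},
    {"app": "notes-sync",
     "granted": {"calendar.read", "admin.directory"},
     "justified": {"calendar.read"}},
]


def assess(integration):
    """Rate one integration by its riskiest scope and list unjustified scopes."""
    granted = integration["granted"]
    score = max((SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in granted), default=0)
    excess = sorted(granted - integration["justified"])
    return {
        "app": integration["app"],
        "risk": LEVELS[score],
        "excess_scopes": excess,
        # Alert on any high-risk scope, or on any scope nobody signed off on.
        "alert": score >= 3 or bool(excess),
    }


def review(integrations):
    return [assess(i) for i in integrations]


if __name__ == "__main__":
    for row in review(INTEGRATIONS):
        print(row)
```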
Detect Threats From Within the Applications
Access control tools and policies are a powerful force to prevent access, but some threat actors do find an access point in the application. This may be due to successful phishing attacks on a user with an app that can be accessed directly from the internet, or an insider threat starting to make a move on company data.
NCSC advocates monitoring for security incidents to detect any wrongdoing. Adaptive Shield’s Identity Threat Detection and Response (ITDR) capabilities continually scan audit and activity logs, identifying patterns of behavior that are either anomalous to typical user behavior or are threatening. Through ITDR, Adaptive Shield is able to detect threats as they take place and alert security teams to an incident in progress.
NCSC’s Guidance
The NCSC’s approach to cloud and SaaS security will help organizations within the United Kingdom and abroad recognize the challenges in securing their SaaS applications. Clearly, constant monitoring of thousands of configurations across the SaaS stack is a task best suited for an automated monitoring tool.
Adaptive Shield’s SaaS Security platform is the leading SaaS security tool on the market today. It delivers unprecedented visibility into the SaaS environment, across the broadest number of applications. Through the Adaptive Shield platform, organizations can rest assured that their SaaS applications are secure.