SaaS Security: A New Framework for Essential Controls

Summary
– Managing security across multiple SaaS applications is difficult due to varying settings and a lack of focus on individual app-level security in traditional risk assessments.
– The Cloud Security Alliance (CSA) has released a new SaaS Security Capability Framework (SSCF) to establish a standard set of security controls for vendors.
– The framework was created to address the inconsistent security features in the rapidly growing SaaS market, which complicates vendor onboarding for enterprises and product development for startups.
– The SSCF version 1.0 defines security controls across six core domains, including Identity and Access Management, Data Security, and Logging.
– The framework is based on a shared responsibility model, focusing on controls that customers can configure, while avoiding overlap with other security standards like SOC 2.
Managing security across a sprawling portfolio of Software-as-a-Service applications presents a formidable challenge for modern enterprises. With each application operating on its own unique set of settings, permissions, and logging mechanisms, security teams are often left piecing together a fragmented picture of their overall risk posture. Traditional third-party risk assessments frequently fall short, focusing on the vendor’s corporate security rather than the specific security capabilities of the application itself. This gap forces organizations to implement custom solutions, creating extra work and reducing visibility for both security and procurement departments.
To address this critical industry need, the Cloud Security Alliance (CSA) has introduced a new SaaS Security Capability Framework (SSCF). Released in late September, this framework establishes a standardized set of security controls that SaaS providers should integrate directly into their products. Developed with contributions from the CSA’s SaaS Working Group, which includes industry leaders like MongoDB and GuidePoint Security, the SSCF aims to create a common language for securing SaaS environments. This initiative is designed to move the entire ecosystem toward a more consistent and robust security baseline.
Brian Soby, CTO of AppOmni and the framework’s lead author, emphasized its significance. He stated that the SSCF provides a much-needed, consistent standard that will help organizations transition away from outdated risk assessment methods. The ultimate goal is to enable companies to build zero trust principles directly into their SaaS deployments, fostering a more secure operational environment.
The rapid, uncoordinated growth of the SaaS market has historically meant there was no universal standard for application-level security features. The outcome is a haphazard assortment of capabilities from one vendor to the next. One application might offer comprehensive logging and granular access controls, while another provides only minimal security settings. This inconsistency forces security professionals to manage a different set of tools and processes for every application, which inevitably slows down operations and elevates organizational risk.
This problem manifests differently depending on perspective. Large enterprises feel the strain during vendor onboarding, where each new procurement becomes a unique project involving custom questionnaires, lengthy review cycles, and extensive negotiations. Conversely, startups and smaller vendors face the challenge of guessing which security features are essential to pass enterprise procurement checks, often building capabilities in a reactive and piecemeal fashion.
The SSCF is positioned to simplify this dynamic for all parties involved. It offers enterprises a uniform method for evaluating potential vendors, while simultaneously giving software providers a clear understanding of customer expectations long before the sales process even begins.
The initial version of this security framework is structured around six core domains, each tackling a fundamental aspect of SaaS security. One critical domain is Change Control and Configuration Management (CCC), which focuses on safely managing application updates and ensuring a secure configuration is maintained over time. Within these six areas, the framework details specific controls. Some of these are non-negotiable requirements, like mandating Multi-Factor Authentication (MFA), blocking anonymous access, and guaranteeing the delivery of audit logs within a 24-hour window. Other controls function as implementation guidelines, describing security best practices that vendors are strongly encouraged to adopt to harden the application environment.
A central concept of the framework is the Shared Security Responsibility Model (SSRM). This model defines clear, separated roles: SaaS providers must build, maintain, and offer the security controls detailed in the framework. Customers, conversely, are tasked with properly setting up and utilizing those controls to protect their specific users and data within the application. This delineation is key to the framework’s design, ensuring both parties understand their roles in securing the digital environment.
By concentrating only on the controls visible and manageable by the customer, the framework purposefully avoids duplication with existing standards such as SOC 2 or ISO 27001. For example, the security of the underlying infrastructure, like data-at-rest encryption, is solely the vendor’s duty and is addressed by other certifications. This new framework zeroes in on giving customers the necessary tools to directly manage elements like access policies, audit logs, and user activity within the SaaS application itself, empowering them with direct control over their data’s use and access.
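The split the SSRM describes, where the vendor must offer a control and the customer must turn it on, can be checked mechanically. The following is an added example, not code from the CSA or from the article: it evaluates a tenant against the three non-negotiable controls the article names (mandatory MFA, blocked anonymous access, audit logs delivered within 24 hours) and attributes each gap to the responsible party. The capability and setting field names, the input format, and the sample data are constructed for illustration; the SSCF's own control identifiers are not given on the page and are not used here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUDIT_LOG_WINDOW = timedelta(hours=24)  # delivery window stated in the article

@dataclass(frozen=True)
class Control:
    name: str
    domain: str        # SSCF domain as named in the article
    capability: str    # provider-side feature that must exist (SSRM: vendor's duty)
    setting: str       # customer-side setting that must be on (SSRM: customer's duty)

# The three non-negotiable controls the article lists; field names are constructed.
CONTROLS = [
    Control("mfa_required", "Identity and Access Management",
            "supports_mfa", "mfa_enforced"),
    Control("anonymous_access_blocked", "Identity and Access Management",
            "supports_anonymous_access_block", "anonymous_access_disabled"),
    Control("audit_log_delivery", "Logging",
            "supports_audit_log_export", "audit_log_sink_configured"),
]

def evaluate(capabilities, settings, last_delivery, now):
    """Classify each control as 'pass', 'provider_gap' (vendor does not offer it,
    or missed the audit-log window) or 'customer_gap' (offered but not enabled).
    Audit-log freshness is simplified to the age of the most recent delivery."""
    findings = {}
    for c in CONTROLS:
        if not capabilities.get(c.capability, False):
            findings[c.name] = "provider_gap"
        elif not settings.get(c.setting, False):
            findings[c.name] = "customer_gap"
        elif c.name == "audit_log_delivery" and now - last_delivery > AUDIT_LOG_WINDOW:
            findings[c.name] = "provider_gap"  # sink configured, but vendor is late
        else:
            findings[c.name] = "pass"
    return findings

# Constructed sample: the vendor offers all three controls, the tenant has not
# enforced MFA, and the most recent audit-log delivery was 30 hours ago.
SAMPLE_CAPABILITIES = {"supports_mfa": True, "supports_anonymous_access_block": True,
                       "supports_audit_log_export": True}
SAMPLE_SETTINGS = {"mfa_enforced": False, "anonymous_access_disabled": True,
                   "audit_log_sink_configured": True}
SAMPLE_NOW = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LAST_DELIVERY = SAMPLE_NOW - timedelta(hours=30)

if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_CAPABILITIES, SAMPLE_SETTINGS,
                                 SAMPLE_LAST_DELIVERY, SAMPLE_NOW).items():
        print(f"{name:26} {result}")
```

On the sample input the MFA gap is the customer's to close and the late audit logs are the vendor's, which is exactly the attribution the shared responsibility model asks procurement and security teams to make.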
(Source: HelpNet Security)