Ensuring SaaS Security in ISO Compliance

Originally published by Adaptive Shield.

The International Organization for Standardization (ISO) sets standards across various industries. As an internationally recognized standards organization, its two information technology security standards - ISO 27000:2018 and ISO 27001:2013 - can be used to help build out a strong security posture.

SaaS security is critical to ISO compliance in the modern business world. However, with all the non-stop developments in the organization's SaaS stack, from updating and modifying configurations to discovering SaaS-to-SaaS access and securing devices etc., it can become overly burdensome for a security team to handle. SSPM solutions come to answer this pain by providing proactive, deep, continuous and automated monitoring & management capabilities. (SSPM solutions can also offer security checks per compliance framework so the security team can easily see where their posture is compliant or needs remediation.)

This blog will take a deep dive into understanding the ISO compliance standards, with its two recent yet different versions, and how SSPM can help security teams ensure ISO compliance.

What is the difference between ISO 27000:2018 and ISO 27001:2013?

Simply put: ISO 27000:2018 gives you goals to accomplish while ISO 27001:2013 outlines the steps you have to take to achieve those outcomes.

ISO 27000 sets out the following fundamental principles of your security program:

• Information security awareness
• Responsibility assignment
• Management commitment
• Societal value enhancement
• Risk assessment and risk tolerance review
• Incorporating security as essential to networks and systems
• Active security incident detection and prevention
• Comprehensive approach to information security management

ISO 27001 focuses on best practices and establishing an Information Security Management System (ISMS) that consists of policies and procedures. It includes five processes for achieving these security fundamentals:

• Establishment
• Implementation
• Operation
• Monitoring
• Review
• Improvement

The 10 ISO 27001:2013 Clauses

A lot of this sounds fairly vague, and it is. ISO takes a risk-based approach to establishing an ISMS, but that doesn’t mean you’re on your own.

The first three clauses give you the basic terminology and scoping. It’s clauses four through ten that start to get into some more detail. These are:

• Clause 4: Organization’s Context
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance Evaluation
• Clause 10: Improvement

Again, this is fairly high-level, even though ISO gives detailed definitions within the clauses. The real work of getting ISO compliant is found in Annex A which lists 114 controls aligned to ten clauses.

Where SaaS Security Fits into ISO Compliance

The problem with understanding the importance of SaaS security within the ISO context is that ISO never specifically mentions SaaS apps. Since it acts as a risk-based framework, you need to start by identifying the risks that SaaS apps pose, then put the controls around them.

Going into all the controls listed in ISO 27001 would be too long for this post. However, you can get a general sense of how SaaS security - and SaaS Security Posture Management (SSPM) - fits into your ISO compliance plans with a few examples.

Access Control

Under Access Control, you need to ensure that all users are assigned the appropriate access needed to complete their job functions.

Ensuring SaaS security under this requirement can be challenging because you need to make sure that you meet the following sub-requirements:

• Access control policy: establish, document, and review access requirements
• Management of privileged access right: restrict and allocate privileged access
• Review of user access rights: Regularly review access to ensure compliance with the access control policy
• Removal or adjustment of access rights: Remove access rights for all employees and external party users
• Information access restriction: limit access according to the access control policy

Example

Permission drifts occur when a user has certain permissions as part of a group membership, but then gets assigned a specific permission that is more privileged than what the group has. Over time many users get extra permissions. This undermines the idea of provisioning using groups.

SSPM Can Help

SSPM gives you a way to govern users’ cloud access by:

• Discovering all SaaS users, including partners and guests
• Continuously measure each user level of exposure
• Identify users with excessive permissions
• Trim unused permissions and deprovision inactive users
• Identify and disable insecure user authentication methods

Operations Security

Operations security is the process of ensuring correct and secure operations for all information processing facilities. In cloud environments, managing operations security becomes more difficult because you often lack visibility.

Ensuring SaaS security under this requirement can be challenging because you need to make sure that you meet the following sub-requirements:

• Documented operating procedures: document and make operating procedures available to all users who need them
• Change control management: Control all changes to the organization, business processes, and information processing facilities and systems that affect information security
• Capacity management: Monitor, tune, and ensure that resource use maintains system performance requirements
• Controls against malware: Protect against malware using the appropriate detection, prevention, and recovery controls
• Event logging: record user activities, exceptions, faults, and events
• Management of technical vulnerabilities: Monitor systems for exposure and take measures to address risks
• Information systems audit controls: Plan activities in a way that minimizes business disruption

Example

OAuth is an extremely common action that users take, but implementation mistakes can lead to attacks. You need to make sure that you have the appropriate documented operating procedures for onboarding new applications that use OAuth. Further, cybercriminals can use misconfigurations, like the sending OAuth application phishing emails, as part of their ransomware attacks.

SSPM Can Help

SSPM gives you the ability to run continuous security checks for all SaaS apps in use, in addition to the SaaS-to-SaaS access, so that you can:

• Monitor for misconfigurations for all global setting, user specific settings, and user privileges
• Prioritize and automate remediation
• Log all events to track user activities, exceptions, and faults across the SaaS environment
• Disseminate risk context and remediation to each SaaS respective owner
• Limit business disruption with unobtrusive monitoring

Compliance

This requirement focuses on avoiding legal, statutory, regulatory, or contractual obligations.

Ensuring SaaS security under this requirement can be challenging because you need to make sure that you meet the following sub-requirements:

• Privacy and protection of personally identifiable information (PII): Protect PII as required by relevant legislation and regulation
• Independent review of information security: Engage in an external audit at planned intervals to review ISMS implementation
• Compliance with security policies and standards: Regular review by managers or app owners to ensure appropriate security policies, standards, or other security requirements are in place
• Technical compliance review: Regularly review information systems to make sure they meet with the organization’s information security policies and standards

Example

Default configurations can lead to PII leaks as seen in the 2021 Power Apps portal issue that Microsoft fixed. Knowing what default configurations create a compliance violation and monitoring to ensure that you fix issues is key to compliance.

SSPM Can Help

SSPM can help you get compliant by:

• Continuously monitoring for misconfigurations for all global setting, user specific settings, and user privileges
• Mapping configurations, user privileges, and other compliance mandated controls to standards and regulations
• Alerting you to misconfigurations that lead to compliance violations
• Prioritizing and automating remediation
• Disseminating risk context and remediation to each SaaS respective owners, track progress, validate and monitor risk reduction.