
Navigating SaaS Posture Management in an Era of Evolving Regulatory Compliance

Yesterday, Obsidian announced the next generation of our SaaS Security Posture Management (SSPM) solution. It delivers increased customizability, extends coverage to improve the security posture of every application in a customer's ecosystem (not just core SaaS applications), and adds the ability to secure third-party SaaS integrations.

I’ll let my team talk about the details of these products over the course of this week. Individually, and together, these products are pushing the limits of what’s possible in the SaaS security space—a space that, in my opinion, has been underinvested in for the last decade or so.

But SaaS security is only part of the equation that needs to be solved. 

The other part is something relatively unsexy, yet foundationally important to most organizations, especially financial institutions, insurance companies, and those in healthcare: regulatory compliance.

Compliance is a pain in the SaaS

Application deployment today is more distributed than it has ever been. As organizations continue to increase their reliance on cloud technologies, moving away from on-premises data centers to hybrid and cloud-based workloads built on IaaS, the IT compute and application layer has become increasingly decentralized. Today, more than ever, organizations have workloads deployed in both IaaS and SaaS environments. This “cloud first” strategy is a great thing, but it has had the unintended consequence of distributing ownership across the enterprise. Applications are deployed with relative ease by HR, IT, security teams, and even individual employees.

Many compliance programs today are manual in nature, requiring analysts to pore over settings and alerts across a variety of SaaS applications to assess whether they require investigation. In fact, the security leader of a leading national retailer, a customer of Obsidian, told us his team was spending up to 40% of their time each month reviewing and following up on alerts before using our product.

Today, compliance workflows often have many layers, drawing on employees in different departments. Here is one example:

It doesn’t exactly flow like water, does it?

What’s lacking is a translation layer between the folks who identify compliance violations and those who have the power to fix them.

Evolving legislation is not making things easier

Whether it is the National Cybersecurity Strategy, which calls for, in some sectors, “new authorities” to set regulations that can drive better cybersecurity practices at scale, Gramm-Leach-Bliley Act (GLBA) updates, or new state privacy laws, there are lots of new requirements coming down the pike. Many have implications for SaaS security.

Here are three examples:

  • The New York Department of Financial Services (NYDFS) has proposed rules that update its cybersecurity regulations. The influential agency wants to mandate, for example, role-based access controls (RBAC) to limit user access privileges. This has big implications for the administration of SaaS applications, because admins will need to know what access each user has and deactivate that access when users leave or move into a new role.
  • The U.S. Federal Trade Commission’s (FTC) Safeguards Rule, like a growing number of compliance regulations, mandates the use of multi-factor authentication (MFA) “for any individual accessing any information system.” Again, this has big implications for SaaS apps, because a policy isn’t enough. You have to know where the policy is and is not enforced, which could be tricky if you have branch locations internationally. The latest version of the rule gives covered organizations until June 9, 2023 to comply.
  • Enforcement of the California Privacy Rights Act (CPRA) begins this summer and expands on consumer protections. Firms that do business in California and either achieved $25 million in revenue in the prior calendar year or process the data of more than 100,000 customers may be covered. One unique aspect is that CPRA gives employee data protections similar to those for customer data. If that data is stored in Workday or Salesforce, for example, it needs to be protected. Four more states will have new or expanded privacy laws enacted by the end of this year.

What we need

Organizations in regulated industries must be agile in the face of regulatory chaos and surging SaaS threats. Adapting SSPM strategies for this new era requires adopting automation, embracing collaboration to bring more stakeholders into the regulatory compliance process, and continuously strengthening controls and policies, all while dealing with economic and competitive pressures. It is no easy task.

Obsidian views the future of SSPM as helping customers solve these challenges through automation, collaboration, and continuous SaaS compliance. Let’s take a look at these three core features:

Automation provides 24/7/365 monitoring that manual processes cannot

Continuous monitoring vs spot checks

It is time to end manual compliance monitoring. Automation offers a ton of benefits that its manual counterpart cannot. The essence of automated monitoring is eyes always watching for SaaS compliance violations, without the need for sleep, food, or vacation days. Manual monitoring by staff cannot compete.

Manual monitoring may be good for static items. SaaS is dynamic. Users, admins, their privileges, and activity are constantly changing. Compliance monitoring needs to be able to keep up.
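The two regulatory items discussed earlier (MFA for every account under the FTC Safeguards Rule, and deactivating access when people leave or change roles under NYDFS-style RBAC) are exactly the kind of dynamic state that a spot check misses and a continuous check catches. The following is an added example, not Obsidian code, of what such an automated check looks like: it evaluates a constructed SaaS user export against a constructed HR roster, and then diffs two snapshots to show what a continuous monitor reports between runs. All user names, roles, and control identifiers are made up for the illustration.

```python
"""Added example: a minimal automated SaaS compliance check with drift detection.

The SaaS user export and HR roster below are constructed sample data. The two
controls mirror the FTC Safeguards MFA requirement and an NYDFS-style
role-based access / offboarding requirement. Not Obsidian's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SaasUser:
    email: str
    active: bool
    mfa_enrolled: bool
    admin: bool


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str   # "employed" or "terminated"
    role: str     # job role from which entitlements are derived


# Constructed export from one SaaS application (snapshot 1).
SAAS_USERS = [
    SaasUser("ana@example.com", active=True, mfa_enrolled=True, admin=True),
    SaasUser("bob@example.com", active=True, mfa_enrolled=False, admin=False),
    SaasUser("cai@example.com", active=True, mfa_enrolled=True, admin=True),
    SaasUser("dee@example.com", active=False, mfa_enrolled=False, admin=False),
]

# Constructed snapshot 2: cai's account was disabled, bob was granted admin.
SAAS_USERS_LATER = [
    SaasUser("ana@example.com", active=True, mfa_enrolled=True, admin=True),
    SaasUser("bob@example.com", active=True, mfa_enrolled=False, admin=True),
    SaasUser("cai@example.com", active=False, mfa_enrolled=True, admin=True),
    SaasUser("dee@example.com", active=False, mfa_enrolled=False, admin=False),
]

# Constructed HR roster for the same people.
HR_ROSTER = {
    "ana@example.com": HrRecord("ana@example.com", "employed", "it-admin"),
    "bob@example.com": HrRecord("bob@example.com", "employed", "sales"),
    "cai@example.com": HrRecord("cai@example.com", "terminated", "it-admin"),
    "dee@example.com": HrRecord("dee@example.com", "terminated", "finance"),
}

# Hypothetical role-to-entitlement rule: only these HR roles may hold admin.
ADMIN_ROLES = {"it-admin"}


def evaluate(users, roster):
    """Return the set of (email, control_id) violations for one snapshot."""
    findings = set()
    for u in users:
        if not u.active:
            continue  # a disabled account cannot violate either control
        if not u.mfa_enrolled:
            findings.add((u.email, "MFA-REQUIRED"))
        hr = roster.get(u.email)
        if hr is None or hr.status == "terminated":
            # Active SaaS account with no employed person behind it.
            findings.add((u.email, "LEAVER-ACCESS"))
        elif u.admin and hr.role not in ADMIN_ROLES:
            # Privilege that the person's role does not justify.
            findings.add((u.email, "ADMIN-NOT-IN-ROLE"))
    return findings


def drift(previous, current):
    """What a continuous monitor reports between two runs."""
    return {
        "new": sorted(current - previous),
        "resolved": sorted(previous - current),
    }


if __name__ == "__main__":
    first = evaluate(SAAS_USERS, HR_ROSTER)
    second = evaluate(SAAS_USERS_LATER, HR_ROSTER)
    print("snapshot 1:", sorted(first))
    print("drift:", drift(first, second))
```

Note that bob's missing MFA is a violation in both snapshots, so it appears in neither the "new" nor the "resolved" list; a continuous monitor would still keep it open as an unresolved finding, while a periodic spot check would have had no way to notice that cai's access was only closed after the second run.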

Single source of truth

Automation is good for more than just monitoring. An automated compliance tool hosted on a SaaS platform removes the need for a maze of separate spreadsheets and instead offers a single interface that lets all employees work from the same playbook.

Control consolidation

An organization’s collection of technical controls typically comes from three sources: independent frameworks or regulations such as NIST, SOC 2, and HIPAA; custom controls; and other recommended controls. The total number of controls and policies can add up and become unwieldy, especially when a single control applies to multiple standards.

We believe the smartest approach for organizations is to put all of their controls into a single pot with a single interface. This simplifies management and helps avoid duplication of effort. If a new compliance requirement with 20 mandatory controls gets enacted, for example, rather than starting from scratch and entering all 20 into the platform, a user would only have to enter the unique controls that do not already exist in the system.
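The following added example, which is not Obsidian code, shows the control-consolidation idea in a small registry: each control is stored once, every framework that requires it is attached as a mapping, and registering a new framework returns only the controls that were genuinely new. The framework names are real standards mentioned on this page; the control identifiers and descriptions are constructed placeholders, not the official control text of any of them.

```python
"""Added example: one control registry shared by several frameworks.

Control ids and descriptions are constructed placeholders. The point is the
bookkeeping: a control is entered once and mapped to every framework that
needs it, so adding a new framework only costs its unique controls.
Not Obsidian's code.
"""
from collections import defaultdict


class ControlRegistry:
    def __init__(self):
        self.controls = {}                 # control_id -> description
        self.mappings = defaultdict(set)   # control_id -> {framework, ...}

    def add_framework(self, framework, requirements):
        """Register a framework's controls and return the ids that were new."""
        new_ids = []
        for control_id, description in requirements:
            if control_id not in self.controls:
                self.controls[control_id] = description
                new_ids.append(control_id)
            # Existing or new, the control now also satisfies this framework.
            self.mappings[control_id].add(framework)
        return new_ids

    def frameworks_for(self, control_id):
        """Every framework a single control is reported against."""
        return sorted(self.mappings.get(control_id, ()))

    def controls_for(self, framework):
        """The checks to run to report on one framework."""
        return sorted(c for c, fws in self.mappings.items() if framework in fws)

    def shared_controls(self):
        """Controls that satisfy more than one framework: one check, many reports."""
        return sorted(c for c, fws in self.mappings.items() if len(fws) > 1)


# Constructed control sets (placeholder ids and wording, not official text).
NIST_CSF = [
    ("CTRL-MFA", "Multi-factor authentication for all users"),
    ("CTRL-RBAC", "Role-based access control with least privilege"),
    ("CTRL-LOG", "Audit logging enabled and retained"),
]
SOC2 = [
    ("CTRL-MFA", "Multi-factor authentication for all users"),
    ("CTRL-LOG", "Audit logging enabled and retained"),
    ("CTRL-VENDOR", "Third-party integrations reviewed and approved"),
]
FTC_SAFEGUARDS = [
    ("CTRL-MFA", "Multi-factor authentication for all users"),
    ("CTRL-ENCRYPT", "Customer data encrypted at rest and in transit"),
]


def build_registry():
    """Load three frameworks in order; returns (registry, new ids per framework)."""
    reg = ControlRegistry()
    added = {
        "NIST CSF": reg.add_framework("NIST CSF", NIST_CSF),
        "SOC 2": reg.add_framework("SOC 2", SOC2),
        "FTC Safeguards": reg.add_framework("FTC Safeguards", FTC_SAFEGUARDS),
    }
    return reg, added


if __name__ == "__main__":
    reg, added = build_registry()
    for fw, ids in added.items():
        print(f"{fw}: {len(ids)} new control(s) entered: {ids}")
    print("shared:", reg.shared_controls())
    print("total distinct controls:", len(reg.controls))
```

Loading the three constructed frameworks yields five distinct controls instead of eight entries, and the second and third frameworks each required entering a single new control; the MFA control in particular is checked once and reported against all three.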

Platform updates

Finally, a compliance tool is only as good as how up to date it is with the latest best practices and standards. Automation should make it easy to load new recommendations and then have them monitored globally.

SaaS compliance tools must be collaboration tools 

Compliance is a team sport that comes with technological and business culture hurdles. Evaluating and acting on risk assessments must include insights from across an organization. At their heart, SaaS compliance tools are collaboration tools that keep IT, security, risk, and HR teams on the same page in terms of policies and policy enforcement. 

Information sharing

How can a compliance tool foster information sharing? On-demand reporting capabilities and automated ticketing are two ways. I think security threats are so existential that shared responsibility models will actually come to fruition, with teams coalescing under the leadership of the Chief Risk Officer.

In effect, from a security perspective, all these units will merge into one, and compliance tools must be ready to support that. 

SaaS compliance is a lifecycle

Obsidian believes that the best way to maintain a strong SaaS compliance posture, and to validate that posture with external auditors, is to think of it as a loop in which constant updates make the tool continuously stronger. My colleague, Dennis Faire, explains this in more detail here.

We can help

Automation is now helping organizations gain more control over their SaaS and compliance postures at a time when businesses can feel squeezed between more sophisticated, more frequent threats and government regulations that are imposing change as well. We empathize with all of the people involved in navigating these changes, but we are equally confident we can help. Reach out to us to chat.

Also, if you want to join a rockstar team dedicated to solving complex engineering and product problems to help make the impact of SaaS breaches a thing of the past, I’m hiring on my team.