SaaS applications have become “the go-to” for how we work every day, offering greater productivity, accessibility, and flexibility. But the rise in SaaS adoption brings drawbacks, among them a growing set of SaaS security risks. For one, IT and security teams often lack visibility into the full SaaS application stack and into the security controls of each individual application. And without that visibility, it’s impossible to ensure the critical data processed by SaaS apps is protected.
The Cybersecurity and Infrastructure Security Agency (CISA) recognized that SaaS usage is only increasing, which is why the agency published the Secure Cloud Business Applications (SCuBA) project to provide some clarification around how to manage SaaS risk. Although the framework targets agencies in the federal civilian executive branch, CISA hopes the private sector will use it as a model to help control the complexity around SaaS.
Securing cloud services is part of CISA’s role in implementing President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity”. The executive order was designed to protect the nation’s critical infrastructure from further attacks by modernizing its cybersecurity posture.
With the SCuBA framework, CISA is looking to properly address SaaS security risks, including visibility gaps that have hampered the collective ability to effectively understand and manage cyber risk across federal civilian agencies. SCuBA’s primary goal is to protect federal information created, accessed, shared, and stored in these environments.
The release of the SCuBA framework comes at a time when the threat landscape continues to evolve for both the public and private sectors. It provides much-needed SaaS governance guidance, as well as a better understanding to manage and mitigate SaaS security risks.
The current state of the federal SaaS landscape
As federal civilian agencies continue to modernize, they’re increasingly adopting SaaS applications for the promise of greater scalability, cost savings, and accessibility. But the complexity of federal civilian agencies’ digital infrastructure makes managing SaaS risk that much harder. The challenges include knowing which SaaS apps are in use and whether they’re properly managed, securing sensitive data stored and shared across the SaaS app stack, eliminating redundant applications, and ensuring a SaaS app holds a FedRAMP authorization.
For the Centers for Medicare and Medicaid Services (CMS), SaaS is already an important component to its digital transformation.
“Software as a Service (SaaS) will likely become the more prevalent way of using software,” said Shawnte Singletary, CMS’ deputy director of the division of security and privacy compliance, in an interview with PlanetOIT. “This means less downloading and installing on endpoint devices like laptops or phones and more access through API or direct connection through the internet.”
In the same interview, CMS said its transition to the cloud grew from 13% in 2015 to 75% in 2022 and was driven by software development, IT management, collaboration, and security.
Going forward, CMS is looking at ways to inventory SaaS applications on its network, assure SaaS apps adhere to configuration requirements and security policies, and establish policies and procedures for evaluating and approving SaaS apps. In fact, CMS already uses Axonius Cybersecurity Asset Management to help comply with new and existing cybersecurity regulations, guidelines, and mandates that require ongoing asset visibility.
For federal civilian agencies like CMS, the strategic shift from on-premises to SaaS applications provides numerous benefits, like shifting the technology burden from IT and security teams to the cloud service provider. Yet the responsibility for configuration, identities, and data stays with the agency, so agencies must still be aware of and educated on SaaS risk. The SCuBA framework provides important context around the fundamental protections needed to secure and harden SaaS applications.
Understanding the SCuBA framework and how modern SaaS management helps
With the SCuBA project, CISA is taking the initiative to ensure SaaS applications (public, private, or hybrid) are secure at all levels. CISA’s guidance can help federal civilian agencies take on a proactive approach to identify potential cybersecurity threats, as well as safeguard, monitor, and maintain their environments.
In an interview with Federal News Network, Vincent Sritapan, CISA’s Cyber Quality Service Management Office section chief, explained the SCuBA framework is a baseline of cyber standards for common cloud services like collaboration tools.
“Our key objective is really around enabling secure cloud business applications and accelerating key shared services. We look to, in this case, provide architectures, security configurations, really to offer fundamental protections for cloud business applications,” he said. “Within federal civilian agencies, we’re providing them with both the security and visibility necessary to identify and detect adversary activities in their cloud environments.”
The SCuBA framework offers suggestions on how to secure SaaS applications. The goal is to bring federal civilian agencies and the industry to the same minimum level of guidance to help adopt the necessary security and resilience practices when they use cloud services.
SaaS applications add a lot of complexity to the digital infrastructure, and working out what the SCuBA framework requires only adds to the challenge. A modern approach to SaaS management can help agencies know what’s happening by providing cyber visibility (both operationally and technically) to detect attacks and compromises.
For identity, credential, and access management (ICAM), CISA is aiming for strong administrative controls and least privilege to help “close the loop” so only users that meet the agency’s desired security posture can access data. CISA has previously recommended that agencies turn to SaaS Security Posture Management (SSPM) solutions for help addressing SaaS risk; these connect to the SaaS vendors’ APIs to identify unnecessary user accounts, excessive user permissions, and more.
With SSPMs or SaaS management solutions like Axonius, suspicious or inactive user accounts can be suspended, and app-to-app connections (OAuth grants and integrations) that have access to sensitive agency data can be removed. By suspending unneeded user accounts, agencies both reduce the risk of account takeover and optimize SaaS spend by rightsizing licenses.
CISA is currently developing and testing minimum viable security baselines (with automation in mind) to speed up SaaS adoption. Axonius SaaS Management can help agencies determine whether products have been vetted and are FedRAMP authorized, and whether they should be considered for enterprise-wide use. It can also harden the settings and configurations of SaaS applications around user permissions and session duration, multi-factor authentication, access to sensitive data for guest users, and more.
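To make the account review, app-to-app connection review, and configuration baseline checks above concrete, here is an added example (written for this article, not Axonius or CISA code) that runs those checks over a constructed inventory. The user records, OAuth grants, tenant settings, scope names, and the 90-day and 12-hour thresholds are all assumptions chosen for illustration; an SSPM would pull the real data from each vendor’s API.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)  # fixed clock so the output is reproducible
INACTIVE_DAYS = 90                                # assumed agency threshold
MAX_SESSION_HOURS = 12                            # assumed agency threshold
SENSITIVE_SCOPES = {"files.read.all", "mail.read.all", "directory.write"}  # assumed scope names


def days_ago(n):
    return NOW - timedelta(days=n)


USERS = [  # constructed sample, as an SSPM might normalize a vendor's user listing
    {"id": "u1", "email": "alice@agency.example", "role": "admin", "mfa": True,  "last_login": days_ago(2)},
    {"id": "u2", "email": "bob@agency.example",   "role": "admin", "mfa": False, "last_login": days_ago(5)},
    {"id": "u3", "email": "carol@agency.example", "role": "user",  "mfa": True,  "last_login": days_ago(120)},
    {"id": "u4", "email": "guest@partner.example", "role": "guest", "mfa": False, "last_login": None},
]
GRANTS = [  # constructed sample app-to-app (OAuth) grants
    {"app": "calendar-sync", "granted_by": "u1", "scopes": {"calendar.read"}},
    {"app": "bulk-exporter", "granted_by": "u3", "scopes": {"files.read.all", "mail.read.all"}},
]
TENANT = {"mfa_required": False, "session_hours": 24, "guest_access": True}  # constructed tenant settings


def find_inactive_users(users, now=NOW, inactive_days=INACTIVE_DAYS):
    """Accounts with no login inside the window, or that never logged in at all."""
    cutoff = now - timedelta(days=inactive_days)
    return [u["id"] for u in users if u["last_login"] is None or u["last_login"] < cutoff]


def find_admins_without_mfa(users):
    """Privileged accounts that are not protected by MFA."""
    return [u["id"] for u in users if u["role"] == "admin" and not u["mfa"]]


def find_risky_grants(grants, users, sensitive=SENSITIVE_SCOPES, now=NOW):
    """App-to-app grants that reach sensitive data or were issued by a dormant account."""
    inactive = set(find_inactive_users(users, now))
    findings = []
    for g in grants:
        reasons = []
        hit = g["scopes"] & sensitive
        if hit:
            reasons.append("sensitive scopes: " + ", ".join(sorted(hit)))
        if g["granted_by"] in inactive:
            reasons.append("granted by inactive user " + g["granted_by"])
        if reasons:
            findings.append((g["app"], reasons))
    return findings


def check_tenant_baseline(tenant, max_session_hours=MAX_SESSION_HOURS):
    """Compare tenant-wide settings against the assumed minimum baseline."""
    findings = []
    if not tenant["mfa_required"]:
        findings.append("mfa_required is False; enforce MFA for all users")
    if tenant["session_hours"] > max_session_hours:
        findings.append(f"session_hours={tenant['session_hours']} exceeds {max_session_hours}")
    if tenant["guest_access"]:
        findings.append("guest_access is enabled; restrict or disable guest access to sensitive data")
    return findings


def run_report(users=USERS, grants=GRANTS, tenant=TENANT):
    """One pass over the inventory; each list is a work queue for the admin."""
    return {
        "inactive_users": find_inactive_users(users),
        "admins_without_mfa": find_admins_without_mfa(users),
        "risky_grants": find_risky_grants(grants, users),
        "tenant_findings": check_tenant_baseline(tenant),
    }


if __name__ == "__main__":
    for section, items in run_report().items():
        print(section)
        for item in items:
            print("  -", item)
```

The grant check deliberately cross-references the user list: a grant issued by a dormant account keeps working after the person stops logging in, which is exactly the kind of connection the text says should be removed.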
A critical part of the SCuBA framework is making sure federal civilian agencies have their cloud services generate logs for visibility, asset management, and incident response, so that alerting and threat detection can be built on them. Axonius SaaS Management can help agencies gain visibility into human and entity behavior in SaaS applications over time, as well as detect anomalies and suspicious behavior that may indicate apps or users were compromised. It aggregates log data from across various sources, like Okta and Google Workspace, to identify suspicious activity, events, and complex behavioral patterns. Axonius SaaS Management can also distinguish anomalous login activity that deviates from a user’s normal activity and other baselines.
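The log-aggregation and baseline-deviation idea above, as an added example written for this article (not Axonius code): events from two sources are normalized onto one schema, a per-user baseline of login countries is built from history, and new logins are flagged when they come from a country outside that baseline or follow a login from a different country within an hour. The event shapes are simplified from the Okta System Log and Google Workspace login report formats, the sample events are constructed, and the IP-to-country table is an assumed stand-in for a GeoIP lookup (Google Workspace login events carry an IP but no country).

```python
from datetime import datetime, timedelta

# Assumed stand-in for a GeoIP lookup; constructed for this example.
GEOIP = {"203.0.113.7": "US", "203.0.113.8": "US", "198.51.100.9": "DE"}


def okta_event(user, ts, ip, country, result="SUCCESS"):
    """Constructed event shaped like an Okta System Log entry."""
    return {"eventType": "user.session.start", "published": ts,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "outcome": {"result": result}}


def gws_event(user, ts, ip, name="login_success"):
    """Constructed event shaped like a Google Workspace login report entry."""
    return {"id": {"time": ts, "applicationName": "login"},
            "actor": {"email": user}, "ipAddress": ip,
            "events": [{"name": name}]}


HISTORY = [  # constructed prior logins used to build each user's baseline
    okta_event("alice@agency.example", "2023-05-10T14:00:00Z", "203.0.113.7", "US"),
    okta_event("alice@agency.example", "2023-05-20T15:30:00Z", "203.0.113.8", "US"),
    okta_event("bob@agency.example",   "2023-05-22T09:00:00Z", "203.0.113.7", "US"),
]
NEW_OKTA = [  # constructed events for the day under review
    okta_event("alice@agency.example", "2023-06-01T13:05:00Z", "203.0.113.7", "US"),
    okta_event("bob@agency.example",   "2023-06-01T13:10:00Z", "203.0.113.7", "US"),
    okta_event("alice@agency.example", "2023-06-01T13:30:00Z", "198.51.100.9", "DE", result="FAILURE"),
]
NEW_GWS = [
    gws_event("alice@agency.example", "2023-06-01T13:40:00Z", "198.51.100.9"),
    gws_event("bob@agency.example",   "2023-06-01T13:45:00Z", "198.51.100.9", name="login_failure"),
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_okta(ev):
    """Map a successful Okta session start onto the common schema; ignore the rest."""
    if ev.get("eventType") != "user.session.start" or ev["outcome"]["result"] != "SUCCESS":
        return None
    return {"source": "okta", "user": ev["actor"]["alternateId"], "ts": parse_ts(ev["published"]),
            "ip": ev["client"]["ipAddress"], "country": ev["client"]["geographicalContext"]["country"]}


def normalize_gws(ev, geoip=GEOIP):
    """Map a successful Google Workspace login onto the common schema; ignore the rest."""
    if not any(e["name"] == "login_success" for e in ev["events"]):
        return None
    ip = ev["ipAddress"]
    return {"source": "gws", "user": ev["actor"]["email"], "ts": parse_ts(ev["id"]["time"]),
            "ip": ip, "country": geoip.get(ip, "UNKNOWN")}


def normalize_all(okta_events, gws_events):
    logins = [normalize_okta(e) for e in okta_events] + [normalize_gws(e) for e in gws_events]
    return sorted((l for l in logins if l), key=lambda l: l["ts"])


def build_baseline(logins):
    """Per-user set of countries seen in historical successful logins."""
    baseline = {}
    for l in logins:
        baseline.setdefault(l["user"], set()).add(l["country"])
    return baseline


def detect_anomalies(logins, baseline, window=timedelta(hours=1)):
    findings, last = [], {}
    for l in logins:  # logins are already sorted by time
        reasons = []
        if l["country"] not in baseline.get(l["user"], set()):
            reasons.append("new_country")
        prev = last.get(l["user"])
        if prev and prev["country"] != l["country"] and l["ts"] - prev["ts"] <= window:
            reasons.append("rapid_country_change")
        if reasons:
            findings.append({"user": l["user"], "ts": l["ts"].isoformat(), "source": l["source"],
                             "ip": l["ip"], "country": l["country"], "reasons": reasons})
        last[l["user"]] = l
    return findings


def run():
    baseline = build_baseline(normalize_all(HISTORY, []))
    return detect_anomalies(normalize_all(NEW_OKTA, NEW_GWS), baseline)


if __name__ == "__main__":
    for f in run():
        print(f)
```

Note that the cross-source correlation is what catches the case: the Okta login from the US and the Google Workspace login from Germany are each unremarkable in their own console, and only the merged, time-ordered view shows the same user in two countries 35 minutes apart. Failed logins are dropped here; a production rule would count them separately as a brute-force or spray signal.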
By leveraging a modern approach to SaaS management, federal civilian agencies can act on the guidance from the SCuBA framework more effectively. More importantly, they have a place to start to gain valuable insight into their entire SaaS stack.
The future impact of the SCuBA framework on SaaS security
CISA collaborated with cloud vendors to develop the SCuBA framework and expects to keep doing so as it updates the framework to track technological change. The agency will build on its current knowledge of cloud providers and SaaS applications to provide guidance grounded in its understanding of threats and related efforts.
There are a lot of frameworks that already exist, and making sense of them isn’t easy. But it’s important to remember frameworks are only a guide, not a rule. Even with all the benefits that SaaS applications bring, they’ll continue to complicate our lives. And the goal is to secure them as much as possible.