Mar 19, 2024
Mar 19, 2024
Frameworks such as NIST CSF, SOC2, and ISO/IEC 27001 are intended to improve an organization’s cybersecurity posture and demonstrate program maturity to potential customers. At least in theory. However, in practice, there’s a thin and widening crack below the surface—shadow SaaS—and overreliance on these frameworks may create a false sense of security.
If you knew the frozen lake you were standing on had hidden cracks underneath the ice, would you still stand on it? Likely not, as there’s a risk of it breaking and exposing you to the bitter cold water below.
Similarly, cybersecurity frameworks are much like our hypothetical frozen lake.
Frameworks such as NIST CSF, SOC2, and ISO/IEC 27001 are intended to improve an organization’s cybersecurity posture and demonstrate program maturity to potential customers. At least in theory. However, in practice, there’s a thin and widening crack below the surface—shadow SaaS—and overreliance on these frameworks may create a false sense of security.
And to be clear, we’re not saying the frameworks are faulty or shouldn’t be used. Rather, it’s the language ambiguities and variances in how the frameworks are interpreted that create the gaps. An organization can be fully compliant on paper, but still have significant vulnerabilities.
In other words, strength on the surface doesn’t always equate to a secure foundation.
Understanding how common cybersecurity compliance standards vary in intent vs. practice can help strengthen your organization’s security posture and enable more focused conversations about how to mitigate the risks that arise from the proliferation of shadow SaaS.
Let’s explore where some of the hidden cracks lie.
In a perfect world, all tech requests would go through IT and security teams would evaluate the risk potential before adding a new app to the company’s tech portfolio. But, as we know, the world is made up of less-than-perfect people, and our human nature is to survive and thrive, including in our jobs.
SaaS companies offer many apps for free or make it easy to start trial subscriptions, and employees are indulging to improve productivity and outcomes. In fact, 41% of employees use apps outside of IT’s visibility. When unvetted apps sneak past established processes, it creates a crack small enough to seem harmless, but wide enough for bad actors to enter.
Many companies do not seem to apply cybersecurity compliance standards to cover the cracks in practice. Rather, compliance with these standards typically focuses on known SaaS usage—what’s above the surface—not the hidden apps in the shadows below. For example, the SOC2 security trust principle requires organizations to protect against unauthorized access. Though you could argue that the principle indirectly refers to shadow SaaS, it’s common practice for organizations to demonstrate access controls only for the systems they are aware of. Unless a company does a comprehensive discovery of apps employees have initiated on their own, shadow SaaS leaves a crack in their security foundation.
It’s hard to inventory what you don’t know exists. And, since shadow SaaS falls outside the purview of IT, it’s overlooked.
ISO/IEC 27001 includes verbiage about managing information assets, controlling access, and maintaining an inventory of information assets and information processing facilities, but it does not specify the extent to which organizations must identify the assets. Here again, we encounter a gap in the spirit of a framework and the implementation of the standard.
It’s not uncommon for organizations to focus on the larger, more visible assets, and skip the granular tracking of every SaaS account that exists, especially those acquired without IT approval. As a result, the inventory and management of assets will be only a partial view. Since the inventory doesn’t include unsanctioned SaaS accounts, registration and de-registration controls will also be incomplete, reporting only on what is known. Though the intent of ISO/IEC27001is to strengthen an organization’s information security management system (ISMS), because the inventories aren’t comprehensive, the benefits from this standard won’t be either.
According to Gartner research, 69% of employees admit to intentionally bypassing a company’s cybersecurity guidance, and 90% did so knowing that their actions would increase the organization’s cyber risk. As humans, we’re free spirits. In contrast, cybersecurity frameworks like NIST are structured, broad-stroked guidelines, that miss the nuances of human behavior—AKA another crack.
While NIST CSF does encourage organizations to identify, protect, and detect cybersecurity risks, and the “identity” function could be interpreted to include all software, most organizations place an emphasis on general asset management and risk assessment practices rather than detailed tracking and management of every software application.
Similarly, CM-11 is designed to manage the installation of software by users and mitigate the risks from unauthorized or unmanaged software installations. In theory, the principles should also apply to user-provisioned SaaS. But in practice, companies typically use this control to restrict or forbid the actual installation of software, overlooking unsanctioned SaaS in which no software is installed. And when the rules aren’t explicitly stated, the free spirits will interpret them on their own, acting as their own CIO.
The previous three cracks we’ve highlighted aren’t from security and IT teams failing to do their due diligence. Comprehensive discovery to uncover shadow SaaS can be time consuming and is a never-ending process, adding to the challenges of already overworked, overstressed, and under-resourced teams. Given this, it’s a natural response for teams to focus on the governance of known software. However, shadow SaaS risks still exist, and the longer they go undetected, the more they proliferate. And just like our hypothetical lake, cracks eventually lead to an incident, which can have serious consequences with other industry regulations, like GDPR, FINRA, HIPAA, PSI-DSS, and others.
So what’s the answer?
The intention of cybersecurity frameworks is to bolster cyber resilience; however, inconsistent practices in how the standards are applied are leaving gaps, which must be addressed to achieve a more secure foundation.
To truly improve cyber resiliency means extending beyond the written requirements of the cybersecurity frameworks. Advanced SaaS discovery tools factor in unpredictable human behavior and the nuances of SaaS adoption, using identity-centric controls instead of relying on controlling the network, endpoint or application. And that’s exactly what Grip Security provides.
With Grip, you can proactively address SaaS sprawl and shadow SaaS, gaining visibility into unauthorized SaaS operating outside of traditional security controls so that it can be governed appropriately. Grip also provides a panoramic lens into your SaaS security risks uncovering the vulnerabilities that industry frameworks fail to address.
Despite your best efforts, employees will always access web-based tools, start trial subscriptions, and download new tools on the sly. You can’t control the behavior of free spirits, but you can control their access. Using identity as the key control point allows you to confidently secure all SaaS applications, repair the hidden cracks in your security foundation, and empower employees to embrace SaaS adoption, without the associated risks.
For more on shadow SaaS and compliance risks, download the free guide, “Compliance Gaps from Shadow SaaS: A Modern IT Dilemma.” Or to see how Grip can help you identify, manage, and remediate the risks posed by unsanctioned SaaS, book a demo now.
Request a consultation and receive more information about how you can gain visibility to shadow IT and control access to these apps.
Fill out the form and we’ll send you our Datasheet.
Give us a test drive.
Fill out the form and we’ll get in touch with you.
Fill out the form and watch webinar's video.
