SaaS security measures depend on the management department, and manual operations approaching the limit

As a leader of Japan's leading ICT company, NEC Corporation (hereafter referred to as "NEC") has been active for more than 120 years since its founding. has contributed to In the 2025 Mid-term Management Plan announced in May 2021, NEC presents the future vision to be realized in 2030, "NEC 2030 VISION." We aim to create social values such as safety, security, fairness, and efficiency, and to realize a sustainable society in which everyone can fully demonstrate their humanity. Mr. Satoshi Miyamoto, senior professional in the Corporate Transformation Division CI SO Management Office, said, "In the medium-term management plan, we are promoting DX for transformation to the future. Our policy is to give back to society the DX that we have practiced in-house, placing it at the core of .In order to realize that, and in order for our company to be trusted by society, security is one of the most important matters. It is positioned as a support for our DX.We are currently aiming to build a zero-trust security platform that is both robust and flexible."

By the way, in promoting DX, the company was rapidly expanding the use of SaaS applications in-house. Of course, when using it, security measures were sufficiently implemented, but it was gradually becoming difficult to keep up with the speed of DX promotion. Under such circumstances, around 2021, security incidents due to improper SaaS settings were reported one after another in Japan and overseas. Mr. Yuta Goto of the CISO Management Office of the Corporate Transformation Division said, "Fortunately, the Company have not encountered such a problem. However, although we conduct a thorough examination at the time of introduction, we wonder if the secure settings can be maintained during the operation phase. , When new services and functions were added, there was concern about whether the settings could be checked continuously,” he recalls.

The company's SaaS operation was investigated by each SaaS operation department based on external references to determine what constitutes a secure setting. As a result, there is a problem that the security baseline differs depending on the department. In addition, SaaS has a mountain of setting items, and it was impossible to keep checking everything manually.

Evaluated for its track record overseas and the abundance of compatible SaaS, and the usability of the dashboard is also attractive

To address these issues, NEC was looking for a mechanism to ensure the secure operation of SaaS, when Macnica introduced them to Adaptive Shield, an SSPM (SaaS Security Posture Management) solution for SaaS configuration audits. "We regularly exchange information with Macnica, and Adaptive Shield was introduced to us in April 2021. We wanted to ensure the security of the major SaaS among the hundreds of SaaS we use in-house, and Adaptive Shield was a perfect match for that need," said Miyamoto. The key factors in deciding to adopt the solution were its track record at major companies around the world, as well as the wide range of supported SaaS, the many check items, and the ease of use of the dashboard.

"Adaptive Shield has an overwhelming number of security audit items, and it was excellent in that it explained why each item was necessary and how to correct it. In addition, how many high-risk items remained, etc. It was also very attractive to be able to grasp the summary information at a glance on the dashboard.In addition, the operability that considers actual usability, such as the flexibility of setting permissions according to the service used, was also a point of evaluation." Mr. Goto)

The company will conduct a PoC in July 2021. It was conducted in a test environment and a production environment for major SaaS such as Microsoft365, Box, Salesforce, and ServiceNow that are actually used company-wide.

“As a result of conducting a PoC in the production environment, the atmosphere within the company, which had been somewhat skeptical about the SSPM tool, changed completely. By visualizing the existence of risks, we again understood the necessity of introduction.” (Mr. Miyamoto)

Objective and comprehensive evaluation of settings is possible, and the current status is also visualized on the dashboard

NEC will officially adopt Adaptive Shield in December 2021. From the beginning of the following year, it will be rolled out in stages, targeting SaaS used by 100,000 users of the NEC Group. There are two major ways to use the system: auditing and constant monitoring. Regular audits are conducted quarterly and four times a year. The presence or absence of setting errors is identified and used to formulate a response plan. For constant monitoring, we use the alert function to send an alert to the person in charge when there is a change in SaaS settings, etc., and determine whether security measures are necessary. Mr. Goto talks about the effect of the introduction as follows. “Until now, many aspects of operation depended on the knowledge and know-how of each person in charge, and there was concern about whether or not the settings were truly secure. It's great to be able to visualize comprehensive evaluations numerically.For example, regarding the management method of SaaS settings, if the numerical target is 100%, what percentage of the current situation has been achieved and what percentage remains? With the dashboard, it is now possible to manage at a glance whether it is necessary to correct the setting values." Mr. Miyamoto also explains the importance of the dashboard as follows.

“Rather than checking it with some tool and reporting it as a PPT document, it is more reliable as an objective numerical value to show the real-time status directly on the Adaptive Shield dashboard.

Also, by clarifying the items that should be prioritized, I believe that we can implement proactive measures, in other words, aggressive security, rather than reactive measures as we have done in the past.” Also, Adaptive Shield With the introduction of , it is now possible to automatically audit the setting work performed by each SaaS operation department according to a unified standard, so it is possible to keep up with SaaS updates without spending man-hours. It became possible. This has led to improved quality and a significant reduction in operational load.

Practices of 100,000 users are referenced and provided as a unique NEC service

Going forward, NEC aims to increase the number of targeted SaaS, and as a Macnica partner, utilize Adaptive Shield as a product and widely offer it as its own service. Ayumu Minobe, a professional in the Cyber Security Business Division, said, ``We have compiled the knowledge and know-how we gained from this experience of implementation and operation into a reference and released it as a ``SaaS Security Settings Management Professional Service'' in February 2022. Although it is aimed at enterprise customers, the response has been great and we have already proposed it to many customers."

In this service, "SaaS security risk visualization assessment" to identify risky settings according to security standards, "SaaS setting improvement support" to support review of settings based on the assessment results, and risks associated with adding SaaS functions and changing settings. We provide “SaaS security operation support” that regularly checks and reports on Mr. Minobe said, "While the use of SaaS is rapidly increasing due to the introduction of telework, there are many cases where operation is performed without being aware of the risks such as setting errors. We want to improve security," he said.