There are limits to the checking system for SaaS usage that relies on human resources.

Mizuho Financial Group is a comprehensive financial group that includes Mizuho Bank, whose parent organization is the First National Bank, Japan's oldest bank, as well as Mizuho Trust and Banking, Mizuho Securities, and Mizuho Research & Technologies. Currently, we are aiming to "strengthen DX promotion power" as part of our management strategy, and we aim to leverage the "advanced technology, specialized knowledge, and IT implementation capabilities" of our group companies, including AI, as well as venture companies with high technological capabilities, and other businesses in various fields. We leverage our strong business foundations with large companies that are promoting cutting-edge initiatives, our strategic alliance with Google in the DX field, and our alliances with platform companies to develop new businesses to help society and We aim to create new solutions by connecting our customers with their issues.

The group has introduced and uses many SaaS, some of which have tenant contracts based on departments, etc. Previously, they checked SaaS functions and vendor system operations, but specific usage methods and SaaS settings were carried out on a department-by-department basis.

The company therefore decided to investigate the actual situation regarding SaaS usage and settings, but the task was expected to be a heavy burden. Hiroyuki Okawa, a researcher in the Risk Management Office of the Cyber Security Management Department, said, ``Our group already had many guidelines and multiple checklists, but we had to discuss their operation several times with the person in charge of the user department. "We had to go back and forth repeatedly to get the information we wanted, which was a huge burden on both us and the user department."

Initially, Mr. Okawa planned to prepare an additional cloud configuration checklist (SaaS version) to check specific usage of the user section and SaaS settings. However, using the same method as the existing one is expected to result in a similarly large burden. Furthermore, as the number of SaaS services that will be used increases in the future, manual checks may soon become unsustainable.

In total, the group uses hundreds of SaaS services. Creating a checklist for each SaaS is a difficult task; for example, for a web meeting SaaS, it took about a week, using various benchmarks as reference. In addition, when high-risk settings were discovered in these SaaS, it took a lot of time to understand the impact and take action on the discovered settings.
"Even if we ask a question, if a member is not in the security-related department, the question will have to be asked by the service provider, which inevitably takes lead time. This creates a time lag between when a problem occurs and when a response is taken, increasing the possibility of an incident.In order to solve these problems, we believe it is essential to introduce a tool that can accurately grasp the situation and respond automatically without relying on humans. ” (Mr. Okawa)

Adaptive Shield allows checking according to guidelines

While the Cyber Security Department was considering tools, in the summer of 2021 Macnica introduced the SSPM solution "Adaptive Shield", which performs SaaS configuration audits. Mr. Okawa was creating a checklist in parallel with the selection of tools, and in preparation, he collected information such as major guidelines, CISBenchmarks, and best practices published by SaaS providers.
``We used these guidelines as a reference to pick out items that we wanted to make sure to check, and the fact that Adaptive Shield covered these items was a big point in our evaluation.'' (Mr. Okawa)

In addition to the common checklist, the company has prepared specific checklists for some SaaS products. If these checks were to be performed manually, it would be necessary to look at the checklist, find the relevant parts, confirm them, and copy them into Excel, which could lead to misunderstandings or errors. On this point, if you use Adaptive Shield, settings can be acquired automatically, reducing effort and ensuring accuracy.

The company conducted a PoC for Adaptive Shield in November 2021. As a result, we confirmed that the effect was sufficiently satisfactory, so we decided to officially adopt it in September 2022.
“From a user's point of view, the number one desire is to be able to use the tools necessary for work safely and without any hassle.However, requests from security teams are often in the form of task assignments, so Therefore, we were able to gain their understanding by telling them that we would start implementing a checklist for SaaS, but it would not be a big burden as it would be automated using Adaptive Shield.'' (Okawa) Mr)

Enhanced security when using SaaS, reducing workload and errors

The group's SaaS targets for Adaptive Shield implementation include Zoom, Box, Salesforce, Webex, and GitHub, and are gradually expanding the scope.
"Currently, some tenants are not linked to Adaptive Shield, so we are using it in conjunction with some checklists. Some of the changes in Adaptive Shield's audit items are updated when updating the checklist that we have created ourselves. We also use it as a reference. We regularly check the checklist for tenants that cannot be linked, but there is a possibility that the person in charge will change the settings the next day. For tenants that are linked, we will check the settings using Adaptive Shield. Having continuous auditing and being able to detect changes is a big advantage.As new features are added to SaaS and specifications change frequently, there are many cases where the settings on the SaaS side change before you know it.Not appropriate It's very reassuring to have a system that notifies you in real time when settings change.'' (Mr. Okawa)

Another major accomplishment was the reduction in the burden and mistakes of those in charge. For example, in a SaaS service used by hundreds of users, there are settings for each user as well as global settings. When reviewing settings for each user, it is necessary to check hundreds of users. If done manually, there is a possibility of errors such as oversights.
"By introducing Adaptive Shield, we have been able to reduce the amount of work required for the number of users x number of items x number of departments, and we have also eliminated the possibility of making mistakes. Also, since we can follow configuration changes in real time, users When requesting someone to modify their settings, you can make the request by providing a reason that the other party can understand.'' (Mr. Okawa)

However, in actual operation, the targets of real-time detection are narrowed down. Mr. Okawa said, ``We receive all alerts, but we distinguish between those that should be dealt with promptly and those that are not.This is because even if we ask the person in charge of the department to take action, it may be necessary to "Stopping operations may not necessarily be beneficial to the organization. Therefore, we focus on those for which there is clear evidence, such as the risk of being attacked by a cyberattack if the settings are incorrect." .

Considering expansion of SaaS tenants covered, expecting support for domestic SaaS

Looking ahead, the group will continue to work to ensure that it covers incidents like those that occur at other companies. Mr. Okawa expressed his expectations, saying, ``Although there is a balance with cost, our policy is to expand the number of SaaS tenants we target. Therefore, I would be happy if Adaptive Shield could move forward with support for domestic SaaS.'' ``The same is true for CSPM, but if there is a change in settings on the vendor side, you will have to refer to the manual and deal with it.While checking many SaaS, I have noticed changes (differences in setting items) We will be able to understand overall trends based on the results (e.g.), and we would like to reflect this in the new checklist."