Are the cloud settings you use for work safe? ~How to prevent accidents caused by incorrect cloud settings~

Macnica
Tsubasa Iwasaki

With the spread of telework and the shift to DX, business systems have moved to the cloud. Cloud services have advantages such as being easy to introduce and being highly compatible with telework, and their use by companies is rapidly increasing.
According to the "Telecommunications Usage Trend Survey" released by the Ministry of Internal Affairs and Communications, more than 50% of companies have introduced telework.
The use of cloud services is also increasing year by year, and in the latest survey in 2020, 89.0% of companies answered that "cloud services have been effective," indicating that cloud services have become indispensable for companies.

Reference: Results of 2020 communication usage trend survey
https://www.soumu.go.jp/menu_news/s-news/01tsushin02_02000164.html

Looking at the business scene, many companies are using CRM, online storage, groupware, online conferencing systems, etc., and business efficiency has improved dramatically.

On the other hand, as the use of SaaS increases, information leakage incidents have been reported at many companies both in Japan and overseas. Since the beginning of this year, it has been reported that a certain automobile company had millions of pieces of personal information exposed on the Internet for about 10 years, resulting in an information leak.

This incident occurred because personal information was stored on a cloud server and was configured to be accessible from the Internet.

This shows that the information leak was caused by factors such as incorrect settings, which resulted from the cloud settings not being properly managed.

So what measures should be taken to prevent such accidents?
Although these incidents can be countered from a variety of perspectives, in this column we will focus on how to prevent accidents due to incorrect settings for SaaS cloud services used in business settings.
We believe that it is desirable to take concrete measures in the following three steps.

  • Monitor configurations and visualize risks
    This is the first step in protecting your SaaS from incidents. Monitor and visualize the current settings to understand the current setting status.
  • Analysis and evaluation of visualized risks
    Analyze and evaluate the visualized results, including the business impact of remediating the security risks.
  • Prioritize and make decisions for configuration improvements
    Based on the results of the analysis and evaluation, comprehensively judge the necessity of setting improvements, the impact on users, and whether the risks are acceptable when compared with internal security policies. If improvements are determined to be necessary, prioritize them and carry them out.

These are the three steps necessary to prevent accidents caused by incorrect SaaS settings. To do all of this, you will need knowledge of SaaS and security, and it will require a lot of effort.

If you have any concerns about implementing countermeasures, please contact a CSIJ member company.

As another countermeasure, a type of solution called SSPM (SaaS Security Posture Management) has emerged in recent years. It specializes in SaaS configuration deficiencies and implements continuous configuration audits.

Macnica handles an SSPM product called Adaptive Shield, so if you are interested, please feel free to contact us.

*Adaptive Shield
https://www.macnica.co.jp/business/security/manufacturers/adaptiveshield/adaptiveshield.html

*This article is a reprint of an article published in the CSIJ column on September 28, 2023.
