
Falcon Shield
Ensuring SaaS Security to Achieve ISO Compliance
The International Organization for Standardization (ISO) develops standards for many industries. Two of its internationally recognized information security standards are relevant to building a strong security program: ISO/IEC 27000:2018 and ISO/IEC 27001:2013.
In today's business world, SaaS security is essential for ISO compliance. However, enterprise SaaS is constantly changing, from configurations that need to be updated and corrected, to SaaS-to-SaaS integrations that need to be discovered, to devices that need to be secured, and it is very difficult for security teams to keep up. A SaaS Security Posture Management (SSPM) solution addresses these issues by providing proactive, automated, and continuous monitoring and management. (SSPM also maps its security checks to compliance frameworks, so security teams can see which parts of their security posture are compliant and which need improvement.)
This article provides a better understanding of ISO compliance standards and the different versions of the standard, and explains how SSPM can help security teams ensure ISO compliance.
What is the difference between ISO 27000:2018 and ISO 27001:2013?
Simply put, ISO 27000:2018 provides the overview, vocabulary, and principles of an information security management system (the goals to be achieved), while ISO 27001:2013 specifies the requirements an organization must meet to establish and run such a system (the steps to reach those goals).
ISO 27000 sets out the following core principles for an organization's security program:
- Awareness of the need for information security
- Assignment of responsibility for information security
- Management commitment and consideration of stakeholder interests
- Enhancing societal values
- Risk assessment to determine appropriate controls, within the organization's risk tolerance
- Security incorporated as an essential element of information networks and systems
- Active prevention and detection of information security incidents
- A comprehensive approach to information security management
ISO 27001 places emphasis on best practice, requires the establishment of an Information Security Management System (ISMS) consisting of policies and procedures, and sets out the following processes for achieving the basic elements of security:
- Establishment
- Implementation
- Operation
- Monitoring
- Review
- Improvement
The 10 clauses of ISO 27001:2013
Many of the clauses appear quite vague at first glance, and they are. ISO has adopted a risk-based approach to establishing an ISMS, but this does not mean that companies can just do as they please.
The first three clauses provide scope, normative references, and terminology, while clauses 4 to 10 contain the requirements proper:
- Clause 4: Context of the organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement
ISO defines these requirements within the clauses, but at a fairly high level. The meat of how to achieve ISO compliance is in Annex A, which lists 114 controls grouped into 14 control domains (A.5 to A.18).
Position of SaaS security in ISO compliance
The problem with understanding the importance of SaaS security within the context of ISO is that it doesn't specifically mention SaaS applications. Because ISO works as a risk-based framework, security teams must start by identifying the risks that SaaS applications pose and then bring those risks under control.
It would take too long for this article to cover all of the controls outlined in ISO 27001, but we will provide a few examples to give you a sense of where SaaS security and SaaS Security Posture Management (SSPM) fit into your ISO compliance plan.
Access Control
Access control involves ensuring that all users are assigned the appropriate access rights necessary to perform their job functions.
Ensuring SaaS security based on this requirement is not easy, as you need to ensure that the following sub-requirements are met:
- Access Control Policy: Establish, document, and review access requirements
- Privileged Access Management: Restrict and allocate privileged access
- Review user access rights: Regularly review access rights to ensure compliance with access control policies
- Removal or adjustment of access rights: Remove the access of all employees and external users when their employment or contract ends, and adjust it when their role changes
- Information access restriction: Restrict access based on access control policies
Example
Permission drift occurs when a user who receives a baseline set of permissions through group membership is then granted additional permissions directly, beyond what the group provides. Over time, many users end up with more permissions than they need, which defeats the purpose of provisioning access through groups.
Using SSPM
SSPM provides a way to manage cloud access for users through the following features:
- Discover all SaaS users, including partners and guests
- Continually measure each user's permission level
- Identify users with excessive permissions
- Remove unused permissions and deprovision inactive users
- Identify and disable insecure user authentication methods
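The permission-drift example and the SSPM access checks above can be reduced to a simple review routine: derive each user's expected permissions from group membership, diff them against what is actually granted, and flag inactive accounts and weak authentication along the way. The following is an added illustration written for this article, not code from Falcon Shield or any SSPM product; the group names, permission strings, and user records are constructed sample data, and the 90-day idle window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example data: group -> permissions the group is meant to grant.
GROUP_PERMISSIONS = {
    "finance": {"invoices:read", "invoices:write", "reports:read"},
    "support": {"tickets:read", "tickets:write"},
    "readonly": {"reports:read"},
}


@dataclass
class User:
    name: str
    groups: tuple            # group memberships: the intended provisioning path
    direct_permissions: set  # permissions actually present on the account
    last_login: date
    mfa_enabled: bool = True
    external: bool = False   # partner or guest account


# Constructed user records (hypothetical, not exported from a real tenant).
USERS = [
    User("alice", ("finance",),
         {"invoices:read", "invoices:write", "reports:read", "payroll:admin"},
         date(2024, 5, 30)),
    User("bob", ("support",), {"tickets:read", "tickets:write"},
         date(2024, 5, 28), mfa_enabled=False),
    User("carol", ("readonly",), {"reports:read", "reports:export"},
         date(2023, 11, 2), external=True),
]

REVIEW_DATE = date(2024, 6, 1)  # fixed "today" so the example is reproducible
MAX_IDLE_DAYS = 90              # assumed deprovisioning policy


def expected_permissions(user: User) -> set:
    """Permissions the user should hold purely by group membership."""
    expected = set()
    for group in user.groups:
        expected |= GROUP_PERMISSIONS.get(group, set())
    return expected


def excess_permissions(user: User) -> set:
    """Direct grants not explained by any group membership: the drift."""
    return user.direct_permissions - expected_permissions(user)


def drifted_users(users) -> dict:
    """Map each drifted user to its sorted excess permissions."""
    return {u.name: sorted(excess_permissions(u))
            for u in users if excess_permissions(u)}


def inactive_users(users, today=REVIEW_DATE, max_idle_days=MAX_IDLE_DAYS) -> list:
    """Accounts with no sign-in inside the idle window: deprovisioning candidates."""
    return sorted(u.name for u in users
                  if (today - u.last_login).days > max_idle_days)


def users_without_mfa(users) -> list:
    """Accounts still relying on a weaker, single-factor authentication method."""
    return sorted(u.name for u in users if not u.mfa_enabled)


def access_review(users, today=REVIEW_DATE) -> dict:
    """One pass over the user inventory producing the findings an access review needs."""
    return {
        "drift": drifted_users(users),
        "inactive": inactive_users(users, today),
        "no_mfa": users_without_mfa(users),
        "external": sorted(u.name for u in users if u.external),
    }


if __name__ == "__main__":
    for finding, detail in access_review(USERS).items():
        print(f"{finding}: {detail}")
```

The point of the diff in `excess_permissions` is that it treats group membership as the source of truth and reports only what cannot be explained by it, which is exactly the evidence an ISO 27001 access review (A.9.2.5) asks for. Running the review against a real tenant means replacing the constructed records with an export from the identity provider or the SaaS application's user API.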
Operational Security
Operational security is the process of ensuring correct and secure operations at any information processing facility. In cloud environments, the lack of visibility often makes operational security difficult to manage.
Ensuring SaaS security based on this requirement is not easy, as you need to ensure that the following sub-requirements are met:
- Document operational procedures: Document operational procedures and make them available to all users who need them.
- Change Management: Managing all changes to the organization, business processes, and information processing facilities and systems that affect information security.
- Capacity Management: Monitor and tune resource use so that required system performance is maintained
- Malware Controls: Strengthening malware protection through proper detection, prevention and remediation
- Event logging: Record user activity, exceptions, faults, and information security events
- Technical vulnerability management: monitoring systems for exposure to threats and taking steps to address risks
- Audit control of information systems: Plan activities to minimize disruption to business operations
Example
Granting an OAuth application access to a SaaS account is a very common user action, but if the grant is implemented or configured incorrectly it can open the door to attacks. You should ensure that you have documented operating procedures for onboarding new applications that use OAuth. Attackers also exploit such misconfigurations, for example by using a connected OAuth application to send phishing emails, as a step in a ransomware attack.
Using SSPM
SSPM provides visibility into SaaS-to-SaaS access (third-party application integrations) as well as continuous security checks for all SaaS applications in use.
- Monitor all global settings, user specific settings and user privileges for misconfigurations
- Prioritize and automate remediation
- Log all events and track user activity, anomalies and outages across your SaaS environment
- Communicate risk context and remediation methods to individual SaaS owners
- Minimize business disruption with unobtrusive monitoring
Compliance
This requirement focuses on complying with legal, statutory, regulatory or contractual obligations.
Ensuring SaaS security based on this requirement is not easy, as you need to ensure that the following sub-requirements are met:
- Privacy and Personally Identifiable Information (PII) Protection: Protecting personal information as required by relevant laws and regulations
- Third-party audits of information security: External audits are conducted at scheduled intervals to check the implementation of the ISMS
- Compliance with security policies and standards: Periodic reviews by administrators or application owners to ensure that appropriate security policies, standards, or other security requirements are being applied.
- Technical compliance review: Regularly reviewing information systems to ensure they comply with the organization's information security policies and standards
Example
Default settings can expose personal information, as seen in the Microsoft Power Apps portals issue of 2021, in which a default configuration left data publicly accessible until Microsoft changed the default. Understanding which default settings can lead to non-compliance, and monitoring to ensure the issues are fixed, is key to compliance.
Using SSPM
SSPM helps you achieve compliance by:
- Continuously monitor all global settings, user-specific settings, and user privileges for misconfigurations
- Align settings, user permissions, and other controls required for compliance with standards and regulations
- Issues alerts when misconfigurations that could lead to non-compliance are detected
- Prioritize and automate remediation
- Communicate risk context and remediation methods to each SaaS owner, track progress, and verify and monitor risk reduction
Inquiry/Document request
Macnica Falcon Shield
- TEL:045-476-2010
- E-mail:crowdstrike_info@macnica.co.jp
Weekdays: 9:00-17:00