Cloud Security Automation WG
Macnica
Akinori Nezuka

The Cloud Security Automation WG would like to introduce various monitoring automation mechanisms to reduce the burden on cloud security operations staff as much as possible. First, I would like to discuss SaaS security automation.

The migration of business systems to the cloud, which has been underway as part of DX, has further accelerated due to changes in corporate work styles due to the spread of coronavirus infection. Companies have rapidly adopted SaaS, such as cloud services such as telework, web conferencing systems, and online storage. While SaaS is scalable and easy to implement, it often handles confidential corporate data and requires a high level of security.

On the other hand, there are many incidents of information leakage from SaaS, and I would like to give some examples.

• [Cases that occurred at multiple companies] (2019)
  Inadequate settings in the global settings of the project management system (Jira) exposed the risk of leakage of corporate data and personal information mainly in the US
• [Microsoft PowerApps case] (2021)
  A total of 38 million pieces of sensitive data including personal information, social security numbers, names, and email addresses were leaked due to Microsoft Power Apps misconfiguration.
• [Case of a certain board of education] (2022)
  In a survey conducted using Google Forms targeting employees of public elementary, junior high, and compulsory education schools who are planning to retire at the end of 2021, the results were set to be shared with the respondents, resulting in an error in their responses. It was discovered that the person's name was available for viewing by other respondents.

Setting to display a summary of Google Forms results (default is disabled)

• [Cases that occurred at multiple companies] (2022)
  It has been discovered that multiple companies have misused the settings of a task management tool (Trello), causing internal and personal information to be exposed and searchable to the outside world. It became such a hot topic that the National Cyber Security Center (NISC) issued a warning.
• [Case of a certain automobile company] (2023)
  On the software development platform (GitHub), the source code containing the access key to the database was made public. It turned out that by using this access key, it was possible to access the email address and customer management number stored on the data server. These issues often stem from poorly configured SaaS.
  Data illustrating this point is that a CSA survey*1 conducted in 2022 suggests that 63% of SaaS security incidents may be due to configuration deficiencies. Furthermore, according to data published by IPA*2, in terms of the percentage of unauthorized access by cause in 2022, incorrect settings ranked second at 16.1% of the total. From this, you can see that it is extremely important to consider countermeasures for SaaS configuration deficiencies.

Why do configuration deficiencies occur that can cause security issues?
The answer is not a simple human error such as a work error or setting error, but rather a complex interplay of various factors such as the following.

• [Less opportunity for configuration audit and manual configuration check]
  As a common SaaS implementation process for Japanese companies, when deciding whether to use the service, they use a security check sheet to check the data management method of the entire SaaS, physical security, compliance, etc. before deciding whether or not to use the service. After that, the SaaS settings are performed, but the only way to check whether the settings are appropriate and whether there are any security issues is at the time of implementation; after that, if you neglect to regularly check and monitor the security settings. There are many companies that do. Additionally, even companies that perform regular configuration checks may still check configurations manually. This manual configuration verification consumes time and resources, and as SaaS usage increases, so does the need to do so. This can lead to situations where operations cannot be handled or require a lot of man-hours.
• [Different settings for each SaaS and appropriate setting decisions]
  SaaS providers provide a variety of functions to support different uses, and the operating specifications and settings differ for each SaaS. Therefore, it is thought to be relatively difficult to appropriately determine the most secure settings and the optimal settings that do not compromise user convenience based on each benchmark (CIS, CCM, etc.). This can also be one of the reasons for setting errors.
• [Operation management outside the security department]
  There are cases where the business department is entrusted with SaaS operation management.If the operation is performed by a team other than security, there may be cases where it is not possible to handle the complexity of configuration monitoring operations and security checks as described above. Issues with this kind of operational structure can also be considered as one of the factors. In fact, a CSA survey*1 found that the departments most responsible for SaaS configuration are the security department at 59%, the IT department at 50%, and the business application owner at 40%. It shows that multiple departments outside of the security department are involved in setting up SaaS.

Additionally, the following factors may be contributing to the acceleration of the above factors.

• [Increasing complexity of SaaS operations management]
  • Lack of visibility into SaaS configuration
  • Increase in the number of SaaS managed by companies (more than 30% of companies have introduced 11 or more SaaS, and the number of companies with 40 or more SaaS is also increasing) *3
  • Frequency of SaaS updates
  • Increasing complexity due to increase in data linkage and API linkage between SaaS and SaaS
  • In some cases, the default settings do not take sufficient security into account.

Under these circumstances, there is a solution called SaaS Security Posture Management (SSPM) that can automatically resolve security and operational issues. This is a solution to prevent incidents (unauthorized access, leakage of confidential information, etc.) due to incorrect configuration of SaaS applications.

Although the name is similar to CSPM (Cloud Security Posture Management), the difference is that CSPM mainly provides configuration auditing functionality for IaaS, whereas SSPM provides configuration auditing for SaaS.

SSPM mainly provides the following functions:

• Configuration, configuration analysis/tracking automation
• Evaluation of compliance status
• Evaluation of data access rights
• Risk detection
• Visualization of analysis results
• Dashboard
• アラート
• Teaching how to make improvements to reduce risk
• Setting items
• Setting parameters

In operation, it mainly accesses each SaaS using API and comprehensively monitors and analyzes configuration information. Depending on the product, you can compare each configuration to security benchmarks and instantly see how compliant you are. Since almost everything is automated, the visual and manual setting confirmation work that previously took several days is no longer necessary. Some SSPMs have a function that will list affected users if there is a problem with the settings, provide suggestions for setting corrections, and visualize coordination between SaaS, allowing you to maintain SaaS settings securely. It has functions. Therefore, it is a solution that can comprehensively cover the multiple causes of configuration errors mentioned earlier.

SSPM is a relatively new solution that is gradually penetrating the market and gaining customer experience.
However, more than 90% of SSPM-compatible SaaS provided by overseas vendors are overseas-made SaaS, and support for domestically-made SaaS is still insufficient. Many Japanese customers who are considering using SSPM have requested that we increase the number of domestically produced SaaS services. This can be said to be an issue as SSPM becomes more widespread in the future.

As an alternative tool, there are tools provided by each SaaS vendor to check the configuration status of each tenant, but there is a high possibility that it can only monitor the SaaS of the provider, and management for each SaaS is required, which remains complicated. In the first place, there are currently no such tools released by companies other than major SaaS vendors, so if you are managing multiple SaaS, there is an advantage to using SSPM, which can be checked all at once. thinking about.

Another similar solution is CASB.
One of the functions of CASB is the ability to control each SaaS using API, but its main function is to monitor user activities and check files, which is covered by SSPM. This is different from the audit function of the settings.
However, depending on the vendor, there are cases where the SSPM function is provided as part of the CASB function, so when considering SaaS security as a whole, we would like you to understand it thoroughly and consider it. Masu.