CrowdStrike

Mizuho Financial Group, Inc.

It covers many important points for using SaaS safely.
Falcon Shield reduces the workload and errors of configuration checks

Key points of the introduction

  • Achieves checks that cover important items indicated by major security guidelines
  • Automated checks reduce workload and errors
  • Real-time detection is now possible for SaaS, where new features are frequently added and specifications are changed.

Mizuho Financial Group, Inc.
Cyber Security Management Department
Risk Management Office
Investigator
Mr. Hiroyuki Okawa

There are limits to the checking system for SaaS usage that relies on human resources.

Mizuho Financial Group is a comprehensive financial group that includes Mizuho Bank, whose parent organization is the First National Bank, Japan's oldest bank, as well as Mizuho Trust and Banking, Mizuho Securities, and Mizuho Research & Technologies. As part of its management strategy, the group is currently aiming to "strengthen DX promotion power". It aims to leverage the "advanced technology, specialized knowledge, and IT implementation capabilities" of its group companies, including AI, as well as venture companies with high technological capabilities and other businesses in various fields. Drawing on its strong business foundations with large companies that are promoting cutting-edge initiatives, its strategic alliance with Google in the DX field, and its alliances with platform companies, the group aims to develop new businesses that help society and to create new solutions by connecting with its customers' issues.

The group has introduced and uses many SaaS services, some of which are contracted as tenants on a per-department basis. Previously, the group checked SaaS functions and vendor system operations, but specific usage methods and SaaS settings were handled department by department.

The company therefore decided to investigate the actual situation regarding SaaS usage and settings, but the task was expected to be a heavy burden. Hiroyuki Okawa, a researcher in the Risk Management Office of the Cyber Security Management Department, said, "Our group already had many guidelines and multiple checklists, but we had to discuss their operation several times with the person in charge of the user department. We had to go back and forth repeatedly to get the information we wanted, which was a huge burden on both us and the user department."

Initially, Mr. Okawa planned to prepare an additional cloud configuration checklist (SaaS version) to check the user departments' specific usage and SaaS settings. However, using the same method as the existing checklists was expected to result in a similarly large burden. Furthermore, as the number of SaaS services in use increases in the future, manual checks may soon become unsustainable.

In total, the group uses hundreds of SaaS services. Creating a checklist for each SaaS is a difficult task; for example, for a web meeting SaaS, it took about a week, using various benchmarks as reference. In addition, when high-risk settings were discovered in these SaaS, it took a lot of time to understand the impact and take action on the discovered settings.
"Even if we ask a question, if a member is not in the security-related department, the question will have to be asked by the service provider, which inevitably takes lead time. This creates a time lag between when a problem occurs and when a response is taken, increasing the possibility of an incident. In order to solve these problems, we believe it is essential to introduce a tool that can accurately grasp the situation and respond automatically without relying on humans." (Mr. Okawa)

Falcon Shield allows for guideline-based checks

As the Cybersecurity Division considered tools, it was introduced to Falcon Shield, an SSPM solution for SaaS configuration audits, by Macnica in the summer of 2021. While selecting the tool, Okawa was also creating a checklist, and in preparation for this he was gathering information on key guidelines, CIS Benchmarks, best practices published by SaaS providers, and other topics.
"We used these guidelines to select the items we wanted to make sure we checked, and the fact that Falcon Shield covered all of these items was a major plus," says Okawa.

In addition to a common checklist, the company also has dedicated checklists for some SaaS services. Performing these checks by hand means looking at the checklist to find the relevant section, checking it, and then copying the result into Excel, which could lead to misunderstandings or mistakes. By using Falcon Shield, the settings can be obtained automatically, reducing the effort and ensuring accuracy.

The company conducted a PoC of Falcon Shield in November 2021. The PoC produced satisfactory results, and the company decided to officially adopt it in September 2022.
"From the user's perspective, their greatest wish is to be able to use the tools they need for their work safely and without hassle. However, requests from the security team often involve inserting tasks, which is not well received by the field. So this time, we will start using a checklist for SaaS, but we explained that this will be automated using Falcon Shield so it will not be a major burden, and we were able to gain understanding," says Okawa.

Enhanced security when using SaaS, reducing workload and errors

The SaaS services the group covers with Falcon Shield include major tenants such as Zoom, Box, Salesforce, Webex, and GitHub, and the scope is gradually expanding.
"Currently, we have some tenants that are not yet connected to Falcon Shield, so we use some of the checklists in conjunction with it. We also use some of the changes to Falcon Shield's audit items as a reference when updating our own checklists. For tenants that are not yet connected, we regularly check the checklist, but there is a chance that the person in charge will change the settings the next day. For tenants that are connected, Falcon Shield conducts continuous audits, and being able to detect changes is a major benefit. With SaaS, new features are added and specifications change frequently, so it is not uncommon for settings on the SaaS side to change without us noticing. It is very reassuring to have a system that notifies us in real time when settings have been changed to inappropriate settings," says Okawa.

Another major benefit is the reduction in the burden and mistakes made by the person in charge. For example, in a SaaS used by several hundred users, there are settings for each user in addition to the overall settings. When reviewing the settings for each user, the work of checking for several hundred users is required. If done manually, there is a risk of mistakes such as oversights.
"By introducing Falcon Shield, we were able to reduce the workload of multiplying the number of users by the number of items by the number of departments, and we also eliminated the possibility of making mistakes. Also, because we can track setting changes in real time, when we ask users to change their settings, we can provide a reason that the other party can understand," says Okawa.

However, in actual operation, the targets of real-time detection are narrowed down. Mr. Okawa said, "We receive all alerts, but we distinguish between those that should be dealt with promptly and those that are not. This is because even if we ask the person in charge of the department to take action, it may be necessary to ... Stopping operations may not necessarily be beneficial to the organization. Therefore, we focus on those for which there is clear evidence, such as the risk of being attacked by a cyberattack if the settings are incorrect."

Considering expansion of SaaS tenants covered, expecting support for domestic SaaS

Looking ahead, the group plans to work to ensure it can fully cover incidents occurring at other companies. Okawa expressed his expectations, saying, "We plan to expand the number of SaaS tenants we target, although this will have to do with costs. Therefore, we would be happy if Falcon Shield could support domestic SaaS." He added, "It's the same with CSPM, but when there are changes to the settings on the vendor's side, we have to refer to the manual to take action. As we check many SaaS services, we can begin to see overall trends from increases and decreases (differences in settings, etc.), and we would like to reflect this in the new checklist."

*The information and company names mentioned in the text are from the time of the interview (June 2023).

Mizuho Financial Group, Inc.
Location: 1-5-5 Otemachi, Chiyoda-ku, Tokyo
Introduction time: September 2022
Mizuho Financial Group is a comprehensive financial group that includes Mizuho Bank, whose parent organization is the First National Bank, Japan's oldest bank, as well as Mizuho Trust and Banking, Mizuho Securities, and Mizuho Research & Technologies.
