SaaS security measures depend on the management department, and manual operations approaching the limit

As a leader of Japan's leading ICT company, NEC Corporation (hereafter referred to as "NEC") has been active for more than 120 years since its founding. has contributed to In the 2025 Mid-term Management Plan announced in May 2021, NEC presents the future vision to be realized in 2030, "NEC 2030 VISION." We aim to create social values such as safety, security, fairness, and efficiency, and to realize a sustainable society in which everyone can fully demonstrate their humanity. Mr. Satoshi Miyamoto, senior professional in the Corporate Transformation Division CI SO Management Office, said, "In the medium-term management plan, we are promoting DX for transformation to the future. Our policy is to give back to society the DX that we have practiced in-house, placing it at the core of .In order to realize that, and in order for our company to be trusted by society, security is one of the most important matters. It is positioned as a support for our DX.We are currently aiming to build a zero-trust security platform that is both robust and flexible."

By the way, in promoting DX, the company was rapidly expanding the use of SaaS applications in-house. Of course, when using it, security measures were sufficiently implemented, but it was gradually becoming difficult to keep up with the speed of DX promotion. Under such circumstances, around 2021, security incidents due to improper SaaS settings were reported one after another in Japan and overseas. Mr. Yuta Goto of the CISO Management Office of the Corporate Transformation Division said, "Fortunately, the Company have not encountered such a problem. However, although we conduct a thorough examination at the time of introduction, we wonder if the secure settings can be maintained during the operation phase. , When new services and functions were added, there was concern about whether the settings could be checked continuously,” he recalls.

The company's SaaS operation was investigated by each SaaS operation department based on external references to determine what constitutes a secure setting. As a result, there is a problem that the security baseline differs depending on the department. In addition, SaaS has a mountain of setting items, and it was impossible to keep checking everything manually.

Evaluated for its track record overseas and the abundance of compatible SaaS, and the usability of the dashboard is also attractive

To address these issues, NEC was searching for a system that could ensure the secure operation of SaaS, when Macnica introduced them to Falcon Shield, an SSPM (SaaS Security Posture Management) solution for SaaS configuration audits. "We regularly exchange information with Macnica, and Falcon Shield was introduced to us in April 2021. Of the hundreds of SaaS services we use internally, we wanted to ensure the security of our major SaaS services, and Falcon Shield met our needs perfectly," said Miyamoto. Key points in the decision to adopt Falcon Shield​ ​included its proven track record with major companies around the world, its wide range of supported SaaS services, the many check items, and the user-friendly dashboard.

"Falcon Shield excels in that it has an overwhelming number of security audit items, and it explains why each item is necessary and even how to correct them. Another big attraction was the dashboard, which provides summary information at a glance, such as how many high-risk items remain. In addition, the operability, which takes into account actual usability, such as the flexibility to set permissions according to the services used, was also a point of evaluation," says Goto.

The company will conduct a PoC in July 2021. It was conducted in a test environment and a production environment for major SaaS such as Microsoft365, Box, Salesforce, and ServiceNow that are actually used company-wide.

“As a result of conducting a PoC in the production environment, the atmosphere within the company, which had been somewhat skeptical about the SSPM tool, changed completely. By visualizing the existence of risks, we again understood the necessity of introduction.” (Mr. Miyamoto)

Objective and comprehensive evaluation of settings is possible, and the current status is also visualized on the dashboard

NEC decided to officially adopt Falcon Shield in December 2021. The rollout began early the following year, targeting the SaaS used by 100,000 NEC Group users. The system is used for two main purposes: audits and continuous monitoring. Audits are conducted quarterly, four times a year. Configuration errors are identified and used to develop response plans. Continuous monitoring utilizes the alert function, which sends alerts to the appropriate personnel when changes are made to SaaS configurations, determining whether security measures are necessary. Regarding the benefits of the implementation, Goto commented: "Until now, operations have relied heavily on the knowledge and know-how of each individual, which led to concerns about whether the configurations were truly secure. However, with the introduction of Falcon Shield, we can now visualize objective and comprehensive evaluations numerically, which is a major advantage. For example, when it comes to SaaS configuration management, if a numerical target is set at 100%, the dashboard now allows us to see at a glance how much has been achieved and how much of the remaining configuration needs correction." Miyamoto then went on to explain the importance of the dashboard:

"Rather than checking the data with some tool and reporting it as a PowerPoint presentation, showing the real-time status directly on the Falcon Shield dashboard gives us more confidence as it provides objective figures.

"Also, by clarifying which items should be prioritized, we believe we can achieve proactive responses rather than the reactive approach we've taken up until now, in other words, offensive security." Furthermore, the introduction of Falcon Shield has made it possible to automatically audit the configuration work carried out by each SaaS operations department using uniform standards, which has made it possible to keep up with SaaS updates without increasing the amount of man-hours required. This has led to improved quality and a significant reduction in operational workload.

Practices of 100,000 users are referenced and provided as a unique NEC service

Looking ahead, NEC aims to not only increase the number of target SaaS services, but also to partner with Macnica to utilize Falcon Shield as a commercial product and widely provide it as its own service. Minobu Ayumu, Professional at the Cybersecurity Business Division, said, "We have referenced the knowledge and know-how gained from this implementation and operation experience and released it as a 'SaaS Security Configuration Management Professional Service' in February 2022. While it is primarily aimed at enterprise customers, the response has been overwhelming and we have already proposed it to many customers."

In this service, "SaaS security risk visualization assessment" to identify risky settings according to security standards, "SaaS setting improvement support" to support review of settings based on the assessment results, and risks associated with adding SaaS functions and changing settings. We provide “SaaS security operation support” that regularly checks and reports on Mr. Minobe said, "While the use of SaaS is rapidly increasing due to the introduction of telework, there are many cases where operation is performed without being aware of the risks such as setting errors. We want to improve security," he said.

*The information and company names mentioned in the text are from the time of the interview (July 2022).