SaaS Compliance through the NIST Cybersecurity Framework

By neub9

The US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is one of the most widely used guidelines for managing cybersecurity risk, and it applies to SaaS as readily as to networks. One challenge for those tasked with securing SaaS applications is that every application exposes a different set of settings, which makes it hard to write one configuration policy that both aligns with the framework and applies to all types of apps.

However, we have identified several settings that can be applied to nearly every SaaS app. In this article, we’ll explore some universal configurations, explain why they are important, and guide you in setting them to improve your SaaS apps’ security posture.

Start with Admins

Role-based access control (RBAC) is central to NIST CSF alignment (the framework's Protect function calls for access permissions to be managed under least privilege and separation of duties) and should be applied to every SaaS app. A SaaS application has two kinds of permissions: functional access (what a user can do in the app) and data access (what a user can see). Admin accounts hold both in full, which makes them the most sensitive accounts in the app. Organizations must do everything within their power to keep control over these accounts through configuration and operating practice.

Implement Limited Redundancy

Keep a minimum of two admins for every application, so that the organization is not locked out when a single admin leaves, loses access or is compromised, and so that a second admin can see and reverse what the first one does. Keep a maximum as well: every additional admin account widens the exposure if one of them is phished. An automated review of the admin count should raise an alert whenever the number of admins falls outside that range.

Eliminate External Admins

External admins (accounts outside the organization's own identity domain, such as contractors or vendors) add a layer of uncertainty to SaaS security, because they are not covered by the organization's onboarding, offboarding and identity controls. Organizations should block external users from being granted admin privileges, and should periodically identify external users that already hold admin rights and remove those privileges, to reduce breach risk and support NIST CSF alignment.
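The two checks above, the admin-count range and the external-admin review, are easy to automate over a user export from the app's admin console. The following is an added example, not code from the original article: it runs over a constructed, vendor-neutral user listing (the field names `email`, `roles` and `active`, the role names in `ADMIN_ROLES`, the owned domains and the 2-to-5 range are all assumptions to adapt per app). It goes slightly beyond the text in one respect: it matches domains by whole label, so a look-alike such as `example.com.evil.net` is not mistaken for an internal account.

```python
"""Admin-count and external-admin checks over a SaaS user export.

Added example, not code from the original article. The input is a
constructed, vendor-neutral user listing; real SaaS consoles export
something similar as CSV/JSON, but the field names here are assumptions.
"""
from dataclasses import dataclass

# Assumptions: which role names carry full functional + data access in
# this app, which mail domains the organisation owns, and the admin range.
ADMIN_ROLES = {"admin", "owner", "super_admin"}
INTERNAL_DOMAINS = {"example.com"}
MIN_ADMINS, MAX_ADMINS = 2, 5

# Constructed sample export (not real data).
SAMPLE_USERS = [
    {"email": "alice@example.com", "roles": ["Admin"], "active": True},
    {"email": "bob@Corp.Example.com", "roles": ["owner", "billing"], "active": True},
    {"email": "carol@example.com", "roles": ["member"], "active": True},
    {"email": "dave@contractor.io", "roles": ["admin"], "active": True},
    {"email": "erin@example.com", "roles": ["admin"], "active": False},
    {"email": "mallory@example.com.evil.net", "roles": ["admin"], "active": True},
]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    message: str


def mail_domain(email: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    local, sep, domain = email.rpartition("@")
    return domain.strip().lower() if sep and local else ""


def is_external(email: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True unless the address is on an owned domain or a subdomain of one.

    Compares whole labels: 'example.com.evil.net' is NOT internal even
    though a naive substring test would accept it.
    """
    domain = mail_domain(email)
    if not domain:
        return True  # unparsable addresses are treated as external
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def is_admin(user: dict) -> bool:
    """Active account holding at least one admin-equivalent role."""
    roles = {r.lower() for r in user.get("roles", [])}
    return bool(user.get("active", True)) and bool(roles & ADMIN_ROLES)


def audit_admins(users, min_admins=MIN_ADMINS, max_admins=MAX_ADMINS,
                 internal_domains=INTERNAL_DOMAINS):
    """Return findings for external admins and an out-of-range admin count."""
    findings = []
    admins = [u for u in users if is_admin(u)]
    external = [u for u in admins if is_external(u["email"], internal_domains)]
    for u in external:
        findings.append(Finding("high", f"external admin: {u['email']} (remove admin rights)"))
    # Range check counts only internal admins: external ones are slated for
    # removal, so they must not be what keeps the org above the minimum.
    retained = len(admins) - len(external)
    if retained < min_admins:
        findings.append(Finding("high", f"admin count {retained} below minimum {min_admins}"))
    elif retained > max_admins:
        findings.append(Finding("medium", f"admin count {retained} above maximum {max_admins}"))
    return findings


if __name__ == "__main__":
    for f in audit_admins(SAMPLE_USERS):
        print(f"[{f.severity}] {f.message}")
```

On the sample export this reports dave and mallory as external admins and no range finding, because the two internal admins (alice and bob) satisfy the minimum. The range is evaluated after excluding external admins on purpose: an app whose only second admin is a contractor has no redundancy once that contractor's rights are removed. Deactivated accounts are ignored, since a suspended admin neither provides redundancy nor adds exposure until it is re-enabled.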
