If you knew there was a hidden crack beneath the ice of a frozen lake you were standing on, would you still stand on the lake? Probably not, because you would risk breaking through and exposing yourself to the frigid water below.
A cybersecurity framework is much like that frozen lake.
Frameworks such as NIST CSF, SOC 2, and ISO/IEC 27001 are intended to improve an organization's cybersecurity posture and demonstrate program maturity to potential customers. At least in theory. In reality, there is a growing crack beneath the surface, shadow SaaS, and over-reliance on these frameworks can create a false sense of security.
To be clear, I'm not saying that these frameworks are flawed or that you shouldn't use them. Rather, ambiguity in their language and differences in how they are interpreted create gaps. An organization can be fully compliant on paper while significant vulnerabilities still exist.
In other words, surface strength does not necessarily equate to a solid foundation.
Understanding where common cybersecurity compliance standards differ in intent and in practice makes it possible to have more focused conversations about how to strengthen your organization's security posture and reduce the risk posed by the proliferation of shadow SaaS.
Let's find out where the hidden cracks are.
Crack #1: The way we acquire SaaS has changed.
In an ideal world, every technology request would pass through IT, and the security team would assess the potential risk before a new app is added to the company's technology portfolio. But as we all know, the world is made up of imperfect people, and human nature is to find ways to survive and thrive, including at work.
SaaS vendors offer many apps for free or make it easy to start a trial subscription, and employees adopt them to be more productive and perform better. In fact, 41% of employees use apps outside the visibility of their IT department. When unvetted apps slip past established processes, cracks open up that are small enough to seem harmless but wide enough for bad actors to exploit.
In fact, few companies apply cybersecurity compliance standards in a way that covers this deficiency. Compliance with these standards typically focuses on known SaaS usage, what is on the surface, not the apps hidden in the shadows below. For example, the Security criteria of the SOC 2 Trust Services Criteria require organizations to protect against unauthorized access. Although it could be argued that this principle indirectly covers shadow SaaS, organizations commonly demonstrate access control only for the systems they know about. Shadow SaaS will leave cracks in the security foundation unless companies comprehensively detect the apps that employees adopt on their own.
Crack #2: Incomplete system inventory
It's difficult to inventory things you don't know exist, and shadow SaaS is overlooked precisely because it sits outside IT's field of view.
ISO/IEC 27001 includes controls for managing information assets, controlling access, and maintaining an inventory of information assets and information processing facilities, but it does not specify how exhaustively an organization must identify its assets. Once again, we run into a gap between the spirit of the framework and the implementation of the standard.
It's not uncommon for organizations to focus on larger, more visible assets and skip detailed tracking of every SaaS account that exists, especially those acquired without IT approval. As a result, asset inventory and management are only partial. User registration and de-registration controls are also incomplete, because the inventory does not include unapproved SaaS accounts and only what is known gets reported. Although the purpose of ISO/IEC 27001 is to strengthen an organization's information security management system (ISMS), an inventory that is not comprehensive cannot deliver that benefit.
Crack #3: Employees seek forgiveness rather than permission.
According to a Gartner study, 69% of employees admit to intentionally circumventing corporate cybersecurity guidance, and 90% of them did so knowing that their actions would increase their organization's cyber risk. As humans, we are free spirits. In contrast, cybersecurity frameworks like the NIST CSF are structured, broad guidelines that miss the nuances of human behavior: another crack.
While the NIST CSF encourages organizations to identify, protect against, and detect cybersecurity risks, the Identify function can be interpreted to cover all software assets, yet most organizations focus on general asset management and risk assessment practices rather than detailed tracking and management of every software application.
Similarly, NIST SP 800-53 control CM-11 (User-Installed Software) is designed to govern software installation by users and reduce the risk of unauthorized or uncontrolled software. In theory, this control should also apply to user-provisioned SaaS. In practice, companies usually use it to limit or prohibit the actual installation of software and overlook unauthorized SaaS, which requires no installation at all. And when rules are not explicitly stated, free spirits interpret them for themselves and act as their own CIO.
Crack #4: Security and IT teams are understaffed
The three cracks we've covered so far aren't the result of a lack of due diligence on the part of security and IT teams. Comprehensive discovery of shadow SaaS is a time-consuming and never-ending process, adding to the burden on teams that are already overworked, overstressed, and under-resourced. Given this, it's a natural reaction for teams to focus on governance of known software. But the shadow SaaS risk still exists, and the longer it goes undetected, the greater it grows. And just as with our hypothetical lake, cracks can ultimately lead to incidents, with significant implications under other industry regulations such as GDPR, FINRA, HIPAA, and PCI DSS.
So what's the answer?
The purpose of a cybersecurity framework is to strengthen cyber resilience. However, inconsistent practice in how standards are applied has created gaps that must be addressed to achieve a more secure foundation.
Truly improving cyber resilience means going beyond the written requirements of a cybersecurity framework. Rather than relying on network, endpoint, or application controls, modern SaaS discovery tools use identity-centric controls that account for unpredictable human behavior and the nuances of how SaaS is adopted. That's exactly what Grip Security offers.
Grip helps you proactively combat SaaS sprawl and shadow SaaS, giving you visibility and control over unauthorized SaaS operating outside of traditional security controls. Grip also provides a panoramic view of SaaS security risk, uncovering exposures that industry frameworks fail to address.
Despite your best efforts, employees will keep accessing web-based tools, starting trial subscriptions, and quietly downloading new apps. You cannot control the actions of free spirits, but you can control access to the tools they adopt. Using identity as the primary control point, you can confidently secure all of your SaaS applications, repair the hidden cracks in your security foundation, and let your employees embrace SaaS without the associated risks.
Download our free guide, “Shadow SaaS Compliance Gap: A Modern IT Dilemma,” to learn more about shadow SaaS and compliance risks, or book a demo to see how Grip can help you identify, manage, and remediate the risks posed by unauthorized SaaS.