CYBER ESSENTIALS MYTHCONCEPTION: SaaS Scope
In this post in our series on Cyber Essentials "Mythconceptions", we tackle the myth:
"Since SaaS is now in scope, every little site that someone in the organisation might use is now in scope and has to be compliant."
There are a lot of Software-as-a-Service (SaaS) applications that staff within your organisation might use as part of their job: image editors, stock image sites, video conferencing, collaboration tools, and so on. While it would be best if all of those services met the Cyber Essentials requirements, the scope you are responsible for does not include them all.
The important rule to know about SaaS scoping is that only SaaS whose user accounts are managed by your organisation (or by a third party you delegate that management to) is in scope. So if a staff member privately uses an image-editing site that your organisation does not subscribe to, that site does not get pulled into scope. However, if your organisation pays for or subscribes to the SaaS app, or in any way manages or assigns user accounts on it for your staff, then it is in scope. The rule turns on account management, not on whether the service is paid for: by that rule, a free tier that IT signs staff up to with work accounts is in scope, while the same free tier used under a personal account is not.
This should ease any panic about trying to chase down every little app that people in your organisation might use.
However, just like everything else in scope, you need to be able to list the in-scope SaaS apps you manage or subscribe to and to show that they meet the requirements. If you are worried about the new MFA rules for those SaaS apps, we will tackle that in the next Mythconceptions post in this series.
Barrier's "Securely Compliant Tips" for SaaS
The following tips are offered as inspiration for devising a strategy to secure SaaS in your organisation, for compliance and beyond:
Manage your SaaS apps, account access and SaaS security with a Cloud Access Security Broker (CASB) or a Secure Access Service Edge (SASE) platform. These add control and monitoring to what would otherwise be uncontrolled access to SaaS, which could expose your organisation to a breach.
Block access to SaaS apps you have not approved with a DNS filtering service. DNS filtering is often part of a CASB or SASE offering, but it can also be applied separately. Bear in mind that DNS filtering only governs devices that use your resolver: a device pointed at a public DNS-over-HTTPS resolver, a personal VPN, or a direct IP address bypasses it, so treat it as one control among several rather than a hard boundary.
If you cannot control what people use, create an approved list of SaaS apps that you know to be more secure than others, and make staff aware that not all SaaS is created equal. In addition, provide security training on general SaaS use and on how not to expose organisational data to the cloud.
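As an added illustration of the inventory point above (being able to list the SaaS you manage) and of the approved list in the last tip, here is a short Python script that reads resolver query logs and reports the domains being used that are not on your approved SaaS list. This is example code written for this post, not Barrier's or IASME's tooling and not part of the original article. The log line format, the domain names, the client addresses and the approved list are all constructed for the example; a real deployment would read its own resolver's export and a public-suffix-aware domain reduction.

```python
import re
from collections import defaultdict

# Constructed resolver query log (not from any real system). The
# "ts client=... qname=..." layout is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z client=10.0.1.23 qname=mail.approved-suite.example
2024-05-01T09:12:05Z client=10.0.1.23 qname=cdn.approved-suite.example
2024-05-01T09:13:41Z client=10.0.1.57 qname=editor.photo-tool.example
2024-05-01T09:14:02Z client=10.0.1.23 qname=api.editor.photo-tool.example
2024-05-01T09:15:10Z client=10.0.1.88 qname=meet.video-call.example
2024-05-01T09:15:11Z client=10.0.1.88 qname=ntp.pool.internal
"""

# Approved list: SaaS whose user accounts the organisation manages, and
# which therefore sit in the Cyber Essentials scope. Names are invented.
APPROVED_SAAS = {"approved-suite.example": "Office suite (SSO-managed)"}

# Internal / infrastructure suffixes that are not SaaS at all.
IGNORED_SUFFIXES = (".internal",)

LOG_RE = re.compile(r"^\S+ client=(?P<client>\S+) qname=(?P<qname>\S+)$")


def registrable_domain(qname):
    """Collapse a hostname to its last two labels.

    Simplification for the example: production code should consult the
    Public Suffix List so that app.vendor.co.uk is not reduced to co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_query_log(text):
    """Yield (client, qname) pairs from lines in the assumed format.

    Lines that do not match are skipped rather than raising, so a stray
    header or truncated line does not abort the whole report.
    """
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qname")


def find_unapproved_saas(text, approved=APPROVED_SAAS, ignored=IGNORED_SUFFIXES):
    """Return {domain: sorted list of client IPs} for domains seen in the
    log that are neither on the approved list nor internal.

    Each hit is a candidate for one of two actions: if the organisation
    turns out to manage accounts on it, it belongs on the in-scope SaaS
    list; otherwise it is a target for DNS filtering or staff awareness.
    """
    seen = defaultdict(set)
    for client, qname in parse_query_log(text):
        if qname.lower().rstrip(".").endswith(ignored):
            continue
        domain = registrable_domain(qname)
        if domain in approved:
            continue
        seen[domain].add(client)
    return {domain: sorted(clients) for domain, clients in sorted(seen.items())}


if __name__ == "__main__":
    for domain, clients in find_unapproved_saas(SAMPLE_LOG).items():
        print(f"{domain}: {len(clients)} client(s) -> {', '.join(clients)}")
```

Run against the sample it lists the two unapproved services with the machines that used them, and ignores the internal NTP lookup. The client count per domain is a useful first sort key: a service reached from many machines is more likely to be something the organisation has quietly started relying on (and so should be brought into the managed, in-scope list) than a one-off personal sign-up.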
For any questions, contact IASME: https://iasme.co.uk/contact-us for official Cyber Essentials queries,
or Barrier Networks: https://www.barriernetworks.com/contact-us to schedule a Cyber Essentials assessment or help with anything from the Tips.