
New CSA Framework Aims to Close Gaps in SaaS Security

JPMorganChase Global CISO Patrick Opet penned an open letter to third-party software providers in April this year, warning that the rising cyberthreats stemming from the software-as-a-service (SaaS) delivery model were threatening the global economic system, and urging them to prioritize security over new features.

Security incidents involving software providers can easily reverberate through the supply chain, causing significant problems for downstream customers.

“SaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure,” Opet wrote. “While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences.”

A working group within the Cloud Security Alliance (CSA), security services provider GuidePoint Security, MongoDB, and others are looking to address the issues raised by Opet with the SaaS Security Capability Framework (SSCF), a standardized set of SaaS security controls released this week that the organizations said will close a crucial gap in third-party risk management (TPRM).

“The primary issue is that current third-party risk management practices are operating at the wrong level of granularity,” Jonathan Villa, GuidePoint’s senior cloud practice director, told MSSP Alert. “Traditional approaches focus heavily on vendor organizational security, examining policies, procedures, and high-level controls through frameworks like SOC 2 and ISO standards.”

A Shift in Focus

The SSCF shifts the focus from “high-level organizational assessments to standardized, product-level security capabilities,” Villa said. “Instead of just asking, ‘Is this vendor secure?’, organizations can now ask, ‘Does this specific SaaS application provide the standardized security features we need, and can our business users configure them properly?’”

According to the CSA, the SSCF defines 41 key customer-facing security controls spanning six primary domains: change control and configuration management, data security and privacy lifecycle management, identity and access management (IAM), interoperability and portability, logging and monitoring, and security incident management.

The framework creates a common baseline of security capabilities for both SaaS providers and customers, the organizations said.

“Enterprises have long struggled with the question, ‘How do we know our SaaS applications are actually secure?’” Villa said. “The SSCF provides a concrete answer by establishing clear, standardized criteria for evaluating product-level security capabilities. This transforms vague security assessments into precise, actionable evaluations.”

Who's Responsible for What?

The framework also addresses what Villa called the “often-confusing shared responsibility aspects of SaaS security.” Enterprises no longer have to guess which parts of a SaaS deployment they are responsible for securing and which parts the vendor must handle.

“The framework provides explicit guidance on the security capabilities they need to evaluate and configure,” Villa said. “The framework's impact is most pronounced for organizations that have already embraced SaaS adoption and are struggling with security consistency and governance across multiple SaaS platforms.”

A Framework for Partners

For MSSPs and other partners, the SSCF will help them assist organizations in developing, improving, and implementing their SaaS security programs via expert guidance and practical support, he said. This includes running assessments of existing SaaS portfolios, identifying security gaps, and developing strategies tailored to client needs that align with their business objectives and risk tolerance.

“A significant component of our value proposition is helping organizations understand the full spectrum of security possibilities within their SaaS application configurations,” Villa said. “Many enterprises lack the specialized knowledge to maximize the security potential of their cloud applications, often operating with suboptimal configurations that leave them unnecessarily exposed.”

The key challenge in SaaS security is the limited security functionality built into many SaaS applications themselves, he said, whereas traditional infrastructure security offers an extensive set of tools and capabilities.

Removing the Constraints

“SaaS security is often constrained by what vendors choose to provide as configurable security features,” Villa said.

With SSCF v1.0 now out, the creators of the framework are hoping vendors will adopt the baseline set of controls and integrate them into their platforms and that organizations will use the controls in their SaaS application onboarding processes.

Meanwhile, the CSA SaaS Working Group and its partners are working to expand the framework, including developing implementation auditing guidelines to help organizations leverage the controls and for auditors to understand how to best assess them. They also want to create an assessment and certification scheme to measure the effectiveness of the controls.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
