RSAC insights: ‘SaaS security posture management’ — SSPM — has emerged as a networking must-have

By Byron V. Acohido

Companies have come to depend on Software as a Service – SaaS — like never before.

Related: Managed security services catch on

From Office 365 to Zoom, cloud-hosted software applications have come to make up the nerve center of daily business activity. Companies now reach for SaaS apps for clerical chores, conferencing, customer relationship management, human resources, salesforce automation, supply chain management, web content creation and much more, even security.

This development has intensified the pressure on companies to fully engage in the “shared responsibility” model of cybersecurity, a topic that will be in the limelight at RSA Conference 2022 this week (June 6-9) in San Francisco.

I visited with Maor Bin, co-founder and CEO of Tel Aviv-based Adaptive Shield, a pioneer in a new security discipline referred to as SaaS Security Posture Management (SSPM). SSPM is part of an emerging class of security tools that are being ramped up to help companies dial in SaaS security settings as they should have started doing long ago.

This fix is just getting under way. For a full drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Shrugging off security

A sharp line got drawn in the sand, some years ago, when Amazon Web Services (AWS) took the lead in championing the shared responsibility security model.

To accelerate cloud migration, AWS, Microsoft Azure and Google Cloud guaranteed that the hosted IT infrastructure they sought to rent to enterprises would be security-hardened, at least on their end. For subscribers, the tech giants issued a sprawling set of security settings for their customers’ security teams to monkey with. It was left up to each company to dial in just the right balance of security versus convenience.

SaaS vendors, of course, readily adopted the shared responsibility model pushed out by the IT infrastructure giants. Why wouldn’t they? Thus, the burden was laid squarely on company security teams to harden cloud connections on their end.


What happened next was predictable. Caught up in chasing the productivity benefits of cloud computing, many companies looked past doing any security due diligence, Bin says.

Security teams ultimately were caught flat-footed, he says. Security analysts had gotten accustomed to locking down servers and applications that were on premises and within their arms’ reach. But they couldn’t piece together the puzzle of how to systematically configure myriad overlapping security settings scattered across dozens of SaaS applications.

The National Institute of Standards and Technology recognized this huge security gap for what it was, and issued NIST 800-53 and NIST 800-171, detailed criteria for securely configuring cloud connections. But many companies simply shrugged off the NIST guidance.

“It turned out to be very hard for security teams to get control of SaaS applications,” Bin observes. “First of all, there was a lack of any knowledge base inside companies and oftentimes the owner of the given SaaS app wasn’t very cooperative.”

SaaS due diligence

Threat actors, of course, didn’t miss their opportunity. Wave after wave of successful exploits took full advantage of the misconfigurations spinning out of cloud migration. Fraudulent cash transfers, massive ransomware payouts, infrastructure and supply chain disruptions all climbed to new heights. And malicious hackers attained deep, unauthorized access left and right. Every CISO should, by now, cringe at the thought of his or her organization becoming the next Capital One or SolarWinds or Colonial Pipeline.

At RSA Conference 2022, which opens next week in San Francisco, the buzz will be around the good guys finally getting their act together and pushing back. For instance, an entire cottage industry of cybersecurity vendors has ramped up specifically to help companies improve their cloud “security posture management.”

This includes advanced cloud access security broker (CASB) and cyber asset attack surface management (CAASM) tools. SSPM solutions, like Adaptive Shield’s, are among the newest and most innovative tools. Other categories getting showcased at RSAC 2022 include cloud security posture management (CSPM) and application security posture management (ASPM) technologies.

For its part, Adaptive Shield supplies a solution designed to provide full visibility and control of every granular security configuration in some 70 SaaS applications now used widely by enterprises. This can range from dozens to hundreds of security toggles, per application, controlling things like privileged access, multi-factor authentication, phishing protection, digital key management, auditing and much more.

Tools at hand

Security teams now have the means to methodically filter through and make strategic adjustments to each and every SaaS security parameter. Misconfigurations, i.e. settings that don’t meet NIST best practices, can be addressed immediately, or a service ticket can be created and sent on its way.
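As an added illustration of the baseline check and the two remediation paths just described (example code written for this article, not Adaptive Shield’s product; the app names, setting keys, baseline values and tenant snapshot are all constructed):

```python
from dataclasses import dataclass

# Constructed baseline (not a real product's ruleset): for each app, the
# expected value or a predicate on it, plus a severity used for routing.
BASELINE = {
    "crm": {
        "mfa_required": (True, "high"),
        "session_timeout_min": (lambda v: v <= 60, "medium"),
        "api_keys_expire_days": (lambda v: v <= 90, "medium"),
    },
    "mail": {
        "mfa_required": (True, "high"),
        "external_forwarding_allowed": (False, "high"),
        "phishing_protection": (True, "high"),
        "audit_logging": (True, "medium"),
    },
}

@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    actual: object  # None: the tenant never set this toggle
    severity: str

def _meets(expected, actual):
    return expected(actual) if callable(expected) else actual == expected

def evaluate(snapshot):
    """Report every baseline toggle that is unset or off-baseline."""
    findings = []
    for app, rules in BASELINE.items():
        current = snapshot.get(app, {})
        for key, (expected, severity) in rules.items():
            actual = current.get(key)
            if actual is None or not _meets(expected, actual):
                findings.append(Finding(app, key, actual, severity))
    return findings

def route(findings):
    """High severity is fixed immediately; the rest become service tickets."""
    fix_now = [f for f in findings if f.severity == "high"]
    tickets = [f for f in findings if f.severity != "high"]
    return fix_now, tickets

SNAPSHOT = {  # constructed tenant state; audit_logging is missing in mail
    "crm": {"mfa_required": True, "session_timeout_min": 480, "api_keys_expire_days": 30},
    "mail": {"mfa_required": False, "external_forwarding_allowed": True, "phishing_protection": True},
}
```

On the constructed snapshot, evaluate() yields two high findings (MFA off and external forwarding on in mail) for immediate fixing and two medium ones (the CRM session timeout and the unset mail audit logging) for ticketing.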

“I like to call this SaaS security hygiene,” Bin says. “It’s a way to align your users, your devices and your third-party applications with different activities and different privileges. Misconfigurations are a huge part of it, but it’s just one of the moving parts of securing your SaaS.”

Doing this level of SaaS security due diligence on a consistent basis is clearly worth the effort and needs to become standard practice. It will steadily improve an organization’s cloud security policies over time, and it should also promote security awareness and reinforce security best practices far beyond the security team, namely among the users of the apps.

Company by company, this will slow the expansion of the attack surface, and perhaps even start to shrink it over time. Things are moving in a good direction. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
