NIST Cybersecurity Framework 2.0 and the SaaS stack



Long-awaited update introduces important cybersecurity concepts

Hananel Livneh, Product Marketing Manager, Adaptive Shield

Tel Aviv, Israel – February 29, 2024

Last week, the National Institute of Standards and Technology (NIST) released the long-awaited update to its cybersecurity framework. The NIST Cybersecurity Framework (CSF) 2.0 introduces important concepts in cybersecurity, the most visible of which is the circle of governance that touches each of its five pillars.

In the six years since the release of version 1.1, the software industry has seen significant changes, and many of the updates from NIST can be applied to securing SaaS applications. Govern, which is used to monitor an organization’s cybersecurity risk management strategy, expectations, and policy, is essential to SaaS security.

SaaS applications have many attack vectors; adding Govern to the process will help organizations better understand the risks inherent in SaaS, as well as the solutions available. Here’s an overview of how Govern works and combines with the five NIST pillars to form the foundation of SaaS security.

Governance on the SaaS stack

It should be noted that the NIST CSF 2.0 does not directly address SaaS security. Rather, it offers a framework that can be applied to a number of cybersecurity settings, including securing the SaaS stack. For example, under Govern, it addresses understanding risk management as it relates to third-party vendors. When applied to SaaS, this can mean understanding the risk that external administrators or third-party application integrations pose to your organization.

Organizations need to understand who their SaaS security stakeholders are. This includes the security team, as well as the application owners who control the applications. Application configurations should be aligned with company policy and adequate resources should be allocated to SaaS security. Governance also includes establishing policies, processes and procedures to manage risks.


Develop a deep understanding of the SaaS stack

Identify is the first pillar of NIST CSF 2.0. It recommends that organizations manage cybersecurity risks through their in-depth understanding of systems, users, assets, data and capabilities. Seen from a SaaS perspective, this means identifying risks related to user accounts and behaviors, as well as configurations and resources.

Identifying high-risk settings within SaaS applications is of great importance. Those involved in SaaS security must know the location of all sensitive assets, as well as their access permissions. Identifying all users is the second half of the pillar. Using a central repository to identify internal and external users, their permissions within each application, and which applications they can access should be a priority. Particular attention should be paid to users with elevated rights, such as administrators, and the devices they use to access SaaS applications.

Place safeguards around the SaaS environment

Adding protective measures is a key principle of NIST CSF 2.0. From a SaaS perspective, this means managing the identities and credentials of all users, and authenticating them using MFA or SSO. It also requires limiting access to authorized users, using role-based access control, to adhere to the Principle of Least Privilege (POLP).

SaaS applications contain a wealth of valuable data, making them attractive to malicious actors. Removing former employees, adding password controls to documents, and logging out of unused third-party applications reduce the risk of data leaks.

Threat detection in the SaaS stack

The third pillar of the NIST framework is the need to detect ongoing cybersecurity events. To be truly effective in a SaaS environment, threat detection capabilities require a holistic view of the entire SaaS stack. Identity Threat Detection and Response (ITDR) capabilities that focus on each application individually will miss events, such as a user logging into multiple applications at the same time using a different browser or operating system.

SaaS threat detection goes beyond the capabilities of standard ITDR solutions, which are typically not designed to understand the complex nature of SaaS environments. It requires the ability to monitor and analyze logs for anomalous behavior from human and non-human accounts. SSPM solutions include ITDR capabilities and identify subtle and sophisticated identity-centric threats, such as users gaining access through password-based attacks, unlikely travel, and anomalies in users' IP addresses.
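The cross-application case described above, as an added example that is not Adaptive Shield's code: the same rule (one account, two different OS/browser clients, a few minutes apart) finds nothing when run on each application's log alone and fires once the logs are merged. The application names, event fields and the five-minute window are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample sign-in events (user, app, time, os, browser); not real logs.
EVENTS = [
    ("alice", "crm",     "2024-02-29T09:00:05", "Windows", "Chrome"),
    ("alice", "storage", "2024-02-29T09:01:10", "Linux",   "Firefox"),
    ("alice", "crm",     "2024-02-29T13:30:00", "Windows", "Chrome"),
    ("bob",   "crm",     "2024-02-29T09:00:00", "macOS",   "Safari"),
    ("bob",   "chat",    "2024-02-29T09:02:00", "macOS",   "Safari"),
    ("svc-backup", "storage", "2024-02-29T02:00:00", "Linux", "curl"),
]

def client_mismatches(events, window=timedelta(minutes=5)):
    """Return (user, app_a, app_b) where one account signs in from two
    different OS/browser clients within `window` of each other."""
    by_user = defaultdict(list)
    for user, app, ts, os_name, browser in events:
        by_user[user].append((datetime.fromisoformat(ts), app, (os_name, browser)))
    findings = []
    for user, logins in by_user.items():
        logins.sort()  # chronological, so t1 <= t2 in every pair below
        for (t1, app1, c1), (t2, app2, c2) in combinations(logins, 2):
            if t2 - t1 <= window and c1 != c2:
                findings.append((user, app1, app2))
    return findings

def per_app_view(events, window=timedelta(minutes=5)):
    """Run the same rule on each application's log in isolation."""
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev[1]].append(ev)
    return [f for app_events in by_app.values()
            for f in client_mismatches(app_events, window)]

if __name__ == "__main__":
    print("per-app:   ", per_app_view(EVENTS))
    print("stack-wide:", client_mismatches(EVENTS))
```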

Responding to and recovering from threats

When bad actors successfully breach access control points, NIST recommendations position organizations for limited damage and rapid recovery. SaaS response and recovery is similar in many ways to any other asset under attack. However, due to the distributed nature of SaaS applications, a breach in an application is often an isolated event.

Per NIST guidelines, organizations must have full visibility into all actions taken by threat actors. This event log should be stored securely outside of the application, where it can be viewed as part of an investigation and is safe from changes implemented by malicious actors to cover their tracks.

To ensure complete recovery, SaaS owners should ensure their backup settings are configured correctly. Additionally, they need to monitor which users have access to backup files.

Protection through comprehensive policies

Aligning SaaS security with NIST recommendations should be a standard practice for organizations. The addition of Govern to the NIST Cybersecurity Framework emphasizes the value placed on monitoring the SaaS stack. SaaS Security Posture Management (SSPM) platforms are ideal for applying NIST standards to SaaS applications.

SSPMs monitor the entire SaaS stack, providing visibility into configurations and alerting users when a misconfiguration puts the application at risk. They monitor user accounts, including non-human accounts, to prevent data leaks and threats that may originate from user accounts. SSPMs also detect and monitor third-party applications, alerting users when applications appear malicious or request sensitive scopes.

ITDR, integrated with the SSPM platform, supports alignment with NIST by reviewing logs, monitoring activities, and detecting anomalies. It combines Indicators of Compromise (IOCs) to understand the true nature of a threat and activates automated processes when threats are detected.

The NIST framework provides a structured approach to risk management. In the world of SaaS, these guidelines are best met through an SSPM and ITDR platform.


Hananel Livneh is Product Marketing Manager at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a senior product analyst. Hananel completed an MBA with distinction from OUI and holds a BA from the Hebrew University in Economics, Political Science and Philosophy (PPE). Oh, and he loves mountain climbing.

About Adaptive Shield

Adaptive Shield, the leader in SaaS security, enables security teams to secure their entire SaaS stack through threat prevention, detection, and response. With Adaptive Shield, organizations continuously manage and control all SaaS applications, including third-party connected applications, and govern all SaaS users and risks associated with their devices. Founded by Maor Bin and Jony Shlomoff, Adaptive Shield works with many Fortune 500 companies and was named a 2022 Gartner® Cool Vendor™.
