In 2023, the European Union passed NIS2, its updated directive aimed at upgrading the cybersecurity posture among businesses in essential and important industries and their suppliers. The directive, which member states must implement into law by October 2024, is sweeping in its requirements and onerous in its penalties.
NIS2 aims to overcome the shortcomings of NIS, the EU’s original directive, which was published in 2016. Citing the importance that network and information systems play in everyday life, as well as the increase in cyber incidents that threaten that lifestyle, NIS2 positions itself as being essential to the proper functioning of the market.
This article examines the directive and the implications it will have on organizations using SaaS applications.
Risk Management and SaaS Security
NIS2 specifically mentions the need to secure SaaS applications, in addition to other cloud components.
The directive sets out baselines for some of these measures.
In Article 21 it requires organizations to “take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.”
These measures specifically include identity security, access control policies, and asset management, and it directly calls for the use of multi-factor authentication solutions. Identity and access management is considered a basic cyber hygiene practice in the directive.
SaaS applications play various roles within essential and important businesses. Some, such as CRM systems containing customer Personally Identifiable Information (PII) or employee data, should already be heavily secured to comply with GDPR requirements. Others, though, that help facilitate operations, contain sensitive product information, or hold financial records, now must be secured under the NIS2 directive.
Organizations looking to insulate themselves from security breaches and the accompanying NIS2-driven financial penalties must look to SaaS Security Posture Management (SSPM) platforms to secure their SaaS stack. SSPMs enable organizations to fully secure their SaaS stack, with a set of tools that identify SaaS risks and detect threats before they turn into data exfiltration attacks.
A Growing SaaS Attack Surface
SaaS applications have large attack surfaces. Misconfigured settings, such as those that don’t enable but don’t require MFA, can open the door to threat actors who merely conducted a successful phishing expedition. Allowing users to share boards, documents, or other resources publicly is another misconfiguration that can lead directly to data leakage.
Authorized users are another attack surface ripe for exploitation. Generative AI is routinely used to successfully social engineer users to hand over their login secrets. User accounts with high privileges, either because they were over-permissioned or because they were admins, allow their attacker access to a wide range of access.
Partially deprovisioned users, external users who retained credentials, accounts that are shared among multiple users, dormant accounts, and other identity security missteps grossly increase the attack surface. Even user devices with low hygiene can be a path of entry for threat actors.
Third-party connected applications provide another possible entry point for threat actors. By integrating a malicious app with high privileges into an application, threat actors can easily delete files, download data, and otherwise interfere with operations.
Any successful breach of a SaaS application can be construed as a non-compliance with NIS2. For organizations looking to improve their compliance, SaaS Security Posture Management (SSPM) is the only realistic option.
SSPM Reduces the Attack Surface
SaaS Security Posture Management (SSPM) is the only solution in the market and positions organizations to comply with SaaS security aspects within NIS2. SSPM was built to handle the unique characteristics of SaaS applications, monitoring hundreds of applications.
It’s an automated 24/7 monitoring platform to check for misconfigurations in each application, and alerts users when configuration drifts occur. It detects third-party integrations, reviewing scopes and letting security teams know when an application’s permission request is high risk.
SSPMs also monitor identities, their permissions and their devices, helping teams understand the access granted to each user and alerting security and app owners when those permissions increase the risk level.
SaaS security is rounded out by adding an additional layer of identity security, through an Identity Threat Detection & Response (ITDR) mechanism. ITDRs monitor activity throughout the SaaS stack, looking for indications of compromise and detecting threats as they arise.
Taken together, SSPM provides a measurable security solution that reduces the overall risk from SaaS applications. Furthermore, its auditing and reporting functions can be used in the event of a breach to generate the reporting required by NIS2.
NIS2 Compliance is a Requirement in the EU
Organizations that fall under the wide umbrella of NIS2 must take industry-accepted security measures to manage risk for their entire SaaS stack. While NIS2 doesn’t mandate the tools required for compliance, companies that don’t use a SSPM security solution to protect their SaaS applications are risking high fines and putting their SaaS applications at risk. There is no better solution to protect SaaS and considering the type of information stored within SaaS applications, there is nothing more important to protect to comply with this directive.
