Skip to main content

Cybersecurity Executive Order 2021: What It Means for Cloud and SaaS Security.




In response to malicious actors targeting US federal IT systems and their supply chain, the President released the "Executive Order on Improving the Nation's Cybersecurity (Executive Order)."
Although directed at Federal departments and agencies, the Executive Order will likely have a ripple effect through the Federal technology supply stream. Private companies and enterprises will look to the Executive Order to build their best practices.
At a high level, the Executive Order includes information-sharing requirements, a push toward cloud and Zero Trust architectures, and enhancing transparency throughout the software supply chain.

Understanding the fundamentals of the White House Executive Order on Improving the Nation's Cybersecurity

The bulk of the Executive Order focuses on administrative tasks associated with it, including redefining contract language, setting timelines, and defining agency roles and responsibilities. For enterprises that don't supply technology to the federal government, the Executive Order may feel unimportant.
In reality, several of the basic tenets could be used by companies operating outside the federal IT supply chain, including:

Better intelligence sharing

Modernizing agency infrastructure with cloud and Zero Trust

Securing the federal IT software supply chain

What the Executive Order Says

The text of the Executive Order is long and comes with all the regulatory jargon associated with the law. Breaking it down into bite-size chunks gives a good overview, though.

Better information sharing

The short, succinct point of this one is that "everyone needs to play nicely and stop hiding behind contracts." In a nutshell, the Executive Order looks to create a more meaningful information-sharing opportunity for agencies and vendors when threat actors find and exploit a vulnerability.

Move to cloud and create Zero Trust Architecture

Although this one mostly speaks for itself, the requirements in the Executive Order created a bit of panic across the federal space because a lot of the timelines are super short. For example, within 60 days, federal agencies need to:

Prioritize resources to move to the cloud as rapidly as possible

Plan to implement Zero Trust Architecture (ZTA)

Get things as secure as possible and remediate cyber risk

Finally, within 180 days, they all need to adopt multi-factor authentication (MFA) and encryption both at-rest and in-transit. With agencies adopting Software-as-a-Service (SaaS) applications to modernize their IT stacks, identity, and access control configurations, including multi-factor authentication, act as a primary risk mitigation strategy.

Secure the supply chain

Without even needing to list the recent supply chain hacks and breaches, this is the least surprising of all the requirements. Surprising very few people, this section includes several key bullet points:

Create criteria for software security evaluation

Establish standard and procedures for secure software development

Establish a "Software Bill of Materials" that lists all the technology "ingredients" developers use

What the Executive Order Means for Enterprises

For agencies, this is going to take a bit of work. For enterprises, this is likely a harbinger of things to come. The problem is that while the Executive Order is a great start, the two primary requirements for putting Zero Trust into effect, MFA and encryption, don't really close all cloud security gaps.
According to the 2021 Data Breach Investigations Report (DBIR) misconfigurations remain a primary threat vector for cloud architectures. The increased use of Software-as-a-Service (SaaS) applications actually trigger two different attack patterns:

Basic Web Application Attacks: focused on direct objectives, ranging from access to email and web application data to repurposing the web application to distribute malware, defacement, or Distributed Denial of Service (DDoS) attacks.

Miscellaneous Errors: unintentional actions, usually by an internal actor or partner actors, including sending data to the wrong recipients.

According to the DBIR, the basic web application attacks include things like credential theft and brute force attacks. Meanwhile, the Miscellaneous Errors subset also included things like cloud-based file storage being placed onto the internet with no controls.
These attack vectors show the importance of SaaS security management to cloud security as a whole. Many enterprises lack visibility into their configurations, and the proliferation of SaaS applications makes manual configuration monitoring nearly impossible. As enterprises continue on their digital transformation journey, configuration monitoring and management will only become more difficult.
Cloud security, even with a focus on establishing a Zero Trust Architecture, needs to incorporate SaaS application security. As agencies and enterprises in their supply chain incorporate SaaS apps, the security risk that misconfigurations pose needs to be addressed.

The Enhance SaaS Security Playlist

As agencies and enterprises start looking for solutions, enhancing SaaS security should be on the "proactive steps to take" list.

Integrate all applications: Travel the Long and Winding Road

Doing the business of your business requires many applications, especially across remote workforces. Despite a potentially long purchase cycle, adding applications to your stack is relatively easy. Your IT team creates some connections to your cloud infrastructure using APIs, then adds the users. People can get down to business.
Learn more about how to prevent misconfiguration risks in your SaaS app estate
Managing SaaS app security for the long term is the big challenge. You have a lot of applications, and each one has unique configurations and language. No organization can have an expert in every application language and configuration. If you can integrate all your applications into a single platform that creates a standardized approach to configurations, you're taking the first step down the long and winding road to securing your cloud infrastructure.

Verify access and enforce policies: Stop Believin'

While Journey might say "don't stop believin,'" a Zero Trust Architecture means not believing anyone or anything until they provide the right proof. For example, MFA doesn't work on a system that uses legacy authentication protocols like IMAP and POP3. If you need to secure your SaaS stack and meet these short timelines, you need visibility into all user access, especially Privileged Access holders like super admins or service accounts.
Enterprises need unified policies across all SaaS applications, ensuring continuous compliance. This means the ability to analyze every user's access across all your SaaS platforms by role, privilege, risk level, and platform with the ability to mix and match as you search, so you have the insights you need, when you need them.
Eliminate SaaS misconfigurations

Monitor SaaS security continuously: You Oughta Know.

The hardest part of SaaS security is that it continuously changes, like employees sharing documents with third parties or adding new non-company users to collaboration platforms. The problem is that the Executive Order and most other compliance mandates assume that you oughta know about your risk posture because you're continuously monitoring your security.
You need always-on SaaS security that provides real-time risk identification, context-based alerts, and risk prioritization.

Automate remediation activities: Never Gonna Let You Down

No single human being can manage SaaS security manually.
Manually managing the risks arising from so many users, so many applications, and so many locations will leave the IT department running on espresso and energy drinks and, unfortunately, most likely, missing a critical risk.
Automating the SaaS security process in a single cloud-based platform is the most efficient way to manage the process. SaaS platform management solutions meet your security where it lives, in the cloud, so you can automate your security at cloud-speed, reduce risk, and strengthen your security and compliance posture.

Adaptive Shield: SaaS Performance Security Management is the Missing Link

Adaptive Shield provides full visibility into one of the most complex issues in cloud security. This SaaS security posture management solution enables enterprises to monitor for misconfiguration risks across the SaaS estate continuously: from configurations that cover malware, spam, and phishing to suspicious behavior and incorrectly configured user permissions.
Adaptive Shield aligns technical controls with CIS Benchmarks and can map controls' compliance to NIST 800-53 as well as other frameworks.
The Adaptive Shield SaaS security platform management solution also natively connects with Single-Sign-On (SSO) solutions, like Azure, Ping, and Okta, to help track MFA use across the organization.
With SaaS applications becoming the rule rather than the exception for modern businesses, cloud security relies on continuously monitoring for risky SaaS misconfigurations.



#THN


#osutayusuf 

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.