NIST SP 800-207 - What does it mean for SaaS security
Devops

NIST SP 800-207 - What does it mean for SaaS security

Corey O'Connor
March 7, 2022

NIST SP 800-207 and Zero Trust

The National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) in August 2020 published NIST Special Publication 800-207. This special publication follows the focused interest in zero-trust initiatives, which almost every organization has adopted to some extent in 2022. With more reliance on cloud-based and SaaS offerings coupled with the evolving state of remote work, this SP 800-207 offers sound design advice, implementation considerations, use case examples, and technology gaps for modern zero-trust architectures (ZTAs).

It is widely recognized that NIST has become the de facto standard not only for federal agencies, but also for private sector companies to strengthen the security of their information systems. It's also generally accepted that zero-trust has become the new set of principles that CISO's use to align their security programs. So for organizations looking to make zero-trust a practical reality, NIST SP 800-207 offers a great way to get started or use as a strong reference point.

Most organizations have made the necessary adjustments to remove all implicit trust from their users and systems and continuously monitor how users interact with data. However, security pros should look at zero-trust more as a vision - something organizations strive to achieve but never fully accomplish. Similarly, as with security programs in the general sense, most zero-trust initiatives are ongoing, with continual improvements and adjustments required to mitigate advanced threats.

A focus on resource protection

According to NIST, "zero-trust focuses on protecting resources (assets, services, workflows, network accounts), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource."

Organizations no longer depend on the network as the backbone to security posture. Identity has become the new perimeter and it's critical to wrap security around all users’ various identities – especially the ones that are more privileged. The lines of what organizations consider “privileged" have truly become commingled. Under certain circumstances, a standard user can gain privileged access. However, it's not enough to secure the identity. It is critical to provide granular access controls to the actual resources so the organization can mitigate the risk of a company's crown jewels becoming compromised.

The data access control engine and policy elements covered in detail in this publication must be considered - it's not just NIST's zero-trust reference architecture; the same considerations exist within Google's BeyondCorp Enterprise. BeyondCorp Enterprise and NIST ZTA are the two most leveraged references for building a zero-trust security model. These logical components are foundational to these architectures, as they dictate which identities can access which resources.

Data access engines and policies, as defined by NIST, are what many would expect. The security team defines the access policy, and the engine enforces whatever corresponding (secure) workflow that has been set. But the policies are just a starting point in authorizing the appropriate access to resources, which need to be established with the principle of least privilege in mind. In the same vein, data access should be segmented in terms of "who should be able to access what, and when it should be accessed." It's necessary to consider the downstream implications of "what would happen if 'xyz' identity is compromised?" As with network segmentation, segmenting the access to data will minimize the blast radius in the event of a breach.

The policy engine becomes responsible for enabling the appropriate access to the identity or user. Security teams need context-based and dynamic data access policies and fully-automated engines to support these types of workflows. The team needs to connect self-service tools for data access monitoring, control, and remediation to the policy engine to enable IT and security teams to intervene manually and take immediate action if necessary. The engine essentially acts as the gatekeeper by granting, denying, or revoking access to the organization's resources, and the team needs a nimble approach to support flexible and dynamic workflows. Inputs from external sources, as well as observable information about users, attributes and roles, metadata sources, and historical and deterministic behavioral patterns should help power the policy engine.

What SP 800-207 mean for software-as-a-service security

Today, organizations of all sizes and types are universally adopting SaaS applications. Analysts that cover this area continually highlight the soaring adoption rates and predicted market spend in SaaS. SaaS applications now address almost every aspect of doing business, and they all let organizations become nimbler and more productive at a much faster rate. However, organizations can't make SaaS security an afterthought. Companies need to enable the business in a secure manner, and they need to do it in a consistent and centrally- enforced way.

Today, most SaaS applications and platforms are open by design via APIs for collaboration. Securing them can be a challenge for both CISOs and practitioners. Organizations need to ensure they have a consistent security strategy across all the critical SaaS applications being used to maintain business continuity.

If this ZTA publication elevates the importance of resource protection, then organizations should prioritize both a strong data access engine and policies. Within SaaS applications are some of an organization's most critical data and files. Per NIST, the agency defines zero-trust as "an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources." Let's quickly review these three areas of focus for context:

  • Users: Today, most organizations have identity solutions to manage and secure access at the user level by establishing the appropriate levels of access for all the relevant identities for each user. Least privilege has become paramount here. "Never assume trust" demands authentication and authorization for each identity, and it needs to enforce it in a dynamic and strict manner before granting access.
  • Assets: To connect users to the assets they need to do their jobs, organizations can bring zero-trust network access (ZTNA) into the fold. ZTNA solutions are a category of VPN-less technologies that deliver secure access to users wherever they are located, which is pretty much exclusive to remote or hybrid in today's environment. Security teams need to broker a secure connection for the user trying to access target systems and applications.
  • Resources: Once security teams get past these two foundational components of identity security and ZTNA, users can now access, manipulate and share sensitive company data and files. Controlling "who has access to what" has become paramount in the world of zero-trust. Most organizations have introduced some of the tools and technologies to address identity, device, and network levels – but to protect critical resources, the security team needs to go beyond these three layers and into the SaaS application data layer.

Defense-in-depth with security wrapped around every identity and around every asset – each time they connect to business-critical applications takes a zero-trust strategy to the next level. A combination of preventative controls and detective mechanisms can help get companies closer to zero trust. It's not just about controls either. Organizations need to find the right balance between technology, people, and process. Adopt an "assume breach" mentality to the organization's security programs. In the context of zero trust, it's not a matter of “if" but "when," which demands that the company focuses on breach recovery and not just breach prevention. Ensure the success of the organization's IT and security teams. Start enabling the business in a secure way by extending zero-trust to the SaaS application data layer.

Secure your business SaaS Applications with Docontrol's ZTDA.


The SaaS Security Threat Landscape Report

Research-based benchmarks to assess risk across critical threat model

Read now
DoControl - SaaS data access control - open blog button
Get updates to your inbox
Our latest tips, insights, and news
Follow DoControl on social media
DoControl - SaaS data access control - Linkedin logoDoControl - SaaS data access control - Twitter logo
Related Posts
DoControl Included in Forrester’s “The SaaS Security Posture Management Landscape, Q2 2023”
Corey O'Connor
May 24, 2023

Read more
DoControl - SaaS data access control - open blog button
24% of 3rd Party Artificial Intelligence (AI) Apps Require Risky OAuth Permissions
Corey O'Connor
May 18, 2023

Read more
DoControl - SaaS data access control - open blog button
Okta Businesses at Work: Extending Identity Security Further Down the Stack
Corey O'Connor
May 18, 2023

Read more
DoControl - SaaS data access control - open blog button
Platform
Platform Overview
SaaS Asset Management
Continuous Monitoring
Automated Security Workflows
Integrations
Use Cases
Data Access Control
SaaS DLP
Shadow Application Governance
Insider Risk Management
Incident Response
Compliance Enablement
Security
ISO 27001
SOC2 type II
CSA CAIQ
Resources
Product whitepaper
Security whitepaper
Use Cases whitepaper
Solution brief
Blog
Collateral
Glossary
Webinars
Events
Videos
FAQ
Company
About
Customers
Partner with us
News
Press Releases
Careers - We’re Hiring
Security
Services Support
Terms of use
Privacy Policy
Contact
Contact us
Get a demo
Free Risk Assessment
DoControl - SaaS data access control - Linkedin logoDoControl - SaaS data access control - Twitter logo
AWS Partner Network reviewedGDPR readyGDPR ready
DoControl | 333 West 39th St #403, New York, NY 10018 | © 2023 DoControl, Inc. All Rights Reserved