HIPAA compliance does not equal security, as continuing attacks on healthcare organizations show. Medical devices need to be secured.

Connected medical devices have revolutionized patient care and experience. However, the use of these devices to handle clinical and operational tasks has made them a target for attackers looking to profit off of valuable patient data and disrupted operations. In fact, when Palo Alto Networks scanned more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations, it found that 75% of them had at least one vulnerability or security alert.

Besides being difficult to protect, these connected devices present challenges when it comes to complying with the security requirements of laws such as the Health Insurance Portability and Accountability Act (HIPAA). Luckily, there are several strategies hospitals can leverage to bolster their defenses. Here are five actionable ways hospitals can help secure medical devices and provide life-saving patient care without disruption.

**1\. Maintaining Vigilant Visibility**

Developing a zero-trust (ZT) security approach is critical to defend against today's sophisticated attacks, but the first step is establishing complete visibility of all assets across the network. Infosec and biomed teams need a comprehensive picture of all the assets being used on a hospital's network and how many are connected medical devices to get a clear understanding of their points of vulnerability. Then teams must go beyond the device level by identifying the main applications and key components that are running underneath the operating system to truly enforce a ZT approach. For example, having insights into various applications, such as electronic health records (EHRs), picture archiving, and communications systems (PACS), that process digital imaging and communications in medicine (DICOM) and Fast Healthcare Interoperability Resources (FHIR) data and other business-critical applications can improve the overall visibility posture of assets.

**2\. Identifying Device Exposures**

Many devices are linked to different vulnerabilities that fall under two categories: static and dynamic exposures. For example, static exposures typically consist of Common Vulnerabilities and Exposures (CVEs) that can be independently addressed. In contrast, dynamic exposures can be found in how devices communicate with each other and where they send information (within the hospital or to third parties), making them more challenging to identify and address. Luckily, artificial intelligence (AI) and automation will play an increasingly important role in helping hospitals identify these exposures by providing data-driven insights and proactive recommendations on how to remediate them more efficiently.

**3\. Implementing a Zero-Trust Approach**

Once hospitals have a clear grasp of their assets and exposures, they can embrace a ZT approach by limiting access to vulnerable devices and applications. By separating devices and workloads into microsegments, administrators can better manage security policies based on least privilege access. This can help hospitals reduce their attack surfaces, improve breach containment, and strengthen regulatory compliance by placing devices onto various segments with different requirements and security controls. For example, if a computer is compromised within the hospital, microsegmentation can limit the damage to that specific device without impacting medical devices critical to patient care.

**4\. Rolling Out Virtual Patching for Legacy Systems**

Medical devices have been in use at hospitals for over a decade and, as such, often run on legacy software and systems. Because of their use requirements, hospitals may not be able to upgrade or patch the specialized medical system, which can lead to a variety of unique security issues. Additionally, hospitals may not be able to afford to take devices offline to update or patch due to the risks of loss of care for the patient. As hospitals adopt a ZT approach, they can invest in other forms of protection, such as virtual patching to reduce medical device exposures. For example, tools like next-generation firewalls can apply defenses around the device's network and application layers without needing to physically touch the device.

**5\. Instituting Transparency Across the Ecosystem**

Communication and transparency are critical to preventing threats from the start. Hospital CSOs and infosec teams must be included in the device procurement process because they offer a critical perspective on how to best protect devices throughout their life cycles. Hospitals, security teams, vendors, and device manufacturers must work together to create solutions and strategies that keep security at the forefront of a medical device's defense. Historically, when hospitals were under attack, security teams worked together to defend against attackers. However, post-attack, the information stayed between the security teams and hospitals, with very little information (if any) going back to inform the device manufacturer about how they could improve their devices' security. Hospitals must be more proactive when it comes to sharing direct feedback with device manufacturers on areas for improvement.

Ultimately, as cybersecurity policies continue to evolve for medical devices, there are ways in which we can create solutions to solve security challenges both now and in the future. Regardless of the unknowns, we can make a more proactive effort to ensure we're enabling a shift-left approach to security and fostering a culture of cyber resiliency for the medical community.

5 Ways Hospitals Can Help Improve Their IoT Security

Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.

There is no doubt that generative artificial intelligence (GenAI) is going to change how business gets done. Research firms are estimating huge productivity gains across all sectors that, if fulfilled, would completely transform every industry. With such great potential gain, it is clear why every enterprise is striving to enable their teams to build AI-powered applications as fast as possible. However, security teams must act now to ensure these apps will hold up to scrutiny.

**The Race to Capture AI Business Value First**

Some enterprises have already built hundreds of AI-powered apps so far. The rate of development is just incredible, with notable examples like Microsoft releasing Copilot applications at a rate far beyond what a huge enterprise typically delivers.

Because of the immaturity of the frameworks and tooling around AI app development, these are being built with a wide range of technologies. Development frameworks that build on top of the few fundamental models are numerous and vary significantly, and they keep on popping up. Frameworks such as LangChain and AutoGPT have gained significant popularity at an unprecedented pace. In a major enterprise, you can easily expect to find tens of different frameworks being used to build these applications.

The first organizations that are able to capture productivity gains from AI before others will have a huge win. Therefore, we are taking part in a race where we have to make do with the frameworks available right now and just get things done. It will probably take a long time for frameworks to standardize, and by that time you'll already be late to the game.

We have to face reality: Business is being reimagined — with unproven tools, frameworks, and threat models — at an unprecedented pace.

**Security: Where Do We Even Begin?**

Building so many new applications in such a short time frame has huge security implications. First, these are just more applications, with the same security risks as any other application introduces; they need to get identity, dataflow, and secret management right, to name a few concerns. Second, GenAI creates some unique security challenges, which frameworks such as the OWASP LLM Top 10 help to capture and educate on.

Advanced security organizations, in collaboration with IT, are putting together dedicated centers to inventory, assess, and secure these applications. Note that these require creating entirely new processes and newly delegated responsibilities. Ideally, these centers can act as an enabling resource for developers, offering threat modeling and design review services to ensure secure standards are met.

Creating a centralized resource is not an easy feat. Finding all AI-powered projects across an enterprise is a huge challenge, as inventory always is. Developing the technical skills required to audit these applications is difficult as well — especially due to the proliferation of different AI frameworks, each with its own quirks and gotchas. Monitoring these apps in production is yet another challenge, both from a technical perspective of getting the right data from immature development frameworks and from the security analysis perspective of knowing what to look for.

These are not insurmountable challenges, however. In fact, they follow the typical application security problem formula of inventory, security assessment, and runtime protection. To get ahead and enable our business to capture the AI revolution first, we have to start making headway in solving those problems.

Security Must Empower AI Developers Now

A spoofed version of the popular RedAlert app collects sensitive user data on Israeli citizens, including contacts, call logs, SMS account details, and more.

Attackers are spoofing a widely used open source application that warns Israelis of incoming airstrikes, called RedAlert, to lure users into downloading a malicious version of the software that, instead of telling those under attack where to seek safety, collects their sensitive data.

Applications warning Israelis of incoming airstrikes have become a trending attack vector for pro-Palestinian threat groups, according to a new report from Cloudflare. The latest round of cyberattacks uses a modified version of the open source RedAlert to lure users into downloading the spoofed version, which then provides cybercriminals with access to contacts, call logs, SMS details, a list of accounts associated with the device, as well as insights into other apps installed on a victim's device, Cloudflare added.

"Only users who installed the Android version of the app from this specific website are impacted and urgently advised to delete the app," Cloudflare said. "Users can determine if they installed the malicious version by reviewing the permissions granted to the RedAlert app."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Malicious 'Airstrike Alert' App Targets Israelis

**PRESS RELEASE**

**Woburn, MA – October 16, 2023 —** Kaspersky today announces the launch of a full-featured solution for containerized environments, Kaspersky Container Security (KCS). This solution offers secure containerized application at all stages, from development to operation. The product becomes active directly after installation, is low-cost, simple to deploy and easily integrates into the company’s IT infrastructure. Together with Kaspersky Hybrid Cloud Security, KCS forms a security ecosystem for hybrid and cloud infrastructures.  

Containerization is becoming an increasingly popular choice in software development as it helps developers to more rapidly create and deploy high-profile applications. The main advantage of the technology is its autonomy, which is reflected in its name. Like bagged cargo on a container ship, the container holds everything that is needed to develop, deliver and deploy an application (microservice), binary code, associated configurated files, libraries and dependencies. This allows containerized applications to be easily portable, highly reliable and capable of being run by distributed teams.

Containerized environments need protection, as the number of cyber incidents continues to grow. To counter this problem, Kaspersky launched Kaspersky Container Security, a specialized solution for containerized environments designed to protect businesses that already use or plan to implement containers. The product provides security for all stages of containerized application development. In addition to the development process, the solution protects runtime. For example, it controls the launch of only trusted containers, the operation of application and services inside the containers, and monitors the traffic.

There are three main components in Kaspersky Container Security: 'KCS scanner,' 'KCS agent,' and managing 'KCS server':

*   KCS scanner checks configuration files for misconfigurations, scans images for vulnerabilities, malware, sensitive data, and checks them for accordance with assurance policies within the image registry and CI/CD platforms.
*   KCS agent ensures protection from various attacks on the application in the container, monitors container and network interactions in clusters, and checks the whole system for compliance with security standards.
*   KCS server aggregates the data received from the scanner and the agent, allows customers to visualize data and to generate reports, and integrates with other security solutions (e.g., SIEMs like Kaspersky’s KUMA).

Kaspersky Container Security easily integrates into DevSecOps framework of organization, CI/CD\[1\] pipelines and infrastructure. It can strengthen DevOps protection both for companies with developed DevSecOps processes and for companies that only begin to implement them. The solution also allows predictable deadlines to be set for the application to be released due to the automation of security and compliance checks on all the stages.

_"Containerization is the new normal, but its risks are not covered by traditional endpoint or virtual machine security solutions as it requires specific solutions,"_ said Timofey Titkov, head of the cloud and network security product line at Kaspersky. "_This is why we launched Kaspersky Container Security (KCS), a solution that protects containerized application during its life cycle including runtime, the most vulnerable area. KCS helps our customers to build the DevSecOps process where security is ensured at every stage of development. This launch is an important step towards one of Kaspersky's key goals to provide comprehensive protection to all types of digital assets of our customers."_

To learn more about Kaspersky Container Security, please visit the website.

Kaspersky Launches Specialized Security Solution for Containerized Environments

No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.

Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting. 

Cisco IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear.

The flaw, assigned as CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled. No patch or other workaround is currently available for the flaw, which Cisco described as a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

**CVE-2023-20198: Maximum-Severity Flaw**

"The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," Cisco said in an advisory on Oct. 16 on the new zero-day bug. "The attacker can then use that account to gain control of the affected system." Privilege level 15 on a Cisco IOS system basically means having complete access to all commands including those for reloading the system and making configuration changes.

An unknown attacker has been exploiting the flaw, to access Cisco, Internet-facing IOS XE devices and drop a Lua-language implant that facilitates arbitrary command execution on affected systems. To drop the implant the threat actor has been leveraging another flaw — CVE-2021-1435 — a medium severity command injection vulnerability in the Web UI component of IOS XE, that Cisco patched in 2021. The threat actor has been able to deliver the implant successfully even on devices that are fully patched against CVE-2021-1435 via an as yet undetermined mechanism, Cisco Talos researchers said in an a separate advisory.

Cisco said it first got wind of the new vulnerability when responding to an incident involving unusual behavior on a customer device on Sept. 28. The company's subsequent investigation showed that malicious activity related to the vulnerability actually may have begun as early as Sept. 18. That first incident ended with the attacker leveraging the flaw to create a local user account with admin privileges from a suspicious IP address.

**Malicious Activity Cluster Targets Cisco Networking**

On October 12, Cisco's Talos Incident Response Team spotted another cluster of malicious activity related to the flaw. As with the first incident, the attacker initially created a local user account from a suspicious IP address. But this time around, the threat actor took several additional malicious actions including dropping the implant for arbitrary command injection.

"For the implant to become activity, the Web server must be restarted," Cisco Talos said. "In at least one observed case the server was not restarted so the implant never became active despite being installed," Cisco noted. The implant itself is not persistent, meaning that an organization can get rid of it via device reboot.

However, the local user accounts that attackers can create via CVE-2023-20198 are persistent and give attackers continued administrator level access on affected systems even after a device restart. Cisco Talos researchers urged organizations to be on the lookout for new or unexplained users on IOS XE devices as potential evidence that attackers have exploited the flaw. They also provided a command that organizations can use to determine if the implant is present on any affected device.

**Immediately Implement Guidance**

"We strongly recommend organizations that may be affected by the activity immediately implement the guidance outline in Cisco's Product Security Incident Response Team (PSIRT) advisory," the company said. Cisco has assessed the same threat actor is behind both clusters of malicious activity related to the new flaw.

Cisco IOS XE's Web UI component is a system management feature that allows administrators to provide the system. Cisco describes it as simplifying system deployment and manageability. CVE-2023-20198 is the second significant vulnerability that Cisco has disclosed in the same feature in recent weeks. In September, the company disclosed CVE-2023-20231, a command injection vulnerability that also allowed an attacker to obtain level 15 privileges on IOS XE devices.

Zero-day bugs — and any bugs that enable administrator level privileges — on network technologies such as those from Cisco are especially valuable for attackers. As the US Cybersecurity and Infrastructure Security Agency (CISA) and numerous others have noted, network routers switches, firewalls, load balancers, and other similar technologies are ideal targets because most or all traffic must flow through them.

Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

A threat group known as "Void Rabisu" used a spoofed Women Political Leaders Summit website to target attendees to the actual conference with espionage malware.

Attendees of August's Women Political Leaders Summit 2023 conference found themselves targeted by a spoofed event website loaded with a new cyber espionage malware variant called ROMCOM 4.0.

Leaders from all over the world attended the conference to explore the role of women in politics as well as prospects for peace in Ukraine. Specifically, the cyber espionage campaign targeted those helping to further gender equality in the European Union, according to a report from Trend Micro.

Just a year ago, Void Rabisu threat group was a a run-of-the-mill ransomware outfit, but the invasion of Ukraine offered an opportunity for the cybercriminals to get in on more nation-state, advanced persistent threat (APT) action, the Trend Micro report explained.

The group's primary malware strain has been updated to a new version, ROMCOM 4.0, and is used primarily to target politicians, the military, and government employees, Trend Micro observed.

"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," the report added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'RomCom' Cyber Campaign Targets Women Political Leaders

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Has this royal kingdom gone digital? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 13, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading October Toon."
*   Via social media: X (formerly known as Twitter), Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

We received an impressive array of caption contenders for last month's "Somewhere in Sleepy Hollow" cartoon, but the one that ultimately made it's way to the top of our list came from Sumitra Rao, consulting director at Palo Alto Networks (Unit 42). Congratulations, Sumitra, and thank you to all who played!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Modern Monarchy

It's been a year since its last communication and attack on Iran — but the conflict with Hamas appears to have reactivated the group.

A pro-Israeli hacktivist group named Predatory Sparrow re-emerged in the past week.

Citing the current Gaza conflict, last week the group sent the first tweet in more than a year the group, saying: "You think this is scary? We're back. We hope you're following the events in Gaza" — with a link to a report on the US sending fighter planes and warships to support Israel.

Predatory Sparrow is a known threat that researchers believe to be a relatively sophisticated Israeli hacking operation. It has a history of destructive attacks in Iran, designed to embarrass the Iranian government.

According to Cyberscoop, in October 2021 an attack was carried out on an Iranian payment system linked to a national network of fuel pumps, while in June 2022 multiple attacks were carried out on steel facilities apparently in response to unspecified acts of "aggression" carried out by the Islamic Republic.

John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said at a press event last week that having taken credit for a series of attacks inside Iran, the group's timely reappearance makes it "certainly a player to watch."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

By using data to drive policy underwriting, cyber-insurance companies can offer coverage without a price tag that drives customers away.

A flood or fire might have devastated a business in the mid-1990s when offices were filled with filing cabinets and paper records. Today, most of those assets are in the cloud, and business insurance must cover them in modern form. 

Cyber insurance should be a priority in this business landscape, yet too often it is an outlier. There is no other insurance product where so few have coverage but so many need it.

According to Fortune Business Insights, the global cyber-insurance market was $13.33 billion in 2022 and is forecast to grow to $84.62 billion by 2030. Many companies aren't sure how much cyber insurance they need, and, more critically, insurers aren't sure what the risk landscape looks like for an individual company that seeks coverage. 

This risk miscalculation has spurred huge losses and changed the landscape of the cyber-insurance market. In its latest report, the National Association of Insurance Commissioners (NAIC) shows the top 20 groups reporting on cyber supplements had direct loss ratios of up to 130.6%.

Insurance coverage isn't necessarily hard to obtain — a company with a mature security posture can likely get multiple quotes without a problem. However, specific sectors with historically poor security postures, like education, or highly targeted sectors, like software developers, may have a more challenging time. 

Let's look at how the market has changed and where it's heading.

**How the Market Hardened**

The cyber-insurance market has rapidly transitioned from a soft cycle, characterized by lower premiums and higher limits, to a hard cycle. This shift resulted in insurance premiums skyrocketing.

Some businesses have been surprised when their policies increased dramatically despite nothing changing on their end. But most insurance companies saw more demand than supply, and risk increased as more claims were filed. According to Verizon's "2023 Data Breach Investigations Report," ransomware accounted for roughly 5% of breaches in 2020 and soared to 24% in 2022 and 2023. Insurers raised rates accordingly.

Those rates finally dipped by 10% in June, partly because insurance companies mandated their customers implement better protections. Insurance companies must excel in risk management to offer competitive rates. This enables the insurer to accept risk and ensure prices don't have to jump to a point that makes the company noncompetitive. 

**Where SMBs Fit In**

When the market began less than a decade ago, only big businesses were looking for coverage. Underwriters want balanced books, with a few large risks and many smaller ones, but the market demanded half of that. Industrial-sized companies sought coverage, while small and midsized businesses (SMBs) were on the sidelines. 

Large tech companies had risk-management processes at the board level requiring them to seek cyber insurance. SMBs didn't know their threats, and their risks weren't considered imminent. The dynamic shifted when the threat landscape changed, and cyber insurance became more commercialized with offerings that made sense to SMBs. According to NetDiligence's 2022 Cyber Claims Study, large companies represented only 2% of cyber claims from 2017-2021, but those claims accounted for 51% of total incident costs. 

These days, large businesses require their smaller partners to carry cyber insurance, and brokers can be sued for negligence if they don't offer it to their clients. Some brokers have clients sign a waiver if they don't buy the policy, saying they at least offered it.

With these forces pushing the market, we're seeing more and more small businesses turning to cyber insurance.

**Where Things Are Going**

When insurance companies have limited capacity, they choose customers with lower risk. Low-risk companies take measures to minimize their exposure. Traditionally, it's been hard to prove where those exposures are, let alone if they've been mitigated. 

Technology is changing this. Companies now have better ways to understand where to harden their security posture, and insurance companies have new methods to determine how risky their potential client is. 

This data empowers underwriters to mitigate risk that would impact policies and offers mitigation strategies for companies seeking coverage. These efforts promote a hardened security posture, which means lower risk for insurance companies so that they can offer competitively priced premiums. This eventually translates into lower loss ratios and higher profitability for the whole industry. That in turn enables more affordable rates for businesses. 

In less than a decade, cyber insurance has grown from a niche product to a multibillion-dollar industry. By using data to drive policy underwriting, cyber-insurance companies can offer the coverage so many want without a price tag that will drive them away.

How Data Changes the Cyber-Insurance Market Outlook

SaaS security is broad, possibly confusing, but undeniably crucial. Make sure you have the basics in place: discovery, risk assessment, and user access management.

In today's fast-paced business world, software-as-a-service (SaaS) applications have transformed how we work. They offer unprecedented flexibility, collaboration, and efficiency, making them the go-to solution for most organizations. From project management to customer relationship management and file storage, SaaS applications touch nearly every aspect of daily business operations. With sensitive data and critical business processes housed in these platforms, the need for robust SaaS security has never been more pressing and clear.

SaaS security is multifaceted, covering many types of risks with tools offered by diverse vendors. SaaS security typically falls within SaaS security posture management (SSPM). While modern SSPM solutions provide automation and in-product remediation, they might be somewhat overwhelming at first, especially for smaller organizations that don't have large budgets or don't know where to start or what to prioritize.

During a career spanning two decades in the Israeli military serving various cyber-related roles, I learned the importance of breaking down large challenges into smaller pieces. Tackling a large problem starts with identifying the basic requirements. In this article, I will lay out three must-have SaaS security essentials that any organization can implement, regardless of budget or headcount. These are three steps you can introduce into your organization today.

**Step 1: Discover Your SaaS Usage**

After serving hundreds of SaaS-using companies, it is clear to me that most organizations have a serious SaaS shadow-IT problem. In fact, the average employee uses 28 SaaS applications at any given time. When you think about it, it makes sense: Most employees, when encountering a specific business need, will look up a fast and easy solution online. That solution is often a SaaS tool that requires permissions into the employee's work environment. Onboarding these SaaS applications often goes completely unnoticed by security and IT teams. So, before you can secure your SaaS environment, you must first have full visibility into every employee's SaaS usage, all the time.

**Step 2: Perform Risk Assessments on Each SaaS Application**

Now that you have a clear picture of your SaaS landscape, it's time to evaluate the security risks associated with each application. Not all SaaS applications are created equal, and some may pose a higher risk to your organization's data and operations. We should always be cautious as to where we keep or share sensitive data and who we trust with our most critical assets. There are several critical considerations for determining whether an application is risky or not. Here are a few:

*   The SaaS vendor's security and privacy compliances.
*   The SaaS vendor's size and location.
*   The SaaS app's marketplace presence: Has it been validated by others?
*   Is it a private or public company? Does it share its security status publicly?

This type of analysis is crucial not only for maintaining SaaS security; it is a significant factor in companies' vendor risk-assessment processes. SaaS is a third-party vendor, and assessment is part of how you manage a vendor's risk. Organizations cannot afford to turn a blind eye to their third-party risks of any size.

**Step 3: Ensure Users Have Only Necessary Permissions and Roles**

The third essential step is managing user permissions. Often, security breaches occur due to excessive permissions granted to users or that the users grant to certain applications. To mitigate this risk, follow these best practices:

*   **Least-privilege principle:** This means granting users only the permissions they absolutely need to perform their tasks. Avoid granting broad, blanket permissions that can lead to data exposure or unauthorized actions.
*   **Regular permission reviews:** Establish a process for regularly reviewing and updating user permissions and roles. This is especially true for your core business applications. Employees' roles and responsibilities can change over time, and permissions should be adjusted accordingly.
*   **Start with the admins:** Assessing all your employees and their roles and permissions across dozens of apps can be daunting and time consuming. I've learned that focusing on various admin roles and auto-approving low-permissions roles is a huge time saver.

**Why These Three?**

There are many ways to implement SaaS security practices. Some organizations prefer looking at sensitive files shared between these applications; others start with irregular user behaviors to tackle insider risks. These are all valid, and robust SSPM tools offer these capabilities. But for smaller organizations with tighter budgets or those that prefer to start small then expand, I firmly believe these three principles are the way to go. These are required by major compliance standards such as ISO 27001 and SOC 2 and fall under basic vendor risk-assessment and user-management requirements.

**Embrace SaaS Without Compromising Security**

By enforcing these three steps, you can make significant strides in protecting your digital workspace. Remember that security is an ongoing process, and continuous monitoring and adaptation are key to staying ahead of evolving threats in the SaaS landscape. By prioritizing security, you can ensure employees are free to fully embrace the advantages of SaaS while always keeping your organization safe from SaaS potential harm.

**About the Author**

    

A retired colonel from the elite 8200 Unit, Galit Lubetzky Sharon has vast, hands-on experience designing, developing, and deploying some of the Israeli Defense Forces' most vital defensive and offensive cyber platforms as well as leading large and strategic operations. She was an integral part of developing the IDF's first cyber capabilities and continued improving and enhancing these capabilities throughout her career. She is the recipient of numerous accolades, including the prestigious Israeli Defense Award.

Source

DARKReading