On October 17, 2024, the long-awaited deadline for the transposition of NIS2 into national law passed, ushering in a new era of cybersecurity for EU member states. And while only 2 member states transposed the directive into law before the deadline, another 23 are quickly heading to the finish line.
The NIS2 directive aims to upgrade the cybersecurity posture of businesses in essential and important industries and their suppliers. It is both sweeping in its requirements and onerous in its penalties.
NIS2 aims to overcome the shortcomings of NIS, the EU’s original directive, which was published back in 2016. Citing the importance that network and information systems play in everyday life, as well as the increase in cyber incidents that threaten that lifestyle, NIS2 positions itself as being essential to the proper functioning of the market.
NIS2 specifically mentions the need to secure SaaS applications, in addition to other cloud components. The directive sets out baselines for some of these measures. In Article 21 it requires organizations to “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.”
The measures described in NIS2 specifically include identity security, access control policies, and asset management, and it directly calls for the use of multi-factor authentication solutions. Identity and access management is considered a basic cyber hygiene practice in the directive.
SaaS applications play various roles within essential and important businesses. Some, such as CRM systems containing customer Personally Identifiable Information (PII) or employee data, should already be heavily secured to comply with GDPR requirements. Others, though, that help facilitate operations, contain sensitive product information, or hold financial records, now must be secured under the NIS2 directive.
Organizations looking to insulate themselves from security breaches and the accompanying NIS2-driven financial penalties must look to SaaS Security Posture Management (SSPM) platforms to secure their SaaS stack. SSPMs enable organizations to fully secure their SaaS stack, with a set of tools that identify SaaS risks and detect threats before they turn into data exfiltration attacks.
SaaS applications have large attack surfaces. Misconfigured settings, such as those that enable MFA but don’t require it, can open the door to threat actors who merely conducted a successful phishing expedition. Allowing users to share boards, documents, or other resources publicly is another misconfiguration that can lead directly to data leakage.
Authorized users are another attack surface ripe for exploitation. Generative AI is routinely used to successfully social engineer users into handing over their login secrets. User accounts with high privileges, either because they were over-permissioned or because they were admins, give an attacker who compromises them a wide range of access. Partially deprovisioned users, external users who retained credentials, accounts that are shared among multiple users, dormant accounts, and other identity security missteps grossly increase the attack surface. Even user devices with low hygiene can be a path of entry for threat actors.
Third-party connected applications provide another possible entry point for threat actors. By integrating a malicious app with high privileges into an application, threat actors can easily delete files, download data, and otherwise interfere with operations.
Any successful breach of a SaaS application can be construed as non-compliance with NIS2. For organizations looking to improve their compliance, SaaS Security Posture Management (SSPM) is the only realistic option.
SaaS Security Posture Management (SSPM) is the only solution in the market that enables organizations to comply with SaaS security aspects within NIS2. SSPM was built to handle the unique characteristics of SaaS applications, monitoring hundreds of applications.
It is an automated 24/7 monitoring platform that checks for misconfigurations in each application and alerts users when configuration drift occurs. It detects third-party integrations, reviewing scopes and letting security teams know when an application’s permission request is high risk. SSPMs also monitor identities, their permissions, and their devices, helping teams understand the access granted to each user and alerting security and app owners when those permissions increase the risk level.
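To make the three kinds of checks described above concrete (settings drift against a baseline, identity hygiene, and third-party app scope review), here is an added example in Python. It is not Adaptive Shield's code or any SSPM product's logic; the tenant snapshot, the baseline, the user records and the OAuth-style scope names are all constructed for illustration, and real SaaS platforms expose their own settings keys and scope vocabularies.

```python
"""Constructed SaaS posture check: settings drift, identity hygiene and
third-party app scope review over a sample tenant snapshot.
All data below is constructed for illustration, not real SaaS output."""
from dataclasses import dataclass
from datetime import date, timedelta

# Fixed "today" so the dormant-account arithmetic is reproducible.
TODAY = date(2024, 10, 17)

# Baseline the tenant is expected to match (constructed; key names are assumptions).
BASELINE_SETTINGS = {
    "mfa_enabled": True,          # MFA available to users...
    "mfa_required": True,         # ...and enforced at login
    "public_link_sharing": False, # no anyone-with-the-link sharing
}

# Constructed snapshot of what the tenant currently looks like.
TENANT_SNAPSHOT = {
    "settings": {
        "mfa_enabled": True,
        "mfa_required": False,        # enabled but not enforced: drift
        "public_link_sharing": True,  # public sharing switched on: drift
    },
    "users": [
        {"name": "alice", "role": "admin", "external": False, "shared": False,
         "status": "active", "last_login": TODAY - timedelta(days=2), "active_sessions": 1},
        {"name": "bob", "role": "member", "external": False, "shared": False,
         "status": "active", "last_login": TODAY - timedelta(days=200), "active_sessions": 0},
        {"name": "contractor-x", "role": "admin", "external": True, "shared": False,
         "status": "active", "last_login": TODAY - timedelta(days=10), "active_sessions": 1},
        {"name": "ops-shared", "role": "member", "external": False, "shared": True,
         "status": "active", "last_login": TODAY - timedelta(days=1), "active_sessions": 3},
        {"name": "carol", "role": "member", "external": False, "shared": False,
         "status": "offboarded", "last_login": TODAY - timedelta(days=5), "active_sessions": 1},
    ],
    "third_party_apps": [
        {"name": "calendar-sync", "scopes": ["read:calendar"]},
        {"name": "bulk-exporter", "scopes": ["read:files", "delete:files", "admin:org"]},
    ],
}

# Scope names are constructed; treat this as the "high risk" list a team would maintain.
HIGH_RISK_SCOPES = {"delete:files", "admin:org", "write:users"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    category: str  # "settings", "identity" or "third_party"
    subject: str   # setting key, user name or app name
    detail: str


def check_settings_drift(settings, baseline):
    """Flag every baseline setting whose current value differs from the expected one."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append(Finding("high", "settings", key,
                                    f"expected {expected!r}, found {actual!r}"))
    return findings


def check_identities(users, today, dormant_after_days=90):
    """Flag partially deprovisioned, external-admin, shared and dormant accounts."""
    findings = []
    for u in users:
        if u["status"] != "active" and u["active_sessions"] > 0:
            findings.append(Finding("high", "identity", u["name"],
                                    "offboarded user still has active sessions"))
            continue  # the remaining checks are moot for a non-active account
        if u["external"] and u["role"] == "admin":
            findings.append(Finding("high", "identity", u["name"],
                                    "external user holds admin role"))
        if u["shared"]:
            findings.append(Finding("medium", "identity", u["name"],
                                    "account shared by multiple people"))
        idle_days = (today - u["last_login"]).days
        if idle_days > dormant_after_days:
            findings.append(Finding("medium", "identity", u["name"],
                                    f"dormant: no login for {idle_days} days"))
    return findings


def check_third_party_apps(apps, high_risk=HIGH_RISK_SCOPES):
    """Flag connected apps that were granted any scope on the high-risk list."""
    findings = []
    for app in apps:
        risky = sorted(set(app["scopes"]) & high_risk)
        if risky:
            findings.append(Finding("high", "third_party", app["name"],
                                    "high-risk scopes granted: " + ", ".join(risky)))
    return findings


def assess_posture(snapshot, today, baseline=BASELINE_SETTINGS):
    """Run all three checks over one tenant snapshot and return the combined findings."""
    return (check_settings_drift(snapshot["settings"], baseline)
            + check_identities(snapshot["users"], today)
            + check_third_party_apps(snapshot["third_party_apps"]))


def summarize(findings):
    """Count findings per severity, the figure a posture dashboard would track over time."""
    summary = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


if __name__ == "__main__":
    results = assess_posture(TENANT_SNAPSHOT, TODAY)
    for f in results:
        print(f"[{f.severity:6}] {f.category:12} {f.subject}: {f.detail}")
    print(summarize(results))
```

Running the same assessment on every snapshot (for instance, daily) and diffing the finding sets is what turns a one-off audit into the continuous drift detection the paragraph describes; a finding that appears between two runs is a configuration or access change worth routing to the app owner.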
SaaS security is rounded out by adding an additional layer of identity security, through an Identity Threat Detection & Response (ITDR) mechanism. ITDRs monitor activity throughout the SaaS stack, looking for indications of compromise and detecting threats as they arise.
Taken together, SSPM provides a measurable security solution that reduces the overall risk from SaaS applications. Furthermore, its auditing and reporting functions can be used in the event of a breach to generate the reporting required by NIS2.
Organizations that fall under the wide umbrella of NIS2 must take industry-accepted security measures to manage risk for their entire SaaS stack. While NIS2 doesn’t mandate the tools required for compliance, companies that don’t use an SSPM security solution to protect their SaaS applications are risking high fines and putting their SaaS applications at risk.
Now that the directive has become law across the EU, companies must take the steps needed to comply with NIS2 and fully secure their entire SaaS stack.
The post NIS2 Arrives with Major Changes to EU SaaS Cybersecurity appeared first on Adaptive Shield.
This is a Security Bloggers Network syndicated blog from Adaptive Shield authored by Hananel Livneh. Read the original post at: https://www.adaptive-shield.com/blog/nis2-arrives-with-major-changes-to-eu-saas-cybersecurity/