
SaaS Security under NYDFS with Grip SSCP

In March 2017, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) took effect to protect consumers and financial systems from the growing threat of cyberattacks. The regulation applies to every entity regulated by the NYDFS, including banks, insurance companies, and other financial institutions.

Background

The NYDFS is the regulatory body that oversees financial institutions and financial services providers in the state of New York. Compliance with the regulation is mandatory for every company it regulates, and having the right tools to achieve compliance is vital. The obligation does not depend on where an organization is headquartered: a bank or lending institution that holds a license or charter from the NYDFS must conform to these standards even if it is based outside New York.

Back in 2017, when the NYDFS introduced its cybersecurity regulation, the goal was to set out specific requirements for financial institutions and insurance companies operating in the state. Although software-as-a-service (SaaS) is not typically treated as a corporate resource (it is a service, after all, hosted and managed by a third party), the regulation has significant implications for companies that rely on SaaS, because every SaaS service is a place where identities and data accumulate, and most of those places are unguarded.

The Challenge (and Solution) for Secure SaaS under NYDFS

The NYDFS cybersecurity regulations require financial institutions to establish and maintain a cybersecurity program that is designed to protect the confidentiality, integrity, and availability of information systems and non-public information. The regulations also require companies to establish and maintain a written cybersecurity policy, appoint a Chief Information Security Officer (CISO), and conduct regular cybersecurity risk assessments.

Here are the key areas that impact how organizations tackle the NYDFS standards in a SaaS-first, distributed identity reality, along with specific ways Grip can help:

1. Conduct regular risk assessments: Companies must conduct regular risk assessments of their SaaS solutions and document the results in a written report for their financial institution clients. This is difficult in organizations that run on cloud and SaaS services, because most of those services are provisioned and deprovisioned with nothing more than a username and password, so no central inventory records them. Identifying where SaaS apps are in use and who is using them is exactly what Grip's discovery was built to do.

Figure 1.1 | Basic architectural diagram of Grip’s SaaS Security Control Plane (SSCP)

Grip's identity-based discovery enables organizations to pinpoint every SaaS app via its connection to a corporate identity, and to look back through time to understand all identity-SaaS relationships for 10+ years. By identifying every SaaS asset in connection with an identity asset, security and risk teams can satisfy the NYDFS requirement to know where apps and data are and who is accessing them.

2. Forge a written security policy for SaaS use: Companies must establish and maintain a written policy for evaluating and assessing the security practices of third-party service providers that have access to non-public information. Once companies subject to the NYDFS standards have found all their SaaS apps and identity relationships, they must determine what the correct security policy is for what could be hundreds of SaaS instances tied to a single user (identity).

One of the most common security policies for SaaS concerns how SaaS is accessed. While many organizations still use legacy directory services such as Active Directory, most financial services firms also rely on SaaS-delivered identity and access management (IAM) solutions from vendors such as Okta, Ping Identity, SailPoint, and CyberArk.

What is harder to know is whether those services are actually being used when users connect to SaaS, and Grip can answer that question. Grip tracks every authentication event by anchoring to corporate identities and observing when and where SaaS is consumed.

Figure 1.2 | Identify and track policies like single sign-on and MFA from a single dashboard for all SaaS services

Additionally, Grip records the authentication method used for every SaaS-identity interaction, giving the organization the telemetry to see when authentication risks emerge: users circumventing SSO with a local password, granting overly permissive OAuth scopes to third-party services, or resetting a SaaS password outside the identity provider. Financial institutions use these insights to identify and close authentication gaps and policy-dodging, which often produces cost savings too, as organizations consolidate access onto fewer identity providers.

Grip helps scale security policy and protection by focusing on identity protection and credential safeguards, and by translating security policies into access controls applied to the identity, enabling safe identity-SaaS connections whenever and wherever SaaS is used.

3. Establish multi-factor authentication: Companies must implement multi-factor authentication (MFA) for access to SaaS services and apps. MFA has long been a punchline for how hard it is to deploy for every identity and every SaaS app, but the NYDFS mandate comes with high expectations (and both carrots and sticks to see that it is done). The November 2023 amendment to Part 500 raised the bar further: section 500.12 now requires MFA for any individual accessing any of a covered entity's information systems, with full compliance due by November 1, 2025.

Once again, Grip's continuous identity-based discovery maintains an unbroken connection to identities. From the moment a SaaS app is first used until it is decommissioned, Grip knows who is accessing it, how they are authenticating, and the MFA status of both the app and the identity, and it can take on-demand action (such as access revocation) until security standards like MFA are in place.

Without continuous discovery of the evolving SaaS attack surface, organizations are at a loss to know where MFA is needed, where it is being used, when use falls out of compliance, and where security and compliance risks need mitigation.  

Figure 1.3 | Grip identity risk scoring and SaaS risk indexing
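The telemetry described in sections 2 and 3 above (which authentication method each identity used for each SaaS app, whether a second factor was presented, and which OAuth scopes were granted) is what lets a security team find SSO bypass and MFA gaps. The following is an added illustration, not Grip's code or data: it assumes a hypothetical event feed with one record per identity-to-SaaS interaction, a constructed list of sample events, and an assumed policy input listing which apps are supposed to be federated behind the IdP and which OAuth scopes the organization treats as overly broad.

```python
from collections import Counter
from dataclasses import dataclass

# Authentication methods that mean the login went through the corporate IdP.
SSO_METHODS = frozenset({"saml", "oidc"})
# Methods that count as an interactive login when measuring MFA coverage.
LOGIN_METHODS = SSO_METHODS | {"password"}


@dataclass(frozen=True)
class AuthEvent:
    """One identity-to-SaaS interaction from a hypothetical telemetry feed (assumed schema)."""
    ts: str
    identity: str
    app: str
    method: str          # saml | oidc | password | oauth_grant | password_reset
    mfa: bool = False    # True if a second factor was presented
    scopes: tuple = ()   # OAuth scopes, populated only for oauth_grant events


@dataclass(frozen=True)
class Finding:
    kind: str
    identity: str
    app: str
    ts: str
    detail: str = ""


# Constructed sample telemetry; no real users, tenants or vendors.
SAMPLE_EVENTS = [
    AuthEvent("2024-03-04T08:01Z", "alice@example.com", "crm.example", "saml", mfa=True),
    AuthEvent("2024-03-04T08:05Z", "bob@example.com", "crm.example", "password"),
    AuthEvent("2024-03-04T09:12Z", "carol@example.com", "payroll.example", "oidc", mfa=True),
    AuthEvent("2024-03-04T09:40Z", "bob@example.com", "notes.example", "password"),
    AuthEvent("2024-03-04T10:02Z", "dave@example.com", "notes.example", "password", mfa=True),
    AuthEvent("2024-03-04T10:30Z", "alice@example.com", "notes.example", "oauth_grant", mfa=True,
              scopes=("files.readwrite.all", "profile")),
    AuthEvent("2024-03-04T11:15Z", "bob@example.com", "crm.example", "password_reset"),
]

# Assumed policy inputs: apps federated behind the IdP, and OAuth scopes the
# organization treats as overly permissive for a third-party integration.
SSO_ENFORCED_APPS = frozenset({"crm.example", "payroll.example"})
BROAD_SCOPES = frozenset({"files.readwrite.all", "mail.readwrite", "directory.readwrite"})


def audit_events(events, sso_apps=SSO_ENFORCED_APPS, broad_scopes=BROAD_SCOPES):
    """Return one Finding per policy violation observed in the event stream."""
    findings = []
    for e in events:
        # SSO bypass: a local password login to an app that is supposed to be federated.
        if e.app in sso_apps and e.method == "password":
            findings.append(Finding("sso_bypass", e.identity, e.app, e.ts))
        # Interactive login without a second factor, whichever method was used.
        if e.method in LOGIN_METHODS and not e.mfa:
            findings.append(Finding("no_mfa", e.identity, e.app, e.ts, e.method))
        # OAuth consent that hands broad data access to an integration.
        if e.method == "oauth_grant":
            risky = sorted(set(e.scopes) & broad_scopes)
            if risky:
                findings.append(Finding("broad_oauth", e.identity, e.app, e.ts, ",".join(risky)))
        # A local password reset re-establishes a credential outside the IdP's control.
        if e.method == "password_reset" and e.app in sso_apps:
            findings.append(Finding("local_password_reset", e.identity, e.app, e.ts))
    return findings


def count_by_kind(findings):
    """Summarize findings as {kind: count} for a compliance dashboard or report."""
    return dict(Counter(f.kind for f in findings))


def mfa_coverage(events):
    """Fraction of interactive logins per app that presented a second factor."""
    total, with_mfa = Counter(), Counter()
    for e in events:
        if e.method in LOGIN_METHODS:
            total[e.app] += 1
            with_mfa[e.app] += int(e.mfa)
    return {app: with_mfa[app] / n for app, n in total.items()}


def identities_without_mfa(events):
    """Identities that logged in to any SaaS app at least once without MFA."""
    return {e.identity for e in events if e.method in LOGIN_METHODS and not e.mfa}


if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.kind:<21} {f.identity:<18} {f.app} {f.detail}")
    print("MFA coverage by app:", mfa_coverage(SAMPLE_EVENTS))
    print("Identities missing MFA:", sorted(identities_without_mfa(SAMPLE_EVENTS)))
```

Note that the SSO-bypass check depends on the policy input, not on the event alone: a password login to notes.example is not a bypass here because that app was never federated, but it still surfaces as an MFA gap. That is the distinction a written SaaS policy has to make explicit before telemetry can be scored against it.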

4. Implement data retention and disposal policies: Companies must establish policies for the retention and disposal of non-public information. Grip identifies each SaaS app's key capabilities, including file sharing, OAuth scopes, handling of financial records, business function, and business justification.

By exposing which apps can perform which actions or hold which data types, organizations can prioritize inspection and validation for data retention and disposal, because the key aspects of what a SaaS app can do are surfaced instantly from Grip's knowledge base of 20,000+ SaaS apps and their capabilities.

5. Conduct regular penetration testing and risk assessments: Companies must conduct regular penetration testing and vulnerability assessments of their SaaS solutions. As many organizations have come to realize, a penetration test against a SaaS app is often a quick exercise: little more than a valid username and password is needed to enter the tenant and use its controls.

Figure 1.4 | Common workflow for user access reviews via Grip SSCP and in compliance with NYDFS standards

One of the simplest ways to protect login information such as credentials is to remove the user's knowledge of their passwords. Grip uses double-blinded credential protection (Grip itself does not know the password) rooted in the identity and the key attributes that distinguish it from every other identity in the corporate directory. By severing the credential from the identity, Grip can ensure the reliability of access controls and policy compliance for SaaS in use today and SaaS yet to be deployed.

6. Provide notice of cybersecurity events: Companies must provide notice of any cybersecurity event to their financial institution clients within 72 hours of becoming aware of it. The regulation's own clock (section 500.17) runs from the determination that a reportable cybersecurity event has occurred and requires the covered entity to notify the NYDFS superintendent within 72 hours, so a SaaS provider's prompt notice to its clients is what makes that deadline achievable. For financial institutions with thousands of SaaS applications, each managed by a third-party SaaS provider, the client-notification rules are a significant challenge.

First, the financial institution must know that one of its SaaS services has been breached. Second, it must know which data types are potentially at risk of compromise or theft. Third, it must notify clients within the 72-hour window. Doing this at scale is difficult for any one financial institution on its own, which is why banking and finance customers rely on Grip.

7. Establish an incident response plan: Companies must establish and maintain a written incident response plan that outlines procedures for responding to cybersecurity events. Responding to incidents involving SaaS services is challenging given how little control most security teams have over the majority of identity-SaaS relationships. With Grip, security teams can maintain line of sight and execute integrated actions to remediate SaaS security incidents. When a SaaS provider experiences a breach, Grip customers can instantly see whether and where they are affected, and secure identities and access to the affected SaaS service in a few clicks. This includes full-scale offboarding for targeted users, all users, specific SaaS apps, or entire groups of apps and tenants, fully automated with Grip SSCP.

Figure 1.5 | Automated offboarding through the Grip SSCP portal

Grip delivers on-demand insights into SaaS use, misuse, and abuse by continuously discovering SaaS as it is consumed by a company's users (internal and external/guest identities), regardless of network status, device, or location, all without proxies or agents. If a new SaaS app is discovered today and breached tomorrow, Grip's financial services customers can see it and automate actions with simple workflows, documentation, and pre-built reports to notify customers and mitigate the risk, all at once.

8. Maintain audit trails: Companies must maintain audit trails that enable the reconstruction of material financial transactions that occur in their SaaS solutions. Again, fulfilling the NYDFS standards in a SaaS context requires a continuous stream of insights from ongoing discovery, never losing sight of where transactions take place across the enterprise SaaS layer, so that audit trails can be kept for specific SaaS apps or classes of app as new SaaS emerges and older SaaS is abandoned.

Because Grip is anchored to identities, any identity connecting to SaaS, whether the app was used in the past, is used today, or will be used in the future, is known and graphed, along with functional capabilities such as transaction processing and file storage, and overlap with other apps that hold sensitive information.

9. Implement access controls: Companies must implement access controls that limit access to non-public information to authorized personnel. This is easier said than done. Financial institutions depend on Grip's access management capabilities to universalize access controls by pinning controls to identities and applying security protections directly to SaaS at the moment an identity uses it. There is no need to enroll apps, configure settings in the SaaS, or add more users to the backlog of SAML/SSO provisioning. Grip goes with the identity each time it engages a SaaS service, enforcing access controls that comply with the organization's security policies and, by extension, the NYDFS regulation.

Figure 1.6 | Add access control by selecting "Move to Grip Access" to enable double-blind strong credentials on continuous rotation.

Conclusion

The NYDFS regulation has significant implications for companies that rely on SaaS solutions and apps. Companies must establish and maintain a robust identity-SaaS program that meets the specific requirements set out in the regulation. Failure to comply can result in significant fines and reputational damage.

This makes it clear that companies must ensure their enterprise SaaS layer and the global identity fabric are visible, risks are actionable, and access control can be realized whenever and wherever SaaS is used. That is why financial services customers choose Grip for unified SaaS discovery, comprehensive identity risk scoring and SaaS risk indexing, and airtight access controls to meet the NYDFS requirements.

Get started today with Grip’s free Identity SaaS Discovery

*** This is a Security Bloggers Network syndicated blog from Grip Security Blog authored by Grip Security Blog. Read the original post at: https://www.grip.security/blog/blog-using-grip-for-nydfs-saas-security-compliance