ServiceNow Strengthens Cybersecurity Controls
ServiceNow today made available the Vancouver release of its software-as-a-service (SaaS) platform, which adds a range of cybersecurity capabilities, including the ability to ingest and process software bills of materials (SBOMs).
Amy Lokey, senior vice president and head of global design for ServiceNow, said IT teams will be able to include SBOMs within workflows to better assess risks associated with open source components included within third-party and custom applications.
In addition, ServiceNow is making available a ServiceNow Zero Trust Access capability within ServiceNow Vault, a repository of security controls, to provide a set of granular authentication policies.
Finally, ServiceNow has extended the third-party risk management tool the company provides with an executive dashboard and workflows to specifically address due diligence requirements.
As cybersecurity regulations become more stringent, providers of SaaS applications are embedding more security capabilities within their platforms so that organizations can better secure the applications and workflows that run on them. It’s not clear how much security concerns will influence the selection of SaaS platforms going forward, but at the very least, organizations that have already embraced these platforms will soon be able to make them more resilient, both in thwarting attacks and in investigating breaches. When a breach occurs, an SBOM makes it simpler to identify which components with known vulnerabilities were present in the affected applications.
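The SBOM workflow described above (ingesting a bill of materials for a third-party or custom application and flagging the open source components that carry known vulnerabilities) comes down to matching package identifiers against advisory version ranges. The following is an added Python example written for this article; it is not ServiceNow code and does not reflect how the Vancouver release implements the feature. It parses a constructed CycloneDX JSON SBOM, reads each component's package URL (purl), and checks it against a constructed advisory list in the introduced/fixed range style used by the OSV schema. The package names, versions and advisory IDs are all made up for the example; a real run would pull advisories from a vulnerability feed.

```python
"""Match the components in a CycloneDX SBOM against known-vulnerable
version ranges.

Added example for this article, not ServiceNow code. The SBOM, the
advisory list, the package names and the advisory IDs are constructed
for illustration; the advisory shape follows OSV's introduced/fixed ranges.
"""
import json
import re

# Constructed CycloneDX 1.4 document for a hypothetical application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "com.example", "name": "acme-logging",
     "version": "2.14.1", "purl": "pkg:maven/com.example/acme-logging@2.14.1"},
    {"type": "library", "name": "acme-http", "version": "2.31.0",
     "purl": "pkg:pypi/acme-http@2.31.0"},
    {"type": "library", "name": "acme-utils", "version": "4.17.15",
     "purl": "pkg:npm/acme-utils@4.17.15?repository_url=registry.example.com"},
    {"type": "library", "name": "in-house-auth", "version": "1.0"}
  ]
}"""

# Constructed advisories; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "maven", "name": "com.example/acme-logging",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.15.0"}]},
    {"id": "EXAMPLE-0002", "ecosystem": "pypi", "name": "acme-http",
     "ranges": [{"introduced": "0", "fixed": "2.20.0"}]},
    {"id": "EXAMPLE-0003", "ecosystem": "npm", "name": "acme-utils",
     "ranges": [{"introduced": "0", "fixed": "4.17.19"}]},
]


def version_key(version):
    """Order dotted versions numerically: '2.14.1' -> (2, 14, 1).
    Non-numeric suffixes such as '0-rc1' keep only their leading digits.
    Good enough for the example; not a full semver or PEP 440 comparator."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(version, rng):
    """OSV-style range: affected if introduced <= version < fixed.
    A range with no 'fixed' entry means every later version is affected."""
    v = version_key(version)
    if v < version_key(rng["introduced"]):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < version_key(fixed)


def parse_purl(purl):
    """Minimal package-url parser for pkg:type/namespace/name@version?qualifiers#subpath.
    Qualifiers and subpath are discarded; percent-decoding is not handled."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.partition("@")
    return ptype.lower(), name, version or None


def find_vulnerable_components(sbom_json, advisories):
    """Return (findings, unmatched). Components are matched on the purl's
    type plus namespace/name, never on the free-text 'name' field alone;
    components without a purl are reported separately for manual review."""
    sbom = json.loads(sbom_json)
    findings, unmatched = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) != (ptype, name):
                continue
            hits = [r for r in adv["ranges"] if version and is_affected(version, r)]
            if hits:
                findings.append({"purl": purl, "advisory": adv["id"],
                                 "fixed_in": hits[0].get("fixed")})
    return findings, unmatched


if __name__ == "__main__":
    found, unknown = find_vulnerable_components(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['advisory']}: {f['purl']} (fixed in {f['fixed_in']})")
    for u in unknown:
        print(f"no purl, review manually: {u}")
```

Two practical caveats the example makes visible: a component that ships without a purl (the constructed in-house-auth entry) cannot be matched reliably, and matching on the display name instead would produce both false positives and misses, so such entries are surfaced for review rather than silently ignored; and the version comparison here is deliberately simple, so a production workflow should use the ecosystem's own version semantics before trusting a "fixed in" verdict.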
In the wake of the COVID-19 pandemic, the number of organizations relying on SaaS applications increased substantially as employers sought to make working from home easier. Most of the platforms adopted, however, were chosen by business leaders with little regard for cybersecurity. Since then, cybercriminals have been targeting employees with phishing attacks to steal credentials that let them log into these applications as if they were legitimate users. Beyond stealing data and distributing malware, they use that access to escalate privileges and reach other systems.
The challenge cybersecurity teams now face is finding ways to retroactively implement the controls required to lock down these SaaS applications. The issue is that organizations now have tens, sometimes even hundreds, of SaaS applications, each with a unique approach to configuring security controls. Given that complexity, cybersecurity professionals have a vested interest in encouraging organizations to consolidate as many workflows as possible onto a single platform to help reduce the overall size of the attack surface that needs to be defended.
In the meantime, cybersecurity teams should expect the number of attacks launched against SaaS platforms to increase steadily as more data is created and stored within them. A review of the cybersecurity controls that need to be in place is required regardless of the potential inconvenience to end users. If the controls are cumbersome or non-existent, cybersecurity teams need to pressure the providers of these platforms into investing more in cybersecurity rather than continuing to add new features and capabilities that are likely to be exploited.
Naturally, that may take a while for every SaaS application provider to achieve, so it will be up to each organization to determine their level of risk tolerance even as potential sanctions become stiffer.