Table of contents
- 01. What is SSPM?
- 02. Background of the need for SSPM
- 03. Differences between SSPM and CSPM
- 04. How SSPM is different from CASB
- 05. Key features of SSPM
- 06. Benefits of SSPM
- 07. Key points when introducing SSPM
- 08. SSPM installation process
- 09. For SaaS environment configuration diagnosis, we also recommend the “Cloud Security Diagnosis” provided by professionals
- 10. Use SSPM in conjunction with LANSCOPE Professional Services’ Cloud Security Assessment
- 11. Summary
SSPM (SaaS Security Posture Management) is a security solution that monitors and evaluates the security settings of SaaS applications used in cloud environments, leading to correct settings.
Its main functions are:
- Detecting SaaS “security risks”
- “Visualization” and “regular monitoring and analysis” of security risks
- Support for “compliance”
By introducing SSPM, you can not only continuously prevent cloud configuration errors, but you can also expect benefits such as “reducing operational burden by centralizing SaaS management” and “reducing the labor required for compliance management.”
A service similar to SSPM is “CSPM.”
The difference between SSPM and CSPM is the “evaluation target,” with SSPM evaluating “SaaS” and CSPM evaluating “IaaS/PaaS.”
- SaaS examples: Google Workspace, Microsoft 365, etc.
- IaaS/PaaS examples: AWS, Azure, Google Cloud Platform, etc.
Like SSPM, there is also a security solution for cloud services called “CASB.”
The two have different functions and purposes: SSPM is focused on preventing incidents caused by improper SaaS configurations before they occur, while CASB is focused on detecting risky behavior of employees using the cloud after the fact.
In this article, we will provide a clear explanation of what SSPM is and the benefits of its implementation.
To summarise this article:
- SSPM is a security solution that detects security flaws in SaaS and notifies administrators to take appropriate action.
- The main difference between SSPM and CSPM is the “evaluation target.” SSPM evaluates “SaaS” and CSPM evaluates “IaaS/PaaS.”
- The difference between SSPM and CASB is that SSPM focuses on preventing incidents caused by improper configuration of SaaS, while CASB focuses on detecting risky behavior of employees using the cloud after the fact.
- The main reason for the need for SSPM is the growing use of cloud computing in the modern business environment, which in turn increases security challenges.
- By introducing SSPM, not only can you continuously prevent cloud configuration errors, but you can also centralize SaaS management and reduce the effort required for compliance management.
- There is also a service called “Cloud Security Diagnosis” that checks the configuration status of cloud environments.
What is SSPM?
SSPM is a security solution for monitoring, evaluating, and managing security settings in SaaS (Software as a Service). The role of SSPM is to identify security issues in SaaS settings that could lead to unauthorized access or information leakage, and to encourage administrators to take appropriate measures.
SaaS is a type of cloud service. By utilizing cloud services, you can use services online without downloading software or applications to your PC or device.
▼Representative examples of SaaS:
- Microsoft 365
- Salesforce
- Google Workspace
- Zoom
- Slack
For example, applications that are commonly used in business, such as Teams, SharePoint, and OneDrive, are part of the “Microsoft 365” service, which is a SaaS service.
Due to its convenience – “as long as there is an internet connection, it can be used from anywhere, on any device” – SaaS has become indispensable for businesses today.
However, SaaS poses various security risks.
What are the security risks when using SaaS?
Examples of security risks when using SaaS include the following:
Incorrect access permissions
Ideally, access permissions should be set so that each employee has access only to the information they need.
If access permissions are not set properly and anyone is able to view important information or manage the system, it increases the risk of information leaks and unauthorized access.
In addition, changes to SaaS specifications can change access permission settings, which can make it possible to access the system from outside the company without you realizing it.
Poor account management
When using SaaS, it is common to create an account for each employee who uses it.
Therefore, when an employee is transferred or leaves the company, any accounts that are no longer in use should be deleted promptly.
This is because if the accounts and privileges of employees who have been transferred or left the company are left unchanged, there is a risk of information leaks.
In fact, according to the IPA’s “Survey on the Actual Situation of Trade Secret Management in Companies 2020,” the most common route for leaking trade secrets was leaks caused by “mid-career resignations,” which increased from the previous survey and became the most common at 36.3%.
By using the “SSPM” tool, you can review the security settings of the SaaS your company uses and check whether they comply with the security policies established by your organization and are being kept safe, thereby avoiding the risks mentioned above.
Background of the need for SSPM
The main reasons why SSPM is needed as part of a company’s security measures are:
- The expansion of “cloud service usage” in the modern business environment
- The resulting increase in security issues
Examples include:
The SaaS market size is expanding year by year
As cloud services become more widespread, the domestic usage rate of SaaS is steadily increasing.
According to a survey by IDC, due to factors such as the impact of COVID-19, there is a growing shift from traditional on-premise environments to the cloud, which is promoting diversification of working styles.
As a result, Japan’s public cloud service market is growing steadily and is predicted to reach 4 trillion yen by 2026.
Furthermore, the SaaS market is expanding year by year; according to a survey by a company that provides SaaS marketing platforms, the domestic SaaS market is growing at an average annual rate of approximately 13%, suggesting that the market size will reach approximately 1.12 trillion yen in 2024.
While the convenience of cloud services and SaaS continues to grow, the number of security incidents caused by cloud services is on the rise due to malicious attackers targeting their vulnerabilities.
In the past, there have been cases of information leaks at companies and local governments due to misconfigurations in SaaS.
In January 2021, it was discovered that personal information held by 38 local governments and domestic companies was exposed to external viewing due to improper configuration of SaaS. The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) issued a warning to several major infrastructure providers.
The cause of the information leaks in all cases was a “misconfiguration of the scope of disclosure” made by the local governments and companies that used the services, and this incident once again highlighted the “importance of security settings” for cloud services.
To reduce the risk of information leakage due to cloud service settings, it is effective to use configuration assessment tools such as SSPM and CSPM. It may also be effective to undergo a “cloud security assessment,” in which professional diagnosticians manually check that settings are correct.
One advantage of cloud security assessments is that they allow knowledgeable vendors to review detailed settings, so even companies without the knowledge or resources can use them with peace of mind.
Differences between SSPM and CSPM
A service similar to SSPM is “CSPM.”
CSPM (Cloud Security Posture Management), like SSPM, is a security solution that identifies problems in cloud service configurations and prompts administrators to take appropriate action.
The difference between SSPM and CSPM is the “object of evaluation.” SSPM evaluates SaaS settings, while CSPM evaluates the settings of the entire cloud infrastructure, including IaaS/PaaS.
 | SSPM | CSPM
---|---|---
Evaluation target | SaaS | IaaS/PaaS
As mentioned above, the basic purpose and functions of CSPM and SSPM are similar, and which one should be used depends on whether the service being evaluated is “SaaS” or “IaaS/PaaS.”
How SSPM is different from CASB
Like SSPM, there is another security solution for cloud services called CASB (Cloud Access Security Broker). CASB is a solution that visualizes, controls, and centrally manages employee use of cloud services.
Both SSPM and CASB are cloud security-related solutions, but they differ in scope and functionality.
 | SSPM | CASB
---|---|---
Evaluation target | SaaS | SaaS, IaaS, PaaS
SSPM targets SaaS, while CASB targets the entire cloud service, including not only SaaS but also IaaS and PaaS.
A key feature of SSPM is visibility into SaaS misconfigurations, allowing you to take proactive measures and prevent incidents before they occur. CASBs have the ability to detect risky behaviors of employees using the cloud, and some can even block those behaviors.
Depending on their cloud security requirements, businesses must consider which option to choose, or whether to use a combination of both.
Key features of SSPM
SSPM has three main functions:
- Detecting SaaS “security risks”
- “Visualization” and “regular monitoring and analysis” of security risks
- Support for “compliance”
1. Evaluating SaaS “security risks”
SSPM assesses SaaS configurations based on the security policies defined by your organization.
By detecting configuration errors and compliance violations in SaaS, you can quickly nip incidents that could lead to risks such as unauthorized access and information leaks in the bud.
It is also possible to check whether current settings comply with the security policies and regulatory requirements established in advance by the organization, enabling companies to comply with security policies and maintain a secure cloud.
2. Visualization of security risks
SSPM visualizes security risks in SaaS environments, allowing administrators to understand security settings and risk status at a glance. This allows administrators to immediately check “where the flaws are in the cloud settings” and take appropriate measures.
3. Automatic “regular monitoring” and “analysis”
SSPM regularly monitors the SaaS environment, so it can detect new risks early on. The tool automatically monitors settings, reducing the workload of administrators and allowing for more efficient security operations.
In addition, by analyzing the collected data and identifying trends in security risks and compliance violations, it is possible to predict and take measures against future risks.
Benefits of SSPM
The following benefits can be expected from the introduction of SSPM:
- Prevent cloud configuration errors “continuously”
- Centralize SaaS management and reduce operational burden
- Reduce the effort required for compliance management
1. It can continuously prevent cloud configuration errors
The first benefit is that it can “continuously” monitor and take measures against misconfigurations in the cloud. SSPM has the ability to “automatically monitor” security settings and activities of SaaS.
SSPM periodically checks SaaS settings and reports misconfigurations and risks, so cloud services can be used “continuously” in a safe state. If a problem is detected, it will notify the administrator with a warning or alert.
2. Centralize SaaS management and reduce operational burden
The second benefit is that SSPM allows you to centrally manage security settings and activities for different SaaS.
Information collected from multiple SaaS platforms can be viewed on a single dashboard, enabling administrators to perform integrated and efficient security management.
3. Reduce the effort required for compliance management
The third benefit is that it allows you to efficiently check whether your cloud service settings are in compliance.
SSPM monitors SaaS configurations based on pre-configured security policies. Automated compliance checks reduce the need for administrators to manually check rules and review configurations.
Some products can even automatically generate compliance reports, reducing the time and effort required for audits and compliance reporting.
Key points when introducing SSPM
If you are considering introducing an SSPM product, be sure to check the following points in advance.
- Types of SaaS supported
- Response after evaluation
- Support system and update frequency
- Compliance with your company’s security policy
Supported SaaS types
The SaaS that can be evaluated varies depending on the SSPM product.
To avoid introducing an SSPM product only to find that it is not compatible with the SaaS your company uses, be sure to check the types of SaaS that are supported.
Post-evaluation response
SSPM products are designed to detect security risks in SaaS and suggest countermeasures, but it is the SaaS administrator who actually takes action, such as changing settings.
Therefore, choosing a product with features that help you respond to detected risks, for example by showing
- which security risks should be prioritized, and
- what steps should be taken to deal with each of them,
will make operation easier.
Support system and update frequency
It’s also very important to have a support system in place.
To ensure smooth response, we recommend products that offer support in Japanese, if possible.
Additionally, check how often the SSPM product is updated, so that you can be sure its monitoring keeps up with the latest standards.
Compliance with company security policies
SSPM assesses SaaS configurations based on the security policies defined by your organization.
Therefore, check whether the product can evaluate settings such as the following in accordance with the security policies and regulatory requirements your organization has agreed upon in advance:
- Access permission settings
- Data sharing settings
- Multi-factor authentication settings
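To make concrete what “evaluating SaaS settings against the organization’s policy” looks like, here is an added example (not code from this article or from any SSPM product): a small Python posture check that evaluates constructed tenant snapshots for the MFA, data-sharing, access-permission and dormant-account points discussed in this section and in the SaaS risks section above, and compares two scheduled runs to surface the kind of silent setting drift the article warns about. The snapshot layout, the policy keys and all tenant data are assumptions; a real SSPM reads these values from each SaaS vendor’s admin API on a schedule.

```python
"""Minimal SSPM-style posture check over constructed SaaS tenant snapshots.

Added example, not code from the article or from any SSPM product. The snapshot
layout, the policy keys and all tenant data are assumptions.
"""
from datetime import date, timedelta

# Organization policy (assumed): what "correct settings" means for this tenant.
POLICY = {
    "require_mfa": True,              # tenant-wide MFA enforcement must be on
    "allow_external_sharing": False,  # no link sharing outside the company
    "max_admins": 3,                  # keep the privileged group small
    "max_inactive_days": 90,          # enabled-but-dormant accounts are a leak risk
}

def check_posture(snapshot, policy, today):
    """Return one (check, severity, detail) finding per policy violation."""
    findings = []
    settings, users = snapshot["settings"], snapshot["users"]
    if policy["require_mfa"] and not settings.get("mfa_enforced", False):
        findings.append(("mfa", "high", "tenant-wide MFA enforcement is off"))
    sharing = settings.get("external_sharing", "unknown")
    if not policy["allow_external_sharing"] and sharing != "disabled":
        findings.append(("data_sharing", "high", f"external sharing is '{sharing}'"))
    admins = sorted(u["name"] for u in users if u["role"] == "admin")
    if len(admins) > policy["max_admins"]:
        findings.append(("access_permissions", "medium",
                         f"{len(admins)} admins (limit {policy['max_admins']}): {admins}"))
    cutoff = today - timedelta(days=policy["max_inactive_days"])
    for u in users:  # disabled accounts are not flagged: offboarding was completed
        if u["enabled"] and date.fromisoformat(u["last_login"]) < cutoff:
            findings.append(("account_management", "medium",
                             f"{u['name']} still enabled, last login {u['last_login']}"))
    return findings

def new_findings(previous, current):
    """Drift detection between two scheduled runs: findings that newly appeared."""
    return [f for f in current if f not in previous]

# Constructed snapshots: on day 2 the sharing setting has changed without the
# administrator noticing, which the periodic re-check is meant to catch.
SNAPSHOT_DAY1 = {
    "settings": {"mfa_enforced": False, "external_sharing": "disabled"},
    "users": [
        {"name": "alice", "role": "admin", "enabled": True, "last_login": "2024-05-09"},
        {"name": "bob", "role": "admin", "enabled": True, "last_login": "2024-05-08"},
        {"name": "carol", "role": "admin", "enabled": True, "last_login": "2024-05-07"},
        {"name": "dave", "role": "admin", "enabled": True, "last_login": "2023-11-15"},
        {"name": "erin", "role": "user", "enabled": False, "last_login": "2023-10-01"},
    ],
}
SNAPSHOT_DAY2 = {**SNAPSHOT_DAY1,
                 "settings": {"mfa_enforced": False, "external_sharing": "anyone_with_link"}}

def run_example():
    """Evaluate both snapshots; returns (day-1 findings, day-2 findings, new on day 2)."""
    today = date(2024, 5, 10)
    day1 = check_posture(SNAPSHOT_DAY1, POLICY, today)
    day2 = check_posture(SNAPSHOT_DAY2, POLICY, today)
    return day1, day2, new_findings(day1, day2)
```

On day 1 the check reports three findings (MFA off, four admins against a limit of three, and dave’s dormant but still enabled admin account) while erin’s disabled account is correctly left alone; on day 2 the sharing change appears as the single new finding.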
SSPM installation process
The implementation of SSPM can be carried out in six steps:
- Understanding the security status of the SaaS used in your company and identifying needs and requirements
- Select SSPM
- Plan your implementation
- SSPM introduction
- Education for personnel
- Operations and Continual Improvement
1. Understanding the security status of the SaaS used in your company and identifying needs and requirements
First, evaluate the SaaS that your company uses and identify potential vulnerabilities.
At the same time, clarify the legal regulations and compliance requirements that each company or organization must comply with.
2. Select SSPM
Compare multiple SSPM solutions and choose the one that best suits your company’s size and security needs. Consider the tool’s features, compatible SaaS, scope of application, customizability, support system, etc.
If possible, we recommend that you try out the free version to see how it works.
3. Develop an implementation plan
Consider the specific schedule, tasks, and division of roles for each person in charge, and create an implementation plan. Also include a schedule for notifying employees and training them.
There will be some implementation costs involved, so be sure to clarify your budget as well.
4. Introduction of SSPM
Deploy the selected SSPM in your production environment, including the various settings, configurations, and integrations with your existing SaaS.
Verify that it works correctly and that diagnostic items are investigated as expected.
5. Education for personnel in charge
Train the personnel in charge on how to use the SSPM solution and interpret security events, so that they learn how to use SSPM to check and respond to security settings.
In addition to educating those in charge, it is also important to encourage all employees to abide by the established “Security Policy for Cloud Use.”
6. Operation and continuous improvement
Through regular monitoring and analysis of diagnostic results, continuously operate and improve the use of SSPM.
Adjust settings and policies accordingly based on user feedback and new security requirements.
For SaaS environment configuration diagnosis, we also recommend the “Cloud Security Diagnosis” provided by professionals.
Like SSPM, there is a service called “Cloud Security Assessment” (also referred to as Cloud Security Diagnosis) that checks the configuration status of cloud environments.
Cloud Security Assessment is a service that regularly evaluates the settings and security status of the entire cloud environment, including SaaS, identifies potential vulnerabilities and configuration errors, and proposes improvements.
Differences between SSPM and Cloud Security Assessment
The main difference between SSPM and Cloud Security Assessment is whether the configuration status of the cloud environment is checked automatically or manually.
In the case of SSPM, the connection settings are made in advance and the settings checks are mainly performed automatically, but when preparing for implementation and operation, your company will need to configure what items to check.
In contrast, the distinguishing feature of cloud security assessments is that checks are performed “manually” by security experts.
Unlike a one-off “cloud security assessment” that is outsourced to a vendor, SSPM excels in terms of “sustainability” in that once implemented, it can continuously check settings.
▼Comparison between SSPM and cloud security assessment
 | Cloud Security Assessment | SSPM
---|---|---
Evaluated by | Humans (security experts) | Software
Flexibility | ○ (high) | × (low)
Number of diagnostic items | ○ | △
Diagnosis with the latest information | ○ | × (vendor dependent)
Sustainability | × (requires regular re-engagement) | ○
Response to changes in cloud service specifications | ○ | △
In-house expertise | Not required | Required
However, in terms of flexibility, such as always being able to check the latest diagnostic items and being able to respond to changes in the specifications of various cloud services, cloud security diagnosis performed by humans is preferable.
Another advantage of cloud security assessments is that, unlike SSPM, which requires a certain level of knowledge and experience to operate, the investigation can be left entirely to experts, making it available to anyone regardless of knowledge or experience.
If your company has someone knowledgeable about security and is able to operate the system in-house, you should consider SSPM. If your company has little knowledge about cloud computing and security and would like to outsource to professionals, you should consider using a cloud security assessment. It is a good idea to choose the appropriate service based on your company’s environment and objectives.