Darkreading.com reported that “Software-as-a-Service (SaaS) Infrastructure…may represent 70% to 80% or more of a company's IT these days. Between Microsoft 365, Google Workspace, Salesforce, AWS/Azure, and even software development tools, most of the digital crown jewels of companies today might exist on someone else's infrastructure.” The November 24, 2021 report entitled “When Will Security Frameworks Catch Up With the New Cybersecurity Normal?” included these comments about SaaS how “…the pandemic has also accelerated the disparity between large cybersecurity frameworks like ISO 27001 and the NIST Cybersecurity Framework”:
…. and the reality of most modern organizations, even ones that haven't gone 100% virtual.
This has been happening for years, but as the gaps widen between the security standards we have to follow and the actual security challenges on the ground, the frameworks are going to have to become more agile or risk becoming standards that cost a lot of money to comply with but have little to no effect on actual security.
Current frameworks either don't even mention SaaS or just lump it in with all third-party access. NIST finally released a Cloud Computing update in 2018 (SP 500-322), but it was already outdated when it came out.
Different approaches and controls are required for this type of infrastructure; encryption is often built in, but it may require special backup services or custom settings within the SaaS setup.
The built-in security features and tools are often impressive but offer limited customization. Frameworks need to adjust for this and update their guidance for these widely used platforms.
Given the use of SaaS this should give almost every business major concerns.