SaaS Data Security. PHOTO: Cybercrime Magazine.

NIST Cybersecurity Framework 2.0 and the SaaS Stack

The long-awaited update introduces important cybersecurity concepts

Hananel Livneh, Head of Product Marketing, Adaptive Shield

Tel Aviv, Israel – Feb. 29, 2024

Last week, the National Institute of Standards and Technology (NIST) released its long-awaited update to its cybersecurity framework. NIST Cybersecurity Framework (CSF) 2.0 introduces important cybersecurity concepts, the most visible of which is the governance circle that touches on each of its five pillars.

In the nearly six years since version 1.1 was released, the software industry has gone through significant changes, and many of the updates in NIST can be attributed to and used to secure SaaS applications. Govern, which is used to monitor an organization’s cybersecurity risk management strategy, expectations, and policy, is critical in SaaS security.

SaaS applications have numerous attack vectors; adding Govern to the process will help organizations better understand the risks inherent in SaaS, as well as available solutions. Here is a look at how Govern functions and comes together with NIST’s five pillars to form the foundation of SaaS security.

Governance Over the SaaS Stack

It’s worth noting that NIST CSF 2.0 doesn’t directly address SaaS security. Rather, it offers a framework that can be applied to any number of cybersecurity installations, including securing the SaaS stack. For example, under Govern, it discusses understanding risk management as it relates to third-party suppliers. When applied to SaaS, this can mean understanding the risk external admins or third-party app integrations pose to your organization.

Organizations must understand who their SaaS security stakeholders are. This includes the security team, as well as the app owners who control the applications. App configurations should be aligned with corporate policy, and adequate resources should be allocated for SaaS security. Governance also includes establishing policies, processes, and procedures to manage risk.

Read about how to apply the NIST 2.0 guidelines to your SaaS stack.

Develop a Deep Understanding of the SaaS Stack

Identify is the first NIST CSF 2.0 pillar. It recommends that organizations manage cybersecurity risk through their deep understanding of systems, users, assets, data, and capabilities. When looked at through a SaaS lens, that means identifying risk that comes from user accounts and behaviors as well as configurations and resources.

Identifying high-risk settings within the SaaS applications is of high importance. Those involved in SaaS security must be aware of the location of all sensitive assets, as well as their access permissions. Identifying all users is the second half of the pillar. Using a central repository to identify internal and external users, their permissions within each application, and the apps they can access should be a priority. Special attention should be paid to high-permission users, such as admins, and the devices they use to access the SaaS apps.

Placing Safeguards Around the SaaS Environment

Adding protective measures is a key principle of NIST CSF 2.0. From a SaaS perspective, that means managing identities and credentials for all users, and authenticating them using MFA or SSO. It also requires limiting access to authorized users, using role-based access control, to adhere to the Principle of Least Privilege (POLP).

SaaS applications contain a wealth of valuable data, which makes them attractive to threat actors. Deprovisioning former employees, adding password controls to documents, and disconnecting unused third-party applications reduce the possibility of data leakage. 

Detecting Threats in the SaaS Stack

The third pillar in the NIST framework is the need to detect cybersecurity events taking place. To be truly effective in a SaaS environment, threat detection capabilities require a holistic view of the entire SaaS stack. Identity Threat Detection & Response (ITDR) capabilities that focus on each app individually will miss out on events, such as a user who logs into multiple applications at the same time using a different browser or operating system.

SaaS threat detection goes beyond the capabilities of standard ITDR solutions, which typically are not designed to understand the complex nature of SaaS environments. It requires the ability to monitor and analyze logs for anomalous behavior from both human and non-human accounts. SSPM solutions include ITDR capabilities and identify subtle and sophisticated identity-centric threats such as users who gain access following password-based attacks, unlikely travelers, and those who have anomalies in their IP address.

Responding To and Recovering From Threats

When threat actors manage to get past access control points, NIST recommendations position organizations for limited damage and fast recovery. SaaS response and recovery is similar in many ways to any other asset that was attacked. However, due to the distributed nature of SaaS applications, a breach in one application is often an isolated event.

Following NIST guidelines, organizations should have full visibility into any actions taken by threat actors. That events log should be stored securely outside the application, where it can be referred to in an investigation and is safe from changes implemented by threat actors to cover their tracks. 

To ensure a full recovery, SaaS owners should ensure that their backup settings are configured correctly. Furthermore, they should monitor users with access to the backup files. 

Protection Through Comprehensive Policies

Aligning SaaS security with NIST recommendations should be standard practice for organizations. Adding the Govern function to NIST’s Cybersecurity Framework emphasizes the value placed on monitoring the SaaS stack. SaaS Security Posture Management (SSPM) platforms are ideal for applying NIST standards to SaaS applications.

SSPMs monitor the entire SaaS stack, providing visibility into configurations and alerting users when misconfiguration places the application at risk. It monitors user accounts, including non-human accounts, to prevent data leakage and threats that can come from user accounts. SSPMs also detect and monitor third-party applications, alerting users when apps appear malicious or request sensitive scopes.

ITDR, built into the SSPM platform, supports NIST adherence by reviewing logs, monitoring activities, and detecting anomalies. It combines Indications Of Compromises (IOC) to understand the true nature of a threat, and activates automated processes when threats are detected.

The NIST framework offers a structured risk management approach. In the world of SaaS, those guidelines are best adhered to through an SSPM and ITDR platform.

Download the NIST guidelines checklist to align your SaaS stack with the framework.

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political Science and Philosophy (PPE). Oh, and he loves mountain climbing.

About Adaptive Shield

Adaptive Shield, leader in SaaS Security, enables security teams to secure their entire SaaS stack through threat prevention, detection and response. With Adaptive Shield, organizations continuously manage and control all SaaS apps, including 3rd-party connected apps, as well as govern all SaaS users and risks associated with their devices. Founded by Maor Bin and Jony Shlomoff, Adaptive Shield works with many Fortune 500 enterprises and has been named Gartner® Cool Vendor™ 2022. For more information, visit us at or follow us on LinkedIn.