- Key insight: A new industry-wide framework now exists to evaluate the security of individual SaaS applications, rather than relying on broader company-level certifications.
- What's at stake: Without a standard, companies face "significant security challenges" and "unnecessary risk exposure" when using cloud-based software.
- Supporting data: Exploitation of weak or nonexistent multifactor authentication — a control covered by the framework — is the cause of 46% of SaaS breaches.
Overview bullets generated by AI with editorial review
A new security standard released Tuesday makes it easier for companies to judge the safety of the specific cloud-based tools they use every day.
For example, say a bank intends to use a suite of Amazon Web Services, or AWS, products to conduct data analytics. The framework provides a template the bank can use to evaluate the product suite against 36 specific security controls.
The SaaS Security Capability Framework, or SSCF, released Tuesday, outlines these "configurable, consumable and customer-facing security controls" that SaaS vendors can provide to their customers, including banks.
For companies that rely heavily on cloud-based operations, such as U.S. banks and credit unions, the absence until now of a standard for evaluating SaaS application security creates "significant security challenges" and leads to "unnecessary risk exposure," the Cloud Security Alliance said in the write-up.
The framework "enhances existing certifications by translating high-level principles for the SaaS vendor into actionable security capabilities that customers can directly configure and enforce," reads the framework. "It complements established compliance frameworks, such as SOC 2 and ISO 27001, by balancing robust security with the resource constraints of early-stage SaaS companies."
Focus on customer responsibility and critical controls
The framework focuses on customer-facing security controls within SaaS platforms. It aligns with the Shared Security Responsibility Model, emphasizing that the SaaS customer must manage security within the cloud, including securing data, managing user accounts and correctly configuring provided security settings. The framework highlights controls whose implementation the customer typically owns.
The framework organizes controls into six security domains: change control and configuration management; data security and privacy lifecycle management; identity and access management; interoperability and portability; logging and monitoring; and security incident management, e-discovery, and cloud forensics.
IAM controls paramount for data protection
The framework emphasizes identity and access management, calling these controls "paramount" to protecting customer data and ensuring platform integrity.
This focus is critical because overprivileged accounts caused 41% of SaaS breaches, and 58% of organizations struggle to enforce proper privilege levels across SaaS applications, according to the
The framework mandates that SaaS platforms support multifactor authentication, or MFA, enforcement. This control directly addresses a leading vulnerability: exploitation of weak or absent MFA caused 46% of SaaS breaches experienced by organizations, according to the survey released in April.
Nonhuman identities and AI threat management
The rise of AI and automation drives bot traffic, meaning nonhuman identities — such as API keys, bots and AI agents — represent an expanding security blind spot. More than half (56%) of organizations worry that third-party vendors and generative AI tools may gain overprivileged API access to sensitive data, according to the survey report.
The framework addresses this threat directly, requiring that SaaS platforms support the identification of nonhuman identities (their type, source, expiration and entitlements) and programmatic revocation of these bots by platform administrators.
The framework asserts that AI agents increasingly rely on credentials to access systems and perform tasks, making it "essential to implement strong operational controls" for nonhuman identity activity.
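As an added illustration, not code from the Cloud Security Alliance or from the article, here is the kind of audit a SaaS customer could run over a nonhuman-identity inventory that exposes the four attributes the framework names (type, source, expiration, entitlements). The inventory records, the per-type entitlement policy and the `revoke` callback are all constructed assumptions standing in for a vendor's real API.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

@dataclass(frozen=True)
class NonHumanIdentity:
    """One record as a platform would return it: type, source, expiration, entitlements."""
    id: str
    kind: str                      # "api_key", "bot" or "ai_agent"
    source: str                    # issuing integration or owner
    expires_at: Optional[datetime] # None means the credential never expires
    entitlements: frozenset[str]

# Constructed customer policy (an assumption): entitlements each identity type may hold.
ALLOWED_BY_KIND = {
    "api_key": frozenset({"read:reports"}),
    "bot": frozenset({"read:reports", "write:tickets"}),
    "ai_agent": frozenset({"read:reports"}),
}

# Constructed sample inventory and evaluation time, not real data.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    NonHumanIdentity("key-001", "api_key", "ci-pipeline", datetime(2026, 1, 1, tzinfo=timezone.utc), frozenset({"read:reports"})),
    NonHumanIdentity("bot-002", "bot", "chat-integration", None, frozenset({"read:reports", "write:tickets"})),
    NonHumanIdentity("agent-003", "ai_agent", "vendor-copilot", datetime(2024, 6, 30, tzinfo=timezone.utc), frozenset({"read:reports", "admin:users"})),
    NonHumanIdentity("key-004", "api_key", "unknown", datetime(2026, 3, 1, tzinfo=timezone.utc), frozenset({"write:tickets"})),
]

def audit(inventory: list[NonHumanIdentity], now: datetime) -> dict[str, list[str]]:
    """Return {identity id: reasons} for every identity that fails the expiration or entitlement checks."""
    findings: dict[str, list[str]] = {}
    for nhi in inventory:
        reasons = []
        if nhi.expires_at is None:
            reasons.append("no expiration set")
        elif nhi.expires_at <= now:
            reasons.append("expired")
        excess = nhi.entitlements - ALLOWED_BY_KIND.get(nhi.kind, frozenset())
        if excess:
            reasons.append("excess entitlements: " + ", ".join(sorted(excess)))
        if reasons:
            findings[nhi.id] = reasons
    return findings

def revoke_flagged(findings: dict[str, list[str]], revoke: Callable[[str], bool]) -> list[str]:
    """Call the platform's revocation endpoint (injected, hypothetical) once per finding; return ids it confirmed."""
    return [nhi_id for nhi_id in sorted(findings) if revoke(nhi_id)]
```

In practice `revoke` would wrap the vendor's administrator revocation call and the inventory would come from its configuration query; the audit logic itself is vendor-neutral.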
Visibility and configuration standards
The framework compels SaaS vendors to give customers the visibility they need to fulfill their security duties, requiring platforms to support the programmatic querying of all current security configurations, covering authentication, permissions and entitlements.
It also mandates that providers offer a security auditing role with read-only access to all security settings and logging data.
For security incident response, the framework requires providers to offer a security contact who will receive notifications during incidents.
Benefits for banking operations
The framework provides immediate utility for financial institutions managing extensive SaaS portfolios. For teams that manage third-party risk, the framework claims to offer "a baseline of security capabilities during SaaS vendor assessment, simplifying risk assessments and procurement processes."
This standardized approach for SaaS providers allows financial institutions to minimize friction in vendor onboarding and risk management, easing the assessment burden that the previous lack of a common approach across providers imposed.