{"id":5045,"date":"2025-09-25T17:08:05","date_gmt":"2025-09-25T17:08:05","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5045"},"modified":"2025-09-25T17:08:05","modified_gmt":"2025-09-25T17:08:05","slug":"cloud-security-alliance-launches-framework-to-improve-saas-security","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5045","title":{"rendered":"Cloud Security Alliance launches framework to improve SaaS security"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Independent security experts have welcomed what\u2019s billed as the first standardized set of SaaS (software as a service) security controls.<\/p>\n<p>The <a href=\"https:\/\/cloudsecurityalliance.org\/blog\/2025\/09\/24\/introducing-the-saas-security-capability-framework-sscf-v1-0-raising-the-bar-for-saas-security\">SaaS Security Capability Framework (SSCF)<\/a>, launched this week and backed by the Cloud Security Alliance, is designed to close long-standing gaps in third-party risk management.<\/p>\n<p>The framework is designed to address the need for an industry standard that defines the minimum technical security capabilities SaaS applications should provide, particularly those that fall within the customer\u2019s scope under what\u2019s commonly known as the Shared Security Responsibility Model.<\/p>\n<p>Organizations have built sophisticated <a href=\"https:\/\/www.csoonline.com\/article\/1247904\/cloud-security-alliance-announces-new-zero-trust-security-credential.html\">zero trust architectures<\/a> around their on-premises and IaaS (infrastructure as a service) environments. By contrast, the security controls of SaaS applications have long been opaque.<\/p>\n<p>This disconnect creates a massive, unnecessary risk; it is that gap the SSCF aims to bridge. 
Publication of the guidance follows <a href=\"https:\/\/www.csoonline.com\/article\/4046407\/attackers-steal-data-from-salesforce-instances-via-compromised-ai-live-chat-tool.html\">recent attacks targeting Salesforce SaaS applications<\/a> that have focused industry attention on the broader question of how secure cloud-based applications are.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/lefteris-skoutaris\/\">Lefteris Skoutaris<\/a>, associate vice president for GRC Solutions at Cloud Security Alliance, said: \u201cThe SSCF addresses a critical gap in SaaS security by establishing the first industry standard for customer-facing security controls. This framework exemplifies CSA\u2019s mission to unite diverse industry partners (from SaaS providers to enterprise customers) in creating practical solutions that translate compliance requirements into actionable security capabilities that organizations can actually configure and enforce.\u201d<\/p>\n<p>SSCF specifies controls across six security domains:<\/p>\n<ul>\n<li>Change control and configuration management<\/li>\n<li>Data security and privacy lifecycle management<\/li>\n<li>Identity and access management<\/li>\n<li>Interoperability and portability<\/li>\n<li>Logging and monitoring<\/li>\n<li>Security incident management, e-discovery, and cloud forensics<\/li>\n<\/ul>\n<p>These domains are designed to map high-level business requirements into tangible SaaS security features that customers can actually configure and rely on, such as log delivery, SSO enforcement, secure configuration guidelines, and incident notification.<\/p>\n<p>The approach is designed to complement rather than replace business-focused security frameworks such as ISO 27001.<\/p>\n<p>\u201cThe SaaS Security Capability Framework represents a significant step forward for the industry,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/briansoby\/\">Brian Soby<\/a>, co-founder &amp; CTO of SaaS security posture vendor AppOmni, and SSCF lead author. 
\u201cIt provides a clear, consistent, and much-needed standard that will help organizations move past outdated risk assessments and truly build zero trust principles into their SaaS environments.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Toward more consistent SaaS security controls<\/h2>\n<p>The industry has long struggled with a lack of consistent SaaS security controls. Without an industry standard, enterprises, SaaS vendors, and security teams have ended up duplicating efforts or carrying unnecessary risks.<\/p>\n<p>The SSCF tackles this long-standing challenge by offering a practical framework of security capabilities that can be adopted by SaaS vendors, providing more consistency across the industry while reducing potential security risks.<\/p>\n<p>\u201cCSA\u2019s SSCF is a meaningful step forward for SaaS governance, setting clearer expectations for both vendors and buyers,\u201d said David Brown, SVP of international business at firewall policy management firm FireMon. \u201cBut a framework only reduces risk when translated into operational controls, specifically continuous network-policy visibility, tight egress controls, and automated compliance checks.\u201d<\/p>\n<p>Brown continued: \u201cOrganizations that pair SSCF requirements with real-time network posture verification can prove controls work and materially reduce SaaS-related risk.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Continuous validation<\/h2>\n<p>A growing share of internet traffic is <a href=\"https:\/\/www.csoonline.com\/article\/2514488\/what-is-fake-network-traffic-and-how-does-it-complicate-security-efforts.html\">generated by non-human actors<\/a>: bots, agents, and automated systems that interact with SaaS apps in ways traditional monitoring often misses.<\/p>\n<p>\u201cThe SSCF provides a much-needed benchmark for what \u2018secure by default\u2019 should look like in SaaS environments,\u201d said <a 
href=\"https:\/\/www.linkedin.com\/in\/mayurupadhyaya\/?originalSubdomain=uk\">Mayur Upadhyaya<\/a>, CEO at APIContext. \u201cIts focus on technical controls within the customer\u2019s scope is timely, especially as the boundaries between internal users, third-party integrations, and machine-driven traffic continue to blur.\u201d<\/p>\n<p>Upadhyaya added: \u201cA framework like SSCF can only be effective if it reflects this expanded surface area and encourages continuous validation, not just static configurations.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Next steps<\/h2>\n<p>If widely adopted, SSCF will offer enterprises more consistent security features across their SaaS portfolio. Vendors will know which security controls customers will expect.<\/p>\n<p>The next phase of the project will focus on turning the framework into something more practical by developing implementation and auditing guidelines and an assessment and certification scheme. Rather than offering checklists that vendors are encouraged to follow, SSCF aims to offer measurable security improvements.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Independent security experts have welcomed what\u2019s billed as the first standardized set of SaaS (software as a service) security controls. The SaaS Security Capability Framework (SSCF), launched this week and backed by the Cloud Security Alliance, is designed to close long-standing gaps in third-party risk management. 
The framework is designed to address the need for [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5046,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5045","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5045"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5045"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5045\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5046"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}