SaaS (Security as-if adding Salt) haha
Security is like salt. You need to add it at the right time, add just the right amount, and keep in mind the health and dietary needs. One can't really learn the art of salt unless one cooks, and eats what they cooked!
So here you go! My view of learning Security as if learning the art of salting.
What does this paradigm mean for, say, learning a SaaS cloud platform?
Well, it means: go ahead, get a trial Office 365 subscription*, set up the defaults, then start securing it, or as security people say, harden it. It escapes me why it is still called hardening; it feels neither Agile nor DevSecOps-y****, so let's say hardening is like the callus a pro player develops.
Anyway, unless one sets up a user, one will not experience the skipped or skimped password settings, and unless one assigns a role** one will not experience membership management issues. So go ahead: create a few fictitious users*** and assign them trial licenses and roles.
Furthermore, only after one sets up a few users can those users share data, and only by looking into the logs can one spot who is sharing what; without that, one won't understand the deep interconnectedness of, say, a breach of confidentiality and logging and monitoring. So go ahead: set up a SharePoint site or two for each user, share docs across users, and then go to the Admin center and look at the SharePoint file activity report.
Go ahead and post one of the fictitious users' IDs, and a different fictitious user's ID and password, on any social site or blog. Then wait for cyber criminals (some professionals see hacking, or the term hacker, as describing their job as a security professional and don't appreciate the term being used interchangeably with criminal or malicious actors) to attack you. Keep a close watch on your logs to see what happens. What will you do if you see unexpected reads on your SharePoint files? Well, you won't see them unless one of your Azure AD accounts is hacked, because SharePoint no longer accepts anonymous access.
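The "watch your logs to see who is sharing what and whether anything reads your files unexpectedly" step above, as an added Python example that is not from the original post: it parses a constructed export in the shape of a Microsoft 365 unified audit log (CreationDate, UserIds, Operations, AuditData JSON), summarizes sharing actions per user, and flags file reads or downloads from outside the address ranges your test users are expected to use. The sample rows, users, IP addresses, paths and network ranges are constructed, and the exact column set of a real export is an assumption.

```python
import csv, io, ipaddress, json

# Constructed sample in the shape of a Microsoft 365 unified audit log export
# (CreationDate, UserIds, Operations, AuditData as JSON). All values are invented.
SAMPLE_EXPORT = '''CreationDate,UserIds,Operations,AuditData
2024-03-01T09:02:11Z,alice@contoso.example,SharingSet,"{""Operation"":""SharingSet"",""UserId"":""alice@contoso.example"",""ClientIP"":""203.0.113.10"",""ObjectId"":""https://contoso.example/sites/team1/Shared Documents/plan.docx"",""TargetUserOrGroupName"":""bob@contoso.example""}"
2024-03-01T09:05:40Z,bob@contoso.example,FileAccessed,"{""Operation"":""FileAccessed"",""UserId"":""bob@contoso.example"",""ClientIP"":""203.0.113.11"",""ObjectId"":""https://contoso.example/sites/team1/Shared Documents/plan.docx""}"
2024-03-01T23:48:02Z,bob@contoso.example,FileDownloaded,"{""Operation"":""FileDownloaded"",""UserId"":""bob@contoso.example"",""ClientIP"":""198.51.100.77"",""ObjectId"":""https://contoso.example/sites/team1/Shared Documents/plan.docx""}"
2024-03-02T10:15:00Z,carol@contoso.example,AnonymousLinkCreated,"{""Operation"":""AnonymousLinkCreated"",""UserId"":""carol@contoso.example"",""ClientIP"":""203.0.113.12"",""ObjectId"":""https://contoso.example/sites/team2/Shared Documents/budget.xlsx""}"
'''

# Operation names as they appear in SharePoint audit records.
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated"}
READ_OPS = {"FileAccessed", "FileDownloaded"}

def parse_export(text):
    """One flat dict per row, with the fields of the AuditData JSON merged in."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({**row, **json.loads(row["AuditData"])})
    return events

def sharing_summary(events):
    """Who shared what: user -> list of (object, recipient or 'anyone with the link')."""
    summary = {}
    for e in events:
        if e["Operation"] in SHARING_OPS:
            target = e.get("TargetUserOrGroupName") or "anyone with the link"
            summary.setdefault(e["UserId"], []).append((e["ObjectId"], target))
    return summary

def unexpected_reads(events, expected_networks):
    """Reads/downloads whose client IP is outside the ranges your test users use."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    flagged = []
    for e in events:
        if e["Operation"] in READ_OPS:
            ip = ipaddress.ip_address(e["ClientIP"])
            if not any(ip in net for net in nets):
                flagged.append((e["CreationDate"], e["UserId"], e["ClientIP"], e["ObjectId"]))
    return flagged

if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    for user, items in sharing_summary(evts).items():
        print(user, "shared:", items)
    for hit in unexpected_reads(evts, ["203.0.113.0/24"]):
        print("UNEXPECTED READ:", hit)
```

Point `parse_export` at a real export from the audit log search and widen `expected_networks` to the ranges you actually log in from; anything flagged is the "unexpected read" the paragraph asks you to look for.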
Just doing the above four 'controls' gets you started, in a tactile manner, on your journey through NIST 800-53***** controls IA-5, AT-3, AC-5, AC-6, IR-8, AU-6, and other associated ones.
OK, now please remove the fictitious user IDs and unsubscribe, lest you end up paying Microsoft a bit more than you anticipated!
Happy Learning!
Srini Kasturi
* Even if you pay for the top-of-the-line subscription for a few months, as I see it you will still come out far cheaper than eating out for a month or two. Not too high a price to pay for the reward!
** For now, suffice it to say that a role has to do with what role people play along a business process, and a group has to do with what people belong to, such as a geographic location or a business unit.
*** URLs and menus you need
- https://admin.microsoft.com > Users (on the left-hand side) > Active users > Add a user
- https://admin.microsoft.com > Admin centers > SharePoint > SharePoint admin center > Sites > Active sites > Team site
- https://admin.microsoft.com > Admin centers > SharePoint > SharePoint admin center > Home
**** For now, suffice it to say that Agile is fast adjustments by the Project Manager to fast changes in business plays, and DevOps is fast adjustments by Developers and Operators to meet those changes in business plays.
***** URLs you will need: