How CPS 230 is Influencing the Future of SaaS Security in Australia
Quick Overview
- The deadline for compliance with the Australian Prudential Regulation Authority’s (APRA) CPS 230 is scheduled for July 2025.
- CPS 230 requires robust cybersecurity practices, compelling financial organisations to effectively manage cyber risks.
- Key tools for adherence to CPS 230 include SaaS Security Posture Management (SSPM) and Identity Threat Detection & Response (ITDR).
- The Shared Responsibility Model assigns the responsibility of configuring, securing, and managing SaaS environments to businesses.
- Essential pillars for SaaS security encompass Misconfiguration Management, Identity & Access Governance, Third-party Connected Applications, Connected Device Posture, and Threat Detection.
The CPS 230 Deadline: An Urgent Compliance Challenge
Australian financial institutions are hurrying to comply with the CPS 230 deadline set by the Australian Prudential Regulation Authority (APRA) for July 2025. This regulation imposes demanding standards for managing cyber risks, encompassing the identification, monitoring, assessment, and mitigation of cyber threats. With time running out, organisations are on the lookout for dependable solutions to ensure compliance.
A significant part of this compliance path involves addressing the cybersecurity risks associated with Software as a Service (SaaS) applications. SaaS Security Posture Management (SSPM) and Identity Threat Detection & Response (ITDR) are two critical tools that have emerged to help meet these requirements, and they are becoming indispensable for financial institutions aiming to protect their digital assets and avoid penalties.
The Shared Responsibility in SaaS Security
In September 2018, APRA recognised the growing reliance on cloud computing and SaaS solutions for vital operations. The APRA document “Outsourcing Involving Cloud Computing Services” pointed out that while SaaS providers deliver essential security controls, customers carry substantial responsibility for establishing proper security settings, user authentication practices, and overseeing connected applications.
The Shared Responsibility Model, which governs SaaS products, requires businesses to secure their data, configure services accurately, and manage access control policies. Even secure platforms like Salesforce or Microsoft 365 can expose risks if misconfigurations or inadequate access controls are not rectified. Recent incidents, such as breaches affecting Snowflake users, highlight the necessity of effective SaaS management.
Five Fundamental Pillars for Securing a SaaS Environment
To align with CPS 230 and avert severe financial consequences, Australian financial organisations must concentrate on the following five pillars of SaaS security:
1. **Misconfiguration Management:** Ensuring security settings are properly configured to prevent vulnerabilities.
2. **Identity and Access Governance:** Managing user roles and permissions to restrict access to critical systems.
3. **Third-party Connected Applications:** Overseeing and evaluating risks from third-party applications linked to the SaaS environment.
4. **Connected Device Posture:** Monitoring devices that access SaaS applications to guarantee they are secure and effectively managed.
5. **Threat Detection:** Identifying and addressing potential cyber threats, such as unauthorised logins or unusual user activity.
Kendal Watt, a cybersecurity expert from Adaptive Shield, underscores that while staying proactive through configuration management and access policies is crucial, threat detection plays a vital part in spotting threats that bypass these safeguards.
SaaS Security Posture Management (SSPM) and Identity Threat Detection & Response (ITDR)
The Importance of SSPM for CPS 230 Compliance
SaaS Security Posture Management (SSPM) tools are vital in ensuring that SaaS applications are configured accurately and stay secure. Initially centred on monitoring configuration parameters, modern SSPM systems now oversee a diverse range of attack surfaces, detecting misconfigurations, tracking user access, and ensuring adherence to best security practices.
SSPM solutions also play a role in managing identity security, a critical facet of SaaS operations. These tools can identify inactive accounts, external users with excessive permissions, and even former employees who still have access to company systems. Furthermore, SSPMs keep tabs on Non-Human Identities (NHI), such as service accounts and API keys, to protect them against misuse by attackers.
Bolstering Security with ITDR
Identity Threat Detection & Response (ITDR) tools complement SSPM in recognising potential security threats. ITDR enhances SaaS security by scrutinising user behaviour, spotting suspicious activities, and reporting possible threats. For example, ITDR can identify if a user tries to log in from two different locations at once, signalling a potentially breached account.
When integrated with SSPM, ITDR affords greater insights into user and application interactions, forming a robust alliance for identifying and reducing threats. This synergy is crucial for Australian financial institutions aiming to adhere to CPS 230 and secure their SaaS environments.
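The identity checks described above (inactive accounts, former employees who still hold access, privileged external users, service-account activity) and the ITDR example of one user logging in from two locations at once, as an added illustration that is not code from the original article or from any SSPM/ITDR vendor; the audit log, user directory, HR statuses, country codes and the reference time are all constructed sample data:

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed sample SaaS audit log (JSON lines); not from any real tenant.
SAMPLE_LOG = """
{"ts": "2025-03-01T09:00:00Z", "user": "alice@example.com", "event": "login", "country": "AU"}
{"ts": "2025-03-01T09:12:00Z", "user": "alice@example.com", "event": "login", "country": "RO"}
{"ts": "2025-03-01T10:00:00Z", "user": "bob@example.com", "event": "login", "country": "AU"}
{"ts": "2024-09-01T08:00:00Z", "user": "carol@example.com", "event": "login", "country": "AU"}
{"ts": "2025-03-01T11:00:00Z", "user": "svc-billing@example.com", "event": "api_call", "country": "AU"}
"""
# Constructed user directory joined with HR status, as an SSPM would ingest it.
DIRECTORY = {
    "alice@example.com": {"role": "admin", "hr_status": "active", "external": False},
    "bob@example.com": {"role": "user", "hr_status": "terminated", "external": False},
    "carol@example.com": {"role": "user", "hr_status": "active", "external": False},
    "dave@partner.example.net": {"role": "admin", "hr_status": "active", "external": True},
    "svc-billing@example.com": {"role": "admin", "hr_status": "active", "external": False},
}
NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)  # assumed "current" time for the sample data
def parse_log(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:  # normalise timestamps to aware UTC datetimes so they can be compared
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])
def impossible_travel(events, window=timedelta(hours=1)):
    """ITDR-style check: the same user logging in from two countries within the window."""
    findings, last_login = [], {}
    for e in [x for x in events if x["event"] == "login"]:
        prev = last_login.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            findings.append((e["user"], prev["country"], e["country"]))
        last_login[e["user"]] = e
    return findings
def posture_findings(directory, events, now, inactive_days=90):
    """SSPM-style identity checks: terminated users with access, inactive accounts, external admins."""
    last_seen, findings = {}, []
    for e in events:  # api_call events count too, so service accounts (NHI) are assessed as well
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    for user, attrs in directory.items():
        if attrs["hr_status"] == "terminated":
            findings.append(("terminated_user_has_access", user))
        seen = last_seen.get(user)
        if seen is None or now - seen > timedelta(days=inactive_days):
            findings.append(("inactive_account", user))
        if attrs["external"] and attrs["role"] == "admin":
            findings.append(("external_admin", user))
    return findings
def run_checks():
    events = parse_log(SAMPLE_LOG)
    return impossible_travel(events), posture_findings(DIRECTORY, events, NOW)
```

On the sample data, the ITDR check flags alice's AU-then-RO logins twelve minutes apart, and the posture check flags bob (terminated but still present), carol (no activity in 90 days), and dave (a never-seen external admin).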
The Shared Responsibility Model for SaaS
As set out in the United States National Security Agency’s (NSA) Shared Responsibility Model, SaaS providers are accountable for securing and maintaining the underlying infrastructure, including hardware, operating systems, and networks. However, it is the customer’s duty to configure the service, manage access controls, and secure their data.
Australian companies need to fully grasp their responsibilities within this model to comply with CPS 230. Documentation and service terms from Cloud Service Providers (CSP) will specify each service’s responsibilities, and it is essential for businesses to follow these protocols closely.
Conclusion
As the July 2025 deadline for CPS 230 compliance draws near, Australian financial institutions must focus on securing their SaaS environments. By utilising tools like SaaS Security Posture Management (SSPM) and Identity Threat Detection & Response (ITDR), businesses can reduce risk, manage configurations, and detect possible threats. The Shared Responsibility Model emphasises the customer’s accountability for the security of their SaaS applications, making it imperative for organisations to take a proactive stance in managing their cybersecurity. By adhering to the five pillars of SaaS security, financial service providers can achieve compliance with CPS 230 and protect their digital assets.
Q&A: Frequently Asked Questions About CPS 230 and SaaS Security
Q: What is CPS 230, and to whom does it apply?
A: CPS 230 is a regulatory framework set forth by the Australian Prudential Regulation Authority (APRA), mandating financial service providers to manage operational and cyber risks. It applies to all entities regulated by APRA, including banks, credit unions, and insurance firms.
Q: Why is SaaS security crucial for CPS 230 compliance?
A: SaaS applications are extensively utilised in financial services and often house sensitive information. CPS 230 requires that businesses manage risks associated with third-party service providers, including SaaS platforms. Errors in configurations or inadequate access controls can leave companies vulnerable to cyber threats, rendering SaaS security essential for compliance.
Q: What are SSPM and ITDR, and how do they facilitate CPS 230 compliance?
A: SaaS Security Posture Management (SSPM) tools help oversee and manage the security configurations of SaaS applications, while Identity Threat Detection & Response (ITDR) tools identify and counteract potential identity-based threats. Together, they ensure that SaaS applications remain secure and adhere to CPS 230 stipulations.
Q: How can organisations verify that they are meeting their obligations under the Shared Responsibility Model?
A: Organisations need to scrutinise the terms and conditions of their SaaS providers to comprehend their responsibilities in safeguarding data and managing access. Implementing SSPM and ITDR tools allows businesses to monitor configurations, track user permissions, and identify potential threats, ensuring compliance with obligations under the Shared Responsibility Model.
Q: What are the ramifications for a financial institution that does not comply with CPS 230 by the deadline?
A: Non-compliance with CPS 230 could lead to substantial financial penalties and reputational harm for APRA-regulated entities. It is essential for financial institutions to utilise the necessary tools and processes to meet compliance standards by the July 2025 deadline.