
CISA Demands Federal Agencies Secure SaaS Apps. Here’s How to Get it Right.

Kate Turchin
Published December 23, 2024; updated September 8, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a new directive, Binding Operational Directive 25-01, requiring federal agencies to strengthen security across their Microsoft 365 SaaS environments. So far CISA has finalized secure configuration baseline (SCB) requirements only for Microsoft 365; it plans to release SCBs for Google Workspace and other SaaS applications in 2025.

CISA’s directive comes in response to a wave of breaches exploiting misconfigured SaaS environments and inadequate security measures, like accounts configured without multi-factor authentication (MFA). As agencies scramble to meet these requirements, the broader message for all organizations—public and private—is clear: securing SaaS ecosystems is no longer optional, it’s essential.

At Reco, we believe effectively securing SaaS applications like Microsoft 365 requires securing the entire SaaS lifecycle – from SaaS deployment through scaling, and beyond. Here’s what it takes:

1. Discover All Your SaaS Applications

The first step to securing SaaS applications is understanding what you're working with. The average organization operates 490 SaaS applications, such as Microsoft 365, Salesforce, Slack, and Snowflake. Of those 490, only 229 are authorized by IT, which leaves 261 apps per organization, on average, unauthorized and unmonitored. Without Security oversight, SaaS applications are often deployed with weak security settings, such as reused passwords, overly permissive roles, or no MFA. These applications may also integrate with business-critical applications like Microsoft 365, creating an attack path a threat actor can use to reach sensitive data.

The Reco platform uses AI-based graph technology to discover all SaaS applications across your organization, both authorized and unauthorized. It uncovers third-party apps, shadow applications used by employees, and shadow AI applications, including AI assistants and copilots that may be embedded in approved business tools.

→ Read Next: How Reco Discovers Shadow SaaS Applications and Shadow AI (Blog)

2. Gain Visibility into Your SaaS Ecosystem

SaaS ecosystems contain hundreds, sometimes thousands, of apps. Add into the mix all the app-to-app connections, identities, and permissions and you gain a picture of a highly complex web that is impossible to track manually. Most security teams are sending event logs to their SIEM or SOAR from a handful of core apps, but what about all the other apps that are not being monitored?

Reco provides visibility into every app, identity, and their actions so Security teams can understand what’s going on and remediate risks. The knowledge graph offers insight into who has access to what, how they’re authenticating, what permissions they have, and what actions they’ve taken. 

3. Unify Identities Across SaaS Applications

SaaS environments are made up of disparate applications, each with its own security settings. They are owned and managed by various business departments across the organization, from Sales and Engineering to HR and Finance. This makes the business more agile, but it creates blind spots for security, because managing security across many apps means toggling between many admin consoles and working with many different stakeholders.

To make matters more complex, every user gets a separate identity, with its own permission set, in every app. So consider a company with 1,000 users and 100 apps. That amounts to 100,000 unique identities to manage!

To simplify identity management in SaaS, Reco consolidates identities across multiple apps. With Reco, Security teams can manage access controls, roles, and permissions for all SaaS applications from a single console.

4. Continuously Monitor and Manage SaaS Posture

CISA specifically highlighted misconfigurations as a top attack vector. Attackers often gain initial access through unprotected accounts, weak MFA enforcement, or overly permissive settings. As CISA’s directive emphasizes, agencies must regularly audit and secure Microsoft 365 tenants to prevent breaches.

The best way to do this is with a SaaS Security Posture Management (SSPM) solution. SSPM provides continuous monitoring of SaaS application configurations and raises alerts when something is misconfigured. From enforcing MFA to identifying stale accounts and over-privileged roles, proactive posture management reduces the attack surface and minimizes the chance of a breach.
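The checks an SSPM runs are, at bottom, assertions over a periodic export of each tenant's settings and users. The following is an added example, not Reco's or CISA's code: it evaluates a constructed tenant snapshot (hypothetical format) for the three classes of weakness named above, MFA not enforced, stale enabled accounts, and an oversized privileged role, and returns findings with a stable check identifier so they can be routed to tickets or suppressed. The role name, the 90-day staleness window, and the administrator cap are assumptions; a real deployment uses the values its baseline mandates and pulls the data from the application's admin API.

```python
"""SSPM-style posture checks run over a constructed tenant snapshot.

Added example; not Reco's or CISA's code. The snapshot layout, the role name,
and the thresholds are assumptions for illustration. A real SSPM pulls this
data from each SaaS application's admin API on a schedule and diffs it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90         # assumed: flag enabled accounts with no sign-in for 90+ days
MAX_GLOBAL_ADMINS = 3   # assumed cap; use the number your baseline mandates
ADMIN_ROLE = "Global Administrator"

# Constructed sample export (hypothetical format), taken as of 2024-12-23.
SAMPLE_NOW = datetime(2024, 12, 23, 12, 0, tzinfo=timezone.utc)
SAMPLE_SNAPSHOT = {
    "settings": {
        "conditional_access_requires_mfa": False,  # weak: MFA not enforced tenant-wide
        "legacy_auth_allowed": True,               # weak: basic auth sidesteps MFA
    },
    "users": [
        {"upn": "alice@example.gov",   "enabled": True,  "mfa_enrolled": True,  "roles": [ADMIN_ROLE], "last_sign_in": "2024-12-20T09:00:00Z"},
        {"upn": "bob@example.gov",     "enabled": True,  "mfa_enrolled": False, "roles": [ADMIN_ROLE], "last_sign_in": "2024-12-19T14:00:00Z"},
        {"upn": "carol@example.gov",   "enabled": True,  "mfa_enrolled": False, "roles": [],           "last_sign_in": "2024-06-01T08:00:00Z"},
        {"upn": "dave@example.gov",    "enabled": True,  "mfa_enrolled": True,  "roles": [ADMIN_ROLE], "last_sign_in": "2024-12-22T11:00:00Z"},
        {"upn": "eve@example.gov",     "enabled": True,  "mfa_enrolled": True,  "roles": [ADMIN_ROLE], "last_sign_in": "2024-12-21T11:00:00Z"},
        {"upn": "svc-old@example.gov", "enabled": False, "mfa_enrolled": False, "roles": [],           "last_sign_in": "2024-01-15T08:00:00Z"},
    ],
}


@dataclass(frozen=True)
class Finding:
    check: str      # stable check identifier, used for alert routing and suppression
    severity: str   # critical / high / medium
    subject: str    # "tenant" or the affected user
    detail: str


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_posture(snapshot, now):
    """Return the Findings for one snapshot: tenant-wide settings first, then per user."""
    findings = []
    settings = snapshot["settings"]
    if not settings.get("conditional_access_requires_mfa", False):
        findings.append(Finding("mfa_not_enforced", "high", "tenant",
                                "no conditional access policy requires MFA for all users"))
    if settings.get("legacy_auth_allowed", False):
        findings.append(Finding("legacy_auth_allowed", "high", "tenant",
                                "legacy authentication protocols are enabled"))

    admins = []
    for user in snapshot["users"]:
        if not user["enabled"]:
            continue  # a disabled account cannot sign in, so it is not stale or unprotected
        upn = user["upn"]
        is_admin = ADMIN_ROLE in user["roles"]
        if is_admin:
            admins.append(upn)
        if not user["mfa_enrolled"]:
            if is_admin:
                findings.append(Finding("admin_without_mfa", "critical", upn,
                                        f"{ADMIN_ROLE} has no MFA method registered"))
            else:
                findings.append(Finding("user_without_mfa", "medium", upn,
                                        "no MFA method registered"))
        idle = now - _parse_ts(user["last_sign_in"])
        if idle > timedelta(days=STALE_DAYS):
            findings.append(Finding("stale_account", "medium", upn,
                                    f"enabled but no sign-in for {idle.days} days"))

    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(Finding("too_many_global_admins", "high", "tenant",
                                f"{len(admins)} users hold {ADMIN_ROLE}; cap is {MAX_GLOBAL_ADMINS}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. for a posture score or a ticketing threshold."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def run_sample():
    """Evaluate the constructed snapshot at its capture time."""
    return evaluate_posture(SAMPLE_SNAPSHOT, SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.check:24} {f.subject:22} {f.detail}")
    print(summarize(run_sample()))
```

On the sample the tenant-level checks fire twice, bob is reported as an administrator without MFA, carol is reported both as unprotected and as stale (205 days idle), the disabled service account is skipped, and four administrators exceed the assumed cap of three. Running the same evaluation on every snapshot and diffing the finding sets is what turns a one-off audit into continuous posture management.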

5. Detect and Respond to Threats in Real Time

Securing SaaS applications isn’t just about prevention; it’s about being able to identify live attacks in real time. For example, when an identity that typically logs in from the US suddenly logs in from China — that could be a sign of an active breach.

Reco provides alerts for suspicious activities such as unusual downloads, failed login attempts, or impossible travel. It integrates with your existing SIEM or SOAR so security operations teams can be notified within existing workflows and take appropriate actions.
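Impossible travel is the most mechanical of these detections: compare each sign-in with the same identity's previous one and compute the speed the user would have needed. The block below is an added example, not Reco's detection logic, run over a constructed, geo-enriched sign-in log (hypothetical schema). The 1,000 km/h threshold and the VPN egress allowlist are assumptions; the allowlist matters in practice because a user connecting to a corporate VPN or cloud proxy appears to jump cities and would otherwise page the SOC every morning.

```python
"""Impossible-travel detection over constructed SaaS sign-in events.

Added example; not Reco's code. The event schema, the coordinates attached to
each event, the speed threshold and the VPN allowlist are all assumptions.
Real pipelines attach lat/lon through an IP geolocation enrichment step.
"""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumed: above any commercial flight
EARTH_RADIUS_KM = 6371.0

# Assumed corporate VPN / cloud proxy egress addresses. A user switching onto
# the VPN appears to move cities, so these are excluded rather than alerted on.
KNOWN_EGRESS_IPS = {"192.0.2.7"}

# Constructed sign-in log (hypothetical schema), already geo-enriched.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-12-23T09:00:00Z", "ip": "198.51.100.10", "lat": 38.9072, "lon": -77.0369, "city": "Washington"},
    {"user": "alice", "ts": "2024-12-23T09:45:00Z", "ip": "203.0.113.5",   "lat": 39.9042, "lon": 116.4074, "city": "Beijing"},
    {"user": "bob",   "ts": "2024-12-23T08:00:00Z", "ip": "198.51.100.22", "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"user": "bob",   "ts": "2024-12-23T15:30:00Z", "ip": "203.0.113.40",  "lat": 51.5074, "lon": -0.1278,  "city": "London"},
    {"user": "carol", "ts": "2024-12-23T09:00:00Z", "ip": "198.51.100.31", "lat": 38.9072, "lon": -77.0369, "city": "Washington"},
    {"user": "carol", "ts": "2024-12-23T09:30:00Z", "ip": "192.0.2.7",     "lat": 50.1109, "lon": 8.6821,   "city": "Frankfurt"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH, egress_ips=KNOWN_EGRESS_IPS):
    """Compare each sign-in with the user's previous one and flag implausible speeds."""
    alerts = []
    last_seen = {}   # user -> most recent event that was not from a known egress IP
    for ev in sorted(events, key=lambda e: (e["user"], _parse_ts(e["ts"]))):
        if ev["ip"] in egress_ips:
            continue   # location belongs to the VPN/proxy, not the user
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (_parse_ts(ev["ts"]) - _parse_ts(prev["ts"])).total_seconds() / 3600
            dist_km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # two sign-ins at the same instant from different places is still impossible
            speed = dist_km / hours if hours > 0 else float("inf")
            if dist_km > 0 and speed > max_speed_kmh:
                alerts.append({
                    "user": ev["user"],
                    "from_city": prev["city"], "to_city": ev["city"],
                    "from_ip": prev["ip"], "to_ip": ev["ip"],
                    "minutes": round(hours * 60),
                    "distance_km": round(dist_km),
                    "speed_kmh": round(speed),
                })
        last_seen[ev["user"]] = ev
    return alerts


def run_sample():
    """Run the detector over the constructed log with the default settings."""
    return detect_impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['user']}: {a['from_city']} -> {a['to_city']} in {a['minutes']} min "
              f"({a['distance_km']} km, {a['speed_kmh']} km/h) {a['from_ip']} -> {a['to_ip']}")
```

On the sample only alice is flagged: Washington to Beijing in 45 minutes is roughly 11,000 km at well over 10,000 km/h. bob's New York to London sign-ins are 7.5 hours apart, which is a real flight, and carol's second sign-in comes from the allowlisted VPN egress, so neither produces an alert. In production the emitted dictionaries would be forwarded to the SIEM or SOAR as the paragraph above describes.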

→ Read Next: How Reco Uses Advanced Analytics to Detect Sophisticated Threats (Blog)

It’s Time for All Organizations to Cover Their SaaS

CISA’s new directive is a wake-up call for all organizations, not just federal agencies. SaaS applications have become the backbone of modern work, but securing them requires having the right tools and processes in place.

At Reco, we help organizations monitor and secure the entire SaaS lifecycle, from the moment an app is provisioned through upgrades and scaling. We currently support 130 apps! And that number is steadily growing, as we add 2-3 integrations per week. 

Ready to take the first step in securing your SaaS ecosystem? Reach out to schedule a demo of Reco.


Kate Turchin

ABOUT THE AUTHOR

Kate Turchin is the Director of Demand Generation at Reco.

Technical Review by:
Gal Nakash
