SaaS Security (expanded): 59 items
SaaS Security → Tenant Isolation
Question: Does the SaaS enforce tenant isolation at data/execution with per-tenant keying?
Applicable Requirements:
- NIST 800-53: SC-4, SC-7, SC-28
- ISO 27001: A.14.2.7
- SOC 2: CC6.6
Applicability: Multi-tenant SaaS
Expected Result: Tenant ID validation on every access; row-level security (RLS); per-tenant keys or strict grants.
Why It Matters: Prevents cross-tenant leaks.
Technical Breakdown:
- Middleware enforces the tenant claim on every request; block cross-tenant joins.
- Pen tests include cross-tenant attempts.
SaaS Security → SSPM & Config Drift
Question: Is SaaS posture monitored for misconfig and drift?
Applicable Requirements:
- NIST 800-53: CA-7, RA-5
Applicability: Core SaaS (M365, Google, Slack, Salesforce)
Expected Result: Continuous checks; alert on public shares/legacy auth/weak MFA.
Why It Matters: Early detection of risky settings.
Technical Breakdown:
- Baseline desired config; ticket on drift; export to SIEM.
SaaS Security → OAuth App Governance
Question: Do you restrict third-party OAuth apps and review scopes/consent?
Applicable Requirements:
- NIST 800-53: AC-19, SI-4
Applicability: Google/M365/Slack/Salesforce
Expected Result: Admin consent workflows; block risky scopes; review tokens.
Why It Matters: Third-party OAuth grants are a SaaS-to-SaaS exfiltration path.
Technical Breakdown:
- Limit offline_access; alert on new app installs; remove dormant apps.
Deep Dive
- Concept: OAuth2 is an authorization framework; JWT is a token *format*. OAuth2 access tokens may be JWTs, but OAuth2 can use other formats too.
- RFC 6749: OAuth 2.0
- RFC 7519: JSON Web Token (JWT)
- AWS API Gateway: JWT authorizers
- Azure APIM: validate-jwt policy
- Google Cloud Endpoints/ESPv2: Auth
SaaS Security (Microsoft 365) → Audit Logging
Question: Are admin and data-access logs enabled with export to SIEM and ≥365d retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- SOC 2: CC7.3
Applicability: All tenants
Expected Result: Immutable logs; export API enabled; retention set; access restricted.
Why It Matters: Supports IR and legal holds.
Technical Breakdown:
- Enable advanced audit add-ons; WORM storage; sign logs.
SaaS Security (Microsoft 365) → Backup & Restore
Question: Are backups/versioning enabled and restores tested for RPO/RTO?
Applicable Requirements:
- NIST 800-53: CP-9, CP-10
Applicability: Business-critical data
Expected Result: Daily backups; quarterly restores; immutable copies; separate keys.
Why It Matters: Resilience to ransomware and operator error.
Technical Breakdown:
- Export APIs; cross-tenant isolation for backups; restore runbooks.
SaaS Security (Microsoft 365) → DLP & Sharing Controls
Question: Are DLP rules and external sharing controls enforced by sensitivity?
Applicable Requirements:
- NIST 800-53: MP-7, AC-4
Applicability: Docs/chat/code
Expected Result: Sensitivity labels; block external shares by default; exceptions approved.
Why It Matters: Prevents inadvertent data exposure.
Technical Breakdown:
- CASB policies; quarantine flows; owner reattestation.
SaaS Security (Microsoft 365) → Legacy/Basic Auth
Question: Is legacy/basic auth disabled tenant-wide?
Applicable Requirements:
- NIST 800-53: IA-2, AC-17
Applicability: Email/IMAP/POP/SMTP/API
Expected Result: Block legacy protocols; migrate to OAuth; enforce MFA.
Why It Matters: Legacy auth bypasses MFA and is abused.
Technical Breakdown:
- Conditional Access (CA) rules to block legacy protocols; metrics to show residual usage.
SaaS Security (Google Workspace) → Audit Logging
Question: Are admin and data-access logs enabled with export to SIEM and ≥365d retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- SOC 2: CC7.3
Applicability: All tenants
Expected Result: Immutable logs; export API enabled; retention set; access restricted.
Why It Matters: Supports IR and legal holds.
Technical Breakdown:
- Enable advanced audit add-ons; WORM storage; sign logs.
SaaS Security (Google Workspace) → Backup & Restore
Question: Are backups/versioning enabled and restores tested for RPO/RTO?
Applicable Requirements:
- NIST 800-53: CP-9, CP-10
Applicability: Business-critical data
Expected Result: Daily backups; quarterly restores; immutable copies; separate keys.
Why It Matters: Resilience to ransomware and operator error.
Technical Breakdown:
- Export APIs; cross-tenant isolation for backups; restore runbooks.
SaaS Security (Google Workspace) → DLP & Sharing Controls
Question: Are DLP rules and external sharing controls enforced by sensitivity?
Applicable Requirements:
- NIST 800-53: MP-7, AC-4
Applicability: Docs/chat/code
Expected Result: Sensitivity labels; block external shares by default; exceptions approved.
Why It Matters: Prevents inadvertent data exposure.
Technical Breakdown:
- CASB policies; quarantine flows; owner reattestation.
SaaS Security (Google Workspace) → Legacy/Basic Auth
Question: Is legacy/basic auth disabled tenant-wide?
Applicable Requirements:
- NIST 800-53: IA-2, AC-17
Applicability: Email/IMAP/POP/SMTP/API
Expected Result: Block legacy protocols; migrate to OAuth; enforce MFA.
Why It Matters: Legacy auth bypasses MFA and is abused.
Technical Breakdown:
- CA rules to block; metrics to show residual usage.
SaaS Security (Salesforce) → Audit Logging
Question: Are admin and data-access logs enabled with export to SIEM and ≥365d retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- SOC 2: CC7.3
Applicability: All tenants
Expected Result: Immutable logs; export API enabled; retention set; access restricted.
Why It Matters: Supports IR and legal holds.
Technical Breakdown:
- Enable advanced audit add-ons; WORM storage; sign logs.
SaaS Security (Salesforce) → Backup & Restore
Question: Are backups/versioning enabled and restores tested for RPO/RTO?
Applicable Requirements:
- NIST 800-53: CP-9, CP-10
Applicability: Business-critical data
Expected Result: Daily backups; quarterly restores; immutable copies; separate keys.
Why It Matters: Resilience to ransomware and operator error.
Technical Breakdown:
- Export APIs; cross-tenant isolation for backups; restore runbooks.
SaaS Security (Salesforce) → DLP & Sharing Controls
Question: Are DLP rules and external sharing controls enforced by sensitivity?
Applicable Requirements:
- NIST 800-53: MP-7, AC-4
Applicability: Docs/chat/code
Expected Result: Sensitivity labels; block external shares by default; exceptions approved.
Why It Matters: Prevents inadvertent data exposure.
Technical Breakdown:
- CASB policies; quarantine flows; owner reattestation.
SaaS Security (Salesforce) → Legacy/Basic Auth
Question: Is legacy/basic auth disabled tenant-wide?
Applicable Requirements:
- NIST 800-53: IA-2, AC-17
Applicability: Email/IMAP/POP/SMTP/API
Expected Result: Block legacy protocols; migrate to OAuth; enforce MFA.
Why It Matters: Legacy auth bypasses MFA and is abused.
Technical Breakdown:
- CA rules to block; metrics to show residual usage.
SaaS Security (Slack) → Audit Logging
Question: Are admin and data-access logs enabled with export to SIEM and ≥365d retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- SOC 2: CC7.3
Applicability: All tenants
Expected Result: Immutable logs; export API enabled; retention set; access restricted.
Why It Matters: Supports IR and legal holds.
Technical Breakdown:
- Enable advanced audit add-ons; WORM storage; sign logs.
SaaS Security (Slack) → Backup & Restore
Question: Are backups/versioning enabled and restores tested for RPO/RTO?
Applicable Requirements:
- NIST 800-53: CP-9, CP-10
Applicability: Business-critical data
Expected Result: Daily backups; quarterly restores; immutable copies; separate keys.
Why It Matters: Resilience to ransomware and operator error.
Technical Breakdown:
- Export APIs; cross-tenant isolation for backups; restore runbooks.
SaaS Security (Slack) → DLP & Sharing Controls
Question: Are DLP rules and external sharing controls enforced by sensitivity?
Applicable Requirements:
- NIST 800-53: MP-7, AC-4
Applicability: Docs/chat/code
Expected Result: Sensitivity labels; block external shares by default; exceptions approved.
Why It Matters: Prevents inadvertent data exposure.
Technical Breakdown:
- CASB policies; quarantine flows; owner reattestation.
SaaS Security (Slack) → Legacy/Basic Auth
Question: Is legacy/basic auth disabled tenant-wide?
Applicable Requirements:
- NIST 800-53: IA-2, AC-17
Applicability: Email/IMAP/POP/SMTP/API
Expected Result: Block legacy protocols; migrate to OAuth; enforce MFA.
Why It Matters: Legacy auth bypasses MFA and is abused.
Technical Breakdown:
- CA rules to block; metrics to show residual usage.
SaaS Security (Atlassian) → Audit Logging
Question: Are admin and data-access logs enabled with export to SIEM and ≥365d retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- SOC 2: CC7.3
Applicability: All tenants
Expected Result: Immutable logs; export API enabled; retention set; access restricted.
Why It Matters: Supports IR and legal holds.
Technical Breakdown:
- Enable advanced audit add-ons; WORM storage; sign logs.
SaaS Security (Atlassian) → Backup & Restore
Question: Are backups/versioning enabled and restores tested for RPO/RTO?
Applicable Requirements:
- NIST 800-53: CP-9, CP-10
Applicability: Business-critical data
Expected Result: Daily backups; quarterly restores; immutable copies; separate keys.
Why It Matters: Resilience to ransomware and operator error.
Technical Breakdown:
- Export APIs; cross-tenant isolation for backups; restore runbooks.
SaaS Security (Atlassian) → DLP & Sharing Controls
Question: Are DLP rules and external sharing controls enforced by sensitivity?
Applicable Requirements:
- NIST 800-53: MP-7, AC-4
Applicability: Docs/chat/code
Expected Result: Sensitivity labels; block external shares by default; exceptions approved.
Why It Matters: Prevents inadvertent data exposure.
Technical Breakdown:
- CASB policies; quarantine flows; owner reattestation.
SaaS Security (Atlassian) → Legacy/Basic Auth
Question: Is legacy/basic auth disabled tenant-wide?
Applicable Requirements:
- NIST 800-53: IA-2, AC-17
Applicability: Email/IMAP/POP/SMTP/API
Expected Result: Block legacy protocols; migrate to OAuth; enforce MFA.
Why It Matters: Legacy auth bypasses MFA and is abused.
Technical Breakdown:
- CA rules to block; metrics to show residual usage.
SaaS Security (GitHub) → Audit Logging
Question: Are admin and data-access logs enabled with export to SIEM and ≥365d retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- SOC 2: CC7.3
Applicability: All tenants
Expected Result: Immutable logs; export API enabled; retention set; access restricted.
Why It Matters: Supports IR and legal holds.
Technical Breakdown:
- Enable advanced audit add-ons; WORM storage; sign logs.
SaaS Security (GitHub) → Backup & Restore
Question: Are backups/versioning enabled and restores tested for RPO/RTO?
Applicable Requirements:
- NIST 800-53: CP-9, CP-10
Applicability: Business-critical data
Expected Result: Daily backups; quarterly restores; immutable copies; separate keys.
Why It Matters: Resilience to ransomware and operator error.
Technical Breakdown:
- Export APIs; cross-tenant isolation for backups; restore runbooks.
SaaS Security (GitHub) → DLP & Sharing Controls
Question: Are DLP rules and external sharing controls enforced by sensitivity?
Applicable Requirements:
- NIST 800-53: MP-7, AC-4
Applicability: Docs/chat/code
Expected Result: Sensitivity labels; block external shares by default; exceptions approved.
Why It Matters: Prevents inadvertent data exposure.
Technical Breakdown:
- CASB policies; quarantine flows; owner reattestation.
SaaS Security (GitHub) → Legacy/Basic Auth
Question: Is legacy/basic auth disabled tenant-wide?
Applicable Requirements:
- NIST 800-53: IA-2, AC-17
Applicability: Email/IMAP/POP/SMTP/API
Expected Result: Block legacy protocols; migrate to OAuth; enforce MFA.
Why It Matters: Legacy auth bypasses MFA and is abused.
Technical Breakdown:
- CA rules to block; metrics to show residual usage.
SaaS Security (ServiceNow) → Audit Logging
Question: Are admin and data-access logs enabled with export to SIEM and ≥365d retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- SOC 2: CC7.3
Applicability: All tenants
Expected Result: Immutable logs; export API enabled; retention set; access restricted.
Why It Matters: Supports IR and legal holds.
Technical Breakdown:
- Enable advanced audit add-ons; WORM storage; sign logs.
SaaS Security (ServiceNow) → Backup & Restore
Question: Are backups/versioning enabled and restores tested for RPO/RTO?
Applicable Requirements:
- NIST 800-53: CP-9, CP-10
Applicability: Business-critical data
Expected Result: Daily backups; quarterly restores; immutable copies; separate keys.
Why It Matters: Resilience to ransomware and operator error.
Technical Breakdown:
- Export APIs; cross-tenant isolation for backups; restore runbooks.
SaaS Security (ServiceNow) → DLP & Sharing Controls
Question: Are DLP rules and external sharing controls enforced by sensitivity?
Applicable Requirements:
- NIST 800-53: MP-7, AC-4
Applicability: Docs/chat/code
Expected Result: Sensitivity labels; block external shares by default; exceptions approved.
Why It Matters: Prevents inadvertent data exposure.
Technical Breakdown:
- CASB policies; quarantine flows; owner reattestation.
SaaS Security (ServiceNow) → Legacy/Basic Auth
Question: Is legacy/basic auth disabled tenant-wide?
Applicable Requirements:
- NIST 800-53: IA-2, AC-17
Applicability: Email/IMAP/POP/SMTP/API
Expected Result: Block legacy protocols; migrate to OAuth; enforce MFA.
Why It Matters: Legacy auth bypasses MFA and is abused.
Technical Breakdown:
- CA rules to block; metrics to show residual usage.
SaaS Security (Microsoft 365) → External Collaboration Policies
Question: Are external sharing and guest access constrained by sensitivity labels and approvals?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Microsoft 365) → Retention & eDiscovery
Question: Are legal holds/retention policies configured per data class?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Microsoft 365) → OAuth Token Hygiene
Question: Are long-lived refresh tokens limited and rotated?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Microsoft 365) → Privileged App Consent
Question: Is privileged app consent limited to security admins with approval workflow?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Google Workspace) → External Collaboration Policies
Question: Are external sharing and guest access constrained by sensitivity labels and approvals?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Google Workspace) → Retention & eDiscovery
Question: Are legal holds/retention policies configured per data class?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Google Workspace) → OAuth Token Hygiene
Question: Are long-lived refresh tokens limited and rotated?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Google Workspace) → Privileged App Consent
Question: Is privileged app consent limited to security admins with approval workflow?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Salesforce) → External Collaboration Policies
Question: Are external sharing and guest access constrained by sensitivity labels and approvals?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Salesforce) → Retention & eDiscovery
Question: Are legal holds/retention policies configured per data class?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Salesforce) → OAuth Token Hygiene
Question: Are long-lived refresh tokens limited and rotated?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Salesforce) → Privileged App Consent
Question: Is privileged app consent limited to security admins with approval workflow?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Slack) → External Collaboration Policies
Question: Are external sharing and guest access constrained by sensitivity labels and approvals?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Slack) → Retention & eDiscovery
Question: Are legal holds/retention policies configured per data class?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Slack) → OAuth Token Hygiene
Question: Are long-lived refresh tokens limited and rotated?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Slack) → Privileged App Consent
Question: Is privileged app consent limited to security admins with approval workflow?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Atlassian) → External Collaboration Policies
Question: Are external sharing and guest access constrained by sensitivity labels and approvals?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Atlassian) → Retention & eDiscovery
Question: Are legal holds/retention policies configured per data class?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Atlassian) → OAuth Token Hygiene
Question: Are long-lived refresh tokens limited and rotated?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (Atlassian) → Privileged App Consent
Question: Is privileged app consent limited to security admins with approval workflow?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (GitHub) → External Collaboration Policies
Question: Are external sharing and guest access constrained by sensitivity labels and approvals?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (GitHub) → Retention & eDiscovery
Question: Are legal holds/retention policies configured per data class?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (GitHub) → OAuth Token Hygiene
Question: Are long-lived refresh tokens limited and rotated?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (GitHub) → Privileged App Consent
Question: Is privileged app consent limited to security admins with approval workflow?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (ServiceNow) → External Collaboration Policies
Question: Are external sharing and guest access constrained by sensitivity labels and approvals?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (ServiceNow) → Retention & eDiscovery
Question: Are legal holds/retention policies configured per data class?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (ServiceNow) → OAuth Token Hygiene
Question: Are long-lived refresh tokens limited and rotated?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.
SaaS Security (ServiceNow) → Privileged App Consent
Question: Is privileged app consent limited to security admins with approval workflow?
Applicable Requirements:
- NIST 800-53: AC-3, MP-6, AU-9
- SOC 2: CC6.6
Applicability: Data-sharing and compliance scenarios.
Expected Result: Policies defined; exceptions logged; audits pass.
Why It Matters: Reduces exfiltration and compliance risk.
Technical Breakdown:
- Sensitivity labels; review external guests; attest privileged apps.