27 Sep 2022
Asset discovery, Cloud security

NCSC 2022 Cyber Essentials puts the spotlight on SaaS

Sally Soulliere, 4 minute read
Summary

This 2022 update is the biggest change in the NCSC Cyber Essentials technical controls since it launched and it marks a huge shift toward our modern environment, where decentralization is the new normal. We’ll offer some guidance about how to handle these new questions and how to satisfy auditors, partners, customers, and prospective clients. 

The 2022 National Cyber Security Centre’s (NCSC) Cyber Essentials certification questionnaire has made a huge shift to ensuring strong security controls for SaaS and cloud assets. This updated set of requirements stems from “feedback from assessors and applicants, as well as consultation with the Cloud Industry Forum,” NCSC said. Their full article on the changes is worth reading and they share some handy FAQs, as well. 

Most notably, NCSC explains the need for these updates in 2022: “The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the COVID-19 pandemic, which is now routine for many people.”

This 2022 update is the biggest change in the NCSC Cyber Essentials technical controls since it launched and it marks a huge shift toward our modern environment, where decentralization is the new normal. Pushing against it, or continuing to manage your IT and security as we did when assets were tucked safely behind a perimeter, simply won’t work anymore to ward off adversaries. The focus on cloud is meant to help organizations defend their SaaS estate by ensuring they and their employees are using cloud services securely to prevent attacks.

We’ll address some of the biggest changes to the Cyber Essentials technical controls in this article and offer a bit of guidance about how to handle these new questions and how to satisfy auditors, partners, customers, and prospective clients. 

SaaS Visibility

To provide answers that will satisfy auditors, organizations need to know not just which SaaS and cloud providers they’re working with, but also any others used within their business that have access to their data. This expanded scope means that you now need full visibility of what SaaS apps employees are using, even those outside of the company-sanctioned apps you’ve provided. See the example below from the questionnaire:

[Figure: NCSC’s Cyber Essentials question regarding third-party cloud services and apps]

MFA for SaaS 

NCSC has gone beyond just asking for visibility of all your cloud assets and has included questions about the security of those third-party services. They now ask whether multi-factor authentication (MFA) has been applied to all of the SaaS apps your company is using, at both the administrator and user level:

[Figure: Cyber Essentials questions regarding MFA on cloud services]

Strong passwords for SaaS

The new Cyber Essentials questionnaire also asks how you’re ensuring that employees are using secure passwords for their accounts, which includes all the SaaS apps they’re using for work. There are a lot of ways to satisfy this requirement, but one of the easiest is to use an automated tool that works directly with employees to improve weak passwords and to create unique passwords to replace those shared across multiple platforms:

[Figure: NCSC’s questions around password security]

We can help!

We’re pleased that NCSC has taken such a proactive approach to securing the cloud and that even smaller organizations need to address these issues. Many simply may not know how many cloud and SaaS assets are part of their SaaS estate, but we can help! 

Try Push for free to start getting visibility into employee SaaS use within minutes. We’re free for 10 users forever, so you can get real value without paying us a dime. Getting SaaS visibility is the easiest bit - from there, you can see the security of those SaaS accounts for each employee and admin, including:

  • whether they have MFA enabled, 

  • if they’re using a strong password, and 

  • if they’ve accessed the app using a secure option like a social login.

You’ll get an at-a-glance view of which apps employees are using:

[Figure: Push's SaaS discovery / visibility dashboard]

See account security details for each employee, including MFA and password security traits:

[Figure: Push's SaaS account details panel]

Get a high-level view of employee SaaS use and enable ChatOps so that we can work with them to improve their security, without your team having to do a thing:

[Figure: Push's employee dashboard of SaaS usage]

Let us guide your employees to fix issues with just a single click. They can remove dormant apps, improve passwords, enable MFA on each SaaS app that offers that feature, and more:

[Figure: Push's ChatOps sample message for dormant apps]

Learn more about how we can help you get the insights you need to complete your Cyber Essentials questionnaire by visiting our SaaS discovery page. 
