Time is running out for Australian financial institutions to meet a critical regulatory deadline. Australian financial service providers are rapidly moving to comply with the Australian Prudential Regulation Authority’s (APRA) CPS-230 by the July 2025 deadline. With eight months to go, businesses are looking for solutions that will enable them to comply with the legislation’s strict requirements for cyber risk identification, monitoring, assessment, and mitigation. This article looks at how SSPM and ITDR can help these organisations comply with the legislation.
Effective cybersecurity is a shared responsibility between SaaS providers and the organisations that use their services. In September 2018, APRA published an information paper titled “Outsourcing Involving Cloud Computing Services,” acknowledging the rapid growth of cloud computing, including SaaS. This paper highlights that services delivered through these channels are crucial for essential operations, categorizing tools like Microsoft 365 as material service providers. According to CPS 230, regulated entities must manage the risks associated with these service providers by implementing a comprehensive service provider management policy, establishing formal agreements, and conducting robust monitoring.
While SaaS offerings come with foundational security controls, the onus is on customers to address practical considerations such as configurations, user authentication methods, and connected applications. Each of these elements introduces potential risks that need to be effectively mitigated.
In essence, no matter how securely applications from vendors such as Salesforce and Microsoft are designed, the responsibility for the configurations and policies that allow users to share data publicly, connect third-party apps, or grant extensive permissions falls on the businesses using these systems. This division of responsibility is set out in the Shared Responsibility model for SaaS. Misconfigurations, overly permissive user roles, and compromised identities can expose applications to threat actors and lead to significant disruption, as the recent breach affecting Snowflake subscribers showed. Ultimately, responsibility for mitigating the risks listed above rests firmly with the customer.
Five Key Pillars to Securing a SaaS Estate
Considering the CPS-230 legislation and onerous financial penalties built therein, Australian-regulated financial services institutions should focus their SaaS security efforts on:
- Misconfiguration Management
- Identity and Access Governance
- Third-party Connected Applications
- Connected Device Posture
- Threat Detection
According to Kendal Watt, a cybersecurity expert from SaaS security firm Adaptive Shield,
“Managing configurations, user identities, devices, and connected apps are prevention-related security activities. They harden environments to shrink attack surfaces. For example, following the principle of least privilege reduces the number of employees with overly permissive access to key system configuration. If an employee with limited access has their identity compromised, the damage to the company will be limited as a result.
“Threat detection, on the other hand, is about detecting threats that manage to access the system. For example, if you have a user logged into two different applications at the same time from two different locations, it is likely that one of those logins is a threat and should be disabled pending an investigation.”
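The concurrent-login case Watt describes, as an added detection example that is not part of the original article or any vendor's product: a few constructed sign-in events are parsed, and any user whose logins overlap in time but come from different locations is flagged for disablement pending investigation. The log format, the field names and the eight-hour session window are assumptions for the illustration, not a real SaaS audit-log schema.

```python
"""
Flag users signed in from two different locations at the same time.
Added illustration: the log layout, field names and session window
below are assumed for the example, not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data).
SAMPLE_LOG = """\
2024-11-04T09:00:12Z user=alice@example.com app=Salesforce location=Sydney,AU action=login
2024-11-04T09:03:45Z user=alice@example.com app=Microsoft365 location=Sydney,AU action=login
2024-11-04T09:05:10Z user=bob@example.com app=Salesforce location=Melbourne,AU action=login
2024-11-04T09:07:30Z user=bob@example.com app=Microsoft365 location=Frankfurt,DE action=login
2024-11-04T11:40:00Z user=carol@example.com app=Salesforce location=Perth,AU action=login
2024-11-04T17:10:00Z user=carol@example.com app=Microsoft365 location=Perth,AU action=logout
"""

# Assumed session lifetime: two logins closer than this are treated as concurrent.
SESSION_WINDOW = timedelta(hours=8)


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_concurrent_sessions(events, window=SESSION_WINDOW):
    """Return one alert per pair of overlapping logins from different locations.

    Only 'login' actions are considered; a logout does not open a session.
    """
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append(e)

    alerts = []
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break  # later logins are outside the first session's window
                if first["location"] != second["location"]:
                    alerts.append({
                        "user": user,
                        "sessions": [
                            (first["app"], first["location"], first["ts"]),
                            (second["app"], second["location"], second["ts"]),
                        ],
                        # Response suggested in the text: disable pending investigation.
                        "recommended_action": "disable sessions and investigate",
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_concurrent_sessions(parse_events(SAMPLE_LOG)):
        print(alert["user"], "->", alert["recommended_action"])
        for app, loc, ts in alert["sessions"]:
            print("   ", ts.isoformat(), app, loc)
```

On the constructed events only bob is flagged: Melbourne and Frankfurt logins two minutes apart cannot both be legitimate. Alice's two logins share a location, and Carol's second event is a logout, so neither produces an alert. A real ITDR feed would add impossible-travel distance and time calculations and device context, but the core join on user, time window and location is what the example shows.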
The challenge for many financial institutions is finding the right tool to monitor their SaaS applications and secure their SaaS stack. This brings us to SaaS Security Posture Management (SSPM) and Identity Threat Detection & Response (ITDR).
The Shared Responsibility Model | SaaS
As defined within the Shared Responsibility model published by the United States National Security Agency, SaaS provides end-user capabilities such as email, storage, and data modelling. In this service model, the customer generally configures the service, manages access control policies, and secures their data. The Cloud Service Provider secures and maintains the hardware, operating system, networking, and application software. SaaS offerings have a wide range of security models and, consequently, customer responsibilities for these services vary.
Organisations must understand the details of their responsibilities for each offering that they use. CSP documentation and terms of service outline how the customers and CSPs share the responsibilities.
Using SSPM and ITDR to Comply with CPS-230
SSPMs (SaaS Security Posture Management) serve as essential preventive tools in SaaS security. Initially designed to monitor configurations and detect configuration drifts, today’s advanced SSPMs oversee every attack surface within SaaS applications.
In addition to managing misconfigurations, modern SSPMs place a strong emphasis on identity security. They track user access to applications, including the levels of access granted. SSPMs can identify former employees who still have access, dormant accounts that pose increased risk if compromised, and permissions assigned to external users.
Moreover, identity security extends to monitoring Non-Human Identities (NHI) such as service accounts, OAuth authentications, and API keys, ensuring these identities function as intended and are not exploited by threat actors.
SSPMs also maintain comprehensive device and app inventories. Device inventories catalog all devices that have accessed SaaS applications and link them to users. If issues arise, such as unmanaged devices or those with critical vulnerabilities, the system alerts the security team. App inventories review all connected applications, helping organizations identify shadow apps and assess the permissions granted to determine any high-risk applications.
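The identity, app and device checks described in the preceding paragraphs, worked through as one added example. This is illustrative code, not Adaptive Shield's or any other SSPM's implementation: the inventories, the HR roster, the 90-day dormancy threshold and the list of high-risk OAuth scopes are all constructed for the example, and a real product would pull these from the SaaS vendors' admin APIs and the HR system instead.

```python
"""
Posture checks over constructed SaaS inventories: former employees who
still hold access, dormant accounts, external users with elevated roles,
shadow apps with high-risk scopes, and unmanaged or vulnerable devices.
Added illustration; all data and thresholds below are assumptions.
"""
from datetime import date, timedelta

TODAY = date(2024, 11, 4)               # fixed so the example is deterministic
INTERNAL_DOMAIN = "example.com"         # assumed corporate domain
DORMANT_AFTER = timedelta(days=90)      # assumed dormancy threshold
ELEVATED_ROLES = {"admin", "owner"}     # assumed privileged role names
# Assumed high-risk OAuth scopes; names are constructed, not a vendor's list.
HIGH_RISK_SCOPES = {"files.read.all", "mail.read", "mail.send", "directory.readwrite"}

# Constructed HR roster: who is currently employed.
HR_ACTIVE_STAFF = {"alice@example.com", "carol@example.com"}

# Constructed SaaS user inventory as an SSPM would collect it.
SAAS_USERS = [
    {"user": "alice@example.com", "role": "admin", "last_login": date(2024, 11, 3)},
    {"user": "bob@example.com", "role": "admin", "last_login": date(2024, 10, 30)},
    {"user": "carol@example.com", "role": "user", "last_login": date(2024, 6, 1)},
    {"user": "dan@partner.example", "role": "admin", "last_login": date(2024, 11, 1)},
]

# Constructed connected-app inventory (OAuth grants into the tenant).
CONNECTED_APPS = [
    {"app": "Calendar Sync", "scopes": ["calendar.read"], "approved": True},
    {"app": "Unknown Export Tool", "scopes": ["files.read.all", "mail.read"], "approved": False},
]

# Constructed device inventory linking devices to the users who signed in from them.
DEVICES = [
    {"device": "LAPTOP-01", "user": "alice@example.com", "managed": True, "critical_vulns": 0},
    {"device": "PHONE-77", "user": "carol@example.com", "managed": False, "critical_vulns": 2},
]


def identity_findings(users, active_staff, internal_domain, today):
    """Former employees with access, dormant accounts, and external elevated users."""
    findings = []
    for u in users:
        name, domain = u["user"].split("@", 1)
        internal = domain == internal_domain
        if internal and u["user"] not in active_staff:
            findings.append(("former_employee_access", u["user"], u["role"]))
        if today - u["last_login"] > DORMANT_AFTER:
            findings.append(("dormant_account", u["user"], f"last login {u['last_login']}"))
        if not internal and u["role"] in ELEVATED_ROLES:
            findings.append(("external_elevated_access", u["user"], u["role"]))
    return findings


def app_findings(apps):
    """Shadow (unapproved) apps and apps holding high-risk scopes."""
    findings = []
    for a in apps:
        if not a["approved"]:
            findings.append(("shadow_app", a["app"], "not in approved list"))
        risky = sorted(HIGH_RISK_SCOPES.intersection(a["scopes"]))
        if risky:
            findings.append(("high_risk_scopes", a["app"], ",".join(risky)))
    return findings


def device_findings(devices):
    """Unmanaged devices and devices carrying critical vulnerabilities."""
    findings = []
    for d in devices:
        if not d["managed"]:
            findings.append(("unmanaged_device", d["device"], d["user"]))
        if d["critical_vulns"] > 0:
            findings.append(("critical_vulns", d["device"], f"{d['critical_vulns']} critical"))
    return findings


def run_posture_checks():
    """Return all findings; an SSPM would raise these to the security team."""
    return (identity_findings(SAAS_USERS, HR_ACTIVE_STAFF, INTERNAL_DOMAIN, TODAY)
            + app_findings(CONNECTED_APPS)
            + device_findings(DEVICES))


if __name__ == "__main__":
    for kind, subject, detail in run_posture_checks():
        print(f"{kind:26} {subject:24} {detail}")
```

Each finding maps back to one of the pillars listed earlier: the three identity findings are Identity and Access Governance, the two app findings are Third-party Connected Applications, and the two device findings are Connected Device Posture. Drift is caught by re-running the same checks against fresh inventories and diffing the result against the previous run.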
When integrated with Identity Threat Detection and Response (ITDR), SSPMs enhance threat detection capabilities significantly. The integration allows for a deeper understanding of user and app behavior, enabling more precise identification of threats entering the application.
As Watt noted, “The combination of SSPM and integrated ITDR represents the most effective strategy for securing SaaS applications and ensuring compliance with APRA’s CPS-230.”