Web services have become an indispensable part of everyday business. They offer flexibility, enable easy data exchange and access to applications without installation. But these advantages also entail security risks. To minimize these risks, the Association of the Automotive Industry (VDA) has developed the Information Security Assessment (ISA). Chapter 1.3.3 of the VDA ISA specifies how companies must assess and approve external IT services before they are used.
This is where Microsoft Cloud App Security (MCAS), which Microsoft has since renamed Microsoft Defender for Cloud Apps, comes in. As a SaaS security solution, MCAS provides visibility into cloud and web application usage, data controls, and threat protection. It acts as a Cloud Access Security Broker (CASB) that helps enforce security policies and control access to cloud apps.
MCAS helps ensure that data does not disappear into shadow IT.
In this article, I'll explain how you can use Microsoft Cloud App Security to meet the requirements of the VDA ISA. I'll cover how MCAS helps assess and monitor web services, mitigate risks, and protect sensitive data. This helps you meet strict security and compliance requirements while still being able to use the web services you have approved.
The requirements of VDA ISA Chapter 1.3.3
To what extent is it ensured that only evaluated and approved external IT services are used for processing the organization’s information assets?
Particularly in the case of external IT services that can be used at relatively low cost or free of charge, there is an increased risk that procurement and commissioning will be carried out without appropriate consideration of the information security requirements and that security therefore is not ensured.
Many companies use web services from third-party providers. These services can pose significant security risks, especially if they are used without official review and approval. To ensure that such services are used securely, the VDA ISA sets out (must) requirements that allow no exceptions:
+ External IT services are not used without explicit assessment and implementation of the information security requirements:
- A risk assessment of the external IT services is available,
- Legal, regulatory, and contractual requirements are considered.
External IT services must not be used without a thorough assessment and approval. This means that a documented risk assessment must be carried out for each service before it is used. This assessment should establish that the service is secure and meets the necessary information security requirements. The assessment must also check whether the service complies with all relevant legal, regulatory and contractual requirements, for example data protection laws, industry-specific regulations and contractual obligations towards customers.
+ The external IT services have been harmonized with the protection need of the processed information assets.
Each service used must be tailored to the protection requirements of the data being processed. This means that particularly sensitive data may only be processed via services that have appropriate security precautions in place. These security measures must ensure that the data is protected from unauthorized access and loss.
Both of these requirements are non-negotiable and allow no exceptions. They ensure that only tested and approved web services are used in the company. This is crucial to ensure the security of the data.
Chapter 1.3.3 also contains (should) requirements. These must be implemented in principle; a deviation is only acceptable if it is justified and documented:
+ Requirements regarding the procurement, commissioning and release associated with the use of external IT services are determined and fulfilled.
This means that the company has defined clear processes and criteria for how external web services are procured, tested and approved. Before a service is used, all security requirements must be reviewed and confirmed. This ensures that only services that meet the company's security and compliance requirements are used.
+ A procedure for release in consideration of the protection need is established.
This means that a defined process exists to ensure that only web services are used that meet the protection needs of the data being processed. The protection needs are assessed based on the sensitivity of the data and the risks that could arise from the service. Only services that pass this assessment and are approved accordingly may be used.
+ External IT services and their approval are documented.
This means that the company maintains complete and up-to-date documentation of all external IT services used and their approval status. This documentation includes detailed information on which services are used, which security assessments have been carried out and who has granted approval. This transparency is crucial to keep track of the IT infrastructure and to be able to prove that all services have been properly reviewed and approved.
+ It is verified at regular intervals that only approved external IT services are used.
This requirement means that there are regular checks to ensure that no unauthorized web services are being used. This helps prevent shadow IT and ensures that all services in use meet the established security standards. These checks are an important part of ongoing security monitoring: they keep the service inventory current and surface potential security gaps early.
Implementing the requirements with MCAS
+ External IT services are not used without explicit assessment and implementation of the information security requirements:
- A risk assessment of the external IT services is available,
- Legal, regulatory, and contractual requirements are considered.
Microsoft Cloud App Security (MCAS) helps organizations ensure that no external IT services are used without a prior security assessment. Its Cloud Discovery feature identifies the cloud applications in use from the traffic logs of firewalls and proxies, or from endpoint telemetry when Microsoft Defender for Endpoint is integrated, and rates each detected application against the Cloud App Catalog. This analysis includes:
Risk assessment: MCAS evaluates each application against a variety of security criteria, including data encryption, security certificates, authentication procedures, and the history of security incidents. This risk assessment gives companies a clear overview of which applications can be used safely and which ones pose potential risks.
Consideration of legal, regulatory and contractual requirements: The Cloud App Catalog records which standards an application attests to, such as ISO 27001, industry-specific regulations and data protection laws such as the GDPR. This gives the company a documented basis for its own legal and contractual assessment; it does not replace that assessment, because contractual obligations towards customers and the actual processing purpose are only known to the company itself.
Microsoft evaluates cloud applications against a variety of criteria to determine a comprehensive risk score. These criteria cover several categories, including general information, security features, compliance standards, and legal notices. Here are the specific evaluation aspects in detail:
General information
Application category: Assignment to a specific category, such as productivity or development tools.
Year of establishment: The year in which the application provider was founded.
Domain registration: Information about the application's registered domain, which can provide an indication of the legitimacy of the provider.
Headquarters: Geographical location of the company headquarters.
Data center locations: Countries where the application’s data centers are operated.
Ownership: Whether the provider is privately held or publicly traded.
Privacy policies: Availability and quality of privacy policies.
Data storage and processing: location and manner of data processing.
Security features
Last security breach: Information about whether and when the application suffered a security breach.
Monitoring measures: Implementation of mechanisms to monitor and log data access.
Data classification: Support for categorizing and classifying data.
Valid certificates: Whether the service presents a valid, current TLS certificate.
SAML (Security Assertion Markup Language) support: Ability to use SAML for authentication.
Multi-factor authentication: Support and implementation of MFA for access.
Encryption methods: Encryption of data at rest and data in motion.
Patch management: Updating and managing security patches.
Penetration testing: Conducting penetration tests to identify vulnerabilities.
Compliance standards
International standards: Compliance with standards such as ISO 27001, ISO 27018, SOC 2, and PCI DSS.
Industry-specific requirements: Compliance with industry-specific standards such as HIPAA (healthcare), FERPA (education), and COPPA (child protection).
Data protection governance: Implementing governance practices to ensure data protection.
Certifications and audits: Existence of certifications and regular audits that confirm security practices and compliance.
Legal notice and data protection
Privacy policy: Transparency and clarity of privacy policies, including the handling of user data.
GDPR compliance: Compliance with the requirements of the European General Data Protection Regulation (GDPR), particularly with regard to data processing and user rights.
Reporting of breaches: Processes for reporting data protection breaches and protecting user rights.
These criteria can help organizations make informed decisions about cloud and web application usage and approval by assessing security and compliance risk.
+ The external IT services have been harmonized with the protection need of the processed information assets.
MCAS makes it possible to identify the external IT services (cloud and web applications) in use and to carry out a risk assessment for each of them. On this basis, the company can specify whether, and which, classified information may be processed in a given service. Aligning the permitted data classification with the risk assessment helps minimize the risk of data loss or misuse.
+ Requirements regarding the procurement, commissioning and release associated with the use of external IT services are determined and fulfilled.
MCAS enables detection and assessment of the web services in use. It collects detailed information on security measures, such as data encryption, support for multi-factor authentication and the presence of valid security certificates. The solution uses this information to produce a risk score, which the company can use as input for its approval decision. At the same time, the risk assessment factors offer a good starting point for defining the company's own requirements for the procurement, commissioning and approval of external IT services.
+ A procedure for release in consideration of the protection need is established.
MCAS enables organizations to create policies that regulate access to web services based on the protection needs of the data being processed: applications can be tagged as sanctioned or unsanctioned, and session policies (via Conditional Access App Control) can restrict what users may do in a sanctioned application, for example blocking uploads of files that carry a sensitivity label above what the service is approved for.
+ External IT services and their approval are documented.
MCAS offers reporting and documentation functions that enable companies to document the web services in use and their approval status: the Cloud Discovery reports list the detected applications together with their risk score, usage and sanctioned/unsanctioned tag, and can be exported for the approval register.
+ It is verified at regular intervals that only approved external IT services are used.
The solution provides continuous monitoring and control mechanisms. It checks whether the services in use comply with the defined policies and can block unsanctioned services, provided an enforcement point is in place: either the integration with Microsoft Defender for Endpoint, which blocks access on managed devices, or block scripts that MCAS generates for the company's firewalls and proxies. This helps ensure that only approved and rated web services are used, minimizing the risk of shadow IT.
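The release procedure based on protection need, the approval register and the regular check for unapproved services described above can be expressed as a small script. The following is an added example, not code from the original article or from Microsoft: the attribute names, the protection-need tiers, the allowed data center countries, the breach lookback and all sample data are assumptions constructed for illustration, not the product's schema or real vendor data. In practice the catalog records would come from the Cloud App Catalog and the discovery log from a Cloud Discovery export.

```python
"""Added example: gate external services by protection need, document the
decision, and check discovery data for unapproved apps. All field names,
tiers and sample data are constructed assumptions for this example."""
from datetime import date

# Catalog attributes an app must satisfy per protection need of the data
# that will be processed in it (assumed tiers, loosely modelled on VDA ISA
# protection-need classes).
RULES = {
    "normal": {"valid_certificate": True},
    "high": {"valid_certificate": True, "encryption_at_rest": True,
             "encryption_in_transit": True, "mfa": True, "gdpr": True},
    "very high": {"valid_certificate": True, "encryption_at_rest": True,
                  "encryption_in_transit": True, "mfa": True, "gdpr": True,
                  "saml": True, "iso27001": True, "soc2": True},
}
ALLOWED_DC = {"DE", "IE", "NL"}   # data center countries allowed for "very high" (assumption)
BREACH_LOOKBACK_DAYS = 365        # a newer breach blocks approval above "normal" (assumption)


def assess(app, need, today=date(2024, 6, 1)):
    """Return (approved, reasons) for processing data of protection need
    `need` in `app`. `reasons` lists every unmet requirement."""
    if need not in RULES:
        raise ValueError(f"unknown protection need: {need}")
    reasons = []
    for attr, required in RULES[need].items():
        if app.get(attr) != required:         # missing key counts as not met
            reasons.append(f"missing {attr}")
    breach = app.get("last_breach")
    if need != "normal" and breach and (today - breach).days < BREACH_LOOKBACK_DAYS:
        reasons.append("breach within lookback")
    if need == "very high":
        centers = set(app.get("data_centers", []))
        outside = centers - ALLOWED_DC
        if not centers or outside:
            reasons.append(f"data centers outside allowed regions: {sorted(outside) or 'unknown'}")
    return (not reasons, reasons)


def build_register(catalog, requests, approver, today=date(2024, 6, 1)):
    """Document every approval request: app, protection need, decision,
    reasons, approver and date. `requests` maps app name -> protection need."""
    by_name = {a["name"]: a for a in catalog}
    register = []
    for name, need in requests.items():
        app = by_name.get(name)
        if app is None:
            ok, reasons = False, ["not in catalog"]
        else:
            ok, reasons = assess(app, need, today)
        register.append({"app": name, "need": need, "approved": ok, "reasons": reasons,
                         "approved_by": approver if ok else None, "date": today.isoformat()})
    return register


def unapproved_in_use(discovered, register):
    """Regular check: apps seen in discovery traffic without a current approval."""
    approved = {r["app"] for r in register if r["approved"]}
    return sorted({d["app"] for d in discovered if d["app"] not in approved})


# Constructed catalog records (not real vendors or real attribute values).
CATALOG = [
    {"name": "DocVault", "valid_certificate": True, "encryption_at_rest": True,
     "encryption_in_transit": True, "mfa": True, "saml": True, "gdpr": True,
     "iso27001": True, "soc2": True, "data_centers": ["DE", "IE"], "last_breach": None},
    {"name": "QuickShare", "valid_certificate": True, "encryption_at_rest": False,
     "encryption_in_transit": True, "mfa": False, "saml": False, "gdpr": True,
     "iso27001": False, "soc2": False, "data_centers": ["US"], "last_breach": date(2024, 3, 15)},
    {"name": "PasteBoard", "valid_certificate": False, "data_centers": [], "last_breach": None},
]
REQUESTS = {"DocVault": "very high", "QuickShare": "high", "PasteBoard": "normal"}
# Constructed discovery log: apps observed in proxy traffic, with user counts.
DISCOVERED = [{"app": "DocVault", "users": 120}, {"app": "QuickShare", "users": 8},
              {"app": "PasteBoard", "users": 3}, {"app": "RandomCloudNotes", "users": 2}]

if __name__ == "__main__":
    register = build_register(CATALOG, REQUESTS, approver="ciso@example.invalid")
    for entry in register:
        print(entry)
    print("unapproved apps in use:", unapproved_in_use(DISCOVERED, register))
```

The check for unapproved apps is deliberately independent of the catalog: an application that was never submitted for approval (RandomCloudNotes in the sample) is reported just like one that was rejected, which is exactly the shadow IT case the regular verification is meant to catch.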
Zscaler and Netskope as Alternatives to Microsoft Cloud App Security
In addition to Microsoft Cloud App Security (MCAS), there are other powerful solutions for securing the use of external web services. Two of these are Zscaler and Netskope, both cloud security providers offering comprehensive protection measures to ensure the safe use of IT services.
Secure Internet and Web Access
Zscaler and Netskope let companies route internet and web traffic through a cloud security service. Both solutions inspect incoming and outgoing traffic for threats and can block access to unsafe or unauthorized services, which helps protect organizations from attacks and data loss by preventing the use of unapproved services.
Threat Protection and Compliance
Like MCAS, Zscaler and Netskope offer features to enforce security policies and meet legal requirements. They scan data traffic to ensure that only compliant services are used. These solutions help meet the stringent requirements of the VDA ISA, particularly in protecting sensitive data.
Risk Assessment and Control
Both Zscaler and Netskope assess the security of external web services by identifying vulnerabilities and evaluating risks. Companies can set policies that regulate access to specific services based on their risk assessments. This ensures that only vetted and secure services are used, reducing the risk of shadow IT.
Integration and User-Friendliness
Zscaler and Netskope integrate with existing IT infrastructures and offer tools for managing and monitoring security policies. This allows companies to track which services are being used and how they are rated, simplifying the management and enforcement of security standards.
Both Zscaler and Netskope, alongside MCAS, provide comprehensive security features to protect the use of external web services. Depending on their specific needs, companies can choose the most suitable solution to ensure that all services used comply with security and regulatory requirements.