It’s hard to stay compliant with government regulations, much less get out in front of them. But if you’re effectively managing your company’s software portfolio, chances are you’re already ahead of emerging requirements expected to crack down on how companies protect their data. SaaS management is predicted to become a primary component behind security and privacy regulations rising on the horizon.
Here’s what you should know.
Gartner: SaaS Regulations will Hit All Industries
Read Gartner’s 2024 Magic Quadrant for SaaS Management and you’ll find this warning statement buried in the Market Overview:
“Emerging governmental regulations focused on asset discovery, risk assessment and disclosure require that many organizations maintain an accurate inventory of their application portfolio… Though the majority of regulations are currently focused on specific industries (mainly financial services and technology providers), Gartner expects these regulations to expand to all industries in the near future.”
Indeed, the financial industry’s leadership in establishing tight data security and privacy controls could result in wider jurisdictions. Financial regulations have the potential to create a blanket policy that would make SaaS management best practices wide sweeping. Gartner goes on to state that most companies will struggle to comply due to SaaS visibility challenges and will fail to comply without asset management and security software.
While still considered theoretical guesses for now, these potential realities are founded in valid trends (explored in the next section) and could transpire from the following U.S. and European regulations.
Regulations Driving Tighter SaaS Management
There’s a growing list of government regulations demanding that companies comply with data security requirements, and many of them intersect with SaaS management practices, including third-party compliance, Shadow IT discovery, SaaS risk assessments, and security incident reporting procedures.
U.S. Securities and Exchange Commission Regulations
The SEC oversees a library of regulations, including two Securities Acts from the 1930s. Some are growing more rigid and extensive with time. For instance, data-breach reporting regulations have tightened. Last year, the SEC added new incident response rules stating that institutions must give notice of a breach as soon as possible but no later than 30 days. Plus, they must provide more details, including the type of data accessed by an unauthorized user.
Companies mismanaging their SaaS applications can struggle with threat detection and response as well as data breach notifications, because they may not know where (and how) information flows across different software platforms. This makes it difficult to define and report the type of data compromised under the new stipulations for incident response programs.
New York State Department of Financial Services
Piling on federal rulebooks, state laws are getting tougher on security. In 2023, the state of New York implemented a cybersecurity strategy that could set in motion more state-based rules impacting data security and software protections. Today, states are creating entities like the DFS that issue regulations, enforce laws, take action on non-compliance, and drum up new cybersecurity strategies. Because these state entities also control business licensing, operations will depend on compliance.
EU AI Act
As many Americans will tell you, where Europe goes, the U.S. follows and the EU AI Act is the most recent legislation inserting law into artificial intelligence practices. In addition to its risk-based approach to AI regulation, the Act harmonizes various regulations across the EU while focusing on ethics, transparency, and accountability. Among other things, companies are required to track AI usage and disclose to customers when they are interacting with a machine or when AI-powered decisions are being made about them. Most provisions come into effect in 2026.
Because AI can introduce new attack surfaces for companies, security professionals are calling for companies to comply with the EU AI Act. With the number of software manufacturers infusing AI into the core of every app, staying on top of third-party service providers and their tools will be increasingly important for compliance. Europe is a recognized global leader in tech regulation and privacy rights; therefore, business leaders see this set of statutes as having the highest potential for global impact. We’re already witnessing uptake: the State of Colorado has followed suit, passing SB 24-205.
EU Digital Operational Resilience Act
European Union financial entities and their service providers are rushing to comply with DORA’s new regulations, which will be enforced starting January 2025. With the aim of making financial systems more resilient by hardening security, the new set of uniform technical standards addresses everything from incident reporting and third-party compliance to testing, audits, and information sharing. DORA adds to the list of other evolving security requirements in Europe.
EU NIS2 Directive
NIS2 is an example of just how pointed new rules are becoming, with some anticipating that SaaS security solutions will join the list of newly required products and services. In addition to a broader reach and revised reporting rules, NIS2 imposes stricter security obligations, requiring member states to use specific security products, services, and processes, which must be certified under European cybersecurity certification schemes (see Article 24).
NIS2 updates the EU’s original Network and Information Security (NIS) Directive, introduced in 2016. It expands the scope of cybersecurity rules to new sectors and entities, including “essential” infrastructure: think water companies, electricity providers, banks, and hospitals operating in the EU. While NIS2 establishes a common level of cybersecurity, it also designates more companies as “essential.”
U.K. National Cyber Security Centre’s Shadow IT Guidelines
The United Kingdom is taking direct aim at the security threats of Shadow IT, unmanaged software, and unsanctioned devices, putting forth guidelines to teach businesses how to use SaaS securely and mitigate SaaS vulnerabilities. While the guidelines don’t have the force of law behind them, new guidelines can be stepping stones toward regulatory requirements, which is why some argue they foreshadow what’s to come.
How SaaS Management Tools Help You Comply
IT and security leaders need to have a wider understanding of what they must protect, and SaaS management solutions shed light on key blind spots. Unmanaged assets and software services can be unmasked by SaaS management solutions like Tangoe’s.
Benefits include:
- Shadow IT discovery using a multi-source approach to reveal both sanctioned and unsanctioned applications in use
- Threat intelligence revealing the security risk associated with each application in use
- Deep SaaS user analytics exposing who uses each app and how
- Compliance aids showing the list of certifications associated with each app in use
- Accelerated processes for generating a list of all applications in use
- Managed services including Shadow IT monitoring and SaaS cost optimization
Explore Tangoe’s fully managed services for SaaS management, and get the brochure.
Visibility Challenges will No Longer Be Tolerated
Regulatory requirements are expected to grow increasingly stringent and prescriptive as legislation responds to changing threat landscapes, puts in place a uniform framework for data and privacy protections, and accelerates timelines for threat response procedures. That’s why it’s growing increasingly important for companies to maintain an accurate list of the applications that have access to their data and use AI with it.
Companies that don’t mitigate SaaS risk open themselves to steep financial penalties and data breach related costs. Every application in use has the potential to expose corporate and customer data to cybersecurity threats. As breaches become daily occurrences, IT leaders must be able to secure their applications and disclose SaaS information in a timely manner.
While it remains difficult for companies to see and control the exact list and number of apps in use, government entities will no longer tolerate common visibility challenges. Soon, IT and security leaders will be forced to gain complete awareness of their app environment, with new rules calling for them to leverage SaaS discovery tools, security insights, and Shadow IT mitigation strategies to improve their data security posture.
Tangoe can help you stay ahead of these trends. When you’re ready for a SaaS management assessment, talk to Tangoe.