graphgrc

SaaS IAM Standard

Identity and access management requirements for SaaS applications.

Scope

All third-party SaaS applications used by employees (Slack, GitHub, AWS, Google Workspace, etc.).

Requirements

Single Sign-On (SSO)

• All SaaS applications must support SSO integration (SAML/OIDC)
• Use centralized identity provider (Okta, Google Workspace, Azure AD)
• Provision users via SSO, no local accounts
• Exceptions require security team approval (document in vendor assessment)

Multi-Factor Authentication (MFA)

• MFA required for all SaaS applications
• Enforced at IdP level (not application level)
• Acceptable factors: Authenticator app (TOTP), hardware keys (FIDO2/WebAuthn)
• Prohibited: SMS, email-based OTP (unless no other option available)

Provisioning and Deprovisioning

• Automated user provisioning via SCIM where supported
• For non-SCIM apps: API-based automation or manual provisioning documented
• Deprovisioning triggered by HR offboarding, completed within 1 hour
• Quarterly access reviews to identify orphaned accounts

Access Control

• Role-based access control (RBAC) configured in each SaaS app
• Default to least privilege (Viewer/Read-only)
• Elevated permissions require manager approval
• Admin accounts limited to IT/Security teams

Session Management

• Maximum session lifetime: 12 hours for standard users, 1 hour for admins
• Re-authenticate for sensitive actions (payment, config changes)
• Idle timeout: 30 minutes

Audit Logging

• Enable audit logging in all SaaS applications
• Forward logs to centralized SIEM where possible
• Retain logs for minimum 1 year (2 years for SOC 2 compliance)
• Monitor for anomalous access: unusual location, failed auth attempts, permission changes

Inventory Management

• Maintain inventory of all approved SaaS applications (IT asset management system)
• Shadow IT detection via SSO logs and network monitoring
• Quarterly review of SaaS inventory

References

• Related controls: ACC-01, ACC-02, ACC-03, PEO-03
• Related process: access-provisioning-process.md, access-review-process.md

Control Mapping

• ACC-01: Identity & Authentication ^[SSO integration (SAML/OIDC) with centralized IdP, MFA enforced at IdP level]
• ACC-02: Least Privilege & RBAC ^[RBAC configured in each SaaS app, default least privilege, elevated permissions require approval]
• ACC-03: Access Reviews ^[Quarterly access reviews to identify orphaned accounts, audit logs for access monitoring]
• PEO-03: Offboarding ^[Automated deprovisioning via SCIM completed within 1 hour of termination]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.