Infrastructure Risks Hidden but Still There
The SaaS model hides traditional security risks relating to physical access, operating systems, storage, and applications from the customer. The risks have not disappeared, however; they simply get ignored because they are no longer under the customer's control. Most cloud service providers offer no guarantees of their security practices, at least not to smaller customers.
Identity and Access Management Integration
The integration of access control to the enterprise's identity and access management (IAM) practices typically remains a task performed by the customer. It is important to ensure that access to cloud services is properly provisioned and terminated when people change roles or leave the organization.
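One way to check that termination and role changes actually reach a cloud service is to reconcile the application's account list against the enterprise IAM roster. The script below is an added example, not part of the original page; the CSV columns, the sample data and the `ALLOWED_APP_ROLES` mapping are assumptions made for illustration and do not reflect any vendor's export format.

```python
"""Reconcile a SaaS account export against the enterprise IAM roster."""
import csv
import io

# Constructed sample data; column names are assumptions for this example.
IAM_ROSTER = """email,status,role
alice@example.com,active,finance
bob@example.com,terminated,engineering
carol@example.com,active,support
"""

SAAS_ACCOUNTS = """email,enabled,app_role
alice@example.com,true,finance-admin
bob@example.com,true,developer
carol@example.com,true,finance-admin
dave@example.com,true,developer
erin@example.com,false,developer
"""

# Hypothetical mapping: application roles each enterprise role may hold.
ALLOWED_APP_ROLES = {
    "finance": {"finance-admin", "finance-viewer"},
    "engineering": {"developer"},
    "support": {"support-agent"},
}

def load(text):
    """Index CSV rows by normalized e-mail address."""
    return {row["email"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}

def review_access(iam_csv, saas_csv, allowed=ALLOWED_APP_ROLES):
    """Return (email, finding) pairs for enabled accounts that need action."""
    iam, saas = load(iam_csv), load(saas_csv)
    findings = []
    for email, acct in sorted(saas.items()):
        if acct["enabled"].lower() != "true":
            continue  # already disabled in the application
        person = iam.get(email)
        if person is None:
            findings.append((email, "unmanaged: no IAM identity"))
        elif person["status"] != "active":
            findings.append((email, "leaver: account still enabled"))
        elif acct["app_role"] not in allowed.get(person["role"], set()):
            findings.append((email, "role mismatch: " + acct["app_role"]))
    return findings

if __name__ == "__main__":
    for email, reason in review_access(IAM_ROSTER, SAAS_ACCOUNTS):
        print(f"{email}: {reason}")
```

Run on a schedule against fresh exports, the three finding types map to the cases named above: people who left, people who changed roles, and accounts created outside the IAM process.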
Some applications support encrypting the stored data using keys held by the customer. Others encrypt the customer's data using keys held by the service provider. Most applications do not perform or document any data encryption.
Taking backups of the data stored in the application in a different cloud service or on the customer's premises may be essential for continuity in the event the service provider suddenly ceases to exist.
Cloud Access Security Brokers
Cloud access security brokers are policy enforcement points, on-premises or in the cloud, that may integrate the organization's IAM and encryption solutions with applications in the cloud.
For more information on SaaS and infrastructure security, see the page on cloud security.