
SaaS Security

Infrastructure Risks Hidden but Still There

The SaaS model hides traditional security risks relating to physical access, operating systems, storage, and applications from the customer. The risks have not disappeared, however; they simply get ignored because they are no longer under the customer's control. Most cloud service providers offer no guarantees of their security practices, at least not to smaller customers.

Identity and Access Management Integration

The integration of access control to the enterprise's identity and access management (IAM) practices typically remains a task performed by the customer. It is important to ensure that access to cloud services is properly provisioned and terminated when people change roles or leave the organization.
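One way to check that provisioning and termination are actually happening is to reconcile each cloud service's account export against the enterprise directory. The sketch below is an added example, not code from this page or from any product; the data layout, application names, user names and finding labels are all hypothetical and constructed for illustration.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "kind app user")

# Constructed sample data; every name below is hypothetical.
# Enterprise IAM view: is the person still employed, and which apps does their role grant?
DIRECTORY = {
    "alice": {"active": True, "apps": {"crm", "wiki"}},
    "bob": {"active": True, "apps": {"wiki"}},   # changed roles, CRM entitlement removed
    "carol": {"active": False, "apps": set()},   # left the organization
}
# Account exports pulled from each cloud service: (app, login, status).
SAAS_ACCOUNTS = [
    ("crm", "alice", "active"),
    ("crm", "Bob", "active"),
    ("crm", "carol", "active"),
    ("wiki", "bob", "active"),
    ("wiki", "dave", "active"),
    ("wiki", "carol", "suspended"),
]


def reconcile(directory, accounts):
    """Return sorted findings where SaaS account state disagrees with IAM."""
    findings, live = [], set()
    for app, login, status in accounts:
        user = login.strip().lower()   # assumption: logins are case-insensitive
        if status != "active":
            continue                   # assumption: suspended accounts cannot log in
        live.add((app, user))
        person = directory.get(user)
        if person is None:
            findings.append(Finding("unknown_identity", app, user))
        elif not person["active"]:
            findings.append(Finding("not_terminated", app, user))
        elif app not in person["apps"]:
            findings.append(Finding("excess_after_role_change", app, user))
    for user, person in directory.items():
        if person["active"]:
            for app in person["apps"]:
                if (app, user) not in live:
                    findings.append(Finding("not_provisioned", app, user))
    return sorted(findings)


if __name__ == "__main__":
    for f in reconcile(DIRECTORY, SAAS_ACCOUNTS):
        print(f"{f.kind:26} {f.app:5} {f.user}")
```

Accounts that map to no directory identity are reported separately from accounts of departed users, because the former often indicate shared or locally created logins that bypass the IAM process entirely.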

Data Encryption

Some applications support encrypting the stored data using keys held by the customer. Others encrypt the customer's data using keys held by the service provider. Most applications do not perform or document any data encryption.


Taking backups of the data stored in the application in a different cloud service or on the customer's premises may be essential for continuity in the event the service provider suddenly ceases to exist.

Cloud Access Security Brokers

Cloud access security brokers are policy enforcement points, located on-premises or in the cloud, that may integrate the organization's IAM and encryption solutions with applications in the cloud.

More Information

For more information on SaaS and infrastructure security, see the page on cloud security.



