
SaaS Security

Infrastructure Risks Hidden but Still There

The SaaS model hides traditional security risks relating to physical access, operating systems, storage, and applications from the customer. The risks have not disappeared; they simply get ignored because they are no longer under the control of the customer. Most cloud service providers, however, offer no guarantees of their security practices, at least not to smaller customers.

Identity and Access Management Integration

Integrating access control with the enterprise's identity and access management (IAM) practices typically remains a task performed by the customer. It is important to ensure that access to cloud services is properly provisioned and terminated when people change roles or leave the organization.
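
One way to check this in practice is a periodic reconciliation of the SaaS application's account list against the enterprise directory. The following is an added example, not part of the original page; the CSV column names, the sample rows, and the department-to-role entitlement policy are all constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real data): enterprise directory and SaaS user list.
IDP_CSV = """email,status,department
alice@example.com,active,finance
bob@example.com,terminated,finance
carol@example.com,active,engineering
"""
SAAS_CSV = """email,role,enabled
alice@example.com,billing_admin,true
bob@example.com,billing_admin,true
carol@example.com,billing_admin,true
dave@example.com,viewer,true
erin@example.com,viewer,false
"""
# Assumed policy: SaaS roles each department is entitled to hold.
ENTITLEMENTS = {"finance": {"billing_admin", "viewer"}, "engineering": {"viewer"}}


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(idp_rows, saas_rows, entitlements):
    """Return (email, finding, detail) for every enabled SaaS account
    that the directory does not justify."""
    idp = {r["email"].strip().lower(): r for r in idp_rows}
    findings = []
    for acct in saas_rows:
        email = acct["email"].strip().lower()
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled in the SaaS application
        person = idp.get(email)
        if person is None:
            findings.append((email, "orphaned", "no matching identity in directory"))
        elif person["status"] != "active":
            findings.append((email, "leaver", "directory status is " + person["status"]))
        elif acct["role"] not in entitlements.get(person["department"], set()):
            findings.append((email, "role_drift",
                             acct["role"] + " not entitled for " + person["department"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(load(IDP_CSV), load(SAAS_CSV), ENTITLEMENTS):
        print(*finding, sep="\t")
```

Each finding is a candidate for deprovisioning or role correction in the SaaS application; accounts with no directory match also cover shared or locally created logins that bypass the enterprise IAM process.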

Data Encryption

Some applications support encrypting the stored data using keys held by the customer. Others encrypt the customer's data using keys held by the service provider. Most applications do not perform or document any data encryption.

Backups

Taking backups of the data stored in the application in a different cloud service or on the customer's premises may be essential for continuity in the event the service provider suddenly ceases to exist.

Cloud Access Security Brokers

Cloud access security brokers are policy enforcement points, located on premises or in the cloud, that may integrate the organization's IAM and encryption solutions with applications in the cloud.

More Information

For more information on SaaS and infrastructure security, see the page on cloud security.