Introduction
In the context of cloud security, the focus is almost always on securing Infrastructure as a Service
(IaaS) and Platform as a Service (PaaS) environments. This is despite the reality that while
organizations tend to consume 2-3 IaaS providers, they are often consuming tens to hundreds
of SaaS Offerings. The SaaS Governance Best Practice for Cloud Customers is a baseline set of
fundamental governance practices for SaaS environments. It enumerates and considers risks during
all stages of the SaaS lifecycle, including Evaluation, Adoption, Usage, and Termination.
As organizations continue to adopt SaaS-based applications and solutions, several areas of traditional
organizational cybersecurity must be updated to reflect this new operating model.
Internal organizational policies must be updated to reflect key items such as service level
agreements, security and privacy requirements, and operational implications. Organizational
operational security activities are also affected, including responsibilities and tasking as well as
the implications for mobile devices and remote working employees. Information is an asset, and in the
SaaS paradigm its classification, labeling, and storage requirements must be considered when it is
handled by external service providers. While SaaS providers handle much of the responsibility in the Shared
Responsibility Model, SaaS consumers remain largely responsible for data governance and access
control. This means ensuring who has access to what data, with what level of permissions, and under
what context, especially in a Zero Trust Architecture.
Organizations still have key decisions around encryption key management and operational activities
such as vulnerability management and backup and storage. Organizations need to ensure they
consider SaaS providers as part of their third-party risk management programs and that incident
response and business continuity plans and processes are updated accordingly. This is increasingly
true, as SaaS often serves key functions from a business continuity perspective in the remote
work paradigm. Even with the shared responsibilities, organizations also still have compliance and
regulatory requirements they must meet to protect their stakeholders as well as their reputation and
to avoid potential legal consequences.
The SaaS environment ultimately presents a shift in the way organizations handle cybersecurity, one that
introduces a shared responsibility between producers and consumers. Failing to adjust accordingly
can have devastating consequences, such as disclosure of sensitive data, loss of revenue and customer
trust, and regulatory consequences.
1.1 Scope
This document:
• Provides a baseline set of SaaS governance best practices for protecting data within SaaS
environments
• Enumerates and considers risks according to the SaaS adoption and usage lifecycles
• Provides potential mitigation measures from the SaaS customer’s perspective
© Copyright 2022, Cloud Security Alliance. All rights reserved.
1.2 Audience
• SaaS Consumers
• SaaS Providers
• SaaS Security Solution Providers
• Cloud Security Professionals
• Legal
• Cybersecurity Executives
• IT Executives
• Risk Managers
• IT Auditors and Compliance
• Third-party Risk Managers
Overview
Software as a Service (SaaS) consumers and customers should assess and mitigate information
security risks raised by the usage of SaaS services. This document discusses SaaS in the context
of NIST 800-145, which defines SaaS as “the capability provided to the consumer through using
a provider’s applications running on cloud infrastructure.” In this context, the consumer does not
manage or control the cloud infrastructure, operating systems, associated storage, or even individual
applications, except specific configuration settings.
While the domain of cloud adoption and security continues to evolve, not much guidance is available regarding SaaS governance and security. This is despite the reality that organizations are increasingly utilizing SaaS offerings, sometimes adopted by individual departments without central oversight (Shadow IT), to power their critical business processes and functions, and are often storing sensitive data in SaaS environments.