pwc saas surveyHere at Identropy, we've been helping corporations find their Identity & Access Management destinies since 2006.  

But over the last few years, we've identified a new trend: CSOs are quickly coming to the realization that they have a tsunami of SaaS apps they have to manage, and they are recognizing that the cloud poses unique security requirements that do not map over cleanly from the on-premise software world.


CTA4Assuming you're in the same situation, this one's for you!  We've taken the top 4 risk areas for SaaS security, and broken them down for you.  This will allow you to start putting together a framework for your own SaaS security strategy.


1. Usage Risk

SaaS Security Survey Results

Usage Risk refers to the risk your organization is incurring based on how you are utilizing a specific SaaS app.  The 2 (and perhaps most important) considerations are:

    • Is your organization using this cloud app for a critical business function?
    • Does this app store sensitive data?

If no to both of these, this specific app can immediately go on the 'low risk' list.  For example, if an app is being used to manage get-togethers for employees with pets, and it stores pictures of kittens playing with yarn...move on to the next app.  


2. Data Security Risk

Once you understand how your organization is using the SaaS app, you can move on to data security risk.  While Usage Risk focuses on how your organization is using the app, Data Security Risk focuses on how the service provider is handling your data.  

Here are some pertinent questions in this risk area:  How is the SaaS provider handling your data?  Is it encrypted in transit? At rest? Are there app controls in place that determine how your data is stored and who can view it?  (For a more comprehensive list of questions, download this 50 point security checklist for SaaS apps)


3. SaaS Provider Operational Risk

SaaS Provider Operational Risk addresses how your provider manages their general day-to-day operations.  Although you could think of Data Security Risk as a subset of this risk area (since there is an operational aspect to data security), we call it out specifically due to its importance.

Here are a few questions related to SaaS Provider Operational Risk: What's the uptime SLA gauranteed by the provider? Is there 24x7 support? What compliance certifications has the provider obtained?  What is their DR strategy?


4. SaaS Provider Application Risk

Application Risk is the inherent risk created by how the app was developed.  For example, how does the app handle authentication and authorization? What access provisioning standards does it support?  How are identities imported/exported into the apps datastore? 

Another perspective on Application Risk is the risk generated based on the development lifecycle of the Service Provider.  What development practices are being used by the provider to address configuration management vulnerabilities? authentication vulnerabilities? session management vulnerabilities?  For a more comprehensive list of questions, download this 50 point security checklist for SaaS apps.


Some Weekend Reading Material...

Other researches and security practioners have taken different approaches to the SaaS risk assessment. 

For example, Grant Thorton published the findings of a survey entitled Issues and trends: Assessing and managing SaaS risk, in which they focus on SaaS risk as viewed by the service provider.  In their framework, they focus on 3 risk types: Financial, Operational and Compliance risk. 

On the other end of the spectrum, the government's FedRAMP program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  It is extremely thorough (and perhaps overkill) for your organization's needs, but is a great source of ideas regarding a SaaS security framework that will work for your organization.

Lastly, Identropy has published 2 free eBooks that will be extremely helpful in your path towards effective SaaS Risk Management:



Free eBook: SaaS Security Checklist
Ash Motiwala

Ash Motiwala

I’ve been in the identity space for most of my career, and I’m still passionate about it. Anyhow, a CTO is supposed to be the person who sets technical vision for the company, but honestly – Identropy has way too much brainpower for a single person to do that. Instead, I get my hands dirty with the customer development process, lend a helping hand wherever its needed, and I have the privilege to talk identity with some of the brightest minds in this space every day.