November 30, 2020

When IT first contemplated moving on-premises applications to the cloud via SaaS services, there were two schools of thought. On-prem diehards couldn’t believe their data could be safe when it was out of IT’s hands and not under their control. The other group reckoned the cloud provider would take care of everything, and security was nothing to worry about – or waste energy on.

The truth is somewhere in between. Here is how McAfee explained it in its 2019 McAfee Cloud Adoption and Risk Report. “SaaS providers handle much of the security for a cloud application. The SaaS provider is responsible for securing the platform, network, applications, operating system, and physical infrastructure. However, providers are not responsible for securing customer data or user access to it. Some providers offer a bare minimum of security, while others offer a wide range of SaaS security options.”

That division leaves plenty of security work for your IT team, and SaaS security mistakes and neglect are costly. Gartner predicts that through 2022, 95% of security failures in cloud and SaaS will be the customer’s fault, not the cloud provider’s.

According to one widely cited industry ranking, the biggest cloud security threats are:

  • “Data Breaches
  • Misconfiguration and inadequate change control
  • Lack of cloud security architecture and strategy
  • Insufficient identity, credential, access, and key management
  • Account hijacking
  • Insider threat
  • Insecure interfaces and APIs
  • Weak control plane
  • Metastructure and applistructure failures
  • Limited cloud usage visibility
  • Abuse and nefarious use of cloud services”

The SaaS Provider is Only Responsible for a Portion of Security – You Do the Rest

In the days of on-premises software, IT was responsible for securing every application layer. That changed with the cloud and SaaS, leading to the Shared Responsibility Security Model. Under it, some of the security duties IT used to perform on-premises are handled by the cloud/SaaS provider, while the rest remain the responsibility of IT. Which duties fall on which side depends on the service level: the provider's share is smallest for IaaS and largest for SaaS, but identity, data and access control stay with the customer at every level.

You Must Take Care of Identity & Access Management

IaaS is raw computing infrastructure, so it requires IT to do nearly as much to protect the cloud environment as it did on-premises; higher-level cloud platforms like SaaS require less heavy lifting, but not none. “In PaaS and SaaS solutions, Identity & access management is a shared responsibility that requires an effective implementation plan that includes configuration of an identity provider, configuration of administrative services, establishing and configuration of user identities, and implementation of service access controls. Additional considerations that should be considered are the use of two-factor authentication, role-based access control, just-in-time administrative controls, and monitoring and logging of both users and control points,” Microsoft pointed out.
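The controls in the Microsoft quote above (two-factor authentication, role-based access control, just-in-time administrative access, and logging of users and control points) are ones the customer, not the provider, has to verify. The script below is an added example, not code from CoreView or Microsoft: it audits a small tenant snapshot for the common ways those controls fail in practice. The snapshot is constructed for this demonstration; its shape is loosely modelled on the user, role-assignment and sign-in objects a directory API returns, but every field name is an assumption and the roles and accounts are fictional.

```python
"""Audit customer-side identity controls for a SaaS tenant.

Added example (not CoreView's or Microsoft's code). TENANT is a constructed
snapshot; field names are assumptions made for this demonstration.
"""
from collections import Counter

# Roles whose holders can change tenant-wide security settings (assumed list).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
}

# Constructed tenant snapshot. "eligible" assignments must be activated before
# use (just-in-time); "permanent" assignments are standing administrative access.
TENANT = {
    "users": [
        {"upn": "alice@contoso.example", "mfa_registered": True, "user_type": "Member"},
        {"upn": "bob@contoso.example", "mfa_registered": False, "user_type": "Member"},
        {"upn": "partner@fabrikam.example", "mfa_registered": True, "user_type": "Guest"},
        {"upn": "svc-backup@contoso.example", "mfa_registered": False, "user_type": "Member"},
    ],
    "role_assignments": [
        {"upn": "alice@contoso.example", "role": "Global Administrator", "assignment": "eligible"},
        {"upn": "bob@contoso.example", "role": "Global Administrator", "assignment": "permanent"},
        {"upn": "partner@fabrikam.example", "role": "SharePoint Administrator", "assignment": "permanent"},
        {"upn": "svc-backup@contoso.example", "role": "Exchange Administrator", "assignment": "permanent"},
        {"upn": "helpdesk@contoso.example", "role": "Helpdesk Administrator", "assignment": "permanent"},
    ],
    # Constructed sign-in log entries: what the control plane actually enforced.
    "sign_ins": [
        {"upn": "bob@contoso.example", "status": "success",
         "auth_requirement": "singleFactorAuthentication", "ip": "203.0.113.7"},
        {"upn": "alice@contoso.example", "status": "success",
         "auth_requirement": "multiFactorAuthentication", "ip": "198.51.100.4"},
        {"upn": "bob@contoso.example", "status": "failure",
         "auth_requirement": "singleFactorAuthentication", "ip": "203.0.113.9"},
    ],
}


def audit_identity_controls(tenant):
    """Return a list of (check, upn, detail) findings for privileged accounts."""
    users = {u["upn"]: u for u in tenant["users"]}
    findings = []

    for ra in tenant["role_assignments"]:
        if ra["role"] not in PRIVILEGED_ROLES:
            continue  # RBAC: only the highly privileged roles are audited here
        user = users.get(ra["upn"])
        if user is None:
            # Role assigned to an account no longer in the directory.
            findings.append(("ORPHANED_ASSIGNMENT", ra["upn"], ra["role"]))
            continue
        if not user["mfa_registered"]:
            # Two-factor authentication is not even possible for this admin.
            findings.append(("ADMIN_WITHOUT_MFA", ra["upn"], ra["role"]))
        if ra["assignment"] == "permanent":
            # Standing access instead of just-in-time activation.
            findings.append(("STANDING_ADMIN_ACCESS", ra["upn"], ra["role"]))
        if user["user_type"] == "Guest":
            # An external identity holding a tenant-wide role.
            findings.append(("GUEST_WITH_ADMIN_ROLE", ra["upn"], ra["role"]))

    privileged = {ra["upn"] for ra in tenant["role_assignments"]
                  if ra["role"] in PRIVILEGED_ROLES}
    for s in tenant["sign_ins"]:
        # Logging check: a privileged account signed in successfully without MFA,
        # regardless of what the registration data says.
        if (s["upn"] in privileged and s["status"] == "success"
                and s["auth_requirement"] != "multiFactorAuthentication"):
            findings.append(("ADMIN_SIGNIN_WITHOUT_MFA", s["upn"], s["ip"]))
    return findings


def summarize(findings):
    """Count findings per check so the report can be compared over time."""
    return dict(Counter(check for check, _, _ in findings))


if __name__ == "__main__":
    for check, upn, detail in audit_identity_controls(TENANT):
        print(f"{check:26} {upn:30} {detail}")
    print(summarize(audit_identity_controls(TENANT)))
```

The sign-in check is deliberately separate from the registration check: a user can have MFA registered and still sign in with a single factor if no policy requires it, so the registration data alone does not prove the control is enforced. The same split applies to any SaaS tenant, whatever API the data comes from.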

The chart below shows what areas of security IT must handle at each level of the cloud services stack.

Shared Responsibility Security Model chart

Finding Rogue and Dangerous SaaS Apps

As with anything, IT cannot secure what it does not know it has, and nowhere is this more true than with SaaS. IT needs to find the SaaS apps in use, determine which of them are Shadow IT, and decide what to do about them.

Shadow IT sounds appealing on the surface: tech-savvy end users and departments discover cloud apps they love and put them to work. However, there are security, cost and even productivity downsides. Cloud apps that are that good should be vetted and, if they pass, approved and even made standard. Ones that do not meet this threshold have no place in the enterprise. Reaching the right answer means first discovering and analyzing these hidden apps.
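Discovery usually starts with the traffic the organization already logs: web-proxy or firewall records show which SaaS hosts users reach and how much they upload. The script below is an added example, not CoreView's code or tooling: it recognizes SaaS apps from a constructed proxy log, counts users and successful upload volume per app, and reports the apps that are not on a sanctioned list. The log format, the domain-to-app catalogue and the sanctioned list are all assumptions made for this demonstration; which apps an organization sanctions is its own policy decision, and the sample hosts below imply nothing about those services.

```python
"""Find SaaS apps in proxy logs and flag the ones that are not sanctioned.

Added example, not CoreView's code. SAMPLE_PROXY_LOG, APP_CATALOGUE and
SANCTIONED are constructed for this demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Registrable domain -> app name. A real catalogue has thousands of entries;
# this one is an assumption for the example.
APP_CATALOGUE = {
    "sharepoint.com": "SharePoint Online",
    "office.com": "Microsoft 365",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "trello.com": "Trello",
}

# Hypothetical sanctioned list for this organization.
SANCTIONED = {"SharePoint Online", "Microsoft 365"}

# Constructed log lines: timestamp user method host bytes_out status
SAMPLE_PROXY_LOG = """\
2020-11-30T09:01:12Z alice@example.com GET contoso.sharepoint.com 0 200
2020-11-30T09:02:40Z alice@example.com PUT files.eu.dropbox.com 5242880 200
2020-11-30T09:05:03Z bob@example.com POST wetransfer.com 104857600 200
2020-11-30T09:07:19Z carol@example.com POST wetransfer.com 20971520 200
2020-11-30T09:08:55Z bob@example.com GET trello.com 0 200
2020-11-30T09:09:10Z dave@example.com PUT files.eu.dropbox.com 1048576 403
2020-11-30T09:10:00Z mallory@example.com GET intranet.internal 0 200
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes_out>\d+) (?P<status>\d{3})$"
)


def app_for_host(host):
    """Map a hostname to a catalogued app by matching its longest known suffix.

    Matching on whole labels means "files.eu.dropbox.com" resolves to Dropbox
    while a look-alike such as "evil-dropbox.com" does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in APP_CATALOGUE:
            return APP_CATALOGUE[suffix]
    return None


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0  # only successful POST/PUT bodies count


def discover_saas(log_text):
    """Aggregate per-app usage from proxy log text; unknown hosts are ignored."""
    usage = defaultdict(AppUsage)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        app = app_for_host(m["host"])
        if app is None:
            continue
        u = usage[app]
        u.users.add(m["user"].lower())
        u.requests += 1
        if m["method"] in ("POST", "PUT") and m["status"].startswith("2"):
            u.bytes_uploaded += int(m["bytes_out"])
    return usage


def shadow_it_report(log_text, min_users=1):
    """List unsanctioned apps, largest upload volume first (data-leakage signal)."""
    rows = [
        {"app": app, "users": len(u.users), "requests": u.requests,
         "bytes_uploaded": u.bytes_uploaded}
        for app, u in discover_saas(log_text).items()
        if app not in SANCTIONED and len(u.users) >= min_users
    ]
    return sorted(rows, key=lambda r: (-r["bytes_uploaded"], -r["users"], r["app"]))


if __name__ == "__main__":
    for row in shadow_it_report(SAMPLE_PROXY_LOG):
        print(f"{row['app']:18} users={row['users']} "
              f"requests={row['requests']} uploaded={row['bytes_uploaded']}")
```

Ranking by successful upload volume rather than by request count is deliberate: a file-sharing app that two people pushed 120 MB into is a bigger leakage concern than a task board dozens of people browse. The `min_users` threshold lets the same report separate one person's experiment from an app a whole department has quietly adopted.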

Shadow IT is Everywhere

Shadow IT is a very big deal. A Cisco survey of CIOs found their organizations were running 15 times more cloud applications than the CIOs expected. According to Gartner, Shadow IT represents 30 to 40 percent of IT spending in large enterprises.

Shadow IT Kills Security

Shadow IT causes all kinds of problems. It is a large attack surface for hackers and a vector for malware. Meanwhile, unsanctioned storage, file-sharing and collaboration apps are key sources of data leakage, because corporate data flows into services that IT neither monitors nor controls.

Shadow IT is clearly ripe for attack: Gartner researchers predicted that in 2020 one-third of all successful attacks on enterprises would be against Shadow IT resources.

Protect Your M365 Tenant With CoreView

CoreView offers deep Microsoft 365-specific security protection, governance and compliance. Learn how we help with a personalized CoreView demo.
