Putting the security in SaaS

So, what are the XaaSes?

Lets go alphabetically, we’ll get onto order of preference in a wee while.

  • obey the T&Cs
  • obey any copyright, license agreements etc
  • keep credentials that have been issued to you safe
  • obey non-disclosure agreements, if they apply
  • pay for what you use
  • respond to instructions issued via a security bulletin etc from the vendor
  • not doing anything to damage the vendor or the platform
  • your data, your problem — supplier will only be a Data Processor for your tenancy data (likely Data Controller for your account data, such as username’s and billing)

Function-as-a-Service (FaaS)

FaaS is serverless computing. FaaS allows you to develop code and have someone else runs it when you want them to — entirely mitigating the need to run a container, operating system etc.

Infrastructure-as-a-Service (IaaS)

SaaS is effectively renting of virtual compute resources (CPU, RAM, storage) without having to house (power, cool, network) them yourself, worry about cooling or pay the upfront capital expenditure to get the kit in the first place.

Platform-as-a-Service (PaaS)

‘PaaS’ can mean slightly difference things but in essence it is above the IaaS layer (so you generally don’t need to worry about patching etc just your application code/artefacts) but not SaaS as you’re running your own applications.

Software-as-a-Service (SaaS)

The SaaS model is consuming an application itself from the vendor (typically via a web browser or thin application) and you’re responsible for very little unless the SaaS is complex and lets you change a bunch of things about how you use it.

An aside: XaaS terminology doesn’t really work but they are what we have

IaaS, PaaS and SaaS (et al) by themselves are things most people in this space understand but can often become buckets of “I suppose its this” or “it isn’t those so its probably this”.

Order of priority — time to prefer

This order of preference is based on only two things: simplicity and security.


Not a line by line of Michael’s post but picking out some things that made me think.

It depends which ‘security concerns’

“Security concerns don’t change very much based on whether you are using a platform, or infrastructure or just services. They change based on the maturity of the solution and the maturity of the organisation you are using.”

As highlighted above, I think the change in shared responsibility means you probably have more to do which likely means you have more security-related things to do — but security functionality or capability (and the utilisation of the same) is not the same as vendor-based supply chain risks.

“To use an example, Amazon is a multi billion dollar company, and has a set of robust and audited security processes in place. Honest Bob’s Cloud is not, and probably does not.”

I concur.

Mythbustin’ — law enforcement data capture etc

I agree with Michael’s views here (also weighed in my 2c during his drafting) — overall, the probability of such occurrences are also very low.

The difference in diligence

Michael’s article links out to guidance from the UK National Cyber Security Centre (NCSC) on assessing vendor SaaS security.

  1. the guidance is great 😙
  2. NCSC is great — 👋
  3. the guidance scope doesn’t consider data protection, records/information management etc at all or in sufficient depth — but thats OK, that isn’t what guidance scope is
  4. the guidance is a ‘sniff test’ and not a risk assessment or anything beyond ‘the surface’ — but thats also OK because of guidance scope
  5. ‘Security’ people are not always ‘Data Protection’ people, nor ‘risk’ people (proportionally engage risk on behalf of the organisation)
  6. the usual organisational member is usually unable to decipher the legalese presentation of SaaS T&Cs etc by themselves
  7. in many organisations, usual members are not allowed to sign-up the organisation to legal agreements (they in theory aren’t allowed to accept the T&Cs as the organisation)



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store