Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Download Publication

Home
Publications
SaaS Governance Best Practices for Cloud Customers
SaaS Governance Best Practices for Cloud Customers
Who it's for:
  • Application developers
  • Application Architects
  • Cybersecurity professionals
  • Cloud security practitioners
  • IT professionals
  • Auditors
  • Compliance managers

SaaS Governance Best Practices for Cloud Customers

Release Date: 10/10/2022

Working Group: SaaS Governance

In the context of cloud security, the focus is almost always on securing Infrastructure-as-a-Service (IaaS) environments. This is despite the reality that while organizations tend to consume 2-3 IaaS providers, they are often consuming tens to hundreds of SaaS Offerings. The SaaS Governance Best Practice for Cloud Customers is a baseline set of fundamental governance practices for SaaS environments. It enumerates and considers risks during all stages of the SaaS lifecycle, including Evaluation, Adoption, Usage, and Termination.


The SaaS environment ultimately presents a shift in the way organizations handle cybersecurity that introduces a shared responsibility between producers and consumers. Failing to adjust accordingly can have devastating consequences such as disclosing sensitive data, loss of revenue, customer trust, and regulatory consequences.


Key Takeaways:

  • Provides a baseline set of SaaS governance best practices for protecting data within SaaS environments;
  • Enumerates and considers risks according to the SaaS adoption and usage lifecycles, and
  • Provides potential mitigation measures from the SaaS customer’s perspective.
Download this Resource

Bookmark
Share
View translations
Related resources

Related Resources

PublicationsBlogs
Map the Transaction Flows for Zero Trust
Map the Transaction Flows for Zero Trust
Download Now
Top Concerns With Vulnerability Data
Top Concerns With Vulnerability Data
Download Now
Using Asymmetric Cryptography to Help Achieve Zero Trust Objectives
Using Asymmetric Cryptography to Help Achieve Z...
Download Now
View all publications
The Lost Art of Visibility, in the World of Clouds
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024
9 Tips to Simplify and Improve Unstructured Data Security
9 Tips to Simplify and Improve Unstructured Data Security
Published: 11/18/2024
How AI Changes End-User Experience Optimization and Can Reinvent IT
How AI Changes End-User Experience Optimization and Can Reinvent IT
Published: 11/15/2024
View all blogs
View all webinars

Acknowledgements

Anthony Smith
Anthony Smith
Cloud CyberSecurity

Anthony Smith

Cloud CyberSecurity

Anthony brings over 20+ years IT experience, specializing in IT compliance, auditing, governance. He has provided guidance in areas/industries such as: Manufacturing, Site Management, Merger's and Acquisitions, Emerging Technologies and Cloud Computing. He has extensive knowledge in: NIST, ISO, CAIQ and GDPR.

Anthony currently serves in the role of Cloud CyberSecurity advisor supporting the GCP, Azure and AWS platforms.

Read more

Tim Bach
Tim Bach
VP Security Engineering

Tim Bach

VP Security Engineering

Tim Bach is the Vice President of Engineering at AppOmni. His career as a security practitioner has focused on security engineering initiatives that make best in class security accessible and usable to teams of all sizes and industries.

Before joining AppOmni, Tim held security engineering roles at Apple and Salesforce. At Salesforce, Tim led the security team that designed and developed solutions to secure the AppExchange ecosystem ...

Read more

Alistair Cockeram
Alistair Cockeram
Security Architect at Financial Services

Alistair Cockeram

Security Architect at Financial Services

Alistair has spent over two decades specialising in network & information security management across Internet Service Provider, Defence and the Financial Services sectors.

Alistair is a member of the Cloud Security Alliance Software-Defined Perimeter (SDP) Zero Trust and SaaS Governance working groups.

An acknowledged reviewer of the CSA SDP Specification v2.0 and co-author of the SaaS Governance Best Practice Guide.

Read more

Sai Honig
Sai Honig

Sai Honig

Bryan Solari
Bryan Solari

Bryan Solari

Chris Hughes
Chris Hughes
Co-Founder and CISO at Aquia

Chris Hughes

Co-Founder and CISO at Aquia

Chris currently serves as the Co-Founder and CISO of Aquia. Chris has nearly 20 years of IT/Cybersecurity experience. This ranges from active duty time with the U.S. Air Force, a Civil Servant with the U.S. Navy and General Services Administration (GSA)/FedRAMP as well as time as a consultant in the private sector. In addition, he also is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of...

Read more

Saan Vandendriessche
Saan Vandendriessche

Saan Vandendriessche

Walter Haydock
Walter Haydock

Walter Haydock

Walter Haydock is an expert on vulnerability management, software supply chain resilience, and industrial Internet of Things (IoT) security. Before entering the private sector, he served as a professional staff member for the Homeland Security Committee of the U.S. House of Representatives, as an analyst at the National Counterterrorism Center, and as a reconnaissance and intelligence officer in the Marine Corps.

Read more

Andreas Peter
Andreas Peter

Andreas Peter

Yao Sing Tao
Yao Sing Tao

Yao Sing Tao

James Underwood
James Underwood
Senior Security Architect at Blackbaud, Inc

James Underwood

Senior Security Architect at Blackbaud, Inc

Zeal Somani
Zeal Somani

Zeal Somani

Paul Lanois Headshot Missing
Paul Lanois

Paul Lanois

Andrew Luhrmann Headshot Missing
Andrew Luhrmann

Andrew Luhrmann

Amit Kandpal
Amit Kandpal
Director of Customer Success, Netskope

Amit Kandpal

Director of Customer Success, Netskope

Akin Akinbosoye Headshot Missing
Akin Akinbosoye

Akin Akinbosoye

Luciano (J.R.) Santos
Luciano (J.R.) Santos
Chief Customer Officer, CSA

Luciano (J.R.) Santos

Chief Customer Officer, CSA

J.R. Santos serves as the Chief Customer Officer for the Cloud Security Alliance. In this role, J.R. serves as a CSA Member advocate, partnering with leaders across all business units to transform the member experience and ensure that members are the center of every business decision. J.R. leads the Experience Services organization that includes the CSA Membership and Sales team, who work collaboratively to promote a consistent experience f...

Read more

Mickey Law Headshot Missing
Mickey Law

Mickey Law

Jessica Shouse Headshot Missing
Jessica Shouse

Jessica Shouse

Abhishek Vyas
Abhishek Vyas
Head of Security Consultancy and Architecture

Abhishek Vyas

Head of Security Consultancy and Architecture

I have been working in Cybersecurity for over 10 years, and have been working on large scale multi-cloud programs in the Software and Finance industries over that period. I deliver business value through robust, scalable, fit for business cybersecurity, by establishing new ways of working to help the business to innovate. Challenging the status quo to help remove inertia, and ensuring that cybersecurity remains relevant and mea...

Read more

Michael Roza
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC

Michael Roza

Risk, Audit, Control and Compliance Professional at EVC

Since 2012 Michael has contributed to over 100 CSA projects completed by CSA's Internet of Things, Zero Trust/Software-Defined Perimeter, Top Threats, Cloud Control Matrix, Containers/Microservices, DevSecOps, and other working groups. He has also served as co-chair of CSA's Enterprise Architecture, Top Threats, and Security-as-a-Service working groups while also serving as the Standards Liaison Officer for IoT, ICS, EA, SECaaS, and Cloud K...

Read more

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Join this Working Group
View all Working Groups

Related Certificates & Training