10 SaaS Governance Best Practices to Protect Your Data

Blog Article Published: 02/17/2023

Written by the SaaS Governance Working Group.

In the context of cloud security, the focus is almost always on securing Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) environments. This is despite the reality that while organizations tend to consume 2-3 IaaS providers, they often consume tens to hundreds of Software as a Service (SaaS) offerings.

The SaaS environment ultimately presents a shift in the way organizations handle cybersecurity, introducing a shared responsibility between producers and consumers. Failing to adjust can have devastating consequences such as disclosure of sensitive data, loss of revenue, loss of customer trust, and regulatory penalties. This blog describes ten SaaS governance best practices for protecting data within SaaS environments.

1. Information Security Policies

SaaS customers should develop a SaaS security strategy and build a security architecture that reflects that strategy. A strong security architecture should include security policies that guide the deployment and maintenance of SaaS applications and that cover the evaluation, adoption, usage, and termination of SaaS services.

2. Organization of Information Security

Even though many view SaaS as an outsourced responsibility, it is imperative that the division of roles and responsibilities (R&R) between the Cloud Service Customer (CSC) and the Cloud Service Provider (CSP) is clearly understood. Controls must be in place to enforce Segregation of Duties (SoD), identify key stakeholders, identify specific teams to maintain contact with special interest groups, and facilitate secure remote operations.

3. Asset Management

To benefit from a SaaS service, the SaaS customer must provide certain data to be processed by that service. Therefore, management of data is extremely important for a SaaS customer. Responsibility for assets includes taking inventory, identifying the usage of SaaS by users in the organization, assigning ownership, and defining acceptable use of assets.

4. Access Control

It is important to evaluate whether a person needs access to a service, to identify the business requirements and establish roles, to have proper IAM practices that enforce least privilege and segregation of duties, and to store passwords securely so that confidentiality, integrity, and availability are protected.

5. Encryption and Key Management

A critical aspect to consider when using SaaS services is the security of the data being stored. Any time data is moved, there is a risk of exposure. The best way of mitigating this risk is to ensure the encryption of data as it’s transmitted to or from the SaaS provider, as well as while stored in the SaaS provider’s systems. Generally, it is more secure to use customer-managed encryption keys than those provided by the vendor. However, whether or not to use vendor-managed encryption keys depends on two factors:

  • Does the vendor allow the use of customer-managed keys?
  • Does the data stored with the vendor warrant the level of risk mitigation provided by using your keys, or is the risk of vendor-managed keys acceptable?

6. Operations Security

Operational responsibilities include documenting operating procedures, protection and controls against malware, information backup, event logging and monitoring, technical vulnerability management, and consideration of information systems audit controls.

7. Network Security Management

Governance of network security within the context of SaaS services is broken down into two domains: controls owned and operated by SaaS providers and controls that a SaaS consumer may need to consider. The Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) approaches to network security are important to consider.

8. Supplier Relationships

Organizations should develop and maintain a real-time picture of components comprising a given SaaS product, develop internal risk management policies for them, negotiate contractual terms with CSPs to ensure the security of the offering, and not rely solely upon external certification regimes to assist in risk management.

9. Incident Management

The four phases of Incident Response are:

  1. Preparation: Every SaaS service should be vetted during the procurement process and include reliable third-party risk analysis aligned to the corporate risk appetite and regulatory and industry compliance requirements.
  2. Detection and Analysis: Detect data exfiltration, integrate any SaaS service with a corporate identity platform, automate alerts, and assign the proper priority.
  3. Containment, Eradication, and Recovery: The CSC will only be able to limit access to its tenant based on originating IP, revoke user or account access, and rotate data-at-rest encryption keys. For recovery, it is crucial to request support from the CSP to invoke the data backup and recovery plan.
  4. Post-Mortem: Take a step back and review the lessons learned and what can be improved. The outcome of this should flow into Phase 1.

10. Compliance

SaaS applications should be categorized and assessed based on the types and sensitivity of data contained within them as well as other relevant risk factors such as the number of records at risk, organizational reliance, and continuity.
Read SaaS Governance Best Practices for Cloud Customers to learn more about SaaS governance best practices, risks according to the SaaS adoption and usage lifecycles, and potential mitigation measures from the SaaS customer’s perspective.