Membership
Become a Member
Enterprises
Solution Providers
Current Members
Solution Providers
Affiliates
Assurance
STAR Program
STAR Levels
View Registry
Submit to Registry
Provide Feedback
GDPR Code of Conduct for STAR
STAR Resources
CAIQ
Cloud Controls Matrix
GDPR Code of Conduct
CAIQ-Lite
CSA-OneTrust VRM Tool
GDPR
Download the Code of Conduct
Submit Code of Conduct to the Registry
Resource Center
Global Consultancy
Become a Consulting Partner
Find a Consulting Service
Certificates & Training
Certificates
CCSK
CCAK
Trainings
CCAK (Coming Soon)
CCSK Lectures
CCSK Lectures + Labs
Advanced Cloud Security Practitioner
Register for Training
For Individuals
For Enterprises
Instructors
Become an Instructor
Training Partners
Become a Training Partner
Webinars
Cloudbytes
Research
GDPR
Events
Americas
APAC
EMEA
Research
What We Do
Research Working Groups
CSA Research Lifecycle
Research Publications
Security Guidance v4
Cloud Controls Matrix (CCM)
IoT Framework
Contribute
Open Peer Reviews
Surveys
Volunteer FAQ
Ron Knode Award
Working Groups
Internet of Things
DevSecOps
Software Defined Perimeter
Blockchain
Cloud Controls Matrix
EMEA Projects
APAC Projects
Community
About Circle
Create an Account
Login to Circle
How To Get Started
Blog
Events
Americas
APAC
EMEA
Chapters
Global Chapters
Form a Chapter
About
About CSA
Board
History
CSA Staff
CSA EMEA
Press Releases
News Coverage

SaaS Governance

Latest ResearchJoin Group
Research Home
View Working Groups
Contribute
Download Publications
Join our working group
Home
Research
Working Groups
SaaS Governance
Security and privacy are the primary concerns for organizations considering SaaS adoption, and recent research indicates that 77% of SaaS-adopting organizations have experienced SaaS-specific security incidents. SaaS services account for the bulk of the cloud industry market, and any security incident could critically impact cloud customers. 

SaaS services present unique risks to their cloud customers since they:
  • Are highly business process specific;
  • Handle and store critical business and personal data.
  • Integrate a broad array of service components, operating over a deep application stack.
  • May depend on multiple cloud service providers. 
Due to heavy competitive pressure in the SaaS market today, security is too often not a top priority for SaaS providers – especially for the smaller providers that may not have the necessary security expertise to identify and manage the risks that could impact cloud customers and the cloud provider’s own operations. The SaaS Governance Working Group encourages and defines mechanisms to ensure the security of customer data and the resilience of the SaaS cloud infrastructure. 

This group has already started writing the SaaS Governance Best Practice for SaaS Customers . You can preview the chapters in progress below:Interested in what you can do to improve SaaS governance?
The Security, Trust, Assurance, and Risk (STAR) Registry allows cloud customers to view the controls implemented by popular SaaS providers. Based on the controls outlined in the Cloud Controls Matrix, providers submit the CAIQ to this publicly available registry. This allows cloud customers to easily access and assess offerings from popular cloud providers. View CSA’s registry of secure companies 

SaaS Governance

This group aims to benefit all parties in the Software-as-a-Service (SaaS) ecosystem by supporting a common understanding of SaaS related risks from the perspectives of the cloud customer and cloud service provider.
Join Group

Next Meeting

No Meetings Currently Scheduled


Working Group Leadership

Ronald Tse Headshot

Ronald Tse

Join our working group

Cloud Security Research

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

Cloud Octagon Model

Cloud Octagon Model

While not created by this working group, the Cloud Octagon Model helps provide context and background to SaaS Governance. The model is an approach to assess risk in SaaS cloud computing. It provides practical guidance and structure to all involved risk parties in order to keep pace with rapid changes in privacy and data protection laws and regulations, and changes in technology. 

Download this publication
The 2020 State of Identity Security in the Cloud

The 2020 State of Identity Security in the Cloud

The use of cloud services have continued to increase over the past decade. Particularly in the wake of the COVID-19 public health crisis, many enterprises' digital transformations are on an accelerated track to enable employees to work from home. CSA surveyed these organizations to better understand how cloud services are being used during this transition and how organizations are securing their operations over the next 12 months.

Download the results

SaaS Governance Best Practice for Cloud Customers (in progress)

The SaaS Governance Best Practice for SaaS Customers is a baseline set of fundamental SaaS governance practices for SaaS Customers. It enumerates and considers risks during all stages of the SaaS adoption lifecycle and takes into account the SaaS usage lifecycle. It will also aim to provide mitigation measures from the cloud customer’s perspective.

Preview this document here
View All Research

Security, Trust, Assurance and Risk (STAR) Registry

STAR lets cloud customers assess which organizations meet the level of assurance they require and gain insight into the controls in place to protect their data. For SaaS organizations, STAR enables them to validate their cloud security and offer proof to current and future customers of the controls in place. Currently the STAR registry lists over 1000 cloud service providers including SaaS providers, and is growing daily.

The STAR allows CSPs to submit the CAIQ questionnaire in order to validate their security offerings. 

View CSA’s registry of secure cloud providers

Blog Posts

​CSA STAR Attestation and STAR Certification Case Studies
Read Now
Cloud Security for SaaS Startups Part 1: Requirements for Early Stages of a Startup
Read Now
How to avoid the biggest mistakes with your SaaS security
Read Now