We’ve made a point of shoring up security for infrastructure-as-a-service clouds since they are so complex and have so many moving parts. Unfortunately, the many software-as-a-service systems in use for more than 20 years now have fallen down the cloud security priority list.
Organizations are making a lot of assumptions about SaaS security. At their essence, SaaS systems are applications that run remotely, with data stored on back-end systems that the SaaS provider encrypts on the customer’s behalf. You may not even know what database is storing your accounting, CRM, or inventory data—and you were told that you should not really care. After all, the provider runs the entire system for you, and users and admins just leverage it through some web browser. Indeed, SaaS means that you are abstracted much further away from the components than other forms of cloud computing.