How we impact
act PROSPERI.AI
Act Digital Corporate Artificial Intelligence
Solutions
Services
Partners
SaaS (Software-as-a-Service) is a cloud-based delivery model in which Cloud Service Providers (CSPs) host, manage, and deliver software applications for their customers, allowing users to access them over the Internet.
SaaS has become increasingly prevalent in recent years thanks to a wide range of services that are quickly replacing traditional COTS (Commercial Off-The-Shelf) solutions. SaaS provides additional value by delivering faster, cost-effective, and more efficient features, allowing consumers to focus on their core business rather than worrying about platform administration and infrastructure investments.
But while SaaS offers many benefits, its widespread adoption may also bring security challenges that many organisations fail to address. In fact, it is believed that 96.7% of organisations used at least one application that had a security incident in the past year. Also, according to the Annual SaaS Security Survey Report 2025, 70% of enterprises are prioritising SaaS security by having dedicated teams to secure applications.
With this in mind, let’s examine some of the most critical SaaS threats to businesses.
The cloud has redefined the traditional boundaries where data can transit. In the past, organisations implemented data protection measures to keep data within their physical and logical borders. Now, this approach has fundamentally shifted with the advent of cloud technologies.
When data enters the cloud, it travels beyond the perimeter of the organisation, and copies of it can exist in different regions worldwide. This is further complicated with SaaS solutions, which often rely on other PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service) providers, resulting in reduced visibility into where data resides and what controls are implemented to protect it.
Under these conditions, the threat of a data breach can arise from unauthorised access by a Cloud Service Provider, whether it’s the primary SaaS provider or another entity from the cloud supply chain. The data breach may be intentional, for example carried out by a malicious employee or an external attacker exploiting vulnerabilities, or it can occur accidentally due to human error.
SaaS providers are especially attractive targets to attackers, as they host data for multiple organisations. This was particularly evident in 2020, when Zoom was targeted following its surge in usage during the COVID-19 pandemic. The attack led to a data breach affecting approximately 500,000 users, exposing e-mail addresses, passwords, and links to personal meetings.
Fortunately, there are proactive security measures companies can adopt to effectively mitigate this threat, such as:
SaaS providers offer services to multiple organisations simultaneously, using a shared infrastructure model to host customer data and manage related operations. In a multitenancy setup, a single software instance, infrastructure component (such as a database, middleware…), or physical resource (including Central Processing Unit – CPU – or memory…) is used by multiple customers at once.
While this provides numerous benefits for both providers and customers by reducing service costs, it also introduces new security threats as the multitenancy setup can spawn a myriad of vulnerabilities that malicious actors may exploit.
In a multitenant environment, a malicious actor could access another tenant’s data if proper isolation measures are not implemented. Additionally, one tenant can intentionally or inadvertently exhaust shared resources (such as CPU or memory), affecting service availability for all tenants.
It would be unrealistic to expect SaaS providers to change their multitenancy architecture to satisfy their individual customer needs while keeping the same pricing model. It is therefore important that organisations adopt robust security practices to mitigate risks within the multitenancy environment, such as:
While traditional availability threats relevant to on-premises environments still apply in the cloud, there are additional challenges specific to the cloud that organisations need to consider and address.
One significant challenge is vendor lock-in, where a customer becomes heavily dependent on a specific service provider, making it difficult to transition to other SaaS platforms or even to a self-hosted solution. This issue can arise due to the proprietary nature of the solution and can result in reduced agility and responsiveness to changing business needs.
Another crucial threat has to do with data portability, where it becomes difficult for organisations to move data between different service providers. This may be due to varying data formats or restrictions imposed by the provider.
As previously mentioned, SaaS providers often rely on IaaS or PaaS providers, creating a chain of dependencies. If one of these underlying services experiences a failure, it can lead to disruption in the entire SaaS offering.
To navigate these availability threats, organisations should:
Misconfiguration can occur from a failure to follow good practices in the configuration of resources, leading to potential security vulnerabilities. They may involve inadequate access control, excessive permissions, unencrypted data, or the use of insecure protocols, all of which may introduce security risks.
Misconfiguration is one of the leading causes of cyber incidents within the cloud. An example of where this happens is the AWS S3 service, where customers sometimes fail to disable public access, inadvertently exposing sensitive data. This misconfiguration has affected numerous companies and organisations, including Verizon, which suffered a data leak that exposed personal information of millions of its customers.
Given the prevalence of misconfiguration threats and the risks they introduce, it is crucial for customers to understand their roles in securing cloud environments. In the SaaS model, security responsibilities are divided under the Shared Responsibility Model. While SaaS providers are responsible for the security of the applications and underlying infrastructure, customers are responsible for implementing secure configurations to protect their data as it moves through the SaaS applications.
Shadow SaaS refers to SaaS solutions that employees adopt within an organisation without the knowledge of the IT department. Driven by the need to improve productivity or meet their specific needs, employees may turn to certain cloud-based applications.
Common solutions in a Shadow SaaS environment include Canva, WeTransfer, ChatGPT, and Google Forms. While these solutions might prove to be useful, they introduce potential security and compliance risks when used without the oversight of the IT department, potentially exposing sensitive data and bypassing established security protocols.
To address the risks associated with Shadow SaaS, organisations should focus on:
To strengthen cyber resilience within a cloud environment, there are several services tailored to help organisations secure their cloud applications and infrastructure, namely:
While SaaS solutions offer significant benefits to organisations, they also introduce a new suite of challenges that threaten the security of their data. However, by understanding these threats and addressing them through a robust cloud security strategy, organisations can significantly enhance their resilience in the cloud.
SaaS (Software-as-a-Service) is a cloud-based delivery model in which Cloud Service Providers (CSPs) host, manage, and deliver software applications for their customers, allowing users to access them over the Internet.
SaaS has become increasingly prevalent in recent years thanks to a wide range of services that are quickly replacing traditional COTS (Commercial Off-The-Shelf) solutions. SaaS provides additional value by delivering faster, cost-effective, and more efficient features, allowing consumers to focus on their core business rather than worrying about platform administration and infrastructure investments.
But while SaaS offers many benefits, its widespread adoption may also bring security challenges that many organisations fail to address. In fact, it is believed that 96.7% of organisations used at least one application that had a security incident in the past year. Also, according to the Annual SaaS Security Survey Report 2025, 70% of enterprises are prioritising SaaS security by having dedicated teams to secure applications.
With this in mind, let’s examine some of the most critical SaaS threats to businesses.
The cloud has redefined the traditional boundaries where data can transit. In the past, organisations implemented data protection measures to keep data within their physical and logical borders. Now, this approach has fundamentally shifted with the advent of cloud technologies.
When data enters the cloud, it travels beyond the perimeter of the organisation, and copies of it can exist in different regions worldwide. This is further complicated with SaaS solutions, which often rely on other PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service) providers, resulting in reduced visibility into where data resides and what controls are implemented to protect it.
Under these conditions, the threat of a data breach can arise from unauthorised access by a Cloud Service Provider, whether it’s the primary SaaS provider or another entity from the cloud supply chain. The data breach may be intentional, for example carried out by a malicious employee or an external attacker exploiting vulnerabilities, or it can occur accidentally due to human error.
SaaS providers are especially attractive targets to attackers, as they host data for multiple organisations. This was particularly evident in 2020, when Zoom was targeted following its surge in usage during the COVID-19 pandemic. The attack led to a data breach affecting approximately 500,000 users, exposing e-mail addresses, passwords, and links to personal meetings.
Fortunately, there are proactive security measures companies can adopt to effectively mitigate this threat, such as:
SaaS providers offer services to multiple organisations simultaneously, using a shared infrastructure model to host customer data and manage related operations. In a multitenancy setup, a single software instance, infrastructure component (such as a database, middleware…), or physical resource (including Central Processing Unit – CPU – or memory…) is used by multiple customers at once.
While this provides numerous benefits for both providers and customers by reducing service costs, it also introduces new security threats as the multitenancy setup can spawn a myriad of vulnerabilities that malicious actors may exploit.
In a multitenant environment, a malicious actor could access another tenant’s data if proper isolation measures are not implemented. Additionally, one tenant can intentionally or inadvertently exhaust shared resources (such as CPU or memory), affecting service availability for all tenants.
It would be unrealistic to expect SaaS providers to change their multitenancy architecture to satisfy their individual customer needs while keeping the same pricing model. It is therefore important that organisations adopt robust security practices to mitigate risks within the multitenancy environment, such as:
While traditional availability threats relevant to on-premises environments still apply in the cloud, there are additional challenges specific to the cloud that organisations need to consider and address.
One significant challenge is vendor lock-in, where a customer becomes heavily dependent on a specific service provider, making it difficult to transition to other SaaS platforms or even to a self-hosted solution. This issue can arise due to the proprietary nature of the solution and can result in reduced agility and responsiveness to changing business needs.
Another crucial threat has to do with data portability, where it becomes difficult for organisations to move data between different service providers. This may be due to varying data formats or restrictions imposed by the provider.
As previously mentioned, SaaS providers often rely on IaaS or PaaS providers, creating a chain of dependencies. If one of these underlying services experiences a failure, it can lead to disruption in the entire SaaS offering.
To navigate these availability threats, organisations should:
Misconfiguration can occur from a failure to follow good practices in the configuration of resources, leading to potential security vulnerabilities. They may involve inadequate access control, excessive permissions, unencrypted data, or the use of insecure protocols, all of which may introduce security risks.
Misconfiguration is one of the leading causes of cyber incidents within the cloud. An example of where this happens is the AWS S3 service, where customers sometimes fail to disable public access, inadvertently exposing sensitive data. This misconfiguration has affected numerous companies and organisations, including Verizon, which suffered a data leak that exposed personal information of millions of its customers.
Given the prevalence of misconfiguration threats and the risks they introduce, it is crucial for customers to understand their roles in securing cloud environments. In the SaaS model, security responsibilities are divided under the Shared Responsibility Model. While SaaS providers are responsible for the security of the applications and underlying infrastructure, customers are responsible for implementing secure configurations to protect their data as it moves through the SaaS applications.
Shadow SaaS refers to SaaS solutions that employees adopt within an organisation without the knowledge of the IT department. Driven by the need to improve productivity or meet their specific needs, employees may turn to certain cloud-based applications.
Common solutions in a Shadow SaaS environment include Canva, WeTransfer, ChatGPT, and Google Forms. While these solutions might prove to be useful, they introduce potential security and compliance risks when used without the oversight of the IT department, potentially exposing sensitive data and bypassing established security protocols.
To address the risks associated with Shadow SaaS, organisations should focus on:
To strengthen cyber resilience within a cloud environment, there are several services tailored to help organisations secure their cloud applications and infrastructure, namely:
While SaaS solutions offer significant benefits to organisations, they also introduce a new suite of challenges that threaten the security of their data. However, by understanding these threats and addressing them through a robust cloud security strategy, organisations can significantly enhance their resilience in the cloud.
