SaaS (Software-as-a-Service) is a cloud-based delivery model in which Cloud Service Providers (CSPs) host, manage, and deliver software applications for their customers, allowing users to access them over the Internet.

 

SaaS has become increasingly prevalent in recent years thanks to a wide range of services that are quickly replacing traditional COTS (Commercial Off-The-Shelf) solutions. SaaS provides additional value by delivering faster, cost-effective, and more efficient features, allowing consumers to focus on their core business rather than worrying about platform administration and infrastructure investments.


But while SaaS offers many benefits, its widespread adoption may also bring security challenges that many organisations fail to address. In fact, it is believed that 96.7% of organisations used at least one application that had a security incident in the past year. Also, according to the Annual SaaS Security Survey Report 2025, 70% of enterprises are prioritising SaaS security by having dedicated teams to secure applications.


With this in mind, let’s examine some of the most critical SaaS threats to businesses.

 

 

1) Data breaches

The cloud has redefined the traditional boundaries where data can transit. In the past, organisations implemented data protection measures to keep data within their physical and logical borders. Now, this approach has fundamentally shifted with the advent of cloud technologies.


When data enters the cloud, it travels beyond the perimeter of the organisation, and copies of it can exist in different regions worldwide. This is further complicated with SaaS solutions, which often rely on other PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service) providers, resulting in reduced visibility into where data resides and what controls are implemented to protect it.


Under these conditions, the threat of a data breach can arise from unauthorised access by a Cloud Service Provider, whether it’s the primary SaaS provider or another entity from the cloud supply chain. The data breach may be intentional, for example carried out by a malicious employee or an external attacker exploiting vulnerabilities, or it can occur accidentally due to human error.


SaaS providers are especially attractive targets to attackers, as they host data for multiple organisations. This was particularly evident in 2020, when Zoom was targeted following its surge in usage during the COVID-19 pandemic. The attack led to a data breach affecting approximately 500,000 users, exposing e-mail addresses, passwords, and links to personal meetings.


Fortunately, there are proactive security measures companies can adopt to effectively mitigate this threat, such as:

  • Implementing robust data encryption.
  • Enforcing strong access control.
  • Monitoring data exposure through a Data Loss Prevention (DLP) solution.

 

 

2) Multitenancy

SaaS providers offer services to multiple organisations simultaneously, using a shared infrastructure model to host customer data and manage related operations. In a multitenancy setup, a single software instance, infrastructure component (such as a database, middleware…), or physical resource (including Central Processing Unit – CPU – or memory…) is used by multiple customers at once.


While this provides numerous benefits for both providers and customers by reducing service costs, it also introduces new security threats as the multitenancy setup can spawn a myriad of vulnerabilities that malicious actors may exploit.


In a multitenant environment, a malicious actor could access another tenant’s data if proper isolation measures are not implemented. Additionally, one tenant can intentionally or inadvertently exhaust shared resources (such as CPU or memory), affecting service availability for all tenants.


It would be unrealistic to expect SaaS providers to change their multitenancy architecture to satisfy their individual customer needs while keeping the same pricing model. It is therefore important that organisations adopt robust security practices to mitigate risks within the multitenancy environment, such as:

  • Strong data encryption, coupled with independent management of encryption keys.
  • Contractual agreements to ensure that the SaaS provider guarantees the availability of shared resources.

 

 

3) Availability issues

While traditional availability threats relevant to on-premises environments still apply in the cloud, there are additional challenges specific to the cloud that organisations need to consider and address.


One significant challenge is vendor lock-in, where a customer becomes heavily dependent on a specific service provider, making it difficult to transition to other SaaS platforms or even to a self-hosted solution. This issue can arise due to the proprietary nature of the solution and can result in reduced agility and responsiveness to changing business needs.


Another crucial threat has to do with data portability, where it becomes difficult for organisations to move data between different service providers. This may be due to varying data formats or restrictions imposed by the provider.


As previously mentioned, SaaS providers often rely on IaaS or PaaS providers, creating a chain of dependencies. If one of these underlying services experiences a failure, it can lead to disruption in the entire SaaS offering.


To navigate these availability threats, organisations should:

  • Conduct thorough due diligence before migrating to a SaaS solution.
  • Ensure that Service Level Agreements (SLAs) align with their business needs.
  • Develop processes for migrating to a different solution when circumstances change.

 

 

4) Misconfigurations

Misconfiguration can occur from a failure to follow good practices in the configuration of resources, leading to potential security vulnerabilities. They may involve inadequate access control, excessive permissions, unencrypted data, or the use of insecure protocols, all of which may introduce security risks.


Misconfiguration is one of the leading causes of cyber incidents within the cloud. An example of where this happens is the AWS S3 service, where customers sometimes fail to disable public access, inadvertently exposing sensitive data. This misconfiguration has affected numerous companies and organisations, including Verizon, which suffered a data leak that exposed personal information of millions of its customers.


Given the prevalence of misconfiguration threats and the risks they introduce, it is crucial for customers to understand their roles in securing cloud environments. In the SaaS model, security responsibilities are divided under the Shared Responsibility Model. While SaaS providers are responsible for the security of the applications and underlying infrastructure, customers are responsible for implementing secure configurations to protect their data as it moves through the SaaS applications.

 

 

5) Shadow SaaS

Shadow SaaS refers to SaaS solutions that employees adopt within an organisation without the knowledge of the IT department. Driven by the need to improve productivity or meet their specific needs, employees may turn to certain cloud-based applications.

 

Common solutions in a Shadow SaaS environment include Canva, WeTransfer, ChatGPT, and Google Forms. While these solutions might prove to be useful, they introduce potential security and compliance risks when used without the oversight of the IT department, potentially exposing sensitive data and bypassing established security protocols.


To address the risks associated with Shadow SaaS, organisations should focus on:

  • Establishing and enforcing clear acceptable policies.
  • Raising awareness among employees about the risks that such practices may pose.
  • Deploying Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) tools to help monitor and detect unauthorised app usage.

 

 

Solutions to increase overall cyber resilience

To strengthen cyber resilience within a cloud environment, there are several services tailored to help organisations secure their cloud applications and infrastructure, namely:

  • Consulting services
    Cybersecurity experts from a service provider like Alter Solutions are able to assess and enhance your organisation’s security posture, both within and beyond the cloud. Following a risk-based approach, they provide well-informed guidance on effective controls to implement, safeguarding your data against prevalent threats, and ensuring that you remain compliant with regulatory obligations – a challenge that is particularly critical in the cloud.

  • Assessment services
    They range from compliance audits to technical pentesting and red teaming exercises, providing you with a comprehensive view of the effectiveness of your security controls, while also delivering an independent evaluation of your Cloud Service Provider’s level of security.

  • Detection and incident response services
    This type of strategy can effectively prevent or mitigate the SaaS-specific threats discussed earlier. Managed services are specifically designed to address these challenges, offering 24/7 monitoring and detection capabilities through a Security Operations Centre (SOC). By leveraging the best and latest detection technologies, we ensure you stay one step ahead of attackers targeting your cloud environment. Moreover, with proactive threat detection and response capabilities, our Incident Response team is ready to help you contain and mitigate security incidents before they escalate.

 

 

Conclusion

While SaaS solutions offer significant benefits to organisations, they also introduce a new suite of challenges that threaten the security of their data. However, by understanding these threats and addressing them through a robust cloud security strategy, organisations can significantly enhance their resilience in the cloud.

Compartir artículo