How to secure SaaS: Understanding the cloud’s security layers

Because of gaps across cloud systems, too often user data is stored in unencrypted stores, including caches on internal networks, that can be easily viewed.


When you address security in the cloud for your enterprise use, you need to think of it in several layers:

  • Layer 0 is the primary IaaS cloud on which everything else runs; typically, Amazon Web Services, Microsoft Azure, Google Cloud Platform, IBM Cloud, or Alibaba.
  • Layer 1 is the SaaS provider for your applications and servers. The SaaS offerings typically run on (someone else’s) Layer 0 provider, or come from a Layer 0 provider that also offers SaaS. Your own cloud-delivered apps are in this layer as well.
  • Layer 2 is the specific application and its user.

What can be confusing is understanding what layers reside where. For example, there are more than 3,000 SaaS providers out there—CRM and accounting systems, health care portals, bail-bond management, you name it—that run on someone else’s IaaS cloud, such as AWS. You often won’t know what IaaS Layer 0 providers they use, or if they use several.

Furthermore, within the SaaS Layer 1, SaaS providers group users into “macrotenants,” which typically are composed of users (more importantly, departments) from the same enterprise customer.

Then there’s the user in Layer 2, who has credentials to specific applications and services and is using computers, browsers, and networks typically not managed by either the IaaS or SaaS provider. In other words, Layer 0 is within the IaaS provider’s control, and Layer 1 is within the SaaS provider’s control. Layer 2 is not.

The IaaS providers do a very good job of looking after Layer 0 security. The SaaS providers typically do a good job of looking after Layer 1 security, though the quality can vary based on the provider’s size and experience.
