9 minutes – that’s all cybercriminals need today to compromise core systems. This is one of the findings of the SaaS Security Threat Report by OBSIDIAN. Even more alarming: in 2024 alone, security incidents targeting software-as-a-service (SaaS) solutions increased by 300%. Cyber risks are therefore not only rising for global enterprises, but also for small and medium-sized businesses – and at the same time, the attack surface continues to expand.

AI features, for example, are now integrated into more than 60% of enterprise SaaS products (source: Founders Forum Group). It is hardly surprising, then, that the security architecture of many organizations is changing quietly and often unnoticed. AI does not just process data – it analyzes, structures, and interconnects it. For organizations, this means that SaaS security is no longer just about access control, but also about transparency around what happens to data within the platform. Losing control or visibility over data is something organizations can no longer afford – whether intentionally or unknowingly.

The new standard of work: Software as a Service

Software-as-a-service, or SaaS, has fundamentally transformed how businesses work and has been pivotal to the Great Transition to remote work of 2020. By 2025, SaaS has grown into a global market worth USD 315.68 billion, with an expected annual growth rate of 18.7%. Continued adoption of the public cloud will remain a key driver of this growth, as organizations seek cost-efficient and flexible solutions.

However, security concerns around moving data assets from companies’ internal networks to external ones can easily become a bottleneck to this goal. Adopters must make sure that their data is kept safe both in transit and at rest, mitigate the risk of employees using shadow applications, and minimize authorization gaps, among other things. And do so while ticking compliance boxes, from industry standards to international law.

This article explores what SaaS security means, why it matters, and what to keep in mind when evaluating and implementing SaaS products to maximize value while minimizing risk. It quickly becomes clear that organizations also need to address the AI question. SaaS tools with an AI-free system architecture can offer significant advantages from a compliance and data protection perspective.

Tackling data and application security: SaaS edition

Organizations that move data from on-premises systems to vendor-hosted servers must address potential security and privacy risks from the very beginning. When sensitive and business-critical data is handed over to a third party, organizations typically have limited control over that provider’s security protocols and practices.

SaaS security therefore means proactively ensuring that no individual – whether acting maliciously, without authorization, or simply through negligence – can create or exploit vulnerabilities. This can be achieved by implementing appropriate safeguards across workflows, compliance processes, and reporting mechanisms.

This raises an important question: who is responsible for maintaining a secure SaaS – those who provide or those who use it? The short answer is ‘both.’ That said, the amount of responsibility each party assumes strongly depends on the type of cloud service used and the way the service provider chooses to implement it, the UK’s National Cyber Security Centre (NCSC) points out.

SaaS cybersecurity: 4 key SaaS security issues to look out for

1. Identity and access management

As the rise in security incidents mentioned above illustrates, employees of SaaS cloud service providers can become a significant risk factor for customers by opening up new attack vectors – ranging from brute-force attacks to sophisticated social engineering campaigns.

2. Regulatory compliance

According to McKinsey’s Customer Perspectives on SaaS Survey, product compliance is a major CISO concern. Respondents said they’re often unsure whether SaaS solutions actually meet their data protection compliance needs or whether providers just say they do.

3. Data protection

According to Moody’s Analytics, the solution provider’s methodology for preventing data breaches, primarily by using various methods for data encryption both at rest and in transit, is the single most important security practice for SaaS applications.

4. Misconfigurations

The more customized a SaaS application is, the more complex it becomes to configure – and the more vulnerable it is to data breaches. The average cost of data breaches, often caused by cloud misconfigurations, now amounts to USD 4.4 million (source: IBM).

SaaS cloud security checklist: 7 SaaS security best practices for new adopters

1. Check for recommendations from cybersecurity authorities

Browse both local and global cybersecurity organizations' resources for guidance on SaaS adoption. The NCSC, for example, has published comprehensive and in-depth guidelines on how to choose and deploy cloud services securely. Definitely go through their 14-point list of cloud security principles for organizations to gauge how well a cloud service is designed, built, and run – as well as security reviews of some of the most popular SaaS offerings out there.

2. Review data access controls and enforcement practices

Does the SaaS vendor have access to the data you store on its servers? The answer you’re looking to hear is ‘no.’ No cloud service provider should be able to read your data or provide ambiguous information on the steps they take to safeguard it. Also make sure to review all available security documentation on what precautions, policies, and practices the vendor has in place to ensure maximum protection and transparency in handling your data assets.

3. Map the flow and security of data across the SaaS servers

The first question to ask yourself here is what type of data will change hands when you use the SaaS solution. Beyond IP concerns, data processing regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) might severely impact the provider vetting process, depending on the jurisdiction in which your business resides and on the jurisdiction of the people whose data it processes.

Next, explore the solution provider’s security posture – and don’t settle for less information than what you’d require about on-premise applications. These might cover available encryption methods, business continuity and disaster recovery plans, security track record, software development cycles and deployment pipelines, and any details you need to fully grasp the risk profile of both the cloud environment and the organization that supplies it.

This brings us to another key question to pose here: ‘Who will the service provider share your data with?’ Ideally, no one. But in reality, fourth-party access to your data can be legitimate and necessary, ISACA experts point out. Always ask your cloud vendors about potential supply chain dependencies, keep an eye on external applications integrated into your SaaS environment, and embrace the zero-trust approach to user and device access.

4. Verify whether AI-free operation is possible

At this point, it is essential to clarify how artificial intelligence is used. Whenever AI accesses data without visibility, organizations lose oversight of what happens to that data. Maximum data security is offered by SaaS solutions that provide AI-free workspaces. This does not mean the solution must avoid AI entirely, but AI and machine learning features should be centrally configurable and, where necessary, fully deactivatable.

You should also receive transparent information about whether background processes rely on AI, whether data is shared with external AI models, and what this means for your data security.

There must be no exceptions when it comes to customer data: SaaS providers must guarantee that customer data is not used for AI training or product optimization. Documented data flows help maintain visibility at all times. Request advance notice of new or modified AI features so you can make conscious decisions about which features to adopt and which to disable.

Our tip: The safest option is to contractually ensure that the service remains fully functional without AI processes. Many industries depend on AI-free workflows for compliance reasons, and to offer legally compliant and trustworthy services, organizations must be able to meet this requirement themselves.

5. Run a legal review on compliance with applicable data protection laws

Compliance with data protection regulations is non-negotiable for SaaS. Depending on your operating environment, industry, and region, organizations must meet regulatory and supervisory requirements. In addition to well-known regulations such as the GDPR and HIPAA, industry-specific standards like the Payment Card Industry Data Security Standard (PCI DSS) require proactive protection of personal data.

Key considerations include data residency and whether you can control where your data is stored. An often-overlooked aspect of data protection law is where personal data may legally be stored. Since cloud providers frequently transfer and store data across borders and data centers, staying compliant with data residency requirements is essential. If personal data of EU citizens is transferred outside the EU, for example, GDPR-level protection must travel with the data.

Speaking of GDPR: confirm whether a Data Processing Agreement (DPA) is required. Organizations subject to GDPR must have DPAs in place with all data processors. These agreements define how personal data may be stored, accessed, used, and secured, demonstrating that processors are capable of providing adequate protection for entrusted data.

6. Ensure compliance with international, regional, and industry standards – and European regulations

Check whether the provider is ISO 27000 certified. This widely adopted family of standards helps organizations improve information security through best practices and a systematic, people-, process-, and technology-focused risk management approach. While no certification replaces a comprehensive security assessment, standards like ISO 27000 provide an additional layer of trust.

SOC 2 audits assess whether a provider has implemented effective controls for security, availability, and system integrity. For cloud-based platforms with third-party integrations and data exchange, SOC 2 provides an important trust foundation by independently validating that sensitive information is structurally protected.

Beyond certifications, organizations should also verify compliance with evolving regulatory requirements. The NIS2 Directive, for example, requires many organizations – not just critical infrastructure operators – to demonstrably implement risk management, incident response, and supply chain security measures.

In the financial sector, the Digital Operational Resilience Act (DORA) is gaining importance, requiring robust security, resilience, and reporting processes from financial organizations and their ICT providers. Organizations using SaaS in regulated industries should ensure the solution can be operated in a DORA-compliant manner and meets sector-specific requirements, such as those in healthcare or critical infrastructure.

7. Run a security audit to uncover security blindspots

Perform a comprehensive cybersecurity audit to get a clear idea of your cloud attack surface. Examine at-rest and in-transit data security, review authentication options such as enterprise single sign-on (SSO) and multifactor authentication (MFA), and check the availability and sophistication of role-based access control mechanisms.

Also, never underestimate your users’ willingness to work around a solution that isn’t straightforward and convenient to use. Evaluate whether the security features offered by the SaaS solution fall into this category, and estimate the number of system administrators you’ll need to manage users efficiently and ensure a seamless experience.

SaaS encryption: how E2EE can boost cloud security

SaaS solutions that use end-to-end encryption, E2EE for short, are infinitely more secure than those that don’t. Not to mention that they eliminate several of the above SaaS security risks and concerns by design, such as:

  • Data access risk – E2EE means that no one but you can access the data stored on the provider’s servers. Should any of your encrypted information leak, it would still remain unreadable to unauthorized users, including malicious actors.
  • Compliance shortfalls – End-to-end encryption can significantly improve compliance in cases where data protection is required by law, such as HIPAA for health records, or by professional standards like the PCI DSS.
  • Breach notifications – Encrypted data is unintelligible to anyone without your encryption key. Thus, the GDPR’s 72-hour data breach notification rule does not apply, as no individual can possibly be identified from your encrypted content.

Tresorit: a no-stress, no-hassle way to SaaS data security

An end-to-end encrypted cloud storage and collaboration platform, Tresorit empowers you to:

  • Use end-to-end encryption to boost productivity and security:
    Exchange files securely with external collaborators, including clients and vendors, using encrypted links. Ultra-secure share links enable zero-knowledge, end-to-end encrypted document and folder sharing with anyone in just a few clicks or taps.
  • Prevent data breaches due to human error and malicious attacks:
    Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, to a set of users, create different policies for each template, and modify these policies at any moment through a single interface.
  • Keep access secure and limited:
    Manage files at a granular level, plus monitor and decide which devices are allowed to access which files within the organization and from where users are allowed to log in to their company account to safeguard critical data assets.
  • Ensure data confidentiality and integrity:
    The GDPR requires users to have a level of access to personal data that is strictly necessary for them to carry out their jobs. Use Tresorit’s permission settings to make sure that access to data is restricted on a need-to-know basis.

An all-in-one platform like Tresorit offers an additional benefit by reducing risks associated with tool sprawl. Centralized workflows minimize interfaces, data duplication, and uncontrolled sharing – significantly enhancing security while shrinking the attack surface.

Sounds like a good fit for your business? See what else Tresorit has to offer.