SaaS
Software-as-a-Service (SaaS) is a cloud delivery model where applications (e.g., CRM, email, file sharing) are hosted and maintained by a provider, and customers access them over the internet via a subscription. Unlike on-prem software, users don’t install or update the app locally. Common SaaS examples include Microsoft 365, Salesforce, and Slack.
How does it affect identity security?
SaaS centralizes data in a provider’s environment. If attackers compromise a user’s SaaS account, they gain immediate access to potentially vast data (emails, financial records, etc.). Strong identity security—SSO, MFA, and provisioning controls—becomes vital to protect these hosted apps.
Organizations often tie SaaS logins to their main identity provider (e.g., Azure AD SSO). This ensures consistent password and MFA policies. SaaS vendors usually offer SAML or OpenID Connect for federated access.
Cloud Access Security Brokers (CASBs) can overlay additional security controls, monitoring logins or data movement. SaaS management platforms unify licensing and user provisioning. Essentially, SaaS identity integration is critical for productivity and security—without it, each app becomes an isolated identity silo prone to mismanagement.
Many data leaks occur when an organization fails to integrate SaaS apps into corporate IAM or neglects to remove ex-employees from the SaaS user list. SaaS also introduces a shared responsibility model: while the provider secures infrastructure, the customer must secure identities and data usage.
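An added example, not from the original page: a reconciliation check for the two failure modes described above, comparing one SaaS app's user list against the identity provider's directory. The sample data and field names are constructed assumptions, not any vendor's export format.

```python
from dataclasses import dataclass

# Constructed sample data: an IdP directory export and one SaaS app's user list.
# Field names ("active", "login") are assumptions, not a real vendor schema.
IDP_USERS = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

SAAS_USERS = [
    {"email": "alice@example.com", "active": True, "login": "sso"},
    {"email": "Bob@example.com", "active": True, "login": "sso"},
    {"email": "carol@example.com", "active": True, "login": "password"},
    {"email": "dave@contractor.example", "active": True, "login": "password"},
    {"email": "erin@example.com", "active": False, "login": "sso"},
]


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str


def audit_saas_accounts(idp_users, saas_users):
    """Compare a SaaS user list against the IdP and return identity findings."""
    findings = []
    for acct in saas_users:
        # Normalize so case differences between exports do not hide a match.
        email = acct["email"].strip().lower()
        if not acct["active"]:
            continue  # already disabled in the app, nothing left to revoke
        status = idp_users.get(email)
        if status is None:
            # Account exists only in the app: an identity silo outside corporate IAM.
            findings.append(Finding(email, "not_in_idp"))
        elif status != "active":
            # Ex-employee still enabled in the SaaS user list.
            findings.append(Finding(email, "offboarded_but_active"))
        if acct["login"] != "sso":
            # Local password login skips the IdP's password and MFA policy.
            findings.append(Finding(email, "bypasses_sso"))
    return findings


if __name__ == "__main__":
    for f in audit_saas_accounts(IDP_USERS, SAAS_USERS):
        print(f"{f.issue:24} {f.email}")
```
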
Case study
Box, a SaaS storage/collaboration tool, had customers inadvertently create publicly indexable “shared” links. This led to sensitive files being exposed online. Identity-driven controls—like restricting link generation to certain user groups—would have reduced the risk.