How to secure SaaS: Understanding the cloud’s security layers


When you address security in the cloud for your enterprise use, you need to think of it in several layers:

  • Layer 0 is the primary IaaS cloud on which everything else runs; typically, Amazon Web Services, Microsoft Azure, Google Cloud Platform, IBM Cloud, or Alibaba.
  • Layer 1 is the SaaS provider for your applications and servers. The SaaS offerings typically run on (someone else’s) Layer 0 provider, or come from a Layer 0 provider that also offers SaaS. Your own cloud-delivered apps are in this layer as well.
  • Layer 2 is the specific application and its user.

What can be confusing is understanding what layers reside where. For example, there are more than 3,000 SaaS providers out there—CRM and accounting systems, health care portals, bail-bond management, you name it—that run on someone else’s IaaS cloud, such as AWS. You often won’t know what IaaS Layer 0 providers they use, or if they use several.

Furthermore, within the SaaS Layer 1, SaaS providers group users into “macrotenants,” which are typically composed of users (more importantly, departments) from the same enterprise customer.

Then there’s the user in Layer 2, who has credentials to specific applications and services and is using computers, browsers, and networks typically not managed by either the IaaS or SaaS provider. In other words, Layer 0 is within the IaaS provider’s control, and Layer 1 is within the SaaS provider’s control. Layer 2 is not.