With Software as a Service (SaaS) solutions, the security options that you can control may be only at the application level. In a Public Cloud scenario, this requires a high degree of trust in the cloud vendor because they have complete control of the infrastructure and platform layers. As well as their reputation and track record, you should assess the processes they have in place to provide security. When performing due diligence you should also assess whether they can provide network security in addition to application and data security. While network security is not typically considered a part of SaaS, there is no reason it cannot be implemented in addition to the application-specific controls included in the SaaS solution. You should be absolutely clear about where security responsibilities lie, and you should use SLAs and contracts to define exactly which security responsibilities belong to the cloud vendor and which belong to the customer.
Another factor with Public Cloud-based SaaS solutions is app stores. The cloud vendor might offer only their own applications in their app store, but increasingly app stores act as shop fronts for many SaaS application vendors. It is possible for malware to be posted to an app store; indeed, in the cell phone arena, the Google Android app store had exactly this problem in the past. What processes does the cloud vendor have in place to test the apps in the app store? Do you trust the app vendor as well as the cloud vendor?
If you are deploying your own SaaS software in the Public Cloud you should assume that it will be scanned by hackers looking for vulnerabilities. Threats such as SQL injection are well known and straightforward to exploit, but if security guidelines are followed when developing applications, they are also straightforward to prevent.
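As an added illustration of the point above (this is example code written for this page, not code from the original article or from any product it mentions), the following shows the classic SQL injection defect beside its fix. It uses an in-memory SQLite database with constructed sample rows; the lookup functions and the sample inputs are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not real users).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, username):
    # Defective pattern: the caller-supplied value is spliced into the SQL
    # text, so it can change the structure of the query, not just its data.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_role_safe(conn, username):
    # Hardened pattern: a parameterised query. The database driver keeps the
    # SQL text and the value separate, so the value is only ever data.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: a value that is always true when spliced
    # into the WHERE clause of the vulnerable query.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_role_vulnerable(conn, normal),
        "vuln_hostile": lookup_role_vulnerable(conn, hostile),
        "safe_normal": lookup_role_safe(conn, normal),
        "safe_hostile": lookup_role_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the hostile input, the vulnerable lookup returns every row in the table while the parameterised lookup returns nothing, which is exactly the difference a code review or a security test should look for. The same separation of code and data applies to any database driver; the placeholder syntax (`?`, `%s`, `:name`) varies, but string concatenation of untrusted input into SQL text is the defect regardless of driver.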
In the Private Cloud, the threats are different, but not removed. In the absence of app stores, there is less threat of malware from outside the company; however, poorly written apps can be just as damaging as malicious code. The private network should be treated with the same level of scrutiny as the Internet, and in addition to well-written, well-tested and secure Private Cloud SaaS solutions, you should have proven, well-tested network and data security.
Please review the Cloud Storage section on the IaaS page.
Although SaaS is not concerned directly with storage, you should ensure that data is encrypted as it travels across the Internet and if the data is stored at a Public Cloud vendor facility you should investigate their storage encryption mechanisms and their overall storage architecture. Specialist storage vendors typically store all of the data from all customers together and therefore the risks of data being accessed by another customer from the same cloud vendor can be high. To avoid this risk, you should encrypt all data stored in the public cloud and store sensitive data on private systems.
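The in-transit encryption requirement above is usually decided by how the client side is configured rather than by the SaaS vendor. The following is an added example, not code from the original page, showing a hardened Python TLS client context beside the weakened form that "make the certificate error go away" fixes tend to produce, plus a small audit function that flags the weak settings. Function names are hypothetical; it uses only the standard `ssl` module and opens no network connections.

```python
import ssl


def make_client_context():
    # Hardened client context: the server certificate must chain to a trusted
    # CA, the hostname must match it, and nothing older than TLS 1.2 is used.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context():
    # Constructed example of a weakened context: certificate and hostname
    # checks disabled, so any party on the path can present its own certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode below
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        # Builds that have removed TLS 1.0 refuse this; that refusal is the
        # safe behaviour, so the audit simply will not see this finding.
        pass
    return ctx


def audit_context(ctx):
    # Returns a list of findings; an empty list means the context passes.
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()))
    print("weak:    ", audit_context(make_weak_context()))
```

An audit like this belongs in a unit test for any in-house client that talks to a SaaS API, because a disabled verification setting is invisible at runtime: the connection still "works", it just no longer proves who is on the other end.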
As well as the SaaS software itself, you should also consider browser vulnerabilities and compatibility. Browser updates should be implemented quickly, but should also be tested to ensure they are fully functional with the SaaS software. Processes should be put in place to test, evaluate, and deploy critical browser updates.
ARCHITECTURAL DESIGN EXAMPLE:
Thomas W Shinder - MSFT edited Revision 2. Comment: added links and community note.
Thomas W Shinder - MSFT edited Revision 1. Comment: first edit complete