4 Priorities for Cloud Security Architecture

Oct 18, 2022



Josh Mayfield
VP Product Marketing

Cloud security is the center of attention for most organizations. And most programs place a special emphasis on defending infrastructure-as-a-service (IaaS) but overlook software-as-a-service (SaaS) when developing durable, sustainable cloud security architecture.  

In reality, security architecture is best served by incorporating SaaS security with IaaS security to achieve a comprehensive design that secures each layer of our cloud environments. Today, Gartner forecasts $168 billion in SaaS spending in 2022, representing a 19% YoY growth. And by the year 2030, some experts predict ungoverned SaaS (business-led SaaS) will represent over 80% of the total SaaS estate.

With all this in mind, here are four key priorities for enterprise cloud security architecture—protecting each cloud service layer.  

Priorities for Cloud Security Architecture

#1 Embrace Business-led IT

In 2021, 83 percent of organizations reported the value of business-led IT strategies—characterized by business teams identifying and sourcing technology, especially SaaS. And in 2022, according to Gartner, 36 percent of SaaS spending will be outside core IT budgets, selection, procurement, support, and security oversight. For security architects, this comes down to accepting the reality of business-led IT and building future designs to secure it.  

INSIGHT | Map and graph user-SaaS relationships across the SaaS service layer, including business-led SaaS, risky or abandoned SaaS, and production and security-controlled SaaS.  

#2 Change the Mindset to Multi-layered Cloud Security

For most organizations, cloud security is a common focus. It is also common to bias cloud security focus toward infrastructure-as-a-service (IaaS), while neglecting the most challenging cloud service layer—software-as-a-service (SaaS). And what is more concerning is how the SaaS service layer can create systemic cloud risk, because of the unmatched privilege to control business and information systems via SaaS services. After all, cloud computing has always consisted of three service layers—IaaS, PaaS, and SaaS.

Figure 1.1 - Multi-layered Cloud Security

Today, the SaaS service layer consists of billions of user-SaaS relationships, connections, and activity—dwarfing the digital footprints of IaaS and PaaS—accounting for more than 75 percent of cloud services used by today’s organizations, according to Cisco. Much of this unchecked activity is the result of the other trends we see with unbundling, industry-cloud SaaS services, and the meteoric rise of micro-SaaS.  

SaaS security is not only consistent with overall cloud security, it is entailed by it—because SaaS is the principal technology used to access and control everything else, including IaaS systems and IaaS security controls. While IaaS protection is fundamental to overall cloud security, the inherent risk of SaaS left unguarded cannot be ignored.

INSIGHT | Baseline cloud risks, adopting a layered mindset that includes SaaS security and prevention, prioritized for access exposure (e.g., weak credentials or SSO violations).

#3 Unified: Your New Favorite Word

Most organizations today operate a complex environment that includes numerous operating system platforms and diverse, multi-faceted SaaS services, along with IaaS cloud providers. Depending on your industry, this also often includes a variety of operational and business-led cloud services (IaaS and SaaS). Each of these entities belongs to a cloud service layer, whether it is a long-term resident like an ASN or a temporary technology, as is the case with the thousands of SaaS services in most organizations.

The primary motivation for multi-faceted SaaS, multi-cloud security strategies is to unify.

Today’s security architects must build defenses for their multi-faceted SaaS, multi-cloud, cross-platform reality. A litany of tools, techniques, and technologies has come to serve this purpose: cloud security posture management (CSPM) for control and visibility, cloud workload protection platforms (CWPP) for threat detection and vulnerability analysis, and cloud infrastructure entitlement management (CIEM) for orchestrating authorization and authentication to IaaS systems.

As for the SaaS service layer, we see the rise of solutions like SaaS security posture management (SSPM) and SaaS security control plane (SSCP).  

INSIGHT | The goal for security architecture is to design a unified defense for cloud services that is universally applicable to each specific cloud service layer (IaaS or SaaS).

#4 Technology Considerations

According to Gartner, increasingly complex cloud implementations require security and risk teams to wade through an assortment of tools and technologies, but collectively these tools help provide a coverage map well-suited to today’s security architectural demands.

IaaS Security Controls

Cloud Security Posture Management (CSPM)

A category of automated data security solution that manages monitoring, identification, alerting, and remediation of compliance risks and misconfigurations in cloud environments. One of its most critical functions is the continuous, proactive process of enterprise-wide asset visibility, configuration assessment, and transformation, with the goal of reaching a target security state.

Sample vendors include Aqua Security, Check Point, Microsoft, Orca Security, Palo Alto Networks, and Wiz.  

Cloud Infrastructure Entitlement Management (CIEM)

Typically used to monitor and manage account entitlements across user accounts to cloud infrastructure (IaaS), cloud infrastructure entitlement management (CIEM) identifies dormant and unnecessary entitlements on user accounts and enables remediation and enforcement of least privilege security approaches. One of its most critical functions is identifying excessive entitlements by continuously monitoring the permissions and activity of human and nonhuman entities related to IaaS, both for public and private cloud.

Sample vendors include Ermetic, Microsoft, Orca Security, Sonrai Security, Wiz, Zilla Security, and Zscaler.  

Cloud Workload Protection Platform (CWPP)

A workload-centric solution for securing application targets with unique protection requirements, often as a necessary translation of protection schemes migrating from on-premises application controls. Workloads in modern cloud environments can include physical servers, virtual machines (VMs), containers, microservices, and serverless workloads. One critical function for CWPP is the combination of system integrity protection, application control, and behavioral monitoring, as well as optional anti-malware from some vendors.

Sample vendors include CrowdStrike, Fidelis, McAfee, Microsoft, Sophos, and VMware.

Cloud-Native Application Protection Platform (CNAPP)

A solution with an integrated approach, intended to consolidate key functions of cloud security tools such as configuration and posture management as well as cloud workload protection capabilities. Additionally, CNAPP functions as a unifying solution across siloed capabilities, including container security, infrastructure as code scanning (IaC), infrastructure entitlements (CIEM), runtime workload protection (CWPP), and monitoring cloud security posture (CSPM). One critical function for CNAPP is improving developer and security professional effectiveness and collaboration, shifting security controls left and right throughout the cloud application lifecycle.

Sample vendors include Aqua Security, Lacework, McAfee, Palo Alto Networks, Snyk, Sysdig, and Wiz.

SaaS Security Controls

SaaS Security Control Plane (SSCP)

An identity-based architectural element commonly leveraged to discover SaaS services and user-SaaS relationships, identifying risky access controls, malicious or abandoned SaaS services, credential exposures and accumulated risk throughout the SaaS service layer. One critical function of SSCP is unified visibility and control over SaaS services, leveraging identities as the primary enforcement point in user-SaaS connections, including automating offboarding for SaaS services, SaaS users, or any combination of the two.

SSCP is typically part of a broader cloud security strategy, complementing capabilities such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), and cloud access security brokers (CASB).  

Sample vendors include Grip Security.
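As an added illustration (not code from the original post or from Grip's product), the script below builds the user-SaaS graph that the #1 insight calls for and then flags the access exposures named in the #2 insight and in the SSCP description above: SSO bypass via password login, abandoned SaaS, and unsanctioned business-led SaaS. The events, domains, sanctioned-app list and the 90-day abandonment threshold are constructed assumptions.

```python
"""Build a user-SaaS relationship graph from sign-in events and flag exposures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (user, app, auth method, date).
EVENTS = [
    ("alice@example.com", "crm.example-saas.com", "sso", "2022-10-01"),
    ("alice@example.com", "crm.example-saas.com", "password", "2022-10-10"),  # SSO exists but was bypassed
    ("bob@example.com", "notes.example-saas.com", "password", "2022-03-02"),  # no activity for months
    ("carol@example.com", "crm.example-saas.com", "sso", "2022-10-15"),
    ("carol@example.com", "survey.example-saas.com", "password", "2022-10-12"),  # business-led, unsanctioned
]
SANCTIONED = {"crm.example-saas.com"}   # assumed list of security-controlled SaaS
NOW = datetime(2022, 10, 18)            # assumed evaluation date
ABANDON_AFTER = timedelta(days=90)      # assumed threshold for "abandoned" SaaS


def build_graph(events):
    """Return {app: {user: {"methods": set of auth methods, "last_seen": datetime}}}."""
    graph = defaultdict(dict)
    for user, app, method, date in events:
        seen = datetime.strptime(date, "%Y-%m-%d")
        rel = graph[app].setdefault(user, {"methods": set(), "last_seen": seen})
        rel["methods"].add(method)
        rel["last_seen"] = max(rel["last_seen"], seen)
    return graph


def find_exposures(graph, sanctioned=SANCTIONED, now=NOW):
    """Return sorted (severity, finding, app, user) tuples; severity 1 is highest."""
    findings = []
    for app, users in graph.items():
        sso_available = any("sso" in rel["methods"] for rel in users.values())
        last_activity = max(rel["last_seen"] for rel in users.values())
        if now - last_activity > ABANDON_AFTER:
            findings.append((2, "abandoned-saas", app, ""))
        if app not in sanctioned:
            findings.append((3, "business-led-saas", app, ""))
        for user, rel in users.items():
            # An SSO-enabled app reached with a password is an SSO violation.
            if sso_available and "password" in rel["methods"]:
                findings.append((1, "sso-bypass", app, user))
    return sorted(findings)


if __name__ == "__main__":
    for severity, finding, app, user in find_exposures(build_graph(EVENTS)):
        print(f"[P{severity}] {finding:18} {app} {user}")
```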

SaaS Security Posture Management (SSPM)

A solution for continuously assessing security risk for specific SaaS applications, generally related to 10-20 SaaS services per organization. Typically, SSPM follows the implementation of SSCP in most cloud security programs. SSPM’s core capability includes reporting on configuration failures or exposures within SaaS services, managing authorization, and insider threat indicators. Some SSPM solutions offer optional benchmarking and compliance comparisons with security and industry frameworks along with auto-reconfiguration for SaaS permissions.

Sample vendors include Adaptive Shield, AppOmni, DoControl, Obsidian, Zilla Security, and Zscaler.

SaaS-Delivered IAM

Also known as identity and access management as a service (IDaaS) or IAM as a service, this tool set is a subset of identity management and identity governance solutions, deployed as a service instead of on-premises or IaaS-hosted services. One key function for SaaS-Delivered IAM is the ability to provide single sign-on (SSO) access control and governance, typically via Security Assertion Markup Language (SAML) or OAuth access authentication controls. Optional functions for privileged access management (PAM) and customer identity and access management (CIAM) help to add value to SaaS-Delivered IAM tools.

Sample vendors include Cisco (Duo Security), CyberArk, Microsoft, Okta, OneLogin, Ping Identity, and SailPoint.


Security architecture for cloud services (IaaS and SaaS) is asymmetric, asynchronous, and amorphous. To secure it, we need to build on the principle of outcomes over ownership, facilitate analysis and intelligence captured by observing how cloud layers work, how they are accessed, authorized, controlled, and monitored against threats—internal and external. Central to modern security architecture is a multi-layered mindset for cloud security, one that mirrors the criticality of both IaaS and SaaS service layers.  

Mirror cloud controls to cloud service layers

As with IaaS security, we must approach SaaS security architecture holistically, deprioritizing methods limited to SaaS provider APIs or predetermined user pathways within the SaaS service layer. When SaaS security controls are paired with key IaaS security controls, then we can confidently protect multi-dimensional, multi-layered, multi-faceted cloud services—customers and clouds, employees and websites, partners and portals, users and apps—anyone and anything.
