Who is responsible for security in SaaS?

We answer this directly: protection of cloud applications follows a shared responsibility model. Providers secure the platform and core infrastructure. We, as customers, must secure identities, configurations, and data inside our tenant.

Recent 2024 incidents at Snowflake show the point. Attackers used stolen credentials and missing MFA to reach customer accounts. That was not a provider-side breach of enterprise systems. The example clarifies roles and the stakes for business leaders.

In this Ultimate Guide, we map those responsibilities into practical controls. We define terms such as tenant, provider, identity, and least privilege so technical teams and non-specialists share a clear vocabulary.

Our goal is action: better access control, less data exposure, and clear audit evidence. Each section ends with steps you can apply across multi-SaaS environments.

• The model splits duties: platform protection by providers, tenant controls by customers.
• Credential theft and missing MFA drove recent Snowflake customer incidents.
• Clear definitions help align IT, security, and business teams.
• We convert responsibilities into controls, templates, and verification steps.
• Outcomes include stronger access, lower data risk, and better compliance evidence.

Recent incidents show why a practical playbook for cloud control is no longer optional. In spring 2024, UNC5537 used stolen credentials and absent MFA to access Snowflake customer databases. Mandiant found no evidence that Snowflake’s enterprise environment was breached.

Those events sit beside provider outages such as Atlassian’s prolonged 2022 disruption caused by an internal script error. Together they highlight two concurrent risks: availability and tenant-level compromise.

We explain how attackers target identity and configuration gaps inside tenants. That means prioritizing strong authentication and continual monitoring across applications.

• As more applications and services move to the cloud, the attack surface grows with operational complexity.
• Regulators now expect demonstrable controls over user access, data sharing, and recovery—not just policies.
• Clear division of duties speeds response and reduces finger-pointing during incidents.
• Shadow IT and decentralized app purchases increase exposure; visibility and governance are foundational.

We set the stage for a pragmatic blueprint that maps the shared responsibility model to tools, detection, and repeatable controls you can apply in your environment.

People often ask the question when they encounter unclear boundaries between platform controls and tenant settings. That uncertainty usually reflects real risk: misconfigurations, missing MFA, and accidental data exposure.

The shared responsibility model clarifies duties. The provider secures the platform, infrastructure, and uptime. We secure identities, data, configuration, and compliance inside our tenant.

Practically speaking, the shared responsibility splits ownership of controls. Infrastructure protections belong to the provider. Tenant controls — MFA, role design, sharing policies, and access governance — belong to us.

• Map controls to roles: access governance, data loss prevention, and activity monitoring are customer tasks.
• Choose scalable controls: centralized SSO, consistent password policies, and automated offboarding reduce human error.
• Complement native features with SSPM or ITDR to close visibility and response gaps.

Clarity reduces risk: explicit responsibilities prevent gaps like over-permissioned accounts and risky link-sharing. We must be accountable for outcomes and audit evidence, not just aware of defaults.

We draw a clear line: platform-level defenses belong to the provider, while tenant controls belong to the account owner.

Mandiant found that the 2024 Snowflake incidents arose from stolen credentials and absent MFA, not a breach of the vendor’s enterprise environment. This underscores customer responsibility over identity and access controls.

We state this without ambiguity: the shared responsibility model sets non-overlapping duties. Providers secure the platform, uptime, and core patching. Customers manage identities, configuration baselines, and data protection.

Key point: poor controls on our side—weak passwords, absent MFA, over-broad permissions—lead to compromise even when provider defenses are sound.

We will next unpack the shared responsibility model with practical controls and verification steps you can apply immediately across your applications and services.

We define clear boundaries so teams can act fast and reduce exposure. The shared responsibility model separates platform duties from tenant controls. That split makes it simple to assign task owners and audit evidence.

Providers secure the platform: physical facilities, network segmentation, patching, and encryption at rest and in transit. They also maintain uptime and platform telemetry.

We secure access, data handling, configurations, and compliance evidence inside our tenant. That includes MFA, SSO, role design, and export restrictions for sensitive data.

• Encryption: provider manages disk encryption; we control key access and role permissions to decrypt or export data.
• Patching: provider patches hosts; we apply secure configuration baselines to services and applications.
• Monitoring: provider supplies platform logs; we run tenant-level detection and retention to meet audit needs.

The model reduces blind spots by matching visibility to authority. Clear lines stop overlap, prevent over-permissioned accounts, and make compliance evidence straightforward.

Next: we itemize provider and customer responsibilities into actionable controls you can verify and monitor across applications and the cloud environment.

A robust provider posture starts with secure defaults and a clear plan for patching and incident response.

Secure-by-design features appear as strong password policies, MFA prompts, and safe defaults that nudge users to adopt better practices. These features reduce risk before customers configure settings.

Major providers harden data centers with access controls, surveillance, and environmental protections. Network defenses include segmentation, firewalls, and IDS/IPS to block attacks in real time.

On the application side, providers patch OS and database layers, apply secure coding standards, and enforce encryption for data at rest and in transit.

Vulnerability management combines continuous scanning, prioritized remediation, and prompt customer alerts for critical issues. Incident response covers detection, containment, recovery, and transparent communication to help tenants assess impact.

Practical defense in multi-tenant clouds starts with customer-led controls over accounts and data. We must translate policy into daily controls that prevent account takeover and data exposure.

We mandate SSO and enforce MFA for all users, including privileged accounts. Robust password policies and automated lifecycle rules reduce credential risk and simplify access management.

Classify sensitive data and apply tenant-available encryption options. Retention settings and tenant backups are our obligation; provider snapshots do not replace restore-ready backups.

Define roles, enforce least privilege, and audit permissions frequently. Deprovision dormant accounts and manage non-human identities (API keys, service accounts) through rotation and limited scopes.

We train users to spot phishing, vet SaaS-to-SaaS scopes, and restrict risky sharing. Continuous monitoring and threat hunting of admin and user activity provide early warning and forensic evidence.

Real incidents teach precise lessons: small tenant gaps often cause large customer impact.

Snowflake in 2024 shows that stolen credentials plus missing MFA let attackers reach customer accounts even when the platform remained intact. These data breaches underline how tenant-level controls matter.

Dropbox’s 2012 case began with an employee’s reused password. That breach exposed user records and taught a lasting lesson: credential hygiene and staff MFA are essential.

Capital One (2019) resulted from a misconfigured firewall in a cloud tenant. The cloud provider’s infrastructure did not fail; a customer setting did. That shows how costly configuration errors can be.

Atlassian’s 2022 incident—an internal script that deleted critical resources—demonstrates provider-side outages impact availability. Customers need recovery plans and documented runbooks.

• Core themes: enforce org-wide MFA, apply least privilege, and run continuous monitoring.
• Validate third-party integrations and rotate secrets to shrink blast radius.
• Practice tabletop exercises for tenant compromise and provider outage to speed recovery and clarify responsibilities.

Simple user actions often open attack paths across multiple applications and platforms. Public links, anonymous sharing, or broad folder permissions in Google Drive, Box, or SharePoint/OneDrive can expose sensitive data quickly.

Public link sharing and permissive folders are frequent causes of data exposure. Apply DLP rules, default to private sharing, and run periodic audits of shared links.

Over-permissioned roles, former employees with lingering access, and unmanaged external admins create attack paths. Enforce least privilege, automate offboarding, and schedule regular access reviews.

Outages and infrastructure failures affect availability. Understand SLAs, keep runbooks, and design multi-region or backup strategies to preserve operations and compliance evidence.

Connected apps can inherit broad scopes. Maintain an application registry, whitelist trusted integrations, and revoke unused OAuth grants. Vet vendors and limit scopes to reduce blast radius.

Phishing, malware, and account takeover remain top vectors. Combine MFA, user education, anomaly detection, and monitoring of unusual downloads to cut compromise likelihood.

• Measurable mitigations: automated offboarding, entitlement reports, DLP incidents reduced, and OAuth audit logs.
• Practical steps: enforce PoLP, schedule access reviews, and document policies and recovery tests for auditors.

Compliance demands often reveal gaps between platform backups and tenant obligations. Regulators and auditors expect clear controls over retention, recovery, and handling of regulated data.

We map common frameworks — HIPAA, SOC 2, ISO 27001, and GDPR — to practical controls. Each requires auditable retention schedules, secure handling of sensitive data, and demonstrable recovery procedures.

Providers keep system-level snapshots to protect platform continuity. Those backups are for disaster recovery of the provider’s infrastructure, not for tenant restores.

Customers must maintain tenant-level backups and define retention that meets regulatory needs. HYCU and other vendors highlight mistakes such as assuming provider snapshots equal tenant restores and neglecting retention duties.

Define RPO and RTO for each data category. Keep evidence of restore tests: logs, screenshots, and sign-offs. Document retention schedules and map them to each application and jurisdiction.

• Maintain a control matrix that maps responsibilities and artifacts.
• Centralize backup policies across major saas applications to simplify audits.
• Avoid relying on recycle bins or brief restore windows for regulated retention needs.

Key point: clear ownership, scheduled testing, and audit-ready documentation prevent surprises during incidents and regulatory reviews.

Practical toolchains let teams enforce controls, detect drift, and respond to incidents fast. We pair policy with technology so the model drives measurable outcomes across applications and platforms.

SSPM continuously checks configuration baselines and surfaces deviations that raise risk or violate compliance. That prevents drift before it becomes an incident.

IAM for SaaS enforces least privilege through automated access reviews, role rationalization, and lifecycle workflows. These practices cut excess entitlements and speed audits.

ITDR detects identity-centric threats—impossible travel, odd token use, or atypical downloads—and orchestrates containment steps to limit damage.

Unknown apps increase exposure. Shadow app discovery quantifies unauthorized usage and brings renegade integrations under governance or removes them.

Centralized event monitoring enriches alerts with user, device, and network context. That context accelerates triage and root-cause analysis during security incidents.

We recommend a simple roadmap: start with high-value applications, establish baselines, automate reviews, and expand to broader services.

• Outcomes: fewer misconfigurations, faster detection, stronger audit evidence for data handling and recovery.
• Vendor criteria: broad platform coverage, deep configuration checks, API-based monitoring, and response automation (Reco, Valence emphasize these areas).

Start by mapping every application, admin, and integration. Inventory reveals crown-jewel data, privileged users, and tokens that can move or export data.

Next, enforce tenant-side controls urgently: enable SSO and require MFA for all accounts (privileged first). Set baseline configurations: disable public links, require justification for external sharing, and log admin actions.

Implement least privilege through role templates, scheduled access reviews, and fast offboarding tied to HR events. Catalog non-human identities, revoke unused API keys and OAuth grants, scope permissions, and rotate secrets regularly.

• Deploy monitoring to alert on atypical downloads, impossible travel, and admin changes outside maintenance windows.
• Add threat hunting focused on high-value platforms (Mandiant guidance is a useful reference for Snowflake-like environments).
• Define tenant-level backups with clear RPO/RTO and run routine restore tests.

We track progress with KPIs and report to leadership. These practical measures, paired with provider features and the right tools, operationalize the shared responsibility model and reduce tenant risk across the cloud environment.

This final note pulls together lessons from Snowflake, Dropbox, Capital One, and Atlassian into concrete actions.

We reaffirm that responsibility is shared: the provider secures the platform while we own identities, configurations, and how data is used and shared.

Essential controls: enforce MFA/SSO, apply least privilege, manage integrations and non-human identities, and monitor for anomalies to protect data and reduce risk.

Tenant-level backups and recovery tests are non‑negotiable. They provide restore readiness and audit evidence when compliance or business continuity matters.

Start with high-impact applications, track metrics, and expand. Implement MFA everywhere, inventory integrations, codify baselines, and schedule your first cross-application access review and recovery test.

We stand ready to help design, implement, and improve a responsibility-aligned program so your teams reduce risk, meet compliance, and strengthen resilience.