Software as a Service (SaaS) removes much of the customer's infrastructure and application-operation burden, but it does not remove customer responsibility for the way the service is used.
Software as a Service (SaaS) removes much of the customer’s infrastructure and application-operation burden, but it does not remove customer responsibility for the way the service is used. In SaaS, the provider usually operates the application platform, runtime, and core feature set. The customer still owns user lifecycle, access governance, tenant configuration, sharing rules, data classification, retention choices, integration scope, and many of the business consequences that follow from those decisions.
This is why SaaS is one of the most commonly misunderstood service models in shared responsibility work. Teams often see that the provider runs “the whole application” and infer that security is now mostly a provider concern. That reading misses where most SaaS failures actually come from: weak admin controls, unsafe sharing settings, unmanaged accounts, over-broad integrations, and poor data governance.
The boundary is better understood as platform operation versus tenant governance:
flowchart LR
A["Provider operates SaaS platform"] --> B["Application runtime, service delivery, baseline feature controls"]
C["Customer governs tenant use"] --> D["Users and roles"]
C --> E["Sharing and integration settings"]
C --> F["Retention, deletion, and data policy"]
What to notice:
The customer commonly remains responsible for:
This is why the customer can still create a serious security problem in a well-operated SaaS platform. The provider may deliver the service exactly as intended. The tenant can still be governed badly.
1service_model: saas
2workload: enterprise-collaboration-suite
3
4provider_responsibilities:
5 - platform-operations
6 - service-availability-baseline
7 - core-application-security-engineering
8
9customer_responsibilities:
10 - user-lifecycle-and-mfa-policy
11 - tenant-admin-role-assignment
12 - external-sharing-controls
13 - data-retention-and-deletion-rules
14 - approved-app-integrations
What this demonstrates:
SaaS environments often fail quietly because the risky decisions do not look like traditional infrastructure changes. A public sharing setting, a stale privileged account, or an unreviewed API integration can cause major customer exposure without any virtual machine, container, or firewall rule ever changing. That makes tenant governance discipline especially important.
A company uses a provider-operated HR SaaS platform and claims the provider is mainly responsible for protecting employee records because the provider runs the application. The company itself manages who gets HR admin access, what external integrations are enabled, and how long records are retained. Is the claim accurate?
No. The stronger answer is that the provider operates the SaaS platform, but the customer still owns critical controls around user access, tenant settings, integrations, retention, and business compliance obligations. The service being SaaS does not eliminate customer governance.