ISO Standard

Software as a Service (SaaS)

Software as a Service (SaaS) is a cloud computing service that allows users to access a provider's applications over the internet, typically via a web browser, without managing the underlying infrastructure.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is Software as a Service (SaaS)?

According to the U.S. National Institute of Standards and Technology (NIST), SaaS is the capability provided to the consumer to use the provider's applications running on a cloud infrastructure. The consumer does not manage or control the underlying network, servers, operating systems, or storage, with the possible exception of limited user-specific application configuration settings. This model allows businesses to rapidly deploy applications and reduce upfront costs.

Why should Taiwanese companies prioritize SaaS risks?

When adopting SaaS, Taiwanese companies face challenges such as data breaches, regulatory compliance, and trade secret protection. Under the "Shared Responsibility Model," SaaS providers are responsible for the security of the cloud, while the customer is responsible for security in the cloud, including data access and user behavior. Mishandling these responsibilities can lead to violations of Taiwan's Personal Data Protection Act (PDPA) or Trade Secrets Act, resulting in significant fines and reputational damage. As supply chain security requirements become stricter, managing SaaS risk is a critical issue for businesses.

Which ISO standards or international regulations are directly related to SaaS?

SaaS risk management is highly relevant to several international standards. ISO/IEC 27001:2022, Annex A.5.23 "Information security for use of cloud services," explicitly requires organizations to establish processes for the acquisition, use, management, and exit from cloud services. Furthermore, ISO/IEC 27017 provides a code of practice for information security controls for cloud services, and ISO/IEC 27018 focuses on the protection of personally identifiable information (PII) in public clouds.

Why choose Winners Consulting for SaaS risk assessment?

Winners Consulting is Taiwan's pioneering management consulting firm integrating ERM, industrial engineering, technology law, and data science. We have assisted leading companies like TSMC and MediaTek in incorporating SaaS risks into their information security and trade secret protection frameworks. Our team, led by a founder with a background in preventive law, includes technology lawyers, ISO Lead Auditors, and AI experts. We vertically integrate ISO 27001 and ISO 27017 with corporate governance and internal controls, ensuring your SaaS adoption achieves an optimal balance between regulatory compliance and operational efficiency.
