Confidential SaaS: A new security paradigm for software-as-a-service

Thomas Strottner


The cybersecurity and data privacy requirements for SaaS companies are growing every year, especially in B2B SaaS, FinTech, HealthTech, and LegalTech. Customers around the world are increasingly subject to strict data protection and compliance requirements, and data breaches are getting more and more expensive. In fact, IBM found that --- for companies without zero trust solutions implemented --- the average data breach costs more than $5M! In addition, data protection is a core feature that impacts customers' perception of a service provider and their willingness to pay.

How to ensure security and data protection in SaaS?

When it comes to running software on public clouds and "renting it" to others for use, there are two key security problems:

1. How can SaaS companies ensure that the cloud provider and its admins cannot access any of their customers' data?

2. How can SaaS customers be reassured that compromised infrastructure doesn't lead to a data leak?

In traditional SaaS, the answer to both questions used to be: "They cannot". First, SaaS companies had no chance to fully remove the cloud provider from the trust equation. Of course, lengthy data processing agreements are usually put in place with AWS, Azure, GCP and co. But the situation is highly complex, especially due to the US CLOUD Act, which is short for "Clarifying Lawful Overseas Use of Data Act". The law gives the US government the right to access data that resides on clouds from US companies, even when the datacenter is in the EU. Thus, it is inherently not compatible with GDPR.

Second, in traditional SaaS, users had no option to verify that their (company's) data is safe from unauthorized access. They could not get assurance that no attacker had intercepted the communication or exploited security vulnerabilities on the cloud platform.

Existing security solutions for B2B SaaS are painful and expensive

Due to security concerns, many SaaS customers, for example in the public sector, healthcare, and financial services, require on-premises deployments or the setup of so-called "virtual private clouds". Both increase the costs of a deployment, as well as the time to close new deals. On top, these deployments place a heavy burden on both the SaaS provider and its customers when it comes to maintenance and updates, further increasing costs throughout the customer lifetime.

The need to deploy software in multiple heterogeneous environments leads to technical challenges. Some SaaS providers are solving these challenges with additional infrastructure tools like Replicated, which wraps applications and facilitates deployments across environments.

To reduce the number of on-prem deployments, SaaS companies are raising the bar to receive this special treatment. For example, Atlassian has increased the minimum number of seats for Jira's "data center" option to 500. Thus, any company with fewer than 500 seats is likely looking for an alternative solution (Note: In fact, we've heard that from one of our partners).

Confidential Computing ensures security and facilitates SaaS deployments

Confidential computing is a new security paradigm that enables true end-to-end encryption of data, not only at rest and in transit, but also while in use. Thus, data always stays encrypted in the cloud and can never be read in clear text. In addition, confidential computing comes with remote attestation features to verify the integrity of workloads: before a client entrusts data to a workload, it can check a hardware-signed statement of what code is actually running. In a SaaS scenario, this enables companies to use the public cloud as usual, but ensure that the cloud service provider, admins, and hackers can never access any data.

Confidential computing is based on the latest hardware, e.g., by AMD, which is widely available on most cloud platforms. In contrast to technologies like Homomorphic Encryption, confidential computing has almost no performance impact and can already be used in practice.
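To make the attestation step concrete, here is an added example of how a SaaS customer's client could gate the release of a data-encryption key on a verified attestation report. This is my own illustration for this article, not Constellation's code and not any CPU vendor's API. The report format, the HMAC-based signature standing in for the hardware signature, the `debug` flag, and the measurement values are all constructed assumptions; real CPUs sign reports with vendor-rooted keys and the client verifies that certificate chain instead of a shared key.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the hardware attestation key. In real confidential
# computing the report is signed inside the CPU and chained to the vendor's root
# certificate; a shared HMAC key is used here only to keep the example offline.
ATTESTATION_KEY = b"hypothetical-hardware-attestation-key"

# The measurement (hash of the workload) the customer expects for the approved
# container image. In practice this comes from a reproducible build; the image
# descriptor below is a constructed sample value.
APPROVED_IMAGE = b"saas-app:1.4.2 (constructed sample image descriptor)"
EXPECTED_MEASUREMENT = hashlib.sha256(APPROVED_IMAGE).hexdigest()


def produce_report(measurement: str, nonce: str,
                   signing_key: bytes = ATTESTATION_KEY) -> dict:
    """Simulated TEE side: bind the workload measurement to the verifier's nonce
    and sign the result. HMAC stands in for the hardware signature."""
    body = {"measurement": measurement, "nonce": nonce, "debug": False}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_report(report: dict, expected_nonce: str,
                  expected_measurement: str) -> Tuple[bool, str]:
    """Verifier side: check signature, freshness, debug state, then measurement.
    Every comparison is constant-time to avoid leaking partial matches."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected_sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["signature"]):
        return False, "signature invalid: report not produced by trusted hardware"
    body = report["body"]
    if not hmac.compare_digest(body["nonce"], expected_nonce):
        return False, "nonce mismatch: stale or replayed report"
    if body.get("debug"):
        return False, "debug mode enabled: enclave memory could be inspected"
    if not hmac.compare_digest(body["measurement"], expected_measurement):
        return False, "measurement mismatch: unapproved workload"
    return True, "ok"


def release_key(report: dict, nonce: str,
                data_key: bytes) -> Tuple[Optional[bytes], str]:
    """Hand the customer's data-encryption key to the workload only after the
    attestation report passes every check; otherwise return the reason."""
    ok, reason = verify_report(report, nonce, EXPECTED_MEASUREMENT)
    return (data_key if ok else None), reason


def demo() -> None:
    data_key = secrets.token_bytes(32)
    nonce = secrets.token_hex(16)  # fresh per attestation round
    # Approved image, fresh nonce: key is released.
    print(release_key(produce_report(EXPECTED_MEASUREMENT, nonce), data_key=data_key, nonce=nonce)[1])
    # Modified image (e.g. a backdoored build): rejected.
    other = hashlib.sha256(b"tampered image (constructed)").hexdigest()
    print(release_key(produce_report(other, nonce), nonce, data_key)[1])
    # Report signed by something other than the trusted hardware: rejected.
    forged = produce_report(EXPECTED_MEASUREMENT, nonce, signing_key=b"not-the-cpu")
    print(release_key(forged, nonce, data_key)[1])


if __name__ == "__main__":
    demo()
```

The order of checks matters: the signature is verified first so that nothing in an unsigned body is trusted, the nonce defends against replaying an old report from a previously approved workload, and the measurement comparison is what ties the key to one specific, reviewed image rather than to "whatever is running on that machine".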

At Edgeless Systems, we have developed Constellation, which makes it super easy for SaaS providers to provably ensure the protection of their customers' data. Constellation can be set up within a few minutes and runs any containerized application on Kubernetes on any cloud. Thus, SaaS providers can simply deploy their container on Constellation and their app is confidential --- almost like magic.

We believe that confidential computing will soon be a must-have for B2B SaaS. As Microsoft Azure CTO Mark Russinovich said in his keynote at our OC3 conference, "we'll see an expectation that data is always encrypted while it's in use, regardless of how sensitive it might be." If SaaS companies don't meet that expectation as early as possible, they will lose potential customers and market share.

You have questions or comments? Please feel free to reach out to me via LinkedIn or e-mail (