MSPs and IT teams are trusted to maintain the security and compliance of sensitive data while also being on the hook for end-user experience. In and of itself, this is a tricky balancing act. When you add SaaS to the mix, compliance gets even more complex. SaaS compliance with regulations like GDPR, HIPAA, and CCPA is more complicated than traditional “castle and moat” style on-prem networks, where data resides squarely within an organization’s control.
The right SaaS monitoring approach can help organizations address modern compliance challenges. The key is aligning your requirements, strategy, and SaaS management tools with business and regulatory requirements.
In this post, we’ll dive deep into the current state of SaaS compliance, including how to address seven of the most common challenges MSPs face.
The current state of SaaS compliance and security
The inherent loss of control that comes with SaaS deployments and rising SaaS adoption makes compliance and security a complex challenge for MSPs. No two tech stacks are the same, different vendors require different security controls, and insider threats aren’t constrained to a physical location. Add to that the need to consider the various regulatory requirements MSP clients must meet, and the picture becomes clearer.
All these factors combine to create an environment where MSPs are accountable for securing platforms and data when they often have limited visibility, control, and understanding of requirements. To better understand the challenges MSPs face, let’s dive into three of the biggest drivers of SaaS compliance and security complexities.
Multiple standards and regulations increase compliance complexity
Legislation is catching up with the demands of privacy and data protection advocates in many regions across the globe. While these regulations often solve real-world problems and are in the best interest of consumers, medical patients, and end users, they create a web of compliance complexity for IT and MSPs. Even within the same country, regulations can vary from location to location. Case in point: the California Consumer Privacy Act (CCPA) specifically protects consumers in California.
As you cross industries, deal with data in different countries, and layer in the complexities of data governance and sovereignty, the situation gets even more complex. For example, given that outsourcing to MSPs is one of the top healthcare IT trends, SaaS HIPAA compliance is a hot topic for service providers in the space.
The table below provides an overview of some of the common privacy and cybersecurity regulations and standards that IT and MSP teams face.
| Standard/Regulation | Description |
|---|---|
| General Data Protection Regulation (GDPR) | EU law protecting personal data |
| Health Insurance Portability and Accountability Act (HIPAA) of 1996 | US law protecting healthcare data |
| Sarbanes-Oxley (SOX) Act of 2002 | US law related to financial data and reporting |
| California Consumer Privacy Act (CCPA) | California state law protecting the privacy of consumers in the state |
| Payment Card Industry Data Security Standard (PCI DSS) | Standard defining security and privacy requirements for cardholder data (CHD) and payment processing |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Canadian law governing how organizations can use personal information |
| Family Educational Rights and Privacy Act (FERPA) | US privacy law focused on students' educational records |
| System and Organization Controls 2 (SOC 2) | Standard reports for demonstrating compliance with security and privacy controls |
| ISO/IEC 27001 | International standard for information security management systems (ISMS) |
As we saw with Meta’s $263 million GDPR fine, even major tech players can struggle to stay compliant. And it’s not just the household names that regulators will penalize. In January 2025, Solara Medical Supplies agreed to a $3 million USD settlement for HIPAA violations. Notably, for those of us learning from the case, the incident in question occurred in 2019. The time it took to reach the Solara settlement demonstrates that the risk of even alleged noncompliance (the agreement stipulated it was not an admission by Solara) can have costs beyond settlement dollars and fines.
Shadow IT is on the rise
If you have a credit card and an email address, you can onboard a new SaaS app in minutes. That convenience is a key driver of the popularity of SaaS, but it also creates security and compliance risk due to an increase in shadow IT.
Users looking to solve a business problem will often also bypass standard app onboarding processes, leaving IT or their MSP blind to how data is processed, stored, and secured. For example, SaaS apps under management can be required to use multifactor authentication (MFA), enrolled in single sign-on, and be configured to enforce granular role-based access control (RBAC), but a user provisioning their own SaaS product could simply sign up and log in with an email/password combo.
Vendor risk is business risk
Well-intentioned tech leaders often look to offload risk, complexity, and administrative overhead to third parties. In many cases, that’s an excellent business decision. Teams that use third-party platforms like Office 365, Salesforce, and Slack can focus more on business outcomes and less on “keeping the lights on” tasks such as upgrades, infrastructure, and patching.
However, purchasing a solution from a vendor isn’t a compliance or security panacea. Ultimately, organizations are responsible for compliance, and assessing third-party security risk is necessary. The Okta data breach that exposed information for all of the identity provider’s (IdP) customers is a textbook example of where even industry-leading platforms aren’t foolproof.
SaaS compliance issues and MSP compliance solutions for SaaS risk assessment and beyond
Now that we have a feel for the SaaS compliance landscape, let’s jump into the security and compliance challenges MSPs need to solve so they can protect their clients and avoid penalties. To address SaaS risk at scale, you’ll typically need to add a SaaS management tool to your stack. With that in mind, we’ll also explain how effective SaaS monitoring and management can help address each of these challenges.
1. Shadow IT and poor visibility into clients’ SaaS usage
You can’t protect what you can’t see. That’s why organizations everywhere are working to eliminate shadow IT and bring more apps under management to reduce compliance and security risk.
Unfortunately, poor visibility into what users are actually doing in a browser or on a mobile device makes detecting shadow IT difficult. Manual processes like spreadsheet-based app inventories are error-prone and lead to MSP blind spots. And the visibility challenge is getting worse. One of the scariest shadow IT stats we’ve seen is that 41% of employees use tech IT cannot see, and Gartner projects that will grow to 75% by 2027.
The SaaS monitoring solution: Implement real-time SaaS discovery to build and maintain a complete inventory
Real-time SaaS discovery based on real-world SaaS usage enables MSPs to understand the full scope of apps in use. Automatic discovery of the apps users access from their endpoint devices eliminates blindspots and shifts inventory creation and maintenance from a point-in-time event to a continuous process.
Auvik SaaS Management (ASM) is purpose-built to discover SaaS apps and provide actionable security and risk management insights. MSPs can use Auvik Network Management (ANM) to detect real-time SaaS usage and categorize those apps based on criteria such as SSO use, business owner, management status, and risk.
2. Weak user access controls across client SaaS applications
Credential-based attacks and account compromise are some of the most common ways attackers successfully breach a network. Incidents like last year’s Snowflake breach that led to password exposure for multiple customers demonstrate why single-factor authentication isn’t enough. Defining granular RBAC policies based on the principle of least privilege (PoLP) is essential for reducing blast radius if an account is compromised.
The SaaS monitoring solution: Track SSO utilization and remediate risky user behavior
In addition to zero trust network access (ZTNA), strong identity management and MFA are the two biggest levers IT can pull to reduce the risk of credential-based attacks and account compromise. Enabling SSO is a good starting point, but if users bypass standard app onboarding processes or use personal emails, they also bypass the security controls an organization implements via SSO.
SaaS monitoring with ASM helps MSPs detect what apps users are accessing, determine if those apps are using SSO, and detect risky user behavior like shared account usage. Once a non-compliant app or account is discovered, MSPs can remediate the problem by implementing SSO, securing the relevant accounts, or offboarding the app altogether.
3. Misconfigured SaaS security settings and policies
SaaS apps remove many security maintenance responsibilities, like patching and upgrades, from an MSP’s plate. However, there are still plenty of risks at the application level, and a single misconfiguration can lead to a breach or compliance penalties. This is particularly true for cloud-based file shares and storage solutions. For example, Fortinet suffered a data compromise related to unauthorized access to an Azure SharePoint site in Q3 2024.
The SaaS monitoring solution: Automate compliance checks and security audits
Securely provisioning SaaS apps and user accounts during onboarding is the best preventative measure MSPs can implement to reduce misconfiguration risk. However, configuration drift is real, and even well-defined application onboarding processes can have gaps.
ASM SaaS monitoring gives MSPs a source of truth for application risk and provides detailed security logs teams can use to audit SaaS usage. For example, ASM’s SaaS Health Score provides a high-level indicator of SaaS risk. It enables administrators to drill down to specific recommendations to improve SaaS security and address issues before auditors flag them.
4. Vendor security incidents and data breaches
Modern IT infrastructure is a chain of dependencies. Even if an MSP does everything right, a vendor security breach can directly impact their clients. Unfortunately, MSPs don’t get advance notice when a vendor experiences a breach or security incident.
As we saw with the November 2024 cyberattack against CTS, an MSP serving legal clients in the UK, MSPs can be high-value targets for attackers, and it is critical for MSPs to react quickly when a vendor-related security issue requires action.
The SaaS monitoring solution: Get alerts on vendor security incidents
The sooner an MSP knows about security risks, the sooner it can address them. Subscribing to vendor mailing lists and security advisory notifications can help teams react early when an incident occurs. For SaaS applications, ASM monitors security incidents across over 100,000 applications and allows MSPs to filter based on impacted clients to focus their efforts where risk is highest.
5. Lack of documentation and reporting
Demonstrating compliance often requires detailed reports and evidence. If MSPs aren’t proactive about maintaining inventories, documentation, and reports, they’re more likely to struggle during audits. Conversely, because many standards and regulations have overlapping requirements, effective inventory, reporting, and documentation practices can have compounding benefits. Additionally, the same reports and documentation can be used to highlight value or areas of concern with clients during quarterly business reviews (QBRs).
The SaaS monitoring solution: Automate reporting and create executive summaries
Automation allows MSPs to ensure that their reports and inventory documentation are up to date and minimize blind spots. With ASM, MSPs can run a wide range of reports related to specific workflows (e.g., an offboard report) or executive-level QBR reports for strategic meetings.
6. Poor offboarding practices creating security risk
SaaS offboarding studies show that over 30% of ex-employees retain access to SaaS tools after they leave. These accounts create significant security and compliance risk and often go undetected for extended periods of time. Employees using personal credentials for business apps is one of the most common reasons this SaaS security issue emerges in the wild.
The SaaS monitoring solution: Automate employee offboarding with a SaaS access list
SSO enforcement across apps and a robust offboarding process can drastically reduce the risk of old accounts leading to a security incident. ASM empowers MSPs by recording what applications a user has access to, generating offboarding reports on-demand, and creating detailed offboarding checklists to ensure policy adherence during account de-provisioning.
7. Lack of proactive threat detection in SaaS applications
Endpoint security and management tools are an important part of defense in depth, but they aren’t intended to detect risky SaaS behavior like password sharing or abnormal account usage. With so many mission-critical workflows occurring in a browser, this leaves MSPs with a meaningful blind spot in their security posture.
The SaaS monitoring solution: Get alerts on risky user behavior
Moving threat detection closer to user activity is the key to solving this risk. SaaS monitoring can analyze user activity and empower MSPs to respond before a threat escalates. For example, ASM can alert MSPs for shared credential usage and detect the use of personal accounts with business applications.
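To make the signals from sections 2, 6, and 7 concrete, here is a toy analyzer that derives shadow apps, non-SSO logins, shared accounts, personal-email accounts on business apps, and a departing user’s access list from endpoint-observed login events. This is an added illustration, not Auvik’s code; the event format, app names, and domain are constructed for the example.

```python
"""Toy SaaS usage analyzer (constructed example, not Auvik's code)."""
from collections import defaultdict

# Constructed sample events as observed from endpoints:
# (user, app, account, auth_method)
EVENTS = [
    ("alice", "Salesforce", "alice@corp.example",    "sso"),
    ("bob",   "Salesforce", "bob@corp.example",      "sso"),
    ("bob",   "Notion",     "bob.p@gmail.example",   "password"),
    ("carol", "Trello",     "team-ops@corp.example", "password"),
    ("dave",  "Trello",     "team-ops@corp.example", "password"),
    ("dave",  "Slack",      "dave@corp.example",     "sso"),
]
MANAGED_APPS = {"Salesforce", "Slack"}   # apps already under management
CORP_DOMAIN = "corp.example"             # hypothetical corporate email domain


def shadow_apps(events, managed):
    """Apps seen in use that are not in the managed inventory."""
    return sorted({app for _, app, _, _ in events if app not in managed})


def non_sso_logins(events):
    """(user, app) pairs that authenticated outside SSO."""
    return sorted({(u, app) for u, app, _, m in events if m != "sso"})


def shared_accounts(events):
    """Accounts used by more than one person, keyed by (app, account)."""
    users_by_account = defaultdict(set)
    for u, app, acct, _ in events:
        users_by_account[(app, acct)].add(u)
    return {k: sorted(v) for k, v in users_by_account.items() if len(v) > 1}


def personal_accounts(events, corp_domain):
    """Business-app logins with accounts outside the corporate domain."""
    return sorted({(u, app, acct) for u, app, acct, _ in events
                   if not acct.endswith("@" + corp_domain)})


def offboarding_list(events, user):
    """Every (app, account, auth_method) a departing user touched; the
    non-SSO entries need manual revocation because disabling the IdP
    account does not reach them."""
    return sorted({(app, acct, m) for u, app, acct, m in events if u == user})
```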
Strengthen your SaaS compliance with Auvik’s proactive SaaS monitoring software
SaaS security isn’t about checking boxes on a form and scrambling to pass an audit. MSPs that want to protect their clients and their reputation as trusted advisors must take a proactive approach to SaaS risk. Effective SaaS monitoring empowers MSPs to become proactive about compliance and remediate security issues before they lead to costly fines or breaches.
Auvik SaaS Management (ASM) is purpose-built to help MSPs address their SaaS security and compliance challenges while supercharging their SaaS operations. With ASM, MSPs can:
- Automatically build and maintain SaaS inventories that include key security and usage information
- Discover shadow IT and SaaS sprawl to reduce risk and grow revenue
- Generate detailed SaaS reports to highlight risk, demonstrate value, and support security initiatives
- Detect risky user behavior such as password sharing
- Streamline onboarding and offboarding workflows with automatic checklists and offboard reports
If you’d like to see how Auvik SaaS Management (ASM) can help you address SaaS risk, book an expert-led demo, sign up for a free (no credit card required) trial, or get a pricing estimate today!