Cyberhackers are Targeting your Organization’s Sensitive Data
The article’s solution is twofold: ask for your vendor’s or SaaS provider’s security model, and take security into your own hands, that is, use “the power of PaaS”.
As usual, it’s a bit more nuanced than that, so let’s put some of the claims in the article under the microscope, and find out which approach is better for you.
"A proven method to up your cloud security posture is to utilize a PaaS-based cloud platform"
It’s true, you can deploy to your own dedicated infrastructure, with dedicated network resources, dedicated secrets, and your own encryption key. However, you need the required knowledge of the given PaaS solution to do it right; otherwise you may end up with a less secure posture.
You can't tell if the SaaS provider has accessed your data, decrypted it, and handed it over to the authorities
However, what could or would you do if the same authorities knocked on your door? Would you comply or risk the consequences?
"The SaaS vendor controls when an update is done"
It’s an absolutely correct statement. In the SaaS model, it’s the provider’s responsibility to apply security and product updates, and indeed you have zero control over their change management. In the PaaS model, it’s your responsibility. Again, the article presumes your SaaS provider can’t or won’t handle such updates in a responsible manner, but you would.
Conclusion
And finally, despite the efforts of the article to convince you that SaaS solutions suck and are inferior when it comes to security, just because Mimecast suffered a security incident, I still believe that a good SaaS provider is worth a shot. Especially if you are an SMB company, and you have already outsourced much of your IT services (anyone using Office 365 or Google Workspace?), it’s a reasonable decision to use a SaaS email archiving provider.
Final words
At the end of the day, hackers are still targeting your organization’s sensitive data regardless of which solution you choose.