Cyberhackers Are Targeting Your Organization's Sensitive Data
20 Jan 2021 - sj, tags: insights, news
Archive360 wrote an article about a security breach of Mimecast's SaaS platform, claiming that "this unfortunate breach highlights the main security issues associated with third-party SaaS providers like Mimecast".
The article's solution is twofold: ask for your vendor's or SaaS provider's security model, and take security into your own hands, that is, use "the power of PaaS". While the article has some valid points, it also features a few misleading claims. The main theme of the article seems to be that SaaS providers basically suck, and you should archive your emails yourself [with Archive360's product].
The article suggests you have two options regarding email archiving. You may either sign up with a SaaS provider (often built on a major cloud provider's PaaS platform, like AWS or Azure) and use the SaaS solution for email archiving. Or you may sign up with a major cloud provider's PaaS platform (like AWS or Azure) and run an email archiving product of your choice, such as Archive360's, on top of it.
As usual, it’s a bit more nuanced than that, so let’s put some of the claims in the article under the microscope, and find out which approach is better for you.
“A proven method to up your cloud security posture is to utilize a PaaS-based cloud platform”
It's true, you can deploy to your own dedicated deployment infrastructure with dedicated network resources, dedicated secrets, and your own encryption key. However, you need the required knowledge of the given PaaS solution to do it right; otherwise you may end up with a less secure posture than you started with.
"You can't tell if the SaaS provider has accessed your data, decrypted it, and handed it over to the authorities"
It's an interesting and somewhat controversial topic. Any SaaS provider (and any business entity, for that matter) is expected to comply with the laws and regulations of the given country. Archive360 refers to a "secrecy warrant" (i.e. one forbidding the SaaS provider to notify you in such a case), but I believe it's different from country to country. You may pick a SaaS provider operating in a country with different laws.
However, what could or would you do if the same authorities knocked on your door? Would you comply or risk the consequences?
“The SaaS vendor controls when an update is done”
It's an absolutely correct statement. In the SaaS model it's the provider's responsibility to apply security and product updates, and indeed you have zero control over their change management. In the PaaS model it's your responsibility. Again, the article presumes your SaaS provider can't or won't handle such updates in a responsible manner, but that you would.
Archive360 suggests you use the PaaS platform of either AWS or Azure, with their product on top, of course. It's definitely an option for you, though you are free to use any other cloud-compatible email archiving product; there are many.
I believe that it's a viable option, provided that you have the required knowledge and resources in-house to do the job. Make no mistake: while it's true that you have much greater control over your data, you are also in charge of the security of your data. You have just taken on all the responsibilities and challenges mentioned in the article that a SaaS provider might have. You need the resources (both human and technical), and the article implicitly demands a superior security model as well. Not to mention the confidence that you can do it better.
However, a PaaS platform in the cloud is not the only option. Several companies have deployed an on-premises email archive. They have their own infrastructure, they can fit it into their IT security, and they have the resources to maintain one more service for their users.
And finally, despite the efforts of the article to convince you that SaaS solutions suck and are inferior when it comes to security, just because Mimecast suffered a security incident, I still believe that a good SaaS provider is worth giving a shot. Especially if you are an SMB company and you have already outsourced much of your IT services (anyone using Office 365 or Google Workspace?), it's a reasonable decision to use a SaaS email archiving provider.
At the end of the day, hackers are still targeting your organization's sensitive data regardless of which solution you choose.