As costs of on-premises hosting increase and firms continue to deploy more software-as-a-service (SaaS) apps, firms are now storing sensitive and personally identifiable information in SaaS apps — increasing the overall threat surface. This report provides actionable guidance of how security and risk (S&R) pros should contribute to the firm’s SaaS app selection and procurement process in the four most important security aspects of SaaS apps: data, identity, logging, and governance.