Winning the SaaS security shift: A user-centric strategy for MSPs

Businesses are rethinking cyber defense in this cloud-first era, thanks to the rapid adoption of cloud platforms like Microsoft 365, Google Workspace and Salesforce. As more workloads move off the network and outside traditional perimeters, businesses are shifting their cybersecurity focus from an on-premises, network- and endpoint-centric model to one that also prioritizes user behavior and account activity.

Notably, cybercriminals are no longer breaking in; they’re logging in. Threat actors target user accounts through phishing, business email compromise (BEC) and SaaS misconfigurations to infiltrate organizations’ networks. The 2024 State of SaaS Security Report highlights this trend, with MSPs identifying these as the top three threats their clients face, even surpassing ransomware.

For MSPs, this shift presents both challenges and opportunities. Traditional security models no longer align with current user behavior or the evolving threat landscape. To stay competitive, MSPs must evolve to provide user- and account-centric protections and turn them into valuable, recurring services.

In this article, we’ll explore why traditional cybersecurity models are falling short and how cloud detection and response (CDR), together with SaaS backup, can strengthen your clients’ cyber resilience. We’ll also discuss how SaaS-onomics — a knowledge-driven approach that helps MSPs monetize SaaS security — can help you protect clients more effectively while increasing your monthly recurring revenue (MRR).

Where conventional security models fall short

For years, businesses relied on the traditional castle-and-moat cybersecurity model to protect internal networks and devices. This model was built on the idea of a clearly defined perimeter where everything inside was trusted and everything outside was not. However, that perimeter is fading fast.

As businesses adopt cloud applications, integrate third-party tools and support remote access, the concept of a fixed network boundary no longer holds. Users are connecting from anywhere, and data flows across environments that sit outside the old perimeter — the castle walls are coming down.

Firewalls

Firewalls were designed to keep bad actors out by blocking unauthorized access to internal networks. They’re effective against known threats, such as port scanning and denial-of-service (DoS) attacks. But they struggle with modern tactics, such as social engineering attacks, zero-day exploits and malware variants that don’t match known signatures. They also offer no protection against internal threats, whether from careless employees or malicious insiders.

EDR

Endpoint detection and response (EDR) focuses on protecting individual devices, such as laptops, desktops, servers and mobile phones. However, its visibility is limited to the device. It doesn’t cover SaaS apps, cloud environments or off-network activity. As businesses shift to hybrid and cloud-native operations, this limited scope creates serious blind spots in both cloud security and data security.

MDR

Managed detection and response (MDR) delivers 24/7 monitoring, threat hunting and rapid incident response. It’s a solid option for businesses that need coverage without growing their internal teams. However, MDR often uses generic detection rules that may not align with a business’s specific systems or workflows. That lack of context can result in missed threats or too many false alarms.

Both EDR and MDR are inherently reactive. They catch threats after damage may have already started. In a landscape where human error is common and cyberattacks are faster and more complex, MSPs need a smarter, layered approach — one that focuses on users, accounts and real-time visibility across the cloud.

Why MFA and conditional access aren’t enough

Multifactor authentication (MFA) and conditional access policies (CAPs) play a vital role in preventing unauthorized access. However, today’s attacks are far more sophisticated, and these tools, while necessary, aren’t built to catch every threat.

On their own, MFA and CAPs can create a false sense of security if not backed by deeper, layered defenses. Cybercriminals now bypass these defenses using tactics such as phishing, token theft and social engineering.

MFA fatigue attacks

One of the most common techniques used by threat actors is MFA fatigue. Attackers overwhelm users with repeated authentication prompts, counting on frustration or distraction to prompt an accidental approval. It only takes one slip to let them in.

To simplify access across countless SaaS platforms, users often rely on OAuth via Microsoft or Google accounts instead of traditional logins. This convenience, however, increases risk. The SaaS Application Security Insights 2025 report shows that 23% of low-severity incidents involved OAuth-based identity and access management (IAM).

Insider threats

While MFA and CAPs are effective against external actors, they offer limited protection against internal risks. Whether it’s a disgruntled employee or a user tricked by social engineering, attackers can still gain access from within the trusted environment, bypassing controls without raising immediate red flags.

Token theft and AiTM attacks

Stolen session tokens are another major blind spot. Attackers can bypass MFA entirely by stealing tokens through malware or Adversary-in-the-Middle (AiTM) attacks.

In these scenarios, attackers intercept communication between a user and a service, such as Microsoft 365 or Google Workspace. They capture login credentials, MFA codes and session cookies, then use them to impersonate the user, hijack sessions and move laterally through the network, often without detection.

Figure 1: How AiTM attacks work

The conditional access gap

Conditional access policies are designed to verify that access attempts align with expected behavior. However, if a phishing email reaches the intended user and prompts them to enter their credentials on a spoofed site, those credentials are instantly relayed to the actual service. The login succeeds. The session looks normal. No alerts are triggered.

To truly protect your clients, security must go beyond login barriers. It requires a proactive, layered strategy that detects threats inside and outside the environment — even when everything appears legitimate on the surface.

Why CDR is critical in a cloud-first world

Cloud detection and response (CDR) is purpose-built to monitor, detect and respond to threats across cloud environments, especially SaaS platforms. It provides MSPs with visibility into user behavior, access patterns and app activity across services, including Microsoft 365, Google Workspace and Salesforce.

Unlike traditional tools, CDR focuses on what users are doing inside the cloud. It continuously analyzes behavior, filters out noise and flags only the most critical anomalies. This helps reduce alert fatigue and enables faster, more targeted responses.

Here’s how CDR compares to other common security tools:

CDR vs. SIEM

Security information and event management (SIEM) tools gather logs, correlate events and generate alerts across a broad range of sources. However, they’re not designed to interpret SaaS-specific behaviors, such as risky sign-ins or unauthorized access to third-party apps. CDR, by contrast, understands the nuances of user actions within SaaS platforms and flags anomalies that SIEM tools often miss.

CDR vs. MDR

Managed detection and response (MDR) is focused on endpoints. It provides 24/7 threat hunting and incident response, primarily across laptops, servers and mobile devices. MDR tools have often been retrofitted to include some protection of Microsoft 365 and Google Workspace; however, they lack deep visibility in these critical business applications. CDR fills that gap by identifying unusual cloud activity — like excessive file sharing in Google Drive or suspicious OAuth grants in Microsoft 365 — areas MDR tools aren’t as strong in.

In today’s cloud-first business environment, the most valuable data lives in SaaS. To counter account takeovers, insider threats and unauthorized data access, MSPs require a reliable solution that delivers real-time behavioral monitoring, automated remediation and continuous policy enforcement.

CDR provides MSPs with the context they need to act quickly and with precision. By understanding what normal looks like — and reacting instantly when it doesn’t — MSPs can stay ahead of attackers and keep their clients’ cloud environments secure and compliant.

Stronger together: SaaS Alerts and Datto SaaS Protection

CDR platforms give MSPs real-time visibility and protection across cloud environments. However, when data loss occurs — whether from a cyberattack or human error — it’s backup and recovery that help businesses get back on their feet. Together, CDR and backup provide a full SaaS security and business continuity strategy.

That’s where SaaS Alerts and Datto SaaS Protection come in. These solutions enable MSPs to deliver greater value to clients while saving time and enhancing resilience.

SaaS Alerts

SaaS Alerts is an automated SaaS security solution built to detect and respond to advanced threats across managed SaaS environments. It enables MSPs to provide continuous, account-centric protection by analyzing behavioral anomalies in Microsoft 365, Google Workspace and other SaaS platforms. The platform alerts MSPs to suspicious user activity in real time and automatically remediates threats, improving the speed and accuracy of threat detection and response.

Datto SaaS Protection

Datto SaaS Protection provides comprehensive backup and recovery solutions for Microsoft 365 and Google Workspace. It combines secure, seamless data protection with integrated threat defense to keep client environments resilient. The solution delivers immutable backups and simple, efficient data restoration. It protects against accidental or malicious deletion, ransomware and compliance risks while enabling fast recovery to reduce downtime and maintain business continuity.

SaaS-onomics: A new revenue engine for MSPs

SaaS-onomics is a knowledge-driven strategy for generating recurring revenue through SaaS security. By bundling CDR and SaaS backup, it helps MSPs monetize protection services and deliver more value while addressing today’s cloud security and compliance concerns.

Here are three models to do just that:

• The add-on model:

Position CDR and SaaS backup as a required add-on to Microsoft 365 or Google Workspace management services. Let customers opt out by signing a “decline services” waiver, which shifts liability and encourages adoption. Highlight how these services deliver added protection at a low monthly cost. Suggested pricing: $3 to $10 per user/month.

• Cybersecurity bundle:

Combine CDR and SaaS backup with services, such as endpoint protection, email security or dark web monitoring. Present it as an essential package for clients focused on compliance, phishing and ransomware defense, and data protection. Suggested pricing: $25 to $40 per user/month.

• All-inclusive model:

Roll CDR and SaaS backup into your core managed services offering with no separate line items. This simplifies sales and builds client trust through a predictable, fixed monthly fee. All-inclusive models help drive retention by providing comprehensive protection in a single package.

The future is user-centric and SaaS-driven

As more businesses shift critical workloads to the cloud, MSPs have an opportunity to lead with a user-focused, cloud-first security model. This approach strengthens protection across SaaS environments, user accounts and business data — while opening doors to new service offerings and revenue streams.

Thousands of MSPs worldwide rely on SaaS Alerts and Datto SaaS Protection to secure their clients and scale their businesses. By combining these solutions, your MSP can offer stronger protection, faster recovery and a premium service experience that stands out in a crowded market.

Future-proof your clients and your business. Request a demo of Datto SaaS Protection and SaaS Alerts today to see how SaaS security can fuel long-term growth.