CERIAS Security Seminar: Securing SaaS, a Practitioner’s Guide

The Center for Education and Research in Information Assurance and Security
September 15, 2021
4:30 PM - 5:30 PM


Aaron Shafer
NBC Universal


In this session we will talk about applying appropriate security controls to Software as a Service (SaaS) offerings. While it may seem like the SaaS vendors have most of the responsibility for securing these platforms, there are still a number of threats that customers need to worry about themselves.

During the session we will walk through various types of SaaS solutions, including a few new surprising categories, and will then talk about the nuances of the Shared Responsibility Model (SRM). We will dive into how to assess the threats to our data, users, and connected systems related to the deployment of SaaS solutions by taking a Threat Modeling approach to the problem. Once we’ve compiled our list of risks, we will then talk through practical countermeasures that can be implemented to mitigate or reduce risk. The session will then wrap up with a discussion of some existing security tooling that can be considered to further strengthen the defenses around these SaaS solutions today.


Aaron is Vice President & Information Security Officer for NBCUniversal’s Direct-to-Consumer business unit, which includes Fandango, Vudu and the company’s new streaming service Peacock.

Aaron has over 20 years of extensive experience in software engineering, architecture, design, network and application security. He has spent the past 12 years in various Cyber Security roles where he has led projects in industries including media, defense, energy, and financial services. He has a bachelor of science from Monmouth University, where he studied Computer Science, and a master’s in Software Engineering from Penn State.

The weekly security seminar has been held every semester since spring of 1992. We invite personnel at Purdue and visitors from outside to present on topics of particular interest to them in the areas of computer and network security, computer crime investigation, information warfare, information ethics, public policy for computing and security, the computing "underground," and other related topics.
