Once again, this plays into the theory that SaaS is a double-edged sword. On one hand, it exposes a larger attack surface than a hosted app behind a VPN. But it also reduces the risk caused by not keeping up with vendor patches.
@denbesten I agree; even the clients have a duty of care and due diligence. Even NIST SP 800-53 R5 points this out, but I wonder how many have actually assessed their Cloud Providers and actually asked for proof they are being maintained, other than through SOC Level 1 and 2 reports?
As the auditors state, allowing the Cloud Providers to audit themselves every 12 months for the SOC 1 and 2 reports cannot be objective. These assessments need to be completed independently by another third party, with independent reporting conducted, etc.