* Rogue users. User error is always one of the top two causes of data loss for any application, cloud-based or otherwise. This is because software has no way of distinguishing between legitimate and illegitimate commands. One slip of the mouse and a Copy command becomes a Delete command. Simple user mistakes cause between one-third and two-thirds of all data losses. That's scary enough, but those numbers only describe the damage inflicted by accident.
Now imagine what a rogue user -- one who is intentionally trying to cause damage -- could do to your cloud data. Authorized users are, by definition, allowed inside your SaaS application's defensive perimeter. Disgruntled employees can be your worst nightmare, as these users can do every bit as much damage as a compromised zombie account but with the added threat of knowing exactly where to look for valuable data.
Rogue user defense: Trust no one (more than you have to). Most SaaS applications offer some degree of tiered access privileges. Never grant anyone more access than they need.
* The black swan. A black swan is shorthand for an event that is so unprecedented as to be almost impossible to predict. Tech writer Mat Honan made headlines earlier this year when a weird combination of Amazon and Apple security procedures allowed hackers to wipe out virtually all of his online accounts, as well as purge the local data from his laptop. What made this epic hack so remarkable was that Apple's and Amazon's security procedures each protected their own systems; it was the combination of data that both providers disclosed that allowed hackers to assume control of all of Honan's linked cloud accounts. Almost no one could have seen that coming. While Honan's loss doesn't fit the classic definition of a black swan event, it matches the general profile of an all but unforeseeable security failure.
Given the complexity of SaaS applications and the relative immaturity of cloud application security standards, it's highly likely that another such black swan event will occur -- one that may well compromise your own SaaS application data. That's the very image of a security threat you can't see coming, and nothing could be scarier than that.