Software as a Service (SaaS)

January 31, 2022

What is Software as a Service (SaaS)?

Software as a Service (SaaS) is a cloud-based delivery model that allows users to access a software application through an internet-connected device.

In the SaaS model, a third-party vendor manages all aspects of the software application, including coding, hosting, monitoring, updating and security, as well as the purchase and maintenance of the associated hardware, such as servers and databases.

Since SaaS solutions are delivered over the internet, customers generally do not need to download or install the software to use the service. This means that users can access the application or their data from virtually anywhere with an internet connection, assuming all other system requirements and security protocols are met.

SaaS Examples

Most internet users regularly access SaaS applications even if they are not familiar with the term itself. For example, email applications, such as Webmail and Outlook, are examples of SaaS. In a business setting, users often leverage SaaS applications to conduct routine business activities such as: conducting online meetings and conference calls; accessing customer data portals or databases; logging help desk or support tickets; or creating or editing documents and other files.

Perhaps the most notable SaaS service provider is Salesforce. This company defined the category when it launched its customer relationship management (CRM) platform in 1999. In so doing, the company spawned a new delivery model that has been replicated by established companies and startups alike. Other prominent SaaS vendors and SaaS solutions include:

  • Adobe
  • Amazon Web Services (AWS)
  • Atlassian
  • Box
  • Dropbox
  • G Suite
  • Microsoft Office 365
  • SAP
  • ServiceNow
  • Slack
  • QuickBooks
  • Workday
  • Zapier
  • Zendesk
  • Zoom

SaaS vs IaaS and PaaS

Before reviewing the SaaS model in detail, it may be helpful to provide an overview of the other two main “as-a-service” cloud computing options:

  1. Infrastructure as a Service (IaaS): A cloud computing model in which a third-party cloud service provider (CSP) offers virtualized compute resources such as servers, data storage and network equipment on-demand over the internet to clients.
  2. Platform as a Service (PaaS): A platform delivery model that can be purchased and used to develop, run and manage applications. In the cloud platform model, the PaaS solution provider manages both the hardware and software used by application developers.

SaaS Deployment

While all SaaS solutions are accessed via the internet, there are three main deployment models:

  1. Multi-tenant or public cloud
  2. Single-tenant or private cloud
  3. Hybrid cloud

Multi-tenant or Public Cloud

Most SaaS applications are deployed via the public cloud and used as a shared resource by multiple customers or tenants. While each tenant maintains control of their account and data, the platform and infrastructure on which the application is built and run is common to all customers. The public cloud model tends to be the most affordable model in that the cost of the platform itself is shared among a group of users. However, it is also associated with greater risk since each tenant is responsible for maintaining the security of its data and users. A breach in one account can jeopardize security across all SaaS users.

Single-tenant or Private Cloud

As the name suggests, a single-tenant deployment model is one in which the SaaS app is offered via the private cloud and is used exclusively by one customer. In this model, the SaaS application is managed by the SaaS provider, but the cloud itself is managed by the customer or another third-party vendor. While this model is generally far more expensive than a public option, it is often leveraged by companies, organizations or government agencies that manage or store sensitive information such as personal data, financial transactions or intellectual property (IP). Using the private cloud grants these organizations more control and enhanced security of their data, as well as the ability to comply with any relevant government or industry regulations.

Hybrid Cloud

Organizations are increasingly leveraging a hybrid cloud environment that combines elements of a public cloud, private cloud, and on-premises infrastructure into a single, common, unified architecture. This model grants organizations the option to deploy SaaS solutions on a private or public cloud depending on the application use case, presence of sensitive data, or regulatory requirements. The hybrid environment grants organizations increased flexibility and cost efficiencies, while also providing enhanced security.

SaaS Advantages

SaaS applications have exploded in popularity over the past three decades because they offer valuable workforce efficiencies and cost savings for both large and small enterprises. Some key advantages include:

  • Access: Because SaaS applications are cloud-based, they can be accessed by any user at any time in any place with virtually any internet-connected device, such as a computer, smartphone or tablet. This means that employees can use applications on demand, rather than only from a physical office or dedicated device. This enhanced access is a necessity for any organization that needs to manage a global workforce or enable remote work capabilities.
  • Cost savings: In a SaaS model, organizations are not required to invest in any of the hardware or equipment needed to run the application, such as servers or databases; nor are they responsible for building, deploying, managing, updating or maintaining the application itself. Further, most SaaS applications offer flexible usage tiers that can expand or contract based on the variable needs of the organization. This significantly reduces the costs associated with software usage, as compared to a traditional enterprise software model.
  • Usability: Most SaaS applications feature an intuitive and friendly user interface that caters to users with varying degrees of technical literacy.
  • Maintenance: As noted above, the maintenance of the SaaS solution, including updating, patching and managing security controls, is the responsibility of the SaaS vendor. In addition, the SaaS company has the ability to centrally push a software update, which does not require customers to configure and test endpoint security or compatibility.
  • Scalability: Most SaaS solutions are highly scalable and allow organizations to quickly spin up or down workloads based on demand.
  • Data and analytics: Most SaaS applications provide users with regular data reporting and intelligence tools. This provides businesses with valuable insights into organizational performance and business outcomes.

Disadvantages of SaaS

The SaaS delivery model is not without challenges. Customers should consider the following issues when leveraging SaaS applications:

  • Security and privacy: The vast majority of SaaS solutions are delivered via a multi-tenant or public cloud model. This opens the organization to a certain amount of risk, based on the actions — or inactions — of other tenants. Companies should work with their cybersecurity partner to ensure they have adopted and implemented a comprehensive security strategy that protects and defends cloud-based assets, in particular.
  • Compliance: Many organizations are required to comply with government or industry regulations related to data security and privacy. It is the responsibility of the customer to ensure that each SaaS product and its deployment method fully comply with any relevant regulations. Organizations should ask clear and specific questions about SaaS vendor compliance and review all contracts with a legal expert.
  • Customization: While SaaS application customization and configuration have advanced significantly in recent years, customizing an application can be complex and time-consuming. Customers must research the flexibility of the application and ensure that any customizations do not affect the performance of the application or other aspects of the IT environment.

A Deep Dive on SaaS Security and Privacy

SaaS security and privacy are of paramount importance to users. With the use of SaaS applications come increased cloud security risks, including:

  • Data breaches: Adversaries often exploit software misconfigurations, compromised credentials, overly permissive account privileges, or other system vulnerabilities to breach the SaaS application. Once inside, attackers can access data within the SaaS solution or use the application as an entry into other areas of the network.
  • Visibility: The use of SaaS applications adds complexity within the IT environment and makes it more difficult for the security team to maintain end-to-end visibility.
  • Unsecured application programming interfaces (APIs): An API allows applications or components of applications to communicate with each other over the Internet or a private network. In other words, businesses use APIs to connect cloud services and transfer data, either internally or to partners, suppliers, customers and others. Exposed, broken and hacked APIs are responsible for major data breaches, exposing financial, customer, medical and other sensitive data. Because APIs turn certain types of data into endpoints, a change to a policy or privilege level can increase the risk of unauthorized access to more data than the host intended.
  • Dynamic workloads: A workload consists of all the processes and resources that support an application. In other words, an app is made up of many workloads (e.g., VMs, containers, Kubernetes, microservices, serverless functions, databases). The workload includes the application, the data generated or entered into an application, and the network resources that support a connection between the user and the application. Failure to properly secure each of those workloads not only makes the application and organization susceptible to breaches, but also delays app development, compromises production and performance, and puts the brakes on the speed of business.
  • Access control/unauthorized access: Often companies grant employees more access and permissions than needed to perform their job functions, which increases identity-based threats. Misconfigured access policies are common errors that escape security audits. In addition, organizations tend to rely on the default access controls of their cloud providers, which becomes an issue especially in multi-cloud or hybrid cloud environments. Insider threats can do a great deal of damage with their privileged access, knowledge of where to strike and ability to hide their tracks.
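
The overly permissive privileges and access-control gaps listed above can be surfaced with a periodic access review. The following is an added example, not part of the original article or any vendor's code: it compares the permissions granted in a SaaS tenant with those actually exercised in the audit log. The permission names, record layout and 90-day window are assumptions, and the data is constructed.

```python
from datetime import date, timedelta

# Constructed sample data; the permission names and record layout are
# hypothetical, not any vendor's export format.
GRANTS = {
    "alice": {"files.read", "files.write", "users.admin"},
    "bob": {"files.read", "billing.admin"},
    "carol": {"files.read"},
}
AUDIT_LOG = [  # (user, permission exercised, date of the event)
    ("alice", "files.read", date(2022, 1, 20)),
    ("alice", "files.write", date(2022, 1, 22)),
    ("alice", "users.admin", date(2021, 6, 1)),   # outside the review window
    ("bob", "files.read", date(2022, 1, 25)),
    ("carol", "files.read", date(2022, 1, 10)),
    ("dave", "files.read", date(2022, 1, 12)),    # activity with no grant on record
]

def review_access(grants, audit_log, as_of, window_days=90):
    """Compare granted permissions with those exercised inside the window."""
    cutoff = as_of - timedelta(days=window_days)
    used = {}
    for user, perm, when in audit_log:
        if cutoff <= when <= as_of:
            used.setdefault(user, set()).add(perm)
    findings = {"unused": {}, "ungranted": {}}
    for user, perms in grants.items():
        idle = perms - used.get(user, set())      # granted but never exercised
        if idle:
            findings["unused"][user] = sorted(idle)
    for user, perms in used.items():
        extra = perms - grants.get(user, set())   # exercised but not in the grant list
        if extra:
            findings["ungranted"][user] = sorted(extra)
    return findings

def high_risk(findings, marker=".admin"):
    """Unused administrative permissions: the first candidates to revoke."""
    return {u: [p for p in ps if p.endswith(marker)]
            for u, ps in findings["unused"].items()
            if any(p.endswith(marker) for p in ps)}

if __name__ == "__main__":
    result = review_access(GRANTS, AUDIT_LOG, as_of=date(2022, 1, 31))
    print(result)
    print(high_risk(result))
```

Entries under "ungranted" usually mean the grant export is incomplete or access was assigned outside the reviewed policy, so they warrant investigation rather than automatic revocation.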

The Future of SaaS

The SaaS model has revolutionized the way companies do business and how people work. As more organizations shift their on-premises IT environment to the cloud, they are increasingly using SaaS apps to manage all aspects of business including communication, workforce collaboration, data management, financial planning, and reporting and compliance.

SaaS applications are expected to become more advanced in the following ways:

  • Leverage intelligent automation, such as artificial intelligence (AI) and machine learning (ML) technology, to automate routine business processes and improve decision-making
  • Enhance customization options within the SaaS tool
  • Support more advanced use cases, including niche or industry-specific uses
  • Enable more opportunities to integrate or combine data streams across cloud service apps or systems