Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. SaaS is also known as “on-demand software” and Web-based/Web-hosted software.
SaaS is considered to be part of cloud computing, along with infrastructure as a service (IaaS), platform as a service (PaaS), desktop as a service (DaaS), managed software as a service (MSaaS), mobile backend as a service (MBaaS), datacenter as a service (DCaaS), integration platform as a service (iPaaS), and information technology management as a service (ITMaaS).
SaaS apps are typically accessed by users using a thin client, e.g. via a web browser. SaaS became a common delivery model for many business applications, including office software, messaging software, payroll processing software, DBMS software, management software, CAD software, development software, gamification, virtualization, accounting, collaboration, customer relationship management (CRM), management information systems (MIS), enterprise resource planning (ERP), invoicing, field service management, human resource management (HRM), talent acquisition, learning management systems, content management (CM), geographic information systems (GIS), and service desk management.
For example, with a software as a service (SaaS) product, you can deploy software hosted on AWS infrastructure and grant buyers access to the software in your AWS environment. You can be responsible for managing customer access, account creation, resource provisioning, and account management in your software.
SaaS has been incorporated into the strategy of nearly all enterprise software companies.
Configuration and customization
SaaS applications similarly support what is traditionally known as application configuration. In other words, like traditional enterprise software, a single customer can alter the set of configuration options (a.k.a. parameters) that affect its functionality and look-and-feel. Each customer may have its own settings (or: parameter values) for the configuration options. The application can be customized to the degree it was designed for based on a set of predefined configuration options.
For example, to support customers’ common need to change an application’s look-and-feel so that the application appears to carry the customer’s brand (or, if so desired, is co-branded), many SaaS applications let customers provide (through a self-service interface or by working with application provider staff) a custom logo and sometimes a set of custom colors. The customer cannot, however, change the page layout unless such an option was designed for.
Accelerated feature delivery
SaaS applications are often updated more frequently than traditional software, in many cases on a weekly or monthly basis. This is enabled by several factors:
- The application is hosted centrally, so an update is decided and executed by the provider, not by customers.
- The application only has a single configuration, making development testing faster.
- The application vendor does not have to expend resources updating and maintaining backdated versions of the software, because there is only a single version.
- The application vendor has access to all customer data, expediting design and regression testing.
- The service provider has access to user behavior within the application (usually via web analytics), making it easier to identify areas worthy of improvement.
Adoption drivers
Several important changes to the software market and technology landscape have facilitated the acceptance and growth of SaaS:
- The growing use of web-based user interfaces by applications, along with the proliferation of associated practices (e.g., web design), continuously decreased the need for traditional client-server applications. Consequently, traditional software vendors’ investment in software based on fat clients has become a disadvantage (mandating ongoing support), opening the door for new software vendors offering a user experience perceived as more “modern”.
- The standardization of web page technologies (HTML, JavaScript, CSS), the increasing popularity of web development as a practice, and the introduction and ubiquity of web application frameworks like Ruby on Rails or Laravel (PHP) gradually reduced the cost of developing new software services, and enabled new providers to challenge traditional vendors.
- The increasing penetration of broadband Internet access enabled remote centrally hosted applications to offer speed comparable to on-premises software.
- The standardization of the HTTPS protocol as part of the web stack provided universally available lightweight security that is sufficient for most everyday applications.
- The introduction and wide acceptance of lightweight integration protocols such as Representational State Transfer (REST) and SOAP enabled affordable integration of SaaS applications (residing in the cloud) with internal applications over wide area networks and with other SaaS applications.
Unauthorized use of SaaS can be a major security threat
You can only scrutinize a vendor’s security when you know you are using that vendor, and you can only decide what additional security processes are required for a SaaS platform when you are aware that you are using it. It’s not enough just to tell employees that they must get permission before signing up to a SaaS platform (especially since they may not grasp what a SaaS platform actually is). You need to keep monitoring and auditing your network usage so that you quickly identify who is using what and take remedial action as necessary.
For the sake of completeness, if you have a fairly relaxed network-usage policy, employees may use unauthorized SaaS services for their own purposes, for example, during their lunch break. In principle, you may be fine with this, but you will still need to check firstly that their activity is personal and does not involve any of your data and secondly that there is no other way that their SaaS usage might compromise your security.
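The monitoring described in the two paragraphs above can start from web proxy logs. The following is an added example, not taken from the original article: it aggregates requests to SaaS hosts that are not on an approved list and marks large uploads for a data-exposure check. The log format, the sanctioned domains, the user names and the upload threshold are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed policy: SaaS domains the organisation has approved (constructed).
SANCTIONED = {"crm.example.com", "mail.example.com"}

# Constructed proxy log lines: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2024-05-06T09:01:12Z alice POST https://crm.example.com/api/contacts 2048
2024-05-06T09:03:40Z bob POST https://files.unsanctioned-share.example/upload 7340032
2024-05-06T12:31:05Z bob GET https://files.unsanctioned-share.example/list 310
2024-05-06T12:45:19Z carol GET https://notes.personal-app.example/ 512
malformed line without enough fields
2024-05-06T13:02:44Z alice POST https://Mail.Example.com:443/send 900
"""

def host_of(url):
    """Return the lower-cased hostname without port, or None if unparsable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None

def is_sanctioned(host):
    """A host is sanctioned if it equals, or is a subdomain of, an approved domain."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)

def find_unsanctioned(log_text, upload_threshold=1_000_000):
    """Aggregate unsanctioned SaaS use per (user, host) and flag large uploads."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records rather than guessing
        _, user, _method, url, sent = parts
        host = host_of(url)
        if host is None or is_sanctioned(host):
            continue
        entry = usage[(user, host)]
        entry["requests"] += 1
        entry["bytes_sent"] += int(sent)
    return {
        key: {**val, "review_for_data_exposure": val["bytes_sent"] >= upload_threshold}
        for key, val in usage.items()
    }

if __name__ == "__main__":
    for (user, host), info in sorted(find_unsanctioned(SAMPLE_LOG).items()):
        print(user, host, info)
```

Matching on the parsed hostname rather than on a substring of the URL keeps a look-alike such as `evilcrm.example.com` from being treated as approved.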
Your SaaS security is only as good as your identity and access management
Identity and access management is core to all forms of security and SaaS is no exception. The good news is that it’s fairly straightforward to implement a very granular level of access control once you have defined exactly who needs access to exactly what. There also needs to be a process in place to ensure that accesses are reviewed periodically, even if people stay within the same role.
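A periodic access review as described above can be automated once the "who needs what" mapping exists. The following is an added example, not part of the original article: it compares an exported list of grants against a role entitlement table and reports excess permissions, unknown roles, and reviews that are overdue even though the role has not changed. The role names, permission strings, users, dates and the 90-day review interval are constructed assumptions.

```python
from datetime import date

# Assumed entitlement model (constructed): what each role needs in the SaaS app.
ROLE_ENTITLEMENTS = {
    "sales": {"crm:read", "crm:write"},
    "finance": {"invoices:read", "invoices:write", "crm:read"},
}

# Constructed export of current grants: user, role, permissions, last review date.
GRANTS = [
    {"user": "alice", "role": "sales", "perms": {"crm:read", "crm:write"}, "reviewed": date(2024, 4, 1)},
    {"user": "bob", "role": "sales", "perms": {"crm:read", "invoices:write"}, "reviewed": date(2024, 3, 15)},
    {"user": "carol", "role": "finance", "perms": {"invoices:read", "crm:read"}, "reviewed": date(2023, 9, 1)},
    {"user": "dave", "role": "contractor", "perms": {"crm:read"}, "reviewed": date(2024, 4, 20)},
]

def review_access(grants, entitlements, today, max_age_days=90):
    """Return (user, finding, detail) tuples for grants that need attention."""
    findings = []
    for g in grants:
        allowed = entitlements.get(g["role"])
        if allowed is None:
            # No entitlement definition exists, so nothing held can be justified.
            findings.append((g["user"], "unknown-role", g["role"]))
            excess = set(g["perms"])
        else:
            excess = g["perms"] - allowed
        for perm in sorted(excess):
            findings.append((g["user"], "excess-permission", perm))
        # Reviews expire on a schedule, independent of any role change.
        age = (today - g["reviewed"]).days
        if age > max_age_days:
            findings.append((g["user"], "review-overdue", f"{age} days"))
    return findings

if __name__ == "__main__":
    for finding in review_access(GRANTS, ROLE_ENTITLEMENTS, date(2024, 5, 6)):
        print(finding)
```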
If you’re handling sensitive data, you need to manage it effectively
This is also far from unique to the SaaS environment, but it does have particular implications for SaaS use because SaaS platforms give you limited visibility of how the SaaS provider manages your data. Unless you have reliable guarantees that they will be implementing the highest levels of data security, especially encryption, you’ll need to do it yourself.
Even if your SaaS provider is prepared to guarantee the highest levels of data security, you’ll still need to manage your own employees, or perhaps it would be better to say your own accesses, to ensure that they are not misused deliberately or accidentally. In addition to guarding against data loss, you’ll need to take precautions against data corruption. This is particularly important for those working in regulated environments, but really has implications for just about any company using SaaS.