What Does Software as a Service Mean?
Software as a service (SaaS) is a software distribution model that delivers application programs over the Internet. End users can access SaaS cloud apps with a web browser. The SaaS provider is responsible for hosting and maintaining the application throughout its lifecycle.
Advantages of using the SaaS delivery model include:
- Clients can easily access the software from multiple locations and computing devices.
- Updates and patches can be applied automatically without client assistance.
- Application access, as well as storage to support application use, can be sold on a subscription basis.
SaaS solutions tend to work best for non-strategic, non-mission-critical processes that do not require a high level of integration with the consuming organization's other business functions and systems.
SaaS offerings are typically delivered through the web, but they can also be applications or application programming interfaces (APIs) that can be integrated with another service. SaaS is also known as hosted software or on-demand software.
Techopedia Explains Software as a Service
SaaS can be thought of as subscription-based commercial off-the-shelf (COTS) software that's hosted on a cloud service provider's (CSP's) servers. SaaS offerings are generally dedicated in nature and target a specific business need such as collaboration, document management or human resources functions.
In recent years, a number of developments have allowed SaaS to become the preferred delivery model for a large number of software applications. One contributing factor is bandwidth; the internet is simply faster than it was a decade ago and access is more widely available. Another major factor has been the growing acceptance of distributed computing for business use.
Today, there are thousands of SaaS vendors, but Salesforce.com is perhaps the best-known example, as it was one of the independent software vendors to significantly disrupt a traditional software vertical by changing the delivery model.
SaaS Security Risks
Cloud platforms consist of multiple software and hardware components that, in turn, may be sourced from multiple providers, and it's not unusual for subsystems to be outside the direct control of the cloud provider.
This is why it is imperative for SaaS customers to confirm what security services and controls the cloud provider will supply — or not supply. To avoid creating gaps in security, controls must be applied commensurately with those used for internal organizational systems.
Some SaaS providers will have the ability to integrate with existing identity access providers; others will not have authentication integration options and will have their own identity realm. Unfortunately, this means that if an adversary finds a weakness in a provider's subsystem component, they can take advantage of that weakness and launch an advanced persistent threat (APT) attack in the cloud environment by moving laterally through the cloud, looking for vulnerabilities that will allow them to elevate privileges.
Although mitigating supply chain attacks against the cloud platform is mainly the responsibility of the cloud service provider, it's important for SaaS customers to:
- Choose software-as-a-service (SaaS) vendors carefully.
- Implement configuration and security controls to lower risk for SaaS subscriptions.
- Continuously monitor cloud use.
- Pen test the organization's SaaS applications and infrastructure at least twice per year.
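The customer-side checks above can be run as a recurring audit over a SaaS inventory. The following Python sketch is an added example, not part of the original article; the inventory fields, application names, control names and dates are constructed, and "twice per year" is interpreted here as two pen tests within the trailing 365 days.

```python
from datetime import date, timedelta

# Constructed sample inventory: app names, control names and dates are hypothetical.
INVENTORY = [
    {"app": "crm.example", "federated_sso": True,
     "controls": {"encryption_at_rest": "provider", "audit_logging": "customer"},
     "pen_tests": [date(2024, 1, 15), date(2024, 7, 20)]},
    {"app": "docs.example", "federated_sso": False,  # vendor's own identity realm
     "controls": {"encryption_at_rest": "provider", "audit_logging": None,
                  "backup": None},  # None = nobody confirmed as owner
     "pen_tests": [date(2023, 11, 2)]},
]
AS_OF = date(2024, 9, 1)  # constructed review date


def audit(app, as_of):
    """Return the list of findings for one SaaS subscription."""
    findings = []
    # Identity: accounts in a vendor-only realm sit outside the
    # organization's own identity provider.
    if not app["federated_sso"]:
        findings.append("identity: separate identity realm, no SSO integration")
    # Responsibility: every control needs a confirmed owner on one side.
    for control, owner in sorted(app["controls"].items()):
        if owner not in ("provider", "customer"):
            findings.append(f"control gap: {control}")
    # Cadence: "at least twice per year" read as two tests in the trailing 365 days.
    window_start = as_of - timedelta(days=365)
    recent = [d for d in app["pen_tests"] if window_start <= d <= as_of]
    if len(recent) < 2:
        findings.append(f"pen test: {len(recent)} in the last 12 months, need 2")
    return findings


def audit_all(inventory, as_of):
    """Map each application name to its findings."""
    return {app["app"]: audit(app, as_of) for app in inventory}


if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, AS_OF).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

A control whose owner is neither the provider nor the customer is the kind of gap the article warns about: a control the provider does not supply and the customer has not applied.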