
Technical Brief

Software as a Service (SaaS) is a licensing and delivery model in which software is centrally hosted and licensed to users on a subscription basis. It falls under the classification of cloud computing alongside a number of other services. It is becoming an increasingly common delivery model for business applications, including office, messaging, payroll, database and virtualization software, among numerous others. Even if you've never explicitly heard the term SaaS, it's a solid bet that you use some (or many) forms of it every day.

The concept of centralized hosting of business apps dates back to IBM and other mainframe providers in the 1960s, who offered their data centers as sources of storage and processing power to large businesses. Centralized computing reached new heights in the 1990s with the advent of Application Service Providers (ASPs), which offered businesses specialized apps and hosting services, reducing costs through specialization and centralization. SaaS is effectively a modern extension of the ASP model, where providers develop their own software that can be utilized and accessed by multiple users and businesses via a thin client, often a web browser (Wikipedia).

This contemporary distribution model is gaining steam quickly in this age of Free and Open-Source Software (FOSS). The ever-increasing reliability and availability of the Internet has forced organizations and VARs who practiced traditional methods of software distribution to change in order to remain relevant. Freely available and reliable systems and software have been a driving force in reducing the cost of traditional software, as household names such as Microsoft or Google are forced to offer a comparable service or bid adieu to a healthy chunk of the market.

Traditional software is typically offered as a perpetual license with a high up-front cost and may include a fee for support, while SaaS applications are generally priced using a subscription fee based upon the number of users, and as such tend to have a lower setup cost than equivalent enterprise software. The caveat is that user data in a SaaS model exists within the provider's servers, leaving opportunities for businesses to be charged on a per-event/transaction basis, and leaving the security of said data outside of company hands. The key to SaaS's growth in today's market, however, still lies in the provider's ability to offer a price that is competitive when measured against in-house or traditional software.

As things trend toward the cloud, competitors continue to emerge from the woodwork to carve out their space in the market as SaaS providers. Notable providers that have established themselves in this market, and whose offerings are worth consideration, include:

Microsoft 365

Microsoft Office applications have long been a key instrument in the workplace. Announced in 2010, Office 365 is the name for the cloud-based version of their office suite that arrived around the same time as Google's own web-based word processor and office applications went live, though executives at Microsoft had been mulling over the idea of hosted applications and making strategic acquisitions in this area since the mid-2000s (Foley). Users of Office 365 can create, edit, and share content from any Windows, Mac, iOS, or Android device, and connect with customers and colleagues across a range of collaborative tools inside and outside of the business. Microsoft also has agreements with universities across the country to offer the Office 365 suite for student use, wherein students are able to use various office apps and online storage during their 4-year stay, further establishing Microsoft's foothold in the market (Microsoft).

Google Apps

Google has evolved far beyond its advertising and search engine roots, offering businesses a suite of productivity tools comparable to Microsoft's. Google Apps includes email services, calendars, video conferencing, spreadsheets, word processing and presentations, and the Google Drive cloud-storage solution. Drive's link-sharing feature negates the need for email attachments and the hassle that comes with merging various versions of documents.

Amazon Web Services (AWS)

Amazon, too, has grown beyond its roots in e-commerce to support pay-as-you-go, on-demand cloud-based applications and resources for the IT industry, offering services in computing, databases, deployment, analytics, networking, and many more in this ever-expanding Internet of Things.


Slack

Slack is a real-time messenger that is redefining business communications. Users can interact on an individual basis using private and secure direct messages, organize conversations into open or private group channels to collaborate on projects, and share files along with comments and highlights on those documents. Notifications, messages, and files are all indexed and archived within the application (Nerdio).


Cvent

Headquartered in Tysons Corner, VA, Cvent offers software services to event planners for online event registration, venue selection, event management, mobile applications, marketing, and web surveys. They offer hotel managers an integrated platform to optimize event management value chains and have enabled clients to manage hundreds of thousands of meetings and events globally.

Market share in the cloud-computing industry can be split up a number of ways, notably by company, but additionally by private versus public. The public cloud market grew 28.6% in the first half of 2017, boasting revenue of over $63 billion. Software as a Service presently accounts for 68% of the market, but holds the title for slowest year-to-year growth among the X-as-a-Service business models, behind Platform and Infrastructure as a Service. Estimates place global public cloud services at a 22% annually compounding growth rate as we approach the year 2020. While small and medium-sized businesses continue to drive SaaS growth in the public cloud, larger companies are directing growth on a parallel trajectory: the private cloud or a hybrid solution of some sort. The chief contributing factor is likely cybersecurity. Data breaches in 2016 cost businesses an estimated $2.1 billion, four times that of the year before. The Panama Papers publishing of last year "revealed 11.5 million leaked financial and legal documents of client data... [and] put at risk 12 former country leaders, 29 Forbes-listed billionaires, and 214,000 companies, trusts and foundations, among others" (Finances).

While the SaaS model can be a useful tool in cutting costs for small businesses, there are definite security concerns to consider. "As if the worry about securing data within a corporate network isn't enough, securing data when it's in somebody else's network is even more complicated" (Cloud). Prior to SaaS, security and compliance could generally be condensed to a few critical tasks: identify data, its location, and its encryption; identify users and privileges; and document this information for audit and regulation. SaaS complicates these processes, making it difficult for a customer to determine where and how their data resides on a provider-controlled network.

Software as a Service affects compliance with a number of regulations, but most notable is the Payment Card Industry Data Security Standard (PCI DSS). This standard explicitly calls for "service providers" and merchants of any size to be compliant and acknowledge their responsibility in protecting client credit card data, and that each client of the hosting provider only have access to its own cardholder data environment. As SaaS providers service many customers, this means user or company data may be sitting on the same servers as someone else's data, potentially a competitor's. Additionally, access controls for this data sit in the hands of the providers, meaning that login credentials are stored on provider servers. While providers can claim these are secure, careful management of user accounts is imperative when the provider handles authentication. "Access has to be revoked for users leaving the company, which is easier when done in-house" by the company's own systems (Cloud). Direct integration with the company's directory services for authentication is an option now available from a number of service providers. Finally, as access to logs is required for PCI compliance at the request of auditors and regulators, it is important to negotiate access to internal logs from the provider as a part of your service agreement, both for easier monitoring and in the event of an investigation.
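The account-management point above can be checked routinely by reconciling the provider's account export against the company directory. The following is an added example, not part of the original brief; the CSV column names and all sample records are constructed assumptions, not any provider's real export format.

```python
"""Flag SaaS accounts that no longer match the company directory."""
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions for illustration.
DIRECTORY_CSV = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-03-01
carol@example.com,active,
"""

SAAS_ACCOUNTS_CSV = """login,enabled,last_login,auth_method
alice@example.com,true,2024-04-02,sso
bob@example.com,true,2024-03-15,password
carol@example.com,true,2024-04-01,password
dave@contractor.example,true,2024-02-10,password
"""


def load(text, key):
    """Index CSV rows by a normalized (trimmed, lowercased) key column."""
    return {row[key].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def audit_accounts(directory_csv, saas_csv):
    """Return (login, reason) for every enabled account needing review."""
    directory = load(directory_csv, "email")
    findings = []
    for login, acct in sorted(load(saas_csv, "login").items()):
        if acct["enabled"].lower() != "true":
            continue  # already deprovisioned at the provider
        person = directory.get(login)
        if person is None:
            findings.append((login, "no directory record"))
        elif person["status"] == "terminated":
            left = date.fromisoformat(person["termination_date"])
            last = acct["last_login"]  # taken from provider-side logs
            used_after = bool(last) and date.fromisoformat(last) > left
            findings.append((login, "login after termination"
                             if used_after else "leaver still enabled"))
        elif acct["auth_method"] != "sso":
            findings.append((login, "local password, not directory SSO"))
    return findings


if __name__ == "__main__":
    for login, reason in audit_accounts(DIRECTORY_CSV, SAAS_ACCOUNTS_CSV):
        print(f"{login}: {reason}")
```

The `last_login` column is only available if the service agreement grants access to the provider's logs, which is why that access matters for investigations as well as audits.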

As cloud computing continues to grow in popularity, it becomes an increasingly viable software solution for businesses to consider. SaaS arguably puts data at a greater risk since security control is managed outside of the company's network, but when deployed correctly, it offers decreased infrastructure, increased ease and speed of implementation, lowered upfront costs, and a comparable user experience.