What Does Software as a Service Mean?
Software as a service (SaaS) is a software distribution model in which applications are delivered over the Internet and typically accessed through a web browser. The SaaS provider hosts and maintains the application throughout its lifecycle.
Advantages of using the SaaS delivery model include:
- Clients can easily access the software from multiple locations and computing devices.
- Updates and patches can be applied automatically without client assistance.
- Application access, and the storage needed to support it, can be sold on a subscription basis.
SaaS solutions work best for non-strategic, non-mission-critical processes that do not require high integration with the consuming organization’s other business functions and systems.
SaaS offerings are typically consumed through a web browser, but they can also be delivered as applications or application programming interfaces (APIs) that integrate with other services. SaaS is also known as hosted software or on-demand software.
Software as a Service (SaaS)
SaaS can be considered subscription-based commercial off-the-shelf (COTS) software hosted on a cloud service provider's (CSP's) servers. SaaS offerings are generally purpose-built for a specific business need, such as collaboration, document management, or human resources functions.
Several recent developments have made SaaS the preferred delivery model for many software applications. One contributing factor is bandwidth; the internet is faster than a decade ago, and access is more widely available. Another major factor has been the growing acceptance of distributed computing for business use.
Today, there are thousands of SaaS vendors, but Salesforce.com is perhaps the best-known example, as it was one of the first independent software vendors to significantly disrupt a traditional software vertical by changing the delivery model.
SaaS Security Risks
Cloud platforms consist of multiple software and hardware components that may be sourced from multiple providers, and it’s not unusual for subsystems to be outside of the direct control of the cloud provider.
This is why SaaS customers must confirm which security services and controls the cloud provider will supply, and which it will not. Controls applied to the SaaS subscription should be commensurate with those used for internal organizational systems, so that moving a workload to SaaS does not create a security gap.
Some SaaS providers can integrate with an organization's existing identity provider (IdP); others offer no authentication integration and maintain their own identity realm, with separate credentials that sit outside the organization's single sign-on, multi-factor authentication, and deprovisioning controls. Combined with the layered, multi-vendor platform described above, this widens the attack surface: an adversary who finds a weakness in a provider's subsystem component, or in an account living in such a separate realm, can use it to gain a foothold in the cloud environment, move laterally, and look for vulnerabilities that allow them to elevate privileges and establish the kind of persistent access associated with an advanced persistent threat (APT).
Although mitigating supply chain attacks against the cloud platform is mainly the responsibility of the cloud service provider, it’s essential for SaaS customers to:
- Choose SaaS vendors carefully, reviewing the security controls they do and do not supply.
- Harden the configuration of each SaaS subscription (identity integration, access controls, data-sharing settings) and apply the organization's own security controls to it.
- Continuously monitor SaaS use, including authentication and administrative audit logs.
- Pen-test the organization's SaaS applications and integrations at least twice yearly, within the scope the provider's terms of service permit; the provider's own infrastructure may only be tested with its authorization.
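The identity gap described above is something a customer can monitor for, even when the provider offers no IdP integration. The following Python script is an added example, not code from the original article or from any SaaS vendor: it reconciles a constructed SaaS sign-in log against a constructed IdP directory and flags logins that used the provider's own credentials instead of SSO, logins without MFA, accounts the IdP does not know about, and logins by users the IdP has already deprovisioned. The JSON-lines log format, its field names, the users and the directory are all hypothetical; a real product's export schema will differ.

```python
"""Reconcile a SaaS audit log against the organization's identity provider.

Added illustration, not code from the original article. The JSON-lines audit
log format, its field names, the users and the IdP directory are all
constructed for this example; a real SaaS product's log schema will differ.
"""
from __future__ import annotations

import json
from typing import Iterator

# Constructed IdP directory: the accounts the organization intends to exist,
# and whether each is still active (deprovisioned users are marked inactive).
IDP_USERS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": True},
    "carol@example.com": {"active": False},  # left the company; disabled in IdP
}

# Constructed sample audit log (hypothetical JSON-lines format). The third
# line is deliberately malformed to show that the parser skips it.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "user": "alice@example.com", "event": "login", "auth": "sso", "mfa": true}
{"ts": "2024-05-01T08:15:40Z", "user": "bob@example.com", "event": "login", "auth": "password", "mfa": false}
this line is not JSON
{"ts": "2024-05-01T09:01:03Z", "user": "carol@example.com", "event": "login", "auth": "password", "mfa": true}
{"ts": "2024-05-01T09:30:27Z", "user": "contractor@partner.example", "event": "login", "auth": "password", "mfa": false}
{"ts": "2024-05-01T10:12:55Z", "user": "alice@example.com", "event": "role_change", "detail": "granted admin"}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per well-formed JSON line; skip blanks and garbage."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count or alert on these; here we skip
        if isinstance(event, dict) and "user" in event and "event" in event:
            yield event


def audit_logins(events, idp_users) -> list[tuple[str, str]]:
    """Return (user, finding) pairs for logins that escape the IdP's controls."""
    findings = []
    for e in events:
        if e.get("event") != "login":
            continue
        user = e["user"]
        if e.get("auth") != "sso":
            # Local credentials live in the provider's own identity realm, so the
            # IdP's password, lockout and conditional-access policies do not apply.
            findings.append((user, "local-credential login bypasses IdP policy"))
        if not e.get("mfa", False):
            findings.append((user, "login without MFA"))
        record = idp_users.get(user)
        if record is None:
            findings.append((user, "account unknown to IdP (shadow or orphan account)"))
        elif not record["active"]:
            findings.append((user, "login by account deprovisioned in IdP"))
    return findings


def summarize(findings) -> dict[str, list[str]]:
    """Group findings per user so each account can be reviewed once."""
    summary: dict[str, list[str]] = {}
    for user, finding in findings:
        summary.setdefault(user, []).append(finding)
    return summary


if __name__ == "__main__":
    results = summarize(audit_logins(parse_events(SAMPLE_AUDIT_LOG), IDP_USERS))
    for user, issues in results.items():
        print(f"{user}:")
        for issue in issues:
            print(f"  - {issue}")
```

On the constructed log this reports nothing for alice (SSO with MFA, active in the IdP), two findings each for bob and carol, and three for the contractor account the IdP has never heard of. The non-login `role_change` event is parsed but ignored here; the same loop is the natural place to add a check that privileged role grants go only to SSO-governed accounts, which is the kind of configuration control the list above calls for.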