What is SaaS (Software-as-a-Service)

PaaS (Platform-as-a-Service), IaaS (Infrastructure-as-a-Service), and Software-as-a-Service (SaaS) are three types of cloud service model offerings.

• PaaS offers an on-demand cloud-hosted platform that is ideal for use by software developers and service providers to develop, test, and manage applications.
• IaaS is an on-demand IT infrastructure service. IaaS vendors provide access to cloud-hosted resources, including physical and virtual servers, storage and networking.
• SaaS offers on-demand access to cloud-hosted apps.

SaaS can be deployed using several types of cloud models. These are defined by NIST (National Institute of Science and Technology) as follows:

• Private cloud  can be on- or off-premises and provides access to a cloud infrastructure on a per-organization basis. Private clouds may be owned, managed, and operated by the organization. However, a third party may be involved in deployment and management.
• Community cloud can be on or off-premises and allows groups of shared interest communities that may exist across several organizations to collaborate and share services across a common infrastructure. The infrastructure may be managed by one or all of the community groups or by a third-party service provider.
• Public cloud infrastructure is accessible by the public. Public clouds are often used by government services or academia. Public clouds are hosted by a cloud provider.
• Hybrid cloud is a combination of two or more of the cloud infrastructures described above. Each of the clouds within the hybrid remain distinct entities. Standardized or proprietary technology allows for interoperability and data portability.

SaaS is a service-based approach with legal and technological differences to using products installed on in-house IT systems. Some examples of areas that must be considered when transitioning from product to SaaS services include the following:

• Security and access control: Remote access, security protocols, and other security areas, such as zero trust, will be impacted when a company moves to a cloud-based service model. Your SaaS vendor must offer alternative security arrangements that de-risk associated security issues with cloud computing.
• Licensing: Cloud-based apps and service require vendor SLAs. These are a form of contract covering maintenance of the application and infrastructure with commitment to varying levels of availability, performance, and incident response and resolution. 
• Data sharing, privacy, and compliance: SaaS vendors typically host and process customer data. This has implications for data security and privacy and can impact regulatory compliance with the likes of GDPR, HIPAA, etc. Vendors should demonstrate how they adhere to data sharing privacy and security protocols and measures.

Software as a Service (SaaS) is not without its risks and challenges:

On-premises computing provides a degree of protection because it can be protected as a closed system, However, cloud computing has a fuzzy perimeter so has special requirements for securing data and controlling access to resources. For example, special care must be used to ensure that staff have the right level of access to do their job and no more, often called least privilege access. Security solutions designed for SaaS environments ensure that data is protected wherever it goes and with whomever it is shared.

SaaS apps are available over the internet; therefore, for optimal use, users must have Internet connectivity. Also, these apps may have greater latency than client-server apps.

Delivery of SaaS by a third-party vendor may make the recovery and movement of your stored data more difficult. Data ownership can be a complex area and comes under the contract between a client and vendor. It is essential to understand the data ownership clauses in your SaaS vendor contract.

SaaS services are exposed to the internet and is therefore at greater risk of web-based attacks like brute force and credential stuffing.

Much of shadow IT is caused by using unsanctioned SaaS apps. Users with Internet access can easily acquire and use SaaS tools. Shadow IT leaves departments at risk of unmanaged apps being used to create and share sensitive data.

SaaS vendors must be assessed for risk to ensure that they have robust measures to mitigate disasters that could cause business interruption.

A recent Cloud Security Alliance (CSA) survey shows that SaaS security is a top priority for 80% of organizations. The survey also found that over half of organizations had experienced a SaaS security incident, resulting in ransomware, malware, and data breaches. Securing the vast attack surface created by cloud-based apps is essential in de-risking an organization.

The following technologies are used to mitigate the risks and security challenges of SaaS:

• SaaS vendor security assessment: Security begins by knowing who you are dealing with. A security assessment of any SaaS vendors an organization uses is fundamental to security. The assessment analyses potential risks associated with a specific vendor.
• Visibility, app discovery, and monitoring: Knowing what you are dealing with is next step to security. Visibility across the expanded cloud environment allows an organization to monitor app access and use and apply appropriate access and authorization measures.
• Robust authentication and authorization: Robust authentication measures must be applied to control access in a cloud environment. Login credentials are a popular target for cybercriminals who use social engineering, phishing, and dark web marketplaces to gain unauthorized access to SaaS apps. Authorization that fits the needs of the individual role and does not provide unnecessary privileges helps mitigate SaaS risk.
• Zero-Trust architecture and least privilege: A zero-trust architecture (ZTA) can be used to protect SaaS apps and data. ZTA continuously authenticates users, devices, and applications. The principle of least privilege (PoLP) is used to ensure that post-access permissions are applied to the user that reflect their role in the company and offer enough access rights to perform a task and no more.
• AI-enabled advanced threat detection: AI is powering many security solutions in response to the increasingly complex and often automated cyber-attacks focusing on SaaS environments.

Some of the most important Software as a Service security solutions are as follows:

• Identity management and governance - Identity management and governance is a fundamental building block of secure SaaS app access and data security.
• Cloud Security Posture Management / SaaS Security Posture Management (CSPM or SSPM) - CSPM and SSPM provide unified solutions that monitors cloud / SaaS environments for misconfigurations, policy violations, and compliance risks. CSPM is a more holistic way to monitor and secure cloud-based accounts, whereas SSPM focuses on SaaS apps.
• Web application firewalls (WAF) - A WAF filters and monitors HTTP traffic between a web application and the Internet. Any anomalous or suspicious traffic is stopped.
• Email security and spam filtering -Email security solutions help prevent phishing and malicious spam from entering employee inboxes.
• Data encryption - Data must be encrypted during sharing and transmission across a SaaS environment as well as during storage.
• Data loss prevention (DLP) - DLP software sets rules that prevent sensitive or proprietary information from leaving a secure zone.

Data protection in Software as a Service (SaaS) environments is enforced by a variety of standards and regulations. Some of the most well-known are as follows:

• ISO/IEC 27001 (international)
• Service Organization Control (SOC2) (third-party service providers)
• GDPR (general, focused on protection of the data of EU citizens)
• HIPAA (healthcare)

As with many technologies, SaaS embraces artificial intelligence (AI) and machine learning (ML) to improve operational efficiency and business intelligence. Advances are also focusing on improving customer experience (CX) using data-driven user journeys to optimize and enhance the CX. The unification of SaaS and tools like agency management systems (AMS) and comparative rating systems are adding important interoperability to enhance business intelligence and operations. The enhancement of cybersecurity across SaaS and cloud-native apps creates safer environments, which de-risks the enterprise.