Businesses are moving away from traditional software to cloud-based solutions at a rapid pace to meet the ever-changing market demands. However, there are still a large number of businesses that are not well aware of what SaaS is and how it can help them stay competitive in the 21st century. Having a basic understanding of how SaaS software works, its advantages, drawbacks and the challenges associated with moving to the cloud helps businesses make informed decisions and optimize their IT spending.
The concept of SaaS is fairly simple, but the underlying infrastructure and technologies behind cloud-based software can get very complex. The term Software as a Service is self-explanatory and refers to software delivered as a service on a subscription basis, which many businesses prefer over paying in full for expensive software. From cloud storage to ride hailing, SaaS is everywhere and flexible enough to support almost all industries.
SaaS software is hosted, maintained and updated on a central server, so the benefits are common across all industries. Compared to traditional on-premises software, SaaS software is not bound by location or device. Instead of installing, managing and maintaining services on their own servers, businesses can simply ‘rent’ the software on a subscription basis and access it over the internet using almost any device, including mobile devices.
Low Upfront Costs
Running on-premises software requires heavy investment in the infrastructure and resources needed to install, maintain and manage security. The high upfront costs associated with on-premises software have been the biggest hurdle for small and medium businesses. The SaaS model has leveled the playing field and enables SMBs and even individuals to leverage modern technologies to their benefit. SMBs now have access to the same technologies that were previously reserved for large enterprises.
Businesses only have to pay for the services they plan on actually using instead of paying in full for unused licenses or software features. This minimizes the financial risk associated with buying expensive software, its implementation and maintenance. A multi-tenant software environment allows users to access computing resources that are shared between them through central servers. SaaS is a boon for SMBs that were unable to use traditional software due to high licensing and maintenance costs.
SaaS software lowers the TCO (Total Cost of Ownership), which includes the hardware, network, software, human resources, backup systems, support and security system, maintenance costs and physical space. SaaS solutions enable businesses to spread the cost of operating a piece of software over a longer period of time. The long-term benefits in terms of overall cost of using SaaS software are debatable, but the short-term benefits are pretty obvious as traditional software comes with a big opportunity cost.
High Level of Scalability and Flexibility
Compared to on-premises software that is usually tied to specific machines, SaaS software offers greater flexibility and can be used from anywhere using almost any device. One of the main reasons behind the popularity of SaaS is the scalability and flexibility it offers. Most vendors allow businesses to cancel their subscription anytime, while many of them don’t create hurdles that make it difficult to migrate data. The pay-as-you-go options allow users to instantly add options and features, and upgrade or downgrade their plans depending on the usage or cancel the subscription altogether if it’s not working for them.
That’s not so simple with traditional software as businesses already have made a huge investment in the infrastructure and the software itself. Many providers allow hand-picking different features and paying on the basis of actual usage instead of just based on the number of users. A high level of scalability is beneficial for businesses that have significantly higher traffic during peak seasons such as businesses in the fashion industry or during holiday season.
Maintenance-free, Automatic Updates
Most SaaS solutions are ready to use and require no installation, configuration or regular maintenance. This allows businesses to focus more on their core operations instead of worrying about initial and maintenance costs. Users can start using most SaaS apps just after confirmation of a subscription. Updates, patches, fixes, performance enhancement and adding new features are also the responsibility of the vendor, so businesses don’t have to spend a lot of time managing these things.
Since SaaS apps are run through the cloud and are accessible using almost any device, they offer excellent cross-platform compatibility. This is particularly beneficial for remote workers who can work efficiently from anywhere. Compatibility issues plagued traditional software and organizations had to spend a lot of time and resources to ensure everything is working smoothly. All users get instant access to up-to-date software and data, which boosts productivity and minimizes data duplication.
Another advantage of choosing SaaS software over traditional software is the ability to switch between different providers, allowing businesses to switch to a provider that offers more value for the money. Although some providers deliberately make it difficult to switch to another provider or make data migration a lot of hassle, data migration and switching between providers is still simpler when using a cloud-based solution.
Most modern SaaS software is able to communicate with other systems through APIs (Application Programming Interfaces) and connectors. App integration minimizes data duplication, manual work and chances of error, and enables businesses to make the most out of their IT investment. That’s why app integration and compatibility with other systems is an important factor for many businesses when evaluating different SaaS solutions.
Easy-to-use, High Adaptability
Modern SaaS software is built on the best industry practices, is easy to use and has a smaller learning curve. Since there are no installations, time-consuming configurations and regular maintenance involved, the adoption rate of SaaS apps is higher and the workforce does not require a lot of time getting used to these simple web-based solutions. Most SaaS solutions offer a trial run, allowing users to get used to the software without making a long-term commitment. Ease of use and high adaptability also reduce the time to market and the time required for carrying out proof-of-concepts.
The Service Level Agreement (SLA) outlines what the customer should expect from the vendor and guarantees how well a SaaS software will work, which is usually represented as 99.XX% uptime. 99.9% has become an industry standard, which means a downtime of 52m-36s per year. The SLA also includes other services and vendor obligations, including backup and recovery options in case something goes wrong.
Security and Compliance
According to a report by McAfee [i], around 23 percent of organizations fully trust public clouds, while 29 percent still do not trust public clouds. Security has been a big concern for businesses, especially large businesses running mission-critical apps. SaaS has come to a point where security is no longer a big issue, and some even consider cloud-based apps to be safer than their on-premises alternatives.
According to Gartner [ii], the leading cause of security lapses has been misconfigured apps due to customer mistakes and lack of process oversight, while by 2022, 95 percent of security failures will be because of the customer’s negligence. From geographically separated data centers to enhanced authentication, data encryption and auditing procedures, modern SaaS solutions have strong security measures working in the background.
Cloud providers have improved significantly in recent years when it comes to security. SaaS deployments have an added benefit of reduced operational risk and offer better auditability and business continuity. General compliance certificates help ensure security and compliance, including SOC1/2, ISO 27001/22301, OWASP ASVS, CSA STAR. Security benefits of SaaS include continuous and automated security management, auto detection of compromised accounts and data loss prevention.
Some providers offer the bare minimum when it comes to security, while others take responsibility for securing the software, but not the customer data or user access. On the other hand, many companies offer comprehensive security options such as a Cloud Access Security Broker (CASB), which refers to an intermediary security layer between the service provider and the user. The four pillars of CASB are visibility, compliance, data security and threat protection.
CASBs help address security gaps in SaaS, PaaS as well as IaaS environments and have become an important element of enterprise security. The main objective of using a CASB is to improve visibility, have more control over data and deal with online threats to meet security requirements. CASBs use auto-discovery to identify threats and potential vulnerabilities, classify risk levels and automatically take action to remedy the risk.
White-labeling refers to reselling an existing SaaS software after rebranding and/or adding new features. The concept has gained popularity recently as it saves vendors from having to code from scratch and allows them to deliver even better software and add more value. This encourages innovation and enables small development teams to create specialized products. White-labeling is not limited to vendors as businesses can also customize existing solutions according to their own unique requirements.
Some of the biggest advantages of SaaS also happen to be its cons. SaaS apps require an active internet connection, in the absence of which most SaaS apps cannot be accessed. A reliable internet connection might not be possible in all situations, especially in cases like field workers working in remote areas.
However, we have reached a stage when high-speed internet and broadband is widely available and a stable internet connection is less of an issue. The drawbacks or cons covered below are applicable when the user meets the internet and system requirements specified by the vendor and are not directly related to internet connectivity or system resources.
When an app is run and managed by a third-party on its own servers, businesses naturally won’t have complete control over all processes. Enterprises have to rely on vendors for most of the stuff related to delivering services and securing data. A business might end up signing up with a vendor that does not deliver according to its promises, which can cause service disruptions, downtime and loss of customers and revenue.
Businesses generally have more control when using traditional software, which installs on local machines and is managed by in-house resources. Much of that control is handed over to the vendor in case of cloud-based apps. Although automatic updates are a pro for SaaS apps, they can also be a con for businesses that want to independently gauge an update before the final rollout. That’s why many large enterprises prefer hiring a third-party company to manage their critical business applications and go through complex processes of compliance and audit.
Unwanted service disruption is another aspect of having limited control. Uptime guarantees vary from one vendor to another, while some release patches and updates more frequently than others. In case of a security breach, the customer also suffers along with the vendor, which in case of mission critical services such as banking transactions can have a devastating effect.
SaaS Security Challenges
Cloud computing in general and SaaS in particular present unique security challenges. The data is stored in the cloud on a third-party server. Limited visibility and lack of complete control raise questions such as whether the data is secured properly. Cloud security issues are treated as a shared responsibility by service providers. The provider is responsible for securing the cloud, while customers are responsible for what they do with it and how they operate. Some of the most common SaaS security issues and challenges include:
- Limited visibility and control over processes
- Limited ability to monitor how data moves to and from the app
- Lack of technical and human resources to manage security
- Lack of ability to prevent misuse of data or insider theft
- Advanced attacks and new threats against the vendor
- Difficulty maintaining regulatory compliance
- Data theft from a cloud app
- Uncertainty about where the data is physically stored
- Access management issues
- Misconfigurations can happen because of incompatibilities, integration issues etc.
- Mistrust of the vendor’s claims about security and compliance
- Lack of communication between the vendor and security teams
- Lack of a customer-centric approach towards data security and compliance
Humans or the customers play an important role in preventing security breaches. According to a study conducted by IBM into cyber breaches, human error was behind 95 percent of all breaches, which were otherwise preventable. Human errors can either be skill-based or decision-based and can compromise security in endless ways, including mis-delivery of information, lack of awareness, password issues, failing to install security patches and physical security issues.
Educating employees takes time and effort, which not all businesses, especially SMBs, are willing or able to commit. Modern SaaS solutions are far more secure than ever before, but the chances of human error are still there. Reputable SaaS providers go to great lengths to ensure security and compliance, but the customers also have to take strict measures, especially when dealing with sensitive data.
SaaS Compliance Challenges
Compliance refers to meeting a set of standards set by a certifying agency, including storage, data usage and data sharing. It instills trust in potential clients and customers and enhances security. Just like people prefer used cars that only went to certified mechanics, businesses also prefer vendors that have procedures in place to protect their data and their customers’ digital assets. Compliance can also be viewed as a type of risk management and an added layer of security.
Things are simple when running one or two apps, but as businesses start adding apps in their SaaS stack, each application has the potential of becoming a security risk without strict compliance policies in place. Examples of major compliance regulations include:
- GDPR (General Data Protection Regulation) – Europe
- ISO/IEC 27001 – Provides guidelines for SaaS companies to manage security risks
- Service Organization Control 2 (SOC2) – Auditing process based on the standards of the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA)
- Health Insurance Portability and Accountability Act (HIPAA) – Federal US law for protecting sensitive information of patients
- Payment Card Industry Data Security Standard (PCI DSS)
- New York Cybersecurity Regulation (NYCRR) – Cybersecurity requirements for companies in the financial sector
- Federal Financial Institutions Examination Council (FFIEC)
Not all SaaS providers comply with local and international standards, while some only comply partially. Large enterprises usually have a dedicated Chief Compliance Officer responsible for leading compliance efforts and designing and implementing procedures and internal controls to ensure compliance with the local, state and federal regulations and laws.
Performance and latency issues can arise if the data centers are located far away from the users. That might not be a big issue for SMBs, but multinational businesses that operate in different geographical regions might not be able to serve their target market well and provide them with a great user experience.
The term cloud service latency refers to the delay between customer request and response from the provider. What makes matters more complicated is that latency in a cloud environment is hard to predict and measure. Some factors that affect latency include communication hops till the target server, which are directly related to the physical distance between the user and the data center.
Limited Apps and Functionality
Many providers have completely moved away from selling traditional software while many offer both cloud-based and on-premises versions. Despite its recent popularity, not all apps are cloud-based. Because of limited apps, there might be on-premises apps that a business has to host and manage itself. In other cases, there are cloud-based alternatives to on-premises software, but with limited functionality because of which businesses have to stick with the traditional software.
Understanding the technical jargon and the SLA can be a daunting task, especially for non-technical staff. Penalties for overuse can be steep and if businesses don’t understand the terms and their contractual obligations, they might end up paying large sums of money in the long run. Software Asset Management (SAM) has become an important function of IT departments, which ensures that the company is buying the right type of subscription and there is no over- or under-usage of resources.
Data Mobility, Interoperability and Vendor Lock-in
Many SaaS providers have policies in place that make it difficult to migrate data to another provider by locking customers into their own standards and protocols. Although proprietary standards have their own benefits, they can limit the portability of apps and data. Businesses need to consider the ramifications of vendor lock-ins and have a clear understanding about data migration policies.
On-premises software is generally more customizable than cloud-based apps and allows businesses to customize it according to their own unique requirements. The main guiding principle of cloud-based apps is to serve a large number of customers using shared resources in multi-tenant environments. This enables even SMBs to benefit from technologies previously reserved for enterprises. But the trade-off is limited customization. Even SMBs can vary hugely in what they want from a piece of software, so the provider has to strike the right balance between core features and customization.
Customization normally refers to making changes in the software code, which is not recommended unless really necessary e.g. to fix bugs. On the other hand, configuration refers to the flexibility a software offers, which allows the software to adapt to business model changes. It’s critical to consider the native features as well as configuration options when choosing a SaaS solution.
Like everything else, SaaS software has its own pros and cons and is not perfect. However, the pros generally outweigh the cons, which is why SaaS gained so much popularity in a short span of time. SaaS is a big paradigm shift in the way SMBs use software and most of the cons are not deal breakers for them. What’s important is to understand and address the common challenges before signing up for a subscription. SaaS remains a viable option for most businesses and staying alert to both advantages and disadvantages is the key to optimized IT spending.
[i] “Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security”. Retrieved from https://www.mcafee.com/enterprise/en-us/solutions/lp/cloud-security-report.html
[ii] “Is the Cloud Secure?”. Retrieved from https://www.gartner.com/smarterwithgartner/is-the-cloud-secure