CyberArk Glossary >

What is Software-as-a-Service (SaaS)?

Software-as-a-Service (SaaS) is a software licensing and distribution model in which a service provider hosts applications and makes them available to customers over the Internet. Also referred to as “on-demand software,” “hosted software,” and “web-based software,” SaaS is one of three main components of cloud computing—which is one of the foundational elements of digital transformation. Other cloud computing components are infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS).

Most SaaS offerings are based on a multitenant architecture. This means that a single version of the application is provided to all users. Customers can change configuration settings for optimal functionality and look and feel and can also customize components of the software to address their specific use cases, which are maintained through upgrades. However, users cannot change the common, underlying infrastructure and code of SaaS applications.

SaaS Examples

There are two major types of SaaS: vertical SaaS and horizontal SaaS.

  • Vertical SaaS. Addresses a specific industry need such as electronic medical record (EMR) software for healthcare or financial management software for banking or insurance.
  • Horizontal SaaS. Addresses needs across all industries, such as email and collaboration software, human resource management (HRM) software, customer relationship management (CRM) software, enterprise resource planning (ERP) software and cybersecurity software.

 SaaS Benefits

  • Cost-savings. SaaS models are sold as pay-as-you-go subscriptions, so organizations can minimize up-front deployment costs such as licensing and installation fees. Instead, they can start with a small investment and subscription plan, then scale to more users and use cases as necessary.
  • Ease-of-use. Instead of being installed and maintained by the user, SaaS applications can be accessed through a web browser or thin-client terminal—regardless of device or location. The SaaS provider manages availability, performance, ongoing maintenance, updates and patches and the security of the cloud itself.
  • Operational efficiencies. Because applications are hosted in the cloud, internal teams can eliminate time-consuming tasks related to infrastructure management and refocus on the core competencies of the business. Additionally, SaaS requires little to no computing or storage from the user organization, which helps to save resources.
  • SaaS services can be easily scaled up or down and additional features can be accessed on demand. This benefits organizations with cyclical needs, those that are growing quickly and those that need to scale back as needs and budgets shift.
  • Ease of integration. The popularity of SaaS offerings, coupled with the standardization in API technology, has created a surge in integrations and “mashups” that combine data, presentation and functionality from multiple services to meet evolving customer needs and provide best-of-breed services for cloud security.

SaaS Security Challenges

A 2019 CyberArk survey of more than 1,000 global organizations found that the number one reason organizations move to the cloud is security. Additionally, over a third of these respondents believe that the burden of risk concerning information security is borne entirely or in part by the cloud vendor.

While SaaS providers focus on cloud infrastructure security, they publicly recognize they can only provide a partial security solution and emphasize security collaboration. For example, Microsoft stresses a shared responsibility model, which divides security tasks between the cloud provider and cloud customer. Microsoft notes that regardless of cloud deployment type, the cloud customer is always responsible for protecting the security of its data and identities, on-premises resources and the cloud components it controls.

The US National Security Agency also offers guidance on sharing cloud security responsibilities.

In a January 2020 directive, the NSA notes that “[Cloud service providers (CSPs)] are responsible for securing the cloud infrastructure, as well as implementing logical controls to separate customer data. Organizational administrators are usually responsible for configuring application-level security (e.g., access controls for authorization to data). Many CSPs provide cloud security configuration tools and monitoring systems, but cloud customers are responsible for configuring the service according to organizational security requirements.”

In the event of a data breach, the customer organization is held accountable and must answer to regulators, customers and other stakeholders—not the cloud vendor. As such, organizations should examine and understand this division of responsibility and take steps to protect privileged access to sensitive data and information housed in SaaS applications and other cloud environments.

Learn More About SaaS