SaaS

What is SaaS?

Software as a service (SaaS) is a licensing and delivery model in which software hosted on a third-party server is made available on an on-demand basis by an SaaS cloud service provider (CSP). End users pay a recurring subscription fee to access SaaS services and do not need to buy, install, or maintain any hardware or software; they only need an internet connection. The SaaS provider maintains the data, infrastructure, software, and security.

SaaS is commonly used for email and messaging services, customer relationship management (CRM) and enterprise resource planning (ERP) software, payroll processing, document sharing, data backups, network monitoring, content management, ticketing systems, web hosting, and collaboration applications.

Some well-known SaaS products are Google’s G Suite, Microsoft’s Office 365, Atlassian’s Jira, and Oracle’s NetSuite.  

Using SaaS services reduces software development, administration, and maintenance costs; improves remote collaboration between teams and with customers; and offers a security framework managed by a provider. The main downside to SaaS is that organizations may still have to perform some often complex integration tasks; may lack control over their data like its storage location; have to trust a CSP to adequately secure confidential data; and monitor their systems to ensure they perform in accordance with the level of service defined in a service level agreement (SLA). To do this, organizations use their own application monitoring solutions to reassure themselves that adequate standards are being maintained. Simultaneously, IT departments are faced with new cybersecurity security challenges, like the rise of shadow IT which is when employees use SaaS applications without the approval of the IT department. 

SaaS services are similar to those provided by an application service provider (ASP). The difference is that SaaS is a self-service, while an ASP has to manually build a separate system for each customer.

SaaS history

The term SaaS was coined in 2005 by John Koenig – currently head of product at Rappi, a digital commerce platform – but the beginnings of an SaaS model originated much earlier, in the 1960s, from what was called a time-sharing system.  The Compatible Time-Sharing System (CTSS), a time-sharing operating system (OS), was launched in 1961 by the Massachusetts Institute of Technology (MIT). It fulfilled a need by small- and medium-sized businesses (SMBs) for an affordable computing environment where the cost of expensive individual workstations was unaffordable. Time-sharing allowed the allocation of computing resources among multiple users on dumb terminals for a small period of time called a time slot, simultaneously using multi-programming and multi-tasking processes on multiple central processing units (CPU).

A time-sharing system uses a hub-and-spoke communication model, where each computer (the spoke) communicates directly with the hub, which usually resided on a mainframe.

Organizational IT changed during the early 1990s mainly due to the shrinking cost of computing resources. Instead of using dumb terminals, companies could afford to purchase individual computers for their employees and connect them through a local area network (LAN). The downside to users having their own devices was an increasing demand for hard drive space, which became expensive. The solution was to use external data center storage facilities and cloud computing services.

SaaS as a cloud computing service model

SaaS evolved in tandem with the growth of cloud computing services. The terms SaaS and cloud computing are often used interchangeably but SaaS is one of many types of cloud computing service models. Cloud computing refers to computing services – like the provision of software, networks, storage, and analytics – delivered through virtual hardware and simulated on physical devices, on demand, and where users do not have to actively manage a service as they would on localized devices.

As-a-service models

Cloud computing service models include various as-a-service models, sometimes referred to as XaaS, which is an acronym for anything provided as a service.

Examples of as-a-service models are managed software as a service (MSaaS), infrastructure as a service (IaaS), network as a service (NaaS), desktop as a service (DaaS), platform as a service (PaaS), IT as a service (ITaaS), backend as a service (BaaS), function as a service (FaaS), mobile backend as a service (MBaaS), and data as a service (DaaS).

Each of these as-a-service models may be incorporated into systems developed to deliver SaaS services. For example, PaaS provides services for the cloud platform on which SaaS services run.

Cloud types

SaaS services are run in four main types of cloud: public clouds, private clouds, hybrid clouds, and multi-clouds.

A public cloud is not owned by the end user and is partitioned for multiple tenants. It allows users to access resources remotely, either free or for a subscription fee. Examples of public clouds are Amazon Web Services (AWS), Google Cloud, and Microsoft Azure.

A private cloud, like a data center, is created for the exclusive use of one organization or a group of users. Similarly, a community cloud, a type of private cloud, is a shared cloud environment for organizations with similar interests, for example the insurance community or non-governmental organizations (NGOs).

A hybrid cloud includes multiple connected environments, for example a private cloud that an organization uses to store sensitive customer data and a public cloud it uses for hosting its eCommerce platform. Another use case for hybrid clouds is for backups, where local data may be stored on premise and then replicated to a public cloud. CSPs like Amazon, Microsoft, and Google all offer hybrid cloud services. In some cases, public cloud providers may partner with private cloud providers to provide hybrid cloud services. An example of this is the Google/Cisco hybrid cloud partnership. 

A multi-cloud includes multiple cloud services from multiple vendors, public or private. A hybrid cloud is a multi-cloud but not all multi-clouds are hybrid clouds, for instance a multi-cloud could include multiple cloud services only from public vendors.

Core SaaS characteristics

SaaS core characteristics are security, scalability, automation, on-demand services, and low cost.

Security is handled by an SaaS provider who takes measures to provide effective security services as documented in an SLA.

Vertical scalability is the capability to increase or decrease resources to match demand, for example adding extra storage. Vertical SaaS targets niche industries like health or finance. Horizontal scalability refers to the addition or removal of features or nodes. Horizontal SaaS allows businesses to cater to a broad customer base.  Scalability allows organizations to make the best use of their resources and ensure a consistently good user experience.

Automation allows businesses to automate repetitive tasks like re-ordering stock, and mitigate human error when performing complex tasks like auditing expenses. Using SaaS services, automation workflows can be managed and updated through a single interface that is available to users in real time at different geographic locations.

On-demand services are services where users can add or remove features depending on their needs.

The cost of SaaS solutions versus on-premises solutions may vary but generally, SaaS solutions are cheaper than on-premises solutions. The main reason for this is that there are no up-front costs with an SaaS solution, just a recurring subscription that usually includes maintenance. With an on-premises solution, there is an initial capital outlay and recurring maintenance costs.

Why is SaaS used?

Before organizations started using the internet as a business tool, companies (and individuals) installed programs – like email, editing, graphics, and anti-virus software, and office tools – on individual devices. To do this, they had to purchase software installation disks – first floppy disks and then CDs – and then install and configure the applications. The same laborious process had to be followed for patching and updating programs. And the disks themselves, susceptible to wear and tear, had to be backed up as well.

As the internet became more popular, software vendors began offering their software for download from the internet but copies of the software still had to be installed on every user’s device. In-house administrators had to continuously monitor software usage, security, and access rights. For instance, if someone resigned, an in-house administrator needed to be notified by human resources that their credentials had to be removed from the system. Where employees had used their own computers, for example field workers or staff that worked from home, some software needed to be removed from the users’ computers.

During the early 1990s, business functionality on the internet was enhanced by the launch of online marketplaces like eBay, capabilities for secure credit card transactions, and the development of secure socket layer (SSL) by Netscape Navigator. Cloud computing and modern SaaS were thus driven by the requirements of eCommerce and consecutively, by the provision of cloud solutions by software vendors.

Who uses SaaS?

SaaS has numerous applications across a wide range of industries. It addresses the needs of most organizations for applications to increase productivity and improve communication between employees and with customers.

SaaS services are used in software development, business analytics, human resources, finance and accounting, procurement and sourcing, sales and marketing, manufacturing, retail, budgeting and planning, risk and compliance, eCommerce, education, and customer support.

Some popular small-businesses applications for SaaS services are automating sign up for new customers, company file sharing, using calendars to set up meetings, making use of online email services, team collaboration, and utilizing meeting and video conferencing portals.

SaaS services are not used exclusively by businesses. For private individuals, popular SaaS services include social networking, location and weather, media and entertainment, and gaming services.  

Freelancers and entrepreneurs can make use of free SaaS products to grow their businesses. Examples of popular SaaS services in this niche are photo editing software like Pixlr, collaboration software like Slack, project planning software like Trello, document processing software like Google Docs, spreadsheets like Google Sheets, and file sharing software like Dropbox.

In the early days of SaaS, it was mostly small businesses that adopted cloud computing. Enterprises usually purchased complex and expensive in-house, end-to-end software systems.

In more recent times, according to a 2017 Paessler survey, it is mostly larger companies with more than 500 employees that have adopted, or plan to adopt SaaS services. Currently, the majority of organizations use hybrid cloud services, that is, they use a combination of selected SaaS services and in-house systems.

SaaS architecture

SaaS layers

An SaaS system consists of a database, backend functional code, and a frontend user interface.

SaaS reference architecture has a number of layers. Layers in reference architecture represent system components that have similar functionalities.

Frontend – Users accessing an SaaS service are called thin clients. Thin clients are computers that connect to a remote server and run on its resources rather than resources on the client’s drive itself. In SaaS systems, thin clients access software from providers on the internet, so the clients have only one layer themselves, the user layer, which is usually a web browser.

Backend – SaaS provider layers include distribution, presentation, business service, application service, data access, data storage, and supporting service layers. Each of these layers comprises multiple sublayers; for example, the distribution layer includes routing and load balancing sublayers.

Database – In the backend, the data storage layer contains the database and the data access layer includes a data management system to access data.

Types of backend architecture

A monolithic architecture was the predecessor of modern SaaS architecture, which is based on a micro-services architecture. In a monolithic architecture, backend source code, application programming interfaces (API), and databases are deployed as one executable process and kept in one place.

Micro-services architecture, a variant of service-oriented architecture (SOA), is native to cloud environments and comprises multiple services (or modules) that are deployed on different servers and are loosely coupled using APIs to communicate.

The main benefits of using micro-services architecture rather than monolithic architecture for SaaS development are that services can be scaled separately, are easily deployed individually, and if a service goes down, it doesn’t affect other services. The main drawback to using a micro-services approach is that if an API is changed, numerous services may need to be updated to accommodate the changes.

How does SaaS work?

Roles

Users – SaaS uses an on-demand cloud delivery model. SaaS programs and systems are usually accessed through a web browser with users having to log in using a user name and password.

Organizations – Companies use APIs to integrate SaaS services with their IT systems.

Providers – Providers either develop their own applications that they can offer as a cloud service or bundle offerings from multiple software vendors. Before an SaaS service can be used, a provider has to enable or implement it in a cloud environment.
SaaS products are delivered by different types of software providers. Software providers may host an application themselves or contract a cloud provider to host it.
An independent software vendor (ISV) has usually developed an application themselves and is selling it. A managed service provider (MSP) provides cloud services for a business, acting as their virtual IT department. Resellers are cloud providers that sell SaaS products they didn’t develop themselves and don’t own. A value-added reseller adds something – like a new feature – to a product, customizes it for a specific industry, or bundles a product with complementary software.   

Implementation

SaaS implementation refers to the tasks that must be done to set up an SaaS offering in the cloud. SaaS implementation is also referred to as SaaS enablement or SaaS onboarding.

Some of the tasks in the enablement process include selecting a multi-tenant model, provisioning users, creating workflows, optimizing data types, setting subscription plans, optimizing integration processes, defining a security strategy, designing a scalable infrastructure, and developing a training program.

Hosting

SaaS providers usually use a multi-tenant model for hosting customers. In this model, customers have network-based access to a single copy of a service, whose source code is the same for all subscribers. This means that any updates, bug fixes, or new features are automatically rolled out to all customers. Customers can choose whether to store their data on premise, in the cloud, or whether to have a mixture of both.

Service plans

SaaS usually has a flexible, tiered subscription model so businesses can select a subscription plan to suit their requirements. Subscribers pay a recurring fee.  Subscription plans usually include maintenance, security, compliance, and web monitoring services. SaaS providers usually offer a free plan with limited features intended to tempt customers to upgrade to a paid tier.

SaaS service plans can be based, for example, on the number of users using the software, the number of features a subscriber chooses, how much storage a customer uses, or how often users access a service.

Integration

SaaS integration is the process of connecting SaaS solutions to other systems, applications, or services, either on- or off-premise, through the use of APIs. Google Suite is an example of a popular SaaS product that includes seamlessly integrated modules, namely Google Drive, Google Docs, Google Sheets, and Gmail. It can be more complicated to integrate software developed by different companies where custom data types and proprietary APIs are used. Integration is usually automated and managed through Integration Platform as a Service (IPaaS) services and SaaS integration Platforms (SIPs). SIPs help service providers to integrate different applications through a single interface, avoiding data duplication and streamlining workflows.

Virtualization

Virtualization is an important element of cloud computing that enables the creation of virtual environments in which cloud computing services run. Virtualization refers to the abstraction of a solution from the infrastructure needed to support it. SaaS is an application instance of virtualization, abstracting a service from the OS.

Serverless computing

SaaS services are serverless. While there are servers involved, serverless computing refers to any cloud development model where developers don’t have to manage servers. With serverless computing, infrastructure concerns like provisioning servers and allocating resources are done on third-party servers so that developers can focus on writing application code. 

SaaS technology stack

The technologies - programming languages, libraries, development tools, databases, hardware, security solutions, networks, business logic, and backend and frontend frameworks – that a provider chooses to build SaaS systems vary depending on a service’s specification. SaaS technology stacks may comprise a custom solution for on-premise and hybrid solutions, or businesses can select software from bundled solutions developed by cloud providers, for example Google’s Cloud Platform (GCP).

GCP includes Google Compute Engine (GCE), Google App Engine (GAE), Google Kubernetes Engine (GKE), and Google Cloud Functions (GCF). GCP offers tools to create virtual machines and manage resources like storage and memory; GCE provides IaaS services; GAE provides PaaS services; GKE manages and scales containerized applications; and GCF is used to create serverless, event-driven functions.

SaaS examples

Proprietary

SalesForce, whose CRM launched in 1999, is credited with being the first SaaS company to build an application from scratch specifically to provide an SaaS service. However, the first SaaS company that sold software licenses directly to enterprises instead of using disks was Concur, a travel, income, and expenses management business. Most proprietary SaaS solutions offer a limited freemium plan.

Some of the most popular proprietary SaaS products for businesses are Google’s G Suite, HubSpot, Dropbox, Slack, Zoho, WhatsApp, Asana, Mailchimp, Splunk, Zendesk, AWS, and Spotify.

As of September 2021, Adobe had the biggest market capitalization for SaaS services of $315 billion, followed by Salesforce at $251.85 billion.

Open source

There are numerous open source SaaS products, one of the most well-known being WordPress. Gmail and Yahoo are popular examples of open source SaaS email services.

Open source SaaS products – referred to as Open SaaS –are popular with cash-strapped small businesses and startups. Using Open SaaS products allows companies to customize their SaaS applications, benefit from the continual improvement of applications by the open source community, and save on software costs.

Open SaaS is also a cost-effective solution for governments and public sector initiatives like NGOs, healthcare, education, and the provision of low-cost housing. Because public sector initiatives are often constrained by a lack of resources, Open SaaS can help them access the latest IT innovations with less capital outlay. Open SaaS development platforms like Cloudify, OpenStack, and CloudStack provide a complete framework, including virtual machine management tools and IaaS services, to manage complex cloud systems.

Hybrid

A hybrid SaaS model combines different cloud and on-premises functionalities to address some of the limitations of pure SaaS solutions, namely security risks and the loss of an organization’s control of its data. For example, a hybrid SaaS solution allows businesses to choose to store highly confidential data on their own in-house servers.

Hybrid SaaS solutions include those that allow organizations to choose either a cloud-based or on-premise version of an application. SugarCRM is an example of a hybrid SaaS application.

SaaS security accreditation

Although security and data privacy risks are often cited as potential SaaS downsides, there are numerous security and regulatory standards that provide guidance for SaaS providers to mitigate security risks, protect confidential customer data, and manage sensitive information. Many standards are voluntary but compliance can help to improve security, increase customer trust and confidence, and lessen the workload of IT administrators. 

Some security standards and regulations are aimed at specific industries. The health insurance portability and accountability act (HIPAA) documents security legislation for the American health care industry. 23 NYCRR 500 manages cybersecurity requirements for companies in the financial services, banking, and insurance industries. A reliable SaaS provider in the eCommerce niche must be compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The ISO/IEC 27001 family of standards is considered the most important set of ISO security guidelines for cloud service providers. (ISO does not perform certifications; it only provides the standards.)

ISO 22301 is concerned with business continuity management in the event of a disruptive cloud incident. Compliance with this standard attests to an organization’s high availability.

SOC 2 (service organization control 2), based on the American Institute of Certified Public Accountants’ (AICPA) trust services criteria (TSC), is an information security auditing framework against which cloud providers can audit security, availability, privacy, confidentiality, and processing integrity.

The General Data Protection Regulation (GDPR) provides mandatory regulations for how businesses globally manage the personal data of European Union (EU) subjects.

The OWASP Application Security Verification Standard (ASVS) is a framework that provides guidelines for testing and hardening technical security controls.

ISO/IEC 20000‑1:2018 is a standard for the implementation and management of a service management system (SMS) like a cloud services platform.

Compliance with security standards should go hand-in-hand with continuous monitoring after setting up a baseline of normal activity so that anomalies can be detected.

To mitigate the effect of a security breach, the particularities of an SaaS provider’s security strategy should be covered in an SLA. An SLA should cover prevention-detection-response processes and procedures.  

CapEx vs. OpEx and SaaS

CapEx stands for Capital Expenditures and includes all longer-term investments in a company's assets with the aim of increasing production and productivity. Typical Capital Expenditures are investments in machinery, buildings, or office equipment. As a rule, CapEx is a one-time payment made in advance. 

Operational Expenditures, or OpEx, comprise recurring expenditures that are necessary for a functioning operational business. Typical examples of these recurring expenses are energy costs, personnel costs, or costs for sales and administration. 

Traditional software, which involves a one-time license purchase, is usually allocated to CapEx unless it involved licenses that had to be renewed annually or monthly. 

SaaS allows companies to move expenses from CapEx to OpEx. Not only does this provide more flexibility, but it also has the advantage of not having to pay the full amount of money for a license right at the beginning so that the initial spending is lower. 

While in the past most software was allocated to CapEx, the share of OpEx in software investments is rising with the ever-increasing presence of SaaS solutions.

SaaS benefits

• Provides out-of-the-box functionality that requires little configuration or coding; most SaaS software can be customized.
• Gives employees and customers access to diverse resources that improve workflows. Promotes team collaboration and agile development, reducing software deployment time.
• Allows businesses to incorporate AI functionality into their products and service like using chatbots on their websites
• APIs allow businesses to integrate easily with multiple external systems and applications, for example connecting a company’s eCommerce website with their customer relationship management (CRM) software. APIs simplify the deployment of hybrid solutions.
• Scalability allows organizations to increase resources as their client base grows; or decrease them (and save money) during tough economic times. Scalability is important for businesses to maintain high performance and mitigate churn (SaaS churn is the rate at which customers cancel their subscriptions).
• With SaaS, software can be accessed over the internet from any device, using any OS, as long as a user has the requisite credentials, and nothing needs to be installed on users’ devices. When an employee resigns, their credentials are simply removed.
• SaaS applications can be simultaneously accessed by multiple users located anywhere. This is important for companies that have a global workforce or use field operatives, home workers, or external consultants.
• SaaS removes the need for an administrator to manage a company’s software and keep users’ computers up-to-date. SaaS updates, patches, and backups are automated.

SaaS limitations

• Data theft, hacking, and malware are some of the security risks facing SaaS businesses. There is also the potential risk when sharing confidential customer data with a service provider.
• SaaS services need a fast and reliable internet connection. Some SaaS products have offline functionality so people can keep working if the internet goes down. The data is synced to the cloud when a connection becomes available.
• If their service provider went bankrupt, an organization would have to move to a different provider, which could be a costly and disruptive process.
• Integration may not be possible with certain software products an organization uses.
• Because enterprise projects are so complex, no single SaaS solution can deliver all necessary functionality so a hybrid solution is usually the best option.
• An SaaS provider may roll out a new version of a product that a customer doesn’t want with features they don’t need.
• May result in SaaS sprawl or shadow IT both of which may increase security risks.
• Multi-layer technology environments are becoming increasingly complex and hybrid SaaS solutions, while providing flexible solutions, can be expensive as companies must maintain their on-premise infrastructure and pay a subscription for some cloud services.
• SaaS vendor lock-in is when vendors make it difficult for users to move from one SaaS service provider to another, for example by making it mandatory to run their services on their proprietary platform instead of using a more flexible platform like Amazon AWS or Google Cloud. If a customer wants to change providers, transitioning can be complicated if there is a lot of data to migrate or a provider uses custom data types or proprietary technologies.