SaaS (Software as Service) Risks

There’s been a lot of discussion recently around Software as a Service, or SaaS. Although some may say it is a new concept, SaaS has been around for some time – since 2000, I believe – and used to be referred to as ASP, or Application Service Provider. The idea seems to be working well: IDC recently forecasted that worldwide spending on SaaS will reach $10.7 billion by 2009.

The need for SaaS has evolved from the increasing licensing and maintenance costs of applications, which became prohibitive for some organisations. The cost of upgrades is also avoided, as the business model that SaaS providers operate relies on a periodic (usually monthly) payment instead of traditional application licensing. Further to this, SaaS providers run the software on their own infrastructure (hardware, operating systems, network, etc.), which avoids other costs for infrastructure, datacenter operation and maintenance. Most SaaS providers also offer 24 x 7 technical support, physical and electronic security, and built-in support for business continuity.

The definition of SaaS can be simplified to nothing more than a pay-as-you-go outsourcing model where your internal application is hosted, managed, maintained and operated by a service provider across the Internet.

Of course, such an arrangement has its challenges. Customers relinquish control over software versions or changing requirements; moreover, costs to use the service become a continuous expense, rather than a single expense at time of purchase.

SaaS also has the same fundamental risks as outsourcing, as the client data is stored and processed by a third party. There are some interesting articles and checklists available on the subject. Some of them include:

– Gartner “Critical Security Questions to Ask a SaaS Provider”
– Financial Industry Shared Assessment Program (third-party review questionnaire developed in the US to assess third-party service provider security in line with ISO 27002)

I have also written an article for SANS about outsourcing which might be helpful. You can find it here.

The key thing for organisations considering SaaS is to perform appropriate due diligence over the provider. This means that, in order to mitigate the security risks inherent in outsourcing, the organisation needs to get assurance over the ability of the SaaS provider to support business requirements and over the controls that exist in the environment.

There are auditing standards that can help, such as SAS70, which brings some assurance and comfort over a third-party service provider's controls. However, these are just a start when an organisation is considering SaaS, and are not sufficient to ensure that business requirements will be consistently addressed.

For a comprehensive assessment, an organisation should consider a decent baseline. A good start is CobiT and APRA. Also, consulting companies such as <selling hat> Accenture</selling hat> have frameworks to perform such assessments for a fee. 🙂

Hope you find the post useful. I am still reading about the topic, so would appreciate your comments with your views on SaaS and experiences with providers.


2 Responses to SaaS (Software as Service) Risks

  1. Gabriela says:

    Hi Daniel!

    I am a computation student and my course conclusion work is on SaaS. Can you indicate more academic sources on this subject to me?

    Tks and best regards.

  2. Ross Cooney says:

    I, for one, believe the SaaS model is here to stay. It will become the standard by which applications will be delivered by providers in the very near future. The total cost of ownership model for a SaaS deployment is simply too good of a model for business to pass up. As the industry continues to mature and businesses become more comfortable with the idea, the SaaS model will be the infrastructure of choice. Compared to the traditional model of having to purchase an application and the hardware to house and deploy it, it just does not compare.
    There are risks (as outlined in your article) but these are vastly overshadowed by the advantages… but I would say that, seeing as I own a SaaS provider 😉
