As the global Software as a Service (SaaS) market experiences a rapid growth, more and more SaaS based applications are flooding the market. Are all these applications really SaaS or the vendors applying the SaaS tag to just about everything? It will be interesting to know what exactly constitutes a Software as a Service (SaaS) application.
Some of the must have or nice to have features and key characteristics of SaaS applications are the following:
- - Multi-tenancy model
- - Automated provisioning
- - Single Sign On
- - Subscription based billing
- - High availability
- - Elastic Infrastructure
- - Data Security
- - Application Security
- - Rate limiting/QoS
- - Audit
Multi-tenancy is a kind of software architecture in which a single deployment of a software application serves multiple customers. Each customer is called a tenant. Tenants may be given the ability to customize some parts of the application, now a days applications are designed in a such a way that per tenant, the storage area is segregated by having different database altogether or having a different sachems inside a single database or same database with discriminators.
The users should be able to access the SaaS applications on the fly, which means the process of provisioning the users with the services needs to be automated. SaaS applications are typically used by B2B/B2C customers and this requirement demands creating companies/users just by invoking web services and provide the access credentials. Most of the SaaS applications provide this critical feature and a great example would be CREST API from Microsoft. Cloud Services Broker (CSB) platforms can automate this procedure to provide access to SaaS applications on demand basis. Another important characteristic is the de-provisioning ability - remove the access from the user/organizations whenever the customer decides not to use the Software as a Service applications. A good example for this is Salesforce, used by sales folks to manage the sales related operations. Typically, Salesforce tenant gets created for an organization with unique identification by invoking APIs of Saleforce. Another set of APIs are called to create users under the tenant and the access credentials are shared to user. Also delete API is called for when an organization decides to discontinue the application.
Single Sign On
An enterprise organization would want to have a single identity system in place in order to authenticate the various systems which are going to be consumed by users. Also, it is important for enterprises to have a single page to provide login credentials and access all Software as a Service applications provisioned to the respective users. So, Software as a Service applications should be easily integrated with various identity management systems without much change. It is also a big maintenance overhead for enterprises to store & maintain multiple credentials per system which are used by enterprise users. So it becomes important to enable Single Sign On for SaaS applications to authenticate against existing identity system and provide an experience of logging in once and use the various systems. Typically, Software as a Service applications use SAML or OpenID kind of impersonations to enable this critical piece. Also, another important factor is that the SaaS applications are multi-tenant, each tenant would want to authenticate against their own identity & access management system.
SaaS applications pricing do not involve the complexity of license cost & upgrade cost etc. Generally, the Software as a Service applications are subscription based, and this enables customers to buy the SaaS applications whenever they require them and discontinue whenever the enterprise decides that they are not needed any more. SaaS applications generally follow seat based charging type- the number of quantity purchased will decide the amount to be paid. It can have various pricing models and billing cycles such as monthly/quarterly/half yearly/annually fixed etc. Few modern SaaS applications also provide the ability to charge based on usage based billing. Another important characteristic is that the SaaS applications should be able to be invoiced. Typically CSB platforms will look for this critical feature so that they can dispatch a single invoice to their customers.
SaaS applications are shared by multiple tenants and the availability of kind of applications are expected to be really high throughout. So the Software as a Service applications should provide a high degree of SLA to their customers. Applications should be accessible 24x7 across globe. Also SaaS applications should expose management & monitoring API to continuously check the health/availability factor.
SaaS applications usage is generally not predictable, consumption can dramatically vary in some months. The infrastructure on the applications deployed should really have an ability to expand/shrink the resources used behind the show. These days, SaaS applications are designed in such a way that it identifies the behavior of the infrastructure. Monitoring agents reside within the deployment resources intimate the respective management servers about the accessibility of the resources. Typicality, policies and procedures are built as part of the core architecture to expand/shrink the infrastructure resources. Micro architecture based SaaS applications are the classic examples. Tools like Docker and Kubernetes are using to manage the elasticity of the SaaS applications. Another way is to build a policy engine to receive and react for an event; an event could be expand/shrink the infrastructure resources.
Ensuring that the data/business information is protected from corruption and unauthorized access is very important in today’s world. Since the Software as a Service applications are designed to be shared by different tenants, it becomes extremely important to know how well the data is secured. Certain types of data must be enabled with encrypted storage for a particular tenant and the same should not be accessible to another tenant. So, having a good Key Management Framework or ability to integrate/interface with external Key Management Frameworks becomes essential part of SaaS applications. Also integration with CASB (Cloud Access Security Brokers) system will increase the confidence with respect to data security. A very strong Role Based Access Controls need to be ensured in order to protect the data.
SaaS applications should be equipped with protection against vulnerabilities. Typically, they should be protected against OWASP/SAN identified vulnerabilities. Also, strong identity and access management controls should be enabled for SaaS applications. The other aspects that make the Software as a Service application secure are the following:
- Strong session management, protection against hijack the session
- Identifying unauthorized session, protection against multi-session etc.
- Usage of cookies not storing sensitive data, follow Cookie etc.
- Step-Up authentication like password lock out etc.
- Multi factor authentication
- Strong implementation on separation of duties
- Protection against DoS/DDoS
- Protection against buffer overflow attacks
- Also integration points open with CASB will help in gaining confidence of the customers.
Every business has preferred/important users apart from the regular list of users using the applications. These days, in order to provide better service to all class of customers, rate limiting is a good feature to have. The number of hits/ number of transaction can be technically limited to ensure the smooth business transactions. Also, SaaS applications can be enabled with Rate limiting/QoS configure-ability which helps organizations to manage their user base.
Generally SaaS applications are equipped with providing audit logs of business transactions and this enables customers to work out a business strategy by applying business intelligence plans. These services also should be able to comply with government regulations and internal policies.