One of the three main cloud computing categories alongside infrastructure as a service and platform as a service, software-as-a-service (SaaS) is a web-based software distribution model in which a third-party provider hosts applications that it makes available to customers over the internet. The software vendor hosts and maintains the servers, databases, and code that constitute an application.
SaaS applications are available for foundational business needs, including email, customer relationship management, billing, sales management and collaboration, among others. Pricing is typically based on annual or monthly subscriptions, accounting for the software license, support and most other monetary costs. Leading SaaS providers include Intuit®, Microsoft®, Oracle®, Salesforce® and SAP, among others. Providers often integrate with each other to augment productivity for customers. For example, a provider that offers an email application might store attachments in another provider’s cloud-based file storage.
SaaS applications provide tremendous value to end users. Research firm IDC predicts SaaS delivery will significantly outpace traditional software product delivery, growing nearly five times more quickly than the traditional software market, with expectations to surpass $112.8 billion by 2019. Why? The economics of SaaS, and cloud computing in general, empower enterprises. SaaS offers easy setup and collaboration capabilities that change the way organizations do business, allowing employees to access the tools they need to effectively do their jobs and essentially putting enterprise customers back in control of IT spending.
However, while SaaS applications are incredibly useful for driving business productivity, this exponential growth in SaaS application usage brings security concerns much like those faced in traditional on-premises network infrastructure. For example, Microsoft OneDrive® or SharePoint® is used to easily store and share files, but that ease of use creates opportunities for accidental shares, in which a user unintentionally gives access to the wrong people.
Similarly, applications like Exchange and Salesforce easily store important, structured data for users, but these too are open to accidental data exposure or threat insertion risks, often acting as vectors or entry points for malware, which can spread over time. For example, if a sales representative uploads an infected invoice document to Salesforce, a sales operations person who downloads the file will also become infected, and so on.
Reducing this type of risk in SaaS applications, where organizations’ most sensitive data often resides, is key to securing enterprise IT infrastructures of the future. As a result, governance and protection of this data have catapulted to the top of CISOs’ priority lists.
As businesses have become increasingly concerned about the volume and sensitivity of data being transferred, stored and shared within SaaS environments beyond their visibility and control, the result has been the rapid evolution and adoption of the cloud access security broker (CASB) market. A CASB accesses cloud-based services and focuses primarily on addressing security gaps within highly productive and collaborative SaaS applications, where traditional security products have not been able to keep pace. Driving its popularity, a CASB provides organizations with three key SaaS security functions:
More information on these security features can be found in “SaaS Security: A Next-Generation Platform Approach.”
A CASB can typically be deployed as a service – a SaaS application in the cloud – or as a virtual or physical appliance. There are several modes by which a CASB can deliver its functions – outlined below. In addition, note that a combination of these options is recommended to ensure maximum security.