An Examination of SaaS Use Cases
Cloud computing has brought immense benefits to organizations seeking to lower their upfront capital expenditures, quickly scale resources up and down based on need, and focus on core competencies instead of Information Technology (IT) (Woodford, 2020; Mears, 2018). However, not every use case is a perfect fit for using cloud-based applications. Each use case has advantages and disadvantages that an organization must weigh when deciding to move forward with a cloud computing strategy. This paper will examine four specific use cases for cloud-based applications: business continuity, disaster recovery, storage, and applications.
Overview of Different Service Models for Cloud Computing
According to Mell and Grance (2011), there are three main types of cloud computing service models organizations can take advantage of: Software-as-a-Service (SaaS), Platform-as-a-Service (Paas), and Infrastructure-as-a-Service (IaaS). SaaS is where users access a cloud provider’s applications on cloud infrastructure and the “are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface” (Mell & Grance, 2011, p. 2). Examples of SaaS applications are ServiceNow, Microsoft Office 365, and Google Docs.
The PaaS service model allows users to load applications they have developed or purchased onto a platform the provider manages while IaaS allows users to “provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications” (Mell & Grance, 2011, p. 3). While PaaS and IaaS are important elements of the cloud computing process, this paper will focus on SaaS applications for its use cases.
Specific Use Cases for SaaS Applications
As previously mentioned, the advantages for organizations using SaaS applications are many. However, each use case presents its own peculiarities that can make a SaaS application either a good option for the organization or a bad option.
Business Continuity
Swanson et al. (2010) define business continuity as “sustaining an organization’s mission/business processes during and after a disruption” (p. 8). This is in contrast to disaster recovery planning which comes later in this paper. In effect, business continuity is a function of resiliency. In a SaaS application, it is easy to connect to the provider application from any node on the Internet. Indeed, this ease of connection is part of Mell and Grance’s (2011) definition of the SaaS service model. This means that an organization can, in the event of a business disruption, connect from another location via a web browser and reconnect to the application and continue to work. Another advantage to the SaaS service model is that they can easily replicate data. SaaS applications, and cloud-based environments, can make availability of data and assets easier (Amazon, 2022). This means organizations will never lose data if they enable replication.
Both advantages have a double edge, however. For connectivity, it is important to know whether and how users will connect during a disruption. Will they have browser-based devices they can use to connect? Does everyone have a laptop and a place to work from during the disruption where they can follow the prescribed processes that need to be continued? Regarding the ease of data redundancy, the same ease of replication means that organizations and providers can copy data and virtual machines into other regions or environments. Organizations must ensure any of the controls they develop to protect the CIA of their data and assets apply to these other regions as well (Hu et al., 2020). This involves enforcing a “policy synchronization” (p. 14) process.
Disaster Recovery
Swanson et al. (2010) define disaster recovery separate from business continuity. Whereas business continuity is about organizations ensuring they maintain processes during a disruption, disaster recovery planning involves addressing “major, usually physical disruptions to service that deny access to the primary facility infrastructure for an extended period” (p. 10). A relationship exists between business continuity and disaster recovery functions’; they have different focuses though. In a disaster recovery scenario, the organization executes a plan when the primary location is physically unavailable. With SaaS applications, that is no longer a problem. Much like the business continuity advantage, a user or organization can connect from any location; it does not need to connect from a specific physical locale.
Much like the disadvantage with business continuity, disaster recovery using cloud-based applications means organizations need to make sure employees can actually work from home. This is less an issue with SaaS applications than an overall disaster recovery planning concern. Because research shows there is a direct link between preparedness and resiliency, the organization needs to have a plan they can successfully execute when they declare a disaster (Sim et al., 2021). This plan needs testing and refinement over time to keep currency and effectiveness.
Storage
Using a SaaS application for cloud storage is perhaps the most obvious use case. Solutions like Amazon’s S3 buckets and EFS or Microsoft’s equivalent Blob or Files significantly reduces the need to on-premise file servers. Kochovski (2022) calls out many other advantages: remote file synchronization, automatic encryption, and ease of back-ups. However, he also notes specific disadvantages for such SaaS storage applications.
First, as noted elsewhere, is connectivity. Without a network connection, reading or manipulating files stored in a SaaS application is impossible (outside of offline copies assuming the organization has configured that option), according to Kochovski (2022). The second element Kochovski (2022) calls out is security. SaaS applications for storage are complex; this leads to a potential but significant issue of misconfiguration. Organizational leaders must consider such concerns a primary issue with cloud adoption (Nobles, 2022). While best practice guides and recommendations exist for locking down cloud storage, researchers expect, through 2025, 90% of organizations will improperly configure their cloud settings leading to data breaches and unauthorized sharing of data (Gartner, 2019). This can lead to financial losses from fines and reputational damage for the organization; Microsoft itself recently suffered such damage for exposing its own customer’s data from a publicly accessible Blog (Vijayan, 2022). Even professional organizations can easily make configuration mistakes.
Applications
When using the SaaS service model for applications, organizations need to determine if the provider’s solution meets certain criteria. Those criteria are reliability, compliance, and security (Badger et al., 2012). Cloud-based applications, as shown above, are excellent choices for reliability with their ability to be accessible from anywhere with a network connection and the ability to replicate data in multiple environments and locations. From a compliance viewpoint, most providers have a certification such as a SOC 2 or ISO 27001 certification they can provide to show how they comply with various regulatory frameworks.
Security is more challenging. As with storage, cloud applications contain many configuration settings leading to enormous complexity and therefore the opportunity for misconfiguration. This can expose the organization to risks of liability and data breaches. Badger et al. (2012) also cite concerns with browser-based attacks. The MITRE ATT&CK Framework (2021) describes one particular tactic threat actors use where a compromise of web services can lead to abuse “during later stages of the adversary lifecycle, such as during Command and Control” (para. 1). Badger et al. (2012) recommends organizations only use certain classes of applications in the cloud-based model: business logic, collaboration, office productivity, and software tools.
Conclusion
Organizations that leverage SaaS applications can receive great benefits from them. However, not each use case is appropriate for a cloud-based application. It requires an understanding of the business context of the use case and the willingness of the organization to mitigate potential risks around the SaaS application in that context. Knowing these things about each use case will help organizations maximize its IT and not waste resources on bad decisions.
References
Amazon. (2022). Disaster recovery is different in the cloud. Amazon Web Services. Retrieved October 19, 2022, from https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-is-different-in-the-cloud.html
Badger, L., Grance, T., Patt-Corner, R., & Voas, J. (2012). Cloud computing synopsis and Recommendations. NIST Special Publication 800–146, 1–81.
Gartner. (2019, October 10). Is the cloud secure? Gartner. Retrieved October 21, 2022, from https://www.gartner.com/smarterwithgartner/is-the-cloud-secure
Hu, V. C., Iorga, M., Bao, W., Li, A., Li, Q., & Gouglidis, A. (2020). General access control guidance for cloud systems. NIST Special Publication 800–210, 1–34. https://doi.org/10.6028/nist.sp.800-210
Kochovski, A. (2022, May 31). Benefits of cloud storage 2022 [advantages & disadvantages]. Cloudwards. Retrieved October 21, 2022, from https://www.cloudwards.net/the-risks-and-benefits-of-cloud-storage/
Mears, J. (2018, February). The rise and rise of ID as a service. Biometric Technology Today, 5–8.
Mell, P., & Grance, T. (2011). The NIST definition of cloud computing. NIST Special Publication 800–145, 1–7.
MITRE. (2021, October 17). Compromise infrastructure: Web services. Compromise Infrastructure: Web Services, Sub-technique T1584.006 — Enterprise | MITRE ATT&CK®. Retrieved October 21, 2022, from https://attack.mitre.org/techniques/T1584/006/
Nobles, C. (2022). Investigating cloud computing misconfiguration errors using the human factors analysis and classification system. Scientific Bulletin, 27(1), 59–66. https://doi.org/10.2478/bsaft-2022-0007
Sim, T., Han, Z., Guo, C., Lau, J., Yu, J., & Su, G. (2021). Disaster preparedness, perceived community resilience, and place of rural villages in Northwest China. Natural Hazards, 108(1), 907–923. https://doi.org/10.1007/s11069-021-04712-x
Swanson, M., Bowen, P., Wohl Phillips, A., Gallup, D., & Lynes, D. (2010). Contingency planning guide for federal information systems. NIST Special Publication 800–34 Rev 1, 1–149.
Vijayan, J. (2022, October 20). Microsoft data-exposure incident highlights risk of cloud storage misconfiguration. Dark Reading. Retrieved October 21, 2022, from https://www.darkreading.com/cloud/microsoft-data-exposure-incident-highlights-risk-of-cloud-storage-misconfigurations
Woodford, C. (2020, October 18). Cloud Computing. Explain that stuff. Retrieved March 16, 2021, from https://www.explainthatstuff.com/cloud-computing-inttroduction.html.
