Risks of SaaS

Posted on: 20 September 2021 20 September 2022
Categories: Business, Cloud, Disaster Recovery, Opinion, Security, Tips & Tricks
Tags: Availability, Cloud, Digital Transformation, SaaS, security

With the use of Software as a Service offerings increasing, with 99% of businesses projected to use one or more SaaS solutions in an industry that is worth $165Bn a year. There are 15,529 companies providing SaaS solutions , and so it seems like a logical choice to start using the systems that need no patching or updates, have guaranteed uptime, easy to use, and can be accessed from any [modern] device that is connected to the Internet.

Risks of SaaS

However, there are risks of SaaS that you should be aware of

The vendor may change the functionality of the product, subtly or significantly, and sometimes without notice or reason. The SaaS vendor my suddenly decide to remove a functionality that you depend upon, increase prices, move a standard feature into a higher price band, alter functionality so that you need another separate product, or just change something so it is no longer convenient or easy. There is not a lot that you can do in this situation, as contracts and license agreements rarely cover the functionality of a product or service. Putting aside risk budget and also having a documented understanding of the features and functionality that you use and depend upon can help with this risk of SaaS.
The vendor may fail, or withdraw the product. Particularly with smaller companies, they can fail to meet their financial objectives and suddenly stop providing the product or service. This can be particularly true with hyper-specialised systems that have a niche market, or a SaaS service that only does a few functions. To deal with this, ensure you have a documented awareness of what the SaaS product actually does, and keep an eye on the market for competitors – where you can either move to them, or be aware that they may cause your chosen product to be pushed out of the market.
The provider may have an outage that you cannot control. Things happen, and it may not always be something that the provider can control. Most SaaS solutions are hosted on AWS or Azure, or other third party clouds – so the risks of SaaS also affect SaaS providers themselves.
You must have a connection to the Internet. Whilst a connection is considered to be ubiquitous today, there are always possibilities of outages – your Internet provider, the telecommunications carrier, your authentication provider, even DNS outages. When it is not your own IT team that you can depend upon to fix it, you have to just sit and wait. Whilst there are Internet problems, can you continue to operate your business? What can you do whilst offline?
If you use SaaS for everything, you have may no other way of communicating. As the largest provider of business email is Microsoft Exchange Online (who has a 49% market share) and of SaaS online productivity tools is Microsoft Office 365 (with 48% market share), there is a probability that if there is a Microsoft outage, you have no other way to get to your email, or other messaging tools like Teams. This means you need to use another system to communicate to and with your clients. Consider this when you make a Disaster Recovery Plan, to ensure that your suppliers have a trusted way of knowing an email from another system is actually you!
You must use their process and features, even if your business model differs – you need to train your users on how the software works, and either how your business model needs to alter, or how the function of your software needs to be re-interpreted for alignment with your needs. I have always supported changing business process to match what the software does – after all, the business software will have been tuned from the needs of multiple other businesses that do the same thing as you. However, if you are unique, then you may have to ignore parts of a SaaS system, or use a component in a way that is different to how it was designed. What happens when the SaaS provider changes the functionality of that components? That is another of the risks of SaaS.
Can you restore your own backup? Will a backup be portable? If you feel confident that you have a backup, don’t forget that the 9 big mistakes in disaster recovery planning include that all backups are not the same. If you manage to get a backup, where can you restore it to? Can you get usable data from it, or can it be imported to a competitor product? It may be that your backups are actually exports, if that is a format that is more usable for you.
Integrations are limited to what the vendor offers – bespoke or custom development may not be available. This can be particularly difficult in hybrid situations where there are on-premises systems that need to be secured, proxied or use authentication methods that the SaaS does not support or provide. Integration with SaaS can be better, but it can also be very hard if the SaaS product does not provide the right type of connection. Integration platforms (IPaaS) and API brokers may need to be used.
Sprawl and high number of users. As with anything that is easy to use and consume, pretty quickly there will be a growth in users and consumption of the system. This can lead to sprawling systems that can include users who have left, and excess configuration that is not needed. With a consumption-based billing approach, this can mean that costs quickly spiral. As with all cloud services and systems, regular audit is critical to ensure that you don’t pay for stuff you don’t need, and that only the required users have the access they are required to have.
Unknown external users and data interaction may mean your data is being stolen, and you don’t know about it. Another reason to increase the pace of audits and checks. Did that consultant account ever get disabled? Did a test/trial integration get left behind, and it now has full admin access to your SaaS data? Risks of SaaS can be persistent threats that you don’t notice. Do you really know who has access to your data? Is the vendor, and their suppliers completely trustworthy?
It is hard to get your data out – significant work would be needed to move to a new platform or provider, due to different data structures and formats. Ensure that the vendor provides a data export function, or that there is a capability to contact the vendor to arrange data extraction.
Selecting the wrong options, subscription or product. It is very easy to get started with SaaS, but also very difficult to switch. If you have selected a higher-level subscription than the one you need, some SaaS solutions will not let you down-grade, or require work to de-configure users or profiles to remove the extra features if you choose a lower subscription plan.
Security – one misconfiguration and you can be in trouble. I have always maintained that cloud security is better than on-premises capabilities, but it is very easy to make a mistake and leave your data wide-open. Again, audit is your friend here, but the flexibility of cloud services is one of the risks of SaaS.