SaaS is software you access over the internet instead of installing on your computer — and it's probably how you run most of your business already, whether you've called it that or not.
Welcome to another entry in the NerdSquad IT Dictionary. SaaS is one of those acronyms that sounds more complicated than the idea behind it. If you've ever used Microsoft 365, QuickBooks Online, Salesforce, Google Workspace, or Dropbox, you've used SaaS. Here's what it means, why it changed how businesses buy and manage software, and what it means for your IT and security posture.
SaaS = Software as a Service. Software delivered over the internet, hosted by the vendor, and accessed through a browser or lightweight app — rather than installed on each machine from a disc or download.
Before SaaS, software worked like this: you bought a license, got a disc (or a download), installed it on each computer, and managed updates yourself. When a new version came out, you bought it again. When your server died, you lost access until it was restored. When you added a new employee, IT had to install software on their machine.
SaaS flipped that model. The software lives on the vendor's servers. You pay a subscription, usually per user per month, and anyone with credentials and an internet connection can access it from any device. Updates happen automatically. Keeping the platform itself running and recoverable is the vendor's responsibility (which, as covered below, is not the same thing as backing up your data). Adding a user is a few clicks in an admin console.
It's why most software pricing has shifted from a one-time purchase to a monthly subscription. The recurring revenue model works better for vendors, and the always-current, anywhere-accessible model works better for most businesses.
SaaS simplified a lot of things — and complicated others.
Simpler: No local servers to maintain for those applications. No manual patching. Easier to scale up or down. Accessible from anywhere, which supports remote and multi-location work.
More complex: Your data now lives in multiple vendor environments instead of one place you control. Security configuration varies by platform — and "the vendor handles security" is only partially true. The vendor secures their infrastructure. You're still responsible for how your users access the platform, what permissions they have, and what happens to the data inside it.
This is the shared responsibility model: the SaaS vendor handles physical security, infrastructure uptime, patching of the platform, and the security of the application itself. The customer handles identity and access management (who can sign in, with what authentication, and with what privileges), data governance (what goes into the platform and who it gets shared with), and tenant configuration. In practice, most SaaS data exposures trace back to the customer side: sharing settings left wide open, weak or reused passwords, admin accounts without MFA, and stale accounts nobody disabled. None of that shows up in the vendor's security certifications, and none of it is something the vendor can fix for you.
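To make the customer side of that model concrete, here is an added example (not code from NerdSquad or from any SaaS vendor) that audits a tenant export for the misconfigurations named above: accounts without MFA, with privileged accounts weighted higher; enabled accounts that have not signed in for 90 days; and sharing links that expose labelled data to anyone or hand owner rights to an external guest. The user and sharing records are constructed, and their field names (`upn`, `roles`, `mfa`, `scope`, `label`) are assumptions for illustration rather than any vendor's real export schema; a real audit would read the same kind of data from the platform's admin API or a CSV export.

```python
"""Audit a SaaS tenant export for the customer-side misconfigurations the
shared responsibility model leaves to you: missing MFA, stale accounts and
over-permissive sharing. Added example; the records below are constructed
and the field names are assumptions, not any vendor's real export format."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (assumed schema; replace with a real export).
USERS = [
    {"upn": "alice@example.com", "roles": ["GlobalAdmin"], "mfa": True,  "enabled": True,  "last_signin": "2024-05-30"},
    {"upn": "bob@example.com",   "roles": ["GlobalAdmin"], "mfa": False, "enabled": True,  "last_signin": "2024-05-29"},
    {"upn": "carol@example.com", "roles": [],              "mfa": False, "enabled": True,  "last_signin": "2024-05-28"},
    {"upn": "dave@example.com",  "roles": [],              "mfa": True,  "enabled": True,  "last_signin": "2024-01-10"},
    {"upn": "erin@example.com",  "roles": [],              "mfa": True,  "enabled": False, "last_signin": "2023-11-02"},
]
SHARES = [
    {"path": "/Finance/payroll.xlsx",  "label": "Confidential", "scope": "anyone",       "permission": "edit"},
    {"path": "/Marketing/logo.png",    "label": "Public",       "scope": "anyone",       "permission": "view"},
    {"path": "/HR/offer-letter.docx",  "label": "Confidential", "scope": "organization", "permission": "view"},
    {"path": "/Eng/roadmap.pptx",      "label": "Internal",     "scope": "guest:contractor@partner.example", "permission": "owner"},
]

# Roles whose compromise gives tenant-wide control (assumed names).
PRIVILEGED_ROLES = {"GlobalAdmin", "BillingAdmin", "ExchangeAdmin"}
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    subject: str    # account or shared item the finding is about
    issue: str


def audit_users(users, today):
    """Flag enabled accounts without MFA (high if privileged) and stale accounts."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts cannot sign in; nothing to flag
        privileged = bool(PRIVILEGED_ROLES & set(u["roles"]))
        if not u["mfa"]:
            sev = "high" if privileged else "medium"
            issue = "MFA not enforced" + (" on privileged account" if privileged else "")
            findings.append(Finding(sev, u["upn"], issue))
        idle = today - date.fromisoformat(u["last_signin"])
        if idle > STALE_AFTER:
            findings.append(Finding("low", u["upn"], f"enabled but no sign-in for {idle.days} days"))
    return findings


def audit_shares(shares):
    """Flag anonymous links to labelled data, anonymous edit links and guest owners."""
    findings = []
    for s in shares:
        anonymous = s["scope"] == "anyone"
        guest = s["scope"].startswith("guest:")
        sensitive = s["label"] in {"Confidential", "Internal"}
        if anonymous and sensitive:
            findings.append(Finding("high", s["path"],
                                    f"'{s['label']}' item shared with anyone via link ({s['permission']})"))
        elif anonymous and s["permission"] != "view":
            findings.append(Finding("medium", s["path"], "anonymous link grants edit"))
        if guest and s["permission"] == "owner":
            findings.append(Finding("high", s["path"], f"external guest has owner rights ({s['scope']})"))
    return findings


def audit_tenant(users=USERS, shares=SHARES, today=date(2024, 6, 1)):
    """Run both audits and return findings, most severe first."""
    findings = audit_users(users, today) + audit_shares(shares)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.subject))


if __name__ == "__main__":
    for f in audit_tenant():
        print(f"[{f.severity.upper():6}] {f.subject}: {f.issue}")
```

Run it and the admin without MFA, the payroll spreadsheet shared by anonymous link and the contractor who owns an internal deck all surface as high findings, while the disabled account produces nothing. The severity split is the point: a missing second factor on a Global Admin and an "anyone with the link" share on a labelled file are the findings to fix today; a stale but MFA-protected user is a cleanup item.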
This is one of the most common misconceptions in small business IT: "It's in the cloud, so it's backed up." Not necessarily. Most SaaS vendors protect against infrastructure failure — their servers going down — but they don't necessarily protect against user error, accidental deletion, ransomware that propagates into synced cloud storage, or data loss from account termination.
Microsoft 365, for example, retains deleted items for a limited window — but it is not a substitute for a proper backup. NerdSquad recommends dedicated SaaS backup solutions (like Datto SaaS Protection or similar) for any business-critical cloud application, particularly in HIPAA-regulated environments where retention requirements apply.
The ease of signing up for SaaS tools has created a new IT challenge: shadow IT and SaaS sprawl. Employees sign up for tools on their own — a project management app here, a file-sharing service there — and suddenly business data lives in a dozen unauthorized platforms IT doesn't know about and can't manage or audit.
In a compliance environment, this is a serious problem. Data flowing into unvetted SaaS tools may not meet the security or contractual requirements your compliance framework demands. Managing SaaS sprawl — knowing what tools are in use, which are authorized, and which need to be shut down — is an increasingly important part of IT governance for any business handling sensitive data.
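Finding out what is actually in use is the first step of managing sprawl, and the cheapest signal is the egress you already log. Below is an added example (not NerdSquad's tooling) that reads web-proxy log lines, maps destination hosts to SaaS products, and reports the apps that are not on the sanctioned list, ranked by how much data users uploaded to them. The log lines, the `CONNECT host:port bytes_out=N` format, the host-to-product catalog and the sanctioned list are all constructed assumptions; a real deployment would feed it the proxy or DNS export you have and a maintained catalog.

```python
"""Discover unsanctioned SaaS from web-proxy logs. Added example, not the
page's own tooling; the log format, the domain-to-app map and the allowlist
are constructed assumptions for illustration."""
import re
from collections import defaultdict

# Constructed sample proxy lines (assumed format: time user src CONNECT host:port bytes_out=N).
PROXY_LOG = """\
2024-06-03T09:12:01Z alice 10.0.0.21 CONNECT outlook.office365.com:443 bytes_out=2048
2024-06-03T09:13:44Z alice 10.0.0.21 CONNECT app.box.com:443 bytes_out=5242880
2024-06-03T09:15:02Z bob 10.0.0.34 CONNECT drive.google.com:443 bytes_out=1024
2024-06-03T09:20:19Z carol 10.0.0.40 CONNECT api.notion.so:443 bytes_out=30720
2024-06-03T09:21:00Z carol 10.0.0.40 CONNECT app.box.com:443 bytes_out=1048576
2024-06-03T09:25:37Z dave 10.0.0.52 CONNECT www.dropbox.com:443 bytes_out=12582912
2024-06-03T09:26:10Z dave 10.0.0.52 CONNECT cdn.example-news.com:443 bytes_out=512
garbage line that does not match
2024-06-03T09:30:00Z bob 10.0.0.34 CONNECT dl.dropboxusercontent.com:443 bytes_out=4096
"""

# Maps a host suffix to a SaaS product. A real inventory would use a
# curated catalog; this small mapping is an assumption for the example.
SAAS_CATALOG = {
    "office365.com": "Microsoft 365",
    "google.com": "Google Workspace",
    "box.com": "Box",
    "notion.so": "Notion",
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
}
# Apps the business has vetted (contract terms in place, SSO/MFA enforced). Assumed.
SANCTIONED = {"Microsoft 365", "Google Workspace"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+):\d+ bytes_out=(?P<out>\d+)$"
)


def classify_host(host):
    """Return the SaaS product for a host, or None if it is not in the catalog."""
    labels = host.lower().split(".")
    # Longest suffix first, so a full-host catalog entry wins over its parent
    # domain; the bare TLD is never tried.
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in SAAS_CATALOG:
            return SAAS_CATALOG[suffix]
    return None


def inventory(log_text):
    """Aggregate users, upload volume and hosts per app; skips non-SaaS and unparseable lines."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        app = classify_host(m["host"])
        if app is None:
            continue
        rec = apps[app]
        rec["users"].add(m["user"])
        rec["bytes_out"] += int(m["out"])
        rec["hosts"].add(m["host"])
    return apps


def shadow_it_report(log_text, sanctioned=SANCTIONED):
    """List unsanctioned apps as (name, users, bytes_out), biggest uploaders first.
    Upload volume is the best cheap proxy for 'company data is leaving through this tool'."""
    apps = inventory(log_text)
    rows = [(name, sorted(rec["users"]), rec["bytes_out"])
            for name, rec in apps.items() if name not in sanctioned]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for name, users, out in shadow_it_report(PROXY_LOG):
        print(f"{name:12} users={len(users)} ({', '.join(users)}) uploaded={out / 1048576:.1f} MiB")
```

On the sample data this reports Dropbox, Box and Notion, in that order, with Dropbox carrying about 12 MiB of uploads from two users; Microsoft 365 and Google Workspace are seen but suppressed as sanctioned, and the news site and the malformed line are ignored. Each row is a decision for governance: vet and sanction the tool (and put the right contract terms and SSO behind it), or block it and migrate the data out.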
We help clients manage their SaaS environment as part of managed IT services — inventorying what's in use, ensuring SSO and MFA are applied across business-critical platforms, configuring sharing and access settings correctly, and making sure backup coverage exists for applications where the vendor's native retention isn't sufficient. For healthcare and financial services clients, we verify that any SaaS tool touching regulated data has the appropriate Business Associate Agreement or data processing terms in place.