"It's like waiting in line at the airport when your flight's been cancelled. If the agent's not giving you enough information to make a decision on what you should do next, you become frustrated. It's how you handle crisis management -- do you hide information from customers, or tell them everything you have so that they can make decisions?"
Google, meanwhile, had a nearly two-hour outage on Sept. 1 that affected all of its enterprise customers, including Genentech, Hamilton Beach, and Johnson Diversey, and another later in the month that affected a small group of customers.
Still, in the roughly 10 years since hosted software services have been available, the average rate of uptime for any given SaaS vendor is likely higher than what typical IT shops experience with comparable applications installed on-premises, Wang said. But when apps are in the cloud, "these providers are going to have to be responsible for a lot more," he said.
Google, which offers an ongoing Apps Status Dashboard on availability, notified all users in a blog, but large enterprise customers were offered one-on-one post-mortem calls with Google executives.
There can be varying levels of vendor responsibility, depending on what arrangements have been made. For example, companies such as Oracle offer to host software in a customer's own data center. If the customer's hardware running the software causes an outage, then the SaaS vendor might not be responsible for it.
Not all SaaS vendors are willing to do service-level agreements, particularly if it's a low-cost service notes Todd McClelland, a Washington, D.C.-based attorney who represents both cloud computing customers and vendors on deals. "If you're not paying a lot, then the vendor is not going to take a whole lot of responsibility," McClelland said. "We're only seeing discussion of SLAs in very large deals."
Still, as interest in SaaS and other types of cloud computing picks up, there's more discussion of how to formalize vendor expectations around both performance and security, McClelland said.
For example, some customers are asking for vendors to show SAS 70 certification, McClelland said. That stands for Statement on Auditing Standards No. 70, Service Organizations, and was established by the American Institute of Certified Public Accountants as a way to assess how well a firm handles sensitive data. But in recent years it's been used by non-accounting firms to audit the quality of security systems, processes and controls. Google, for example, has pointed to its SAS 70 certification as proof that its cloud computing services are secure.
Companies need to "consider whether vendors should be holding and hosting certain types of customer data," said McClelland. "The Amazons and IBMs of the world will implement security measures that are greater than customers would have on their own systems," he said. "But even though large vendors' systems are more protected, there [are] more people who will want to hack into those systems because there's so much more data."
InformationWeek has published an in-depth report on new software models. Download the report here (registration required).