Welcome to the Golden Age of SaaS. We're using it, we like it, and we're poised to bet big that it will continue to deliver benefits.
However, just like previous Golden Ages, there are some real problems that are being swept aside. Railroads had land grabs, TV had Milton Berle, the Greeks had budget problems they still can't fix. And SaaS providers are sometimes guilty of pitching overly simplistic, even downright fanciful, ROI models and assuring CIOs that the service can be "up and running tomorrow." These claims ignore some basic tenets of Economics 101 and gloss over expertise companies will need to acquire when expanding the use of SaaS and other cloud platforms.
More on ROI later. In our experience, more disruptive are skills gaps around integration and vendor management and the need for a more proactive security stance; better monitoring of the overall environment; updated business continuity plans; and an overall data plan that embodies the "enter once, use often" mantra taught in programming.
Yes, CIOs have to worry about all this stuff with or without SaaS. Unfortunately, though, when outsourcing enters the picture, bad habits become magnified.
1. Design Gaps: Interconnectivity
The speed with which SaaS can be implemented is cited as its biggest benefit, and this promise has held fairly true. In most cases, you can quickly get a trial version and start uploading data, whether it's into a CRM, project management, or HR application.
But how well will that app and its data be integrated into your overall infrastructure?
In most cases, the answer isn't pretty. Let's take Web conferencing as an example. Sure, it's boring and basic and mature. Many providers' platforms have existed for almost 10 years, including Cisco's WebEx, Citrix's GoToMeeting, and Microsoft's Live Meeting, while lots of smaller entries, such as Dimdim and Glance, bring innovative features. Web conferencing regularly comes up as the top SaaS application in terms of adoption--it led our 2008, 2009, and 2010 surveys.
So naturally, you've nailed down integration, right?
If you're not sure, answer these five simple questions: Did your team invest the time to integrate the appointment-setting features with your mail and CRM systems? Does the conference software use your global address book? How about the meetings themselves? Are the archives tied directly back to your project management or sales management systems?
And, last question: Did you take the time to integrate the conferencing interface into your Web support system so your clients won't have to uncheck the "and get a free trial of X" every time they do a Web conference with you? IT needs to either offer this level of integration or explain exactly why they've opted not to.
Which brings us to our next point: SaaS adds a whole new dimension to one rogue IT activity that can cripple your network: out-of-control data integration.
Case in point: Salesforce.com has some great options for enterprise-level data integration and some nifty tools for small organizations that want to get some data integration benefits. Business employees want these capabilities, and we've seen cases where IT failed to offer an official path to integration, so users opted for a DIY approach. For example, Salesforce has a neat feature that synchronizes Outlook with Salesforce databases. Cool for a small business, but if you let 1,000 users configure this themselves, you've created 1,000 mini-sync engines banging on your Exchange server, your network, and your connections to Salesforce.
2. Vendor Management
Our recent 2010 report on the business of outsourcing didn't just confirm IT's expanded use of services. It also shined a harsh light on our inability to manage the process. The numbers aren't pretty--30% of companies have fired an IT partner within the last year, with 8% citing catastrophic consequences.
This shouldn't be a shock to anyone. "IT isn't really good at outsourcing," says Terrence Gaughan, senior partner at enterprise staffing consultant DevSelect. "They tend to underestimate the time needed to manage and communicate with any type of outsourced partner. It's not a panacea."
We get that SaaS is really another form of outsourcing. However, unlike a body shop or subbed-out application development project, it includes the technology and associated staff. Take a hard look inward: If you're no good at managing your outsourced help desk or application developers, chances are you won't be any better at managing your SaaS vendors.
3. Proactive Security
It's no surprise that security is at the top of the list of concerns about cloud computing. In our InformationWeek Analytics 2010 Cloud GRC Survey, nearly half (45%) of companies that aren't using cloud services say the reason is fear of unauthorized access to or leakage of customer or proprietary corporate information. An additional 8% cite security defects in the technology.
However, most organizations adopt a "sign off" approach to SaaS security, reviewing the vendors' white papers and SAS 70 audits, then giving the blessing to move forward.
The problem is that a SAS 70 audit is far from infallible. "We have witnessed cloud providers that will provide a letter of attestation but refuse to provide a list of the SAS 70 control objectives," says Greg Shipley, CTO of risk management firm Neohapsis and an InformationWeek contributor. "This is akin to saying, 'Yes, we were audited, but no, we won't tell you what the auditors were looking at.'"
CIOs must mandate a proactive approach to testing any SaaS vendor's security capabilities. Start by reviewing the provider's incident response plans. Then put those plans to the test. Have your team create an incident to gauge response. A good place to start: the old "terminated sales rep" scenario. Imagine IT is informed that a rep has been fired for an unspecified reason. The VP fired him last Friday. Today is Monday. What are your steps? What are the vendor's steps? Whom do you call? Can you get a full listing of user activity, including deletions, backups, and exports, to make sure he didn't take your company's data with him?
Our other security gotcha relates to the broader issue of password policies and procedures. Almost every company has a standard approach thanks to robust directory systems and a plethora of authentication options. However, these are rarely translated 100% online.
Mirror check: Are your login and password policies the same for your internal applications and all of your SaaS vendors? How do users manage their many Web passwords? In too many cases, employees are left on their own, combining Web browser options with scraps of paper and unprotected Excel spreadsheets.
Remember, the SaaS vendor's agreement typically holds it responsible only for securing its systems and enforcing any restriction policy you configure on its platform. The rest falls on your team, like it or not.
4. Monitoring: Who's Watching The Store?
The need for more proactive security goes hand in hand with improved SaaS monitoring. Almost 70% of organizations don't monitor their SaaS applications themselves, relying on the vendor to do it for them, according to our outsourcing poll.
Seriously? Have we learned nothing from our basic Internet connectivity monitoring? Every savvy IT shop discovered very early on the criticality of monitoring its Internet router, its provider's router, and the downstream connections it uses. That practice quickly put an end to the standard "It must be on your end" telco brush-off.
Unfortunately, SaaS monitoring isn't as clear a case of "Point A to Point B" as it is with your Web pipes. Ensuring service-level agreements are met requires a bit of rethinking of your monitoring approach and a willingness to leverage multiple points of reference and some automated scripting or flow monitoring. At a minimum, establish performance benchmarks for certain basic tasks and run these tests from multiple connectivity points worldwide. This requires some custom scripting, leveraging your apps team and/or an investment in a broader set of monitoring tools, whether a beefed-up version of an internal system like HP OpenView or SolarWinds or a combination that includes SaaS application monitoring from vendors like Webmetrics and CA/Nimsoft.
This type of monitoring not only holds SaaS vendors to task, but it also focuses your organization on managing its data flow and related bandwidth requirements. For example, a classic error with SaaS integration involves setting up data synchronization on a set schedule that fails to account for traffic patterns. If you set a CRM app to sync every hour during business, you're going to run smack dab into your peak user activities. Don't believe us? Walk a sales floor that uses SaaS CRM between 10:00 and 11:30. If IT did a "set and forget" on the sync process, you'll hear that "the network is always slow this time of day."
5. Real Business Continuity
Simple truth: If you use SaaS, you will experience downtime. No way around it. The entire framework is based on the Internet backbone, for which no SLA is available. Someone, somewhere is going to lose connectivity. Now, it probably won't be as dramatic as the 15-hour outage SaaS provider Workday experienced last year; it will more likely be one of those nagging disruptions that hit your remote workers on cable modems, or a funky Google app issue that affects only a few users.
There are some things you can do to minimize problems, starting with connectivity redundancy. Most companies have multiple connection options at the main office, but they skimp on remote sites. Home offices generally use cable or DSL, while branches have largely stayed with telco connections. Check with cable providers in branch office locations; many now have low-cost business options to defend against downtime. To offer redundant connections for home users, consider wireless broadband. Many new laptops come with built-in cell modems, and providers offer a per diem charge if they're properly configured. You wouldn't want to use this for a month, but it can be money well spent if a key employee loses connectivity for a few days.
Your next level of continuity planning depends on your SaaS initiative, but here are a few recommendations.
SaaS-based e-mail: At a minimum, plan to spool incoming mail via a separate system in the event your main mail server is down. These services are offered by multiple spam-filtering and hosting providers, including McAfee, Microsoft, and Symantec. And while we're on the subject of spam, having two scrubbing engines should also be on your road map given the risks of e-mail-borne malware.
For outbound e-mail, you need to have a backup system ready to go. Hosting providers such as USA.net offer these as add-on options, but larger shops should consider building this capability in-house. It doesn't have to be a full-blown Exchange server, just a valid SMTP engine that can send outbound messages if your provider is down.
CRM/ERP: It may not be realistic to have a redundant CRM or ERP system, but you need to be ready for downtime--Salesforce, Salesnet, and even Sugar have all had outages within the past 24 months. Same for ADP and the previously mentioned Workday. The answer here is setting policy. Update the operations manual to give users the proper procedures in the event of an outage. For example, what's the process for submitting expenses if the site is down? What if it's the last day for submitting? Who makes the call? Who adjusts the payroll schedule?
You'll also need to test your data recovery procedures. Michael Biddick, CEO of Fusion PPT and an InformationWeek contributor, works with a client who decided to move away from its existing SaaS HR vendor. The company patiently waited three weeks for the data to arrive on DVD, only to find it was in a proprietary database format. It's critical to put in place cloud contracts that protect your data ownership.
Finally, we recommend maintaining direct control over your DNS entries. This gives your staff the flexibility to switch over systems in case of a prolonged Web or e-mail outage. Naturally, spread your DNS servers between two systems, then make sure you've got a documented procedure to make a switchover.
Our guiding principle: Think of SaaS as an alternative platform, not just a point solution. As a platform, it must be integrated with your operations and information framework, much as you'd add an internal app or integrate an acquisition's data set.
While we advocate toning down the claims of "live by lunch," do take advantage of the excitement surrounding cloud computing. It's a great opportunity to expand your operations the right way--with an investment in people and processes that will pay off long-term.
Michael Healey is president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments.
Write to us at [email protected].