“It’s important to understand that even if you go with a hosted service, you still have to manage the quality of that application,” says Irwin Lazar, analyst with Nemertes Research.
In the SaaS model, applications are hosted by providers over the Internet and companies are charged for usage rather than ownership. Lazar says the benefit of this approach is that IT groups do not have to spend limited budgets to buy and operate complex infrastructure.
In the financial sector, more than 60% of the top 150 U.S. banks use at least one service-based cash management or small-business banking application, and more than 90% of community-sized banks (those below $4 billion in assets), use a shared service platform to offer customers Internet or small business banking. Sean O’Dowd, analyst with IDC’s Financial Insights research firm, says SaaS enables banks to forego large upfront capital expenditures, such as licensing and servers, and spread out costs over time, increasing revenue predictability.
Lazar agrees. “What’s driving this move to SaaS is cost. If I’m an IT manager looking at the next version of a productivity suite, I can either buy a license at $200 a seat and have troubleshooting, infrastructure and management costs, or I could subscribe to a service. It’s a no-brainer,” he says.
He points out that the SaaS model is most attractive for commodity applications, such as customer relationship management, human resources, payroll and Web conferencing, not core software, such as programs supporting research and development. “There’s a lot more sensitivity around the company’s crown jewels,” he says.
No matter how common the task, companies must be on their toes when dealing with outsourcers, says Danny Allan, director of security research at Web application security vendor Watchfire Corp. in Waltham, Mass. ““The biggest risk in SaaS is you don’t know how secure the provider is, and internal data is outside the organization,” he says.
He counsels IT managers to examine five key areas when deciding on an SaaS provider: privacy and security policies; transparency into the provider’s organization; metrics regarding audits and response to security breaches; strong feedback loops; and continuous education for customers.
Organizations should guarantee that authorization and access controls are strong not only between them and the provider, but also among the providers’ other customers that share the infrastructure. Allan admits that this can be difficult to gauge so he recommends asking to see a written policy. “This will tell you whether the organization is mature.”
He also encourages IT teams to write into their contracts that they will have access to testing schedules, software development life cycles, and upgrade and patch deployments. “If you don’t know when they are running upgrades, there is a serious risk of downtime,” he says.
Just as important as transparency is having a backup and exit strategy for data. Tim O’Brien, director of the platform strategy group at Microsoft, says companies need flexibility and insurance built into the SaaS model.
“As your business changes, you may want to bring the application on-premise. You can’t be locked into a certain data set. You need portability and you need to know how you’re going to migrate data [off their servers],” he says. Microsoft has several SaaS offerings, including Dynamics Live and Office Live.
O’Brien says IT managers should pay close attention to their provider’s accounting methods. “You should know how the billing mechanism on the back-end works. How are your charged? On a per-transaction basis or monthly?” he says. One of the many advantages of the pay-as-you-go model is the built-in reporting it offers. Everything is metered so companies can see usage trends, he says. With such detail, there is opportunity to negotiate optimal rates.
Before organizations even consider SaaS as an option, they must do some legwork, according to Rachel Lyubovitzky, director at SaaS-vendor KnowledgeSum. IT teams must first inventory all their on-premise applications and tasks and decide what’s core and what’s commodity. They then need to consider how much customization and integration with other software they’ll need for optimal user productivity. Finally, she says IT managers must consider the requirements they have around data ownership, such as security, privacy regulations, and federal and private sector mandates.
Once you approach the provider, Lyubovitzky says it’s important not to get pinned down. “If anything is unclear – data security, compliance or service levels – and you don’t feel 100% sure, then just walk away,” she says.