March 06, 2009, 12:28 PM — Amid the growing popularity of software-as-a-service, IT managers are faced with a sometimes monumental task of developing big-picture strategies and policies to govern service-based applications as well as defining performance metrics and support.
Devising corporatewide standards for online service deployments is a way to ensure that services are run under the same sort of parameters mandated on internal networks for things such as security, backup, storage, data integration and integrity, and business processes. But to what end?
Studies show that near-term strategies can be shortsighted because savings can diminish over time and complexity can arise as more services are deployed. In addition, those deployments can bring compliance risks and auditing issues, and one-off service contracts may eventually need to be altered to align with any enterprisewide strategy.
The need for such a big-picture look is becoming critical as the use of services within companies begins to grow.
A recent survey by Cutter Consortium shows that 63% of respondents are using the SaaS model in their organization while 28% are considering it. Last year in the same survey, 32% were using SaaS and 36% were considering its use.
Furthermore, Saugatuck Technology says that by year-end 55% of North American businesses will have deployed at least one SaaS application, and Gartner predicts that by 2013, functional equivalency between SaaS and on-premises software will be commonplace across a range of applications.
A Gartner study last year found that SaaS deployments in most large companies began without the CIO knowing about them or having any involvement. As part of the findings, Gartner recommended that CIOs "develop a SaaS strategy and incorporate it into their application strategy and portfolio management."
Getting the message
Some executives are pioneering the advice and starting to include long-term strategy when considering the promise of short-term gain.
Derrick Jackson, systems and database manager for Mapp Construction, headquartered in Baton Rouge, La., has formulated a policy that gives his company an "exit strategy" for when it might want to take an application in-house.
"You have to evaluate these providers on whether or not they have a plan in place to get you off the SaaS model, sort of an exit strategy, in the long term," he says.
Mapp uses iEnterprises' Empower CRM software, which is hosted on IBM BladeCenter servers, IBM WebSphere, DB2 and Lotus software. That configuration, Jackson says, provides him with the ability to move in-house when and if the time arises.
"You have to plan five years from now for when the application is growing out and is a cornerstone and how you get it back into your environment if you want to do that," he says.
Jackson's view is borne out in recent Gartner research that says cost savings begin to break down after the first two years of a SaaS deployment.
Jackson says having services that run in a hosted infrastructure that somewhat aligns with the internal infrastructure can make moving applications more cost effective.
Others are looking at SaaS providers as partners who can help educate internal staff for that possible in-house move or to augment the service with in-house work.
"We partnered with our provider to help train our Web application programmers," says Anna Sherony, a privacy and information officer for a financial services firm who last year contracted with WhiteHat Security to provide Web site security services.
The company's programmers learn the ins and outs of the service and how to write more secure code. "It is important when looking at these solutions to have a partnership. You have to be able to build a relationship with the vendor," Sherony says.
Those relationships can prove to be important as SaaS expands beyond its traditional roots in CRM and human resources applications. A recent Forrester Research study shows that applications such as collaboration, content management, market automation and order management are beginning to find interest among SaaS adopters.
In the Forrester survey, titled "Software-as-a-service adoption expands", IT executives are encouraged to create best practices guidelines that explore such things as backup and disaster-recovery policies, and adherence to corporate identity and access management policies.
The study also states that IT executives should develop standard contract language around performance, uptime and help desk support "so that SaaS buyers have a stronger sense of what to ask for when signing new agreements."
Another reason to develop corporate strategies is centered on the fact that SaaS is breaking networking down into increasingly smaller pieces.
"When SaaS vendors first started they needed the whole data center stack," says Rob DeSisto, an analyst with Gartner. "What we are seeing now is a breaking apart into specialized vendors. When you look at security or billing or integration services those are specialized needs that one vendor can't offer."
Those specializations are being fueled by the needs corporate users have to link internal systems to external services.
Start-up Symplified runs an identity federation service that lets companies keep their identity credentials on their own network but build a single sign-on (SSO) pipeline to all their online services.
"We provide the SSO and users don't have to do one-off integrations," says Darren Platt, CTO of Symplified. Platt says the next pain point will be auditing, logging and compliance.
"Users have to rely on their service provider to tell them what users did, and in some industries that is not good enough [for compliance]. People are just starting to realize that now," Platt says.
There are also security issues as companies start handing out passwords for each and every service.
"One of the benchmarks for security is how many separate passwords your employees have," says James Tu, former information security officer for commercial real estate firm CB Richard Ellis. "It's a nightmare to manage those passwords, it destroys security."
He says Symplified provides a nice SSO layer, and he says other services will have to come along to provide users with a single provisioning and account termination infrastructure.
"I think we need to see more infrastructure solutions that integrate SaaS and the stuff behind the firewall," says Tom Halter, director of IT for Whitney Automotive. Halter uses a Microsoft Exchange e-mail hosting service from Intermedia, which initially forced him to maintain two directories, one on each side of the firewall. Now, Intermedia provides a directory synchronization feature.
While Halter says his company has not come up with an enterprise services strategy, the surrounding issues have all been centralized within IT for evaluation and testing.
Another company servicing infrastructure needs is Hubspan, which does data integration.
"We eliminated the need to do [data] transformation and for our customers to buy integration software," says Nick Marchetti, head of commercial supply chain management for Visa's Commercial Solutions division.
The division set up an Accounts Payable Automation service 18 months ago using Hubspan as the provider to transform data from banks into a format Visa could process.
Now Visa can set up accounts and data mappings in two weeks instead of two months. In the next year, the system will be expanded into Europe and Asia.
"When looking at it from an infrastructure perspective, yes, you can leverage SaaS for infrastructure but you have to have that mindset from the beginning. You need architecture and vision for that from the start," Marchetti says.
Of infrastructure and platforms
Another corporatewide decision point emerging is platform-as-a-service (PaaS) with providers such as Amazon, IBM, Google, Salesforce.com, NetSuite, Microsoft and others.
"What appeals to me about SaaS systems like Salesforce is they act as a platform more than as an application," says Erika Bjune, vice president of IT for Tides Center, a nonprofit fiscal sponsor to activists and organizations.
Tides Center is using Salesforce to host a portal that houses financial information and for a custom application Bjune built to qualify organizations. Bjune also uses open source business integration software from Jitterbit to connect Tides Center's Microsoft SQL Server infrastructure to Salesforce.com.
"The three-year vision we have here is that we are pursuing platforms on which we can build all the kinds of applications and services and workflows that we need not only to do our business but to collect metrics," Bjune says.
Experts say PaaS is just another services area where companies need to make long-term decisions.
"From the standpoint of someone looking at PaaS and building applications, you have to do the same due diligence you did when you looked at buying your first Java server," says John Rymer, an analyst at Forrester. "Platforms have different tooling, some are better for business applications, some require new languages, some have high proprietary content, some provide billing services -- it's all over the map."
Experts agree that the downturn in the economy is helping boost SaaS as an alternative for some organizations, but they advise that decisions should extend beyond the initial glow of cost savings.
"What a lot of enterprise decision makers are getting back to is the fundamental vendor selection process, looking at vendor viability in addition to solution functionality," says Jeff Kaplan, managing director of ThinkStrategies.
And others add that SaaS, PaaS and cloud computing are fundamentally reshaping the role of IT.
"The IT department goes from one of implementer to one of inspector," Gartner's DeSisto says.