SaaS: A Viable Alternative for IT

Though often regarded with suspicion, Software as a Service offers numerous benefits, including freed-up IT resources and fast, inexpensive deployment. We show you how proper vetting can help avoid SaaS

October 6, 2006


If your IT group isn't evaluating SaaS (software as a service) options for your next application project, you can bet line-of-business managers are. SaaS is a viable alternative to licensed software for businesses of all sizes.

IT departments that resist SaaS may find themselves overruled or undercut by other business units that need an application today, not six or 16 months from now. With their low deployment costs and Web delivery mechanism, SaaS applications can be in place with or without IT's help.

So rather than fight it, IT execs should embrace SaaS to demonstrate their ability to facilitate and support business initiatives. And line-of-business types need IT's technical expertise and guidance in every stage of a SaaS deployment. That includes evaluating whether on-demand options will be a good deal three to five years down the line, grilling providers on details (such as uptime and application enhancement), and helping customize the application and integrate it with other business processes.

Although there are some sticking points to watch out for, SaaS offers several benefits, such as more flexible payment terms and tiered feature sets, over the conventional model of licensed software. In addition, SaaS can reduce deployment burdens and time to deployment.

The State Of SaaS

SaaS is no longer a revolutionary idea. It has been embraced by established software vendors, including Microsoft and Oracle, which are trying to reconcile the typical license model with the service model. SaaS is also sometimes called "hosted" or "on demand" software, but these terms are also used to describe a variety of delivery mechanisms.

Strictly speaking, users interact with SaaS apps through a Web browser over the Internet. A service provider operates and manages all the requisite hardware and software and rolls out new features and upgrades. Rather than pay for the entire license up front, customers make monthly or quarterly payments (though the provider will likely require an annual contract). In addition, pricing may be tiered according to features and amount of data storage required.

The best-known example of a pure-play SaaS provider is But the market is alive with a variety of players offering everything from CRM (customer relationship management) to network-management services.

Hosted solutions are similar to SaaS in that the hardware and software may be provisioned and managed by a third party (the software vendor or a reseller), but a customer pays the full license fee at the outset, and the application may require a full desktop client. In a hosted environment each customer has its own dedicated server and database hardware. In contrast, a SaaS provider usually shares hardware among multiple customers.

Oracle offers several hosted software packages, for example, including Oracle Database and Fusion Middleware, in which Oracle will host the hardware in its own data center or manage the hardware and software (it will patch and upgrade the systems, for instance) in the customer's data center.

Myth Busters

Many of the myths that grew up around SaaS in its revolutionary phase still exist. IT executives evaluating SaaS offerings must dispel these myths before they can make a useful evaluation. The three most persistent myths are that SaaS is mostly for small enterprises, it is cheaper than licensed software and it's all about CRM.

Figure: Reader Poll Results

Figure: Use of SaaS

First, the small-business myth. Although small businesses are logical candidates for SaaS because it doesn't require a large IT staff or expensive capital outlay to deploy, these qualities are just as attractive to big companies. According to a survey by AMR Research, nearly as many enterprise customers (defined as companies with more than 5,000 employees) use SaaS as small companies (see "Use of SaaS for CRM" left). Forrester Research says 26 percent of enterprises are using SaaS (see "SaaS Usage" right).

Perhaps even more attractive for enterprise customers is the fast deployment time of a SaaS application. Instead of an 18-month rollout of a huge CRM package, a service will put the app in your users' hands with a minimum of IT hassle and within a shorter time frame. (Keep in mind, however, that some speed bumps, such as importing existing customer records to the provider's database, are likely to crop up.)

For this reason, SaaS is making its way into enterprises through departmental purchases. Many SaaS deployments are spearheaded by line-of-business managers, such as the sales or marketing department of a large enterprise. These departments constantly seek tools to improve productivity and drive sales. They also often have sufficient budget to cover the low capital expense of a service and are sometimes able to make an end run around any IT bottlenecks. (For more on the problems that this aspect of SaaS can create, see "No Exit?".)

Figure: SaaS Adoption Rates

In addition, research indicates that an increased use of SaaS corresponds to a higher ratio of IT staff to employees (see "SaaS Adoption Rates By IT Department Size" right).

As for SaaS being cheaper than licensed software, this is less of a myth than a half-truth, because the acquisition costs for SaaS are lower than those of licensed software. The problem is that it's easy to be blinded by the difference between a conventional license and SaaS pricing and not bother to cost out the solution over two, three or even five years, which is where SaaS costs accumulate. Common expenses include adding users, features and storage.

Companies that want to wring the most value from a SaaS deployment will also have to invest in customizing the application to meet their needs, and in integrating the service with other applications. These steps have their own costs, whether from consultants or internal IT staff.

Finally, SaaS isn't just for CRM or payroll applications. These markets have received the most attention from vendors and the media, but the service model has been applied to a variety of markets, including storage, messaging, vulnerability management and even network management.

IT And SaaS: Friend Or Foe

For IT executives SaaS can seem like a devil's bargain. On the one hand it can speed up application deployment and relieve the department of time-consuming maintenance, such as patching and upgrades. On the other hand, the more successful SaaS deployments occur, the more questions arise about the value of the IT executives.

The fact is, IT is in competition with SaaS vendors. When it comes to particular functions or types of applications, IT has to ask whether a provider can do a better job of delivering them. IT must rate itself against the provider. You can be sure that various departments are doing it already.

"There's a fallacy that if it's important, you should do it yourself," says Benoit J. Lheureux, a research director at Gartner. "This is simplistic. It doesn't mean a service provider won't do it right. It means you should assess the provider's ability to deliver the service."

Rather than be sidelined by a service, IT should embrace SaaS and work with other stakeholders to make sure a SaaS deployment is right for the company. IT has the expertise to evaluate a provider's capacity to deliver the service, construct appropriate TCO calculations (to measure the long-term costs of licenses versus the service), and ensure that the company gets the most value from the application.

Enlightened IT departments will treat SaaS as a helper. "We have less overhead now to maintain applications," says Scot Stoney, vice president of IS and IT at Select Business Solutions, a 100-employee software-development company. His company uses's CRM software. With just a three-person IT department, he's happy to leave the "gut work" of maintenance to Salesforce.

"I don't have to worry about installation and backup," Stoney says. "I don't need to experiment with ways to send information to our end users' BlackBerrys. takes care of it. We can concentrate on our core competencies rather than maintain systems."

And even when a SaaS provider is brought onboard, IT still has a significant role to play when it comes to customization and integration. "We didn't see IT as becoming irrelevant," Stoney says. Anything but.

IT plays a critical role in squeezing as much capability as possible out of the application. For instance, this spring the executive team wanted to drill down on customer renewal data. They turned to IT to tweak the Salesforce application to make that data visible to sales reps. "It was a way of customizing to meet a topical business objective," Stoney says.

There are also less glamorous tasks related to SaaS. IT must massage certain features, for instance. "There will be a case where the marketing department is getting data from a source that doesn't fit Salesforce fields, so you need to make a view of the data," Stoney says. "It's minor reconfiguring, but those fall to IT to do," he says. There are also issues such as tracking costs. If you find you are exceeding storage limits, for example, you have to pay for more storage or convince users to delete information.

IT also plays a role in creating tools that the service can't provide. "As part of the same campaign, sales management wanted to analyze which customers were signing multiyear maintenance contracts," Stoney says. "It was beyond Salesforce's capability, so we had to make a small application that pulled the data out of Salesforce and delivered it to management."

Strategic Vs. Tactical SaaS

You can divide the use of SaaS into strategic and tactical deployments. Strategic and tactical SaaS services share a set of benefits: low up-front costs, minimal IT requirements and speedy deployment. They also share similar risks, including service outages, loss of direct control, potential data mishandling and a provider going belly-up.

A strategic SaaS deployment is one in which the service underpins a critical business need and/or provides a competitive advantage. A strategic SaaS deployment may require customization and integration. It will also be harder to walk away from service that has been highly customized or has deep hooks into other systems.

A tactical SaaS deployment meets a specific business need efficiently and cost-effectively. It provides a majority of required functions but may lack specialized capabilities or customization. A tactical deployment is also easier to disengage.

One thing to be aware of is that with SaaS, tactical deployments often morph into strategic ones as the application matures, gets more widely deployed in the enterprise and, kudzu-like, extends its roots into the soil of the business. Although this is true of all applications, you must keep this eventuality in mind as you evaluate a service and provider.

AdvancedMD exemplifies a strategic SaaS deployment. The 100-person company is itself a SaaS provider, serving physicians' offices and clinics with patient and billing management applications and electronic medical records.

In 2003, AdvancedMD wanted a CRM application and accounting software. The company chose NetSuite because it provided both. At the time, a key driver was the remote access offered by NetSuite. "The licensed CRM offerings that had Web access didn't have the flexibility we needed for our sales force and field trainers," says Ken Meyers, president of AdvancedMD. "Now employees can work from home, from the road, telecommute."

But now the company has made the NetSuite service a cornerstone of its business. "We use this thing to the hilt," Meyers says. Salespeople can enter a prospect into the system and then push that information through as the prospect turns to a lead and then a customer. From there it gets handed into accounting and customer support.

The company has also put significant effort into shaping the application to a variety of needs. "We use between 200 and 300 custom fields in our everyday operations," Meyers says. The company also uses the application to track software bugs inside its own applications, manage IT changes and workflow. And AdvancedMD is working on a project to take data from the application and put it into NetSuite to create bills based on variable usage.

Meyers says the efficiencies that come from the Web service (remote access and a customer life-cycle system, to name two) give AdvancedMD a competitive advantage. "We can track information at the point of use so employees can make the best decisions. IT can focus on other issues rather than maintenance," he says. And because employees can access the system from anywhere, they are more productive.

Meyers says NetSuite also can match his company's growth, which has quintupled in size since 2003. "We qualify as a midsize customer. We aren't at the top end of their service by any means."

Select Business Solutions, the software developer, is an example of a tactical SaaS deployment that grew into something more.

Four years ago, its small department of 10 salespeople needed a CRM product. Select Business Solutions had existing homegrown applications for internal use, but this group was spearheading a project that required a new software package and wanted to deploy something quickly. Rather than wait to get a development project in the pipeline, the department ran a pilot of And because there was no local IT staff, the department manager oversaw the initial configuration and management of it himself.

Then that department manager was promoted to CEO of the entire company, and he decided to roll out Salesforce enterprisewide. Today the service is a key business tool. Of the numerous applications developed in-house, Stoney says the company has integrated only two of them across the company--the rest have been replaced by Salesforce.

"A lot of value was that [the company's homegrown] systems were division-specific, not companywide," Stoney says, "so using SaaS we got things into a common denominator."

Tactical SaaS

Tactical SaaS applications meet a business or technical need without necessarily extending tendrils into the enterprise.

Case in point is Internet Securities, which delivers information on emerging financial markets for investment banks, corporations and other subscribers. The company uses a network management service from Klir Technologies. Klir deploys a thin client on a dedicated server on the customer's network. The thin client gathers data from IT assets over MIBs and passive network monitoring. The information is sent back to Klir's data center, where it's analyzed and packaged into reports, which the customer accesses via a browser.

Antonio Monteiro, chief information officer of Internet Securities, uses the Klir service to monitor the Internet connections at 15 remote offices at locations all over the world, and he plans to double that number.

"We don't have one global provider, so we have lots of ISPs all over the world and no central console," Monteiro says. "Klir lets me plug in the remote device and get charting and reporting on what different ISPs are doing."

The information includes throughput, uptime, traffic peaks, time of peaks and applications in use. Monteiro says the service helps him decide whether to upgrade service, get another link, switch providers--or chastise users for consuming bandwidth with music downloads, streaming and other non-business uses.

"I have a dashboard view, so when I get a request from the guy in Bulgaria asking to upgrade the ISP connection, I have empirical data over a period of time that says whether a link is over- or underbooked," Monteiro says.

The data that the service collects also helps him predict his connectivity costs and provisioning requirements. "As we expand offices we can forecast what ISP costs should be. We can also account for bandwidth per heads--if I add 20 percent more people to an office, I need X percent more bandwidth," he says. "It becomes more of a science than an art."

Monteiro chose the service because of the speed and ease of deployment. "You call them up, sign the contract and deploy it in 10 minutes. It's painless," he says.

It was significantly less expensive than other solutions. "You could do HP OpenView or Tivoli, which are very flexible and have lots of features, but most of them wouldn't get used," Monteiro says. "You'd also buy $100,000 worth of software, and implementation would be expensive."

Another option was a traffic-management/QoS (quality of service) appliance to sit inline and monitor the link. "That route was tempting but the up-front cost was significant--$8,000 to $10,000 apiece," Monteiro said. With a large number of locations to monitor, the appliance solution was too expensive.

By contrast, Monteiro says the Klir service costs Internet Securities about $1,000 a month, with pricing based on the number of devices deployed.

For Monteiro, the Klir service is clearly tactical. "It's not at the core of our business," he says. "If Klir stops working, it doesn't stop us from working. It would be inconvenient, but it's not mission-critical. This was a conscientious decision on our behalf."

Unlike AdvancedMD and Select Business Solutions, Internet Securities isn't ready to run key business systems using SaaS. "There isn't a lot of flight hours in some of these companies. I'd be hesitant to go with something really important to our people," Monteiro says.

That said, he hasn't written off a strategic SaaS deployment in the future. If the company ever decided to deploy a new CRM system, he'd strongly consider SaaS over a conventionally licensed package because of deployment issues. "I remember the pain," he says. "Our current system works well, but if we had to do CRM 2.0, I would seriously look at a service."

The 80 Percent Solution

Another concern when evaluating a SaaS provider is how many of your business needs the service can meet. Or, to put it another way, what kinds of features might you have to give up?

"You don't get 100 percent of the features," Stoney says. "There's a level you get to where things don't work so well, where you're not getting the last 20 percent." For instance, he says his company has run into limitations on Salesforce's ability to generate reports that fall outside the service's predefined formats.

Monteiro has run into the same issue. He would like to be able to block particular kinds of traffic or deny specific protocols, but that's outside the capability of the service offered by Klir. "With a traffic-management product, you can set protocols that aren't allowed," he says. "With the Klir service, you have to turn it off at the firewall."

He'd also like more granular reporting, such as the ability to track protocols or applications back to individual users. Again, it's a function unavailable to him at this time.

"When you buy into a SaaS model, you have to drink the Kool-Aid on what they believe the model should be," Monteiro says.

Although many SaaS applications offer high levels of customization, customers will run into barriers where the cost to customize the application outstrips the value of the feature. Thus, IT must evaluate a SaaS provider to ensure that the application can provide critical functions.

Are You Being Served?

The Achilles' heel for SaaS is outages--something users are definitely concerned about (see "SaaS Adoption Factors" below). When you outsource a critical application, you give up the capability to leap on a problem and must wait for the provider's resolution. Case in point is's December outage, which lasted about 7.5 hours and affected an unknown number of customers. News reports have also noted intermittent downtime of the application or key components during the past year.

Select Business Solutions was one of those affected by the December disruption. "Our people were frustrated," Stoney says, "but it didn't stop business. However, if we lost a sale because of an outage, there would be people arguing for a different product."

Figure: Reader Poll Results

When evaluating a service it's essential to look at the history of the service's reliability, including root causes for outages and the time to restore service.

This evaluation should also be compared against your own internal operations. Outages of IT-run applications due to misconfigurations, maintenance, patching issues and so on are common. The question then becomes, do you think your IT organization could match or beat the service levels of a SaaS vendor?

When it comes to availability, SaaS vendors have taken a page out of the telco/ISP playbook. Most offer a service-level agreement tied to a basic metric, such as three or four "nines" availability. EVault, which provides a backup-and-recovery service, is an exception. The company says it strives for 99.99 percent uptime, but doesn't have an SLA, or service-level agreement, in its contract.

As is usual with SLAs, the devil is in the details. Savvy IT execs will look for an SLA that measures service based on metrics around the end user's experience. An outage is a gross measure, but a Web application with long response times can also cause high levels of user frustration and lower productivity.

Also be sure to investigate the provider's infrastructure. Look for redundancy at the database and Web server levels, as well as backup power systems.

You may also want to get a sense of how open the company is about problems and resolutions. BlueTie, which provides messaging services, publishes availability statistics, including elements such as Web server response times. It also issues postmortems so customers can see what the problem was and how BlueTie addressed it. Find out if your provider offers a similar view into its operations.

Protecting The Crown Jewels

Data privacy and backup are other areas where IT can play a key role in evaluating a service provider.

On the privacy front, your customers aren't going to care if a breach was the service provider's fault--you'll still get the blame and have to face the consequences. So before signing on the dotted line, ask for specifics from the provider about how it will protect your data. Transactions between users and the provider should be protected using SSL. At the provider's end, get details about how the provider manages the technicians and administrators that have access to the databases where your records are stored. Look for multiple layers of authentication and regular audits of administrator activity. If information is encrypted, ask about key management and data recovery.

The provider also should be taking steps to prevent external attacks against its network, particularly denial-of-service attacks and Web-based attacks, such as SQL injection. If the provider undergoes third-party security audits (and it should), ask to see results. Many providers operate out of collocation facilities, so you should also review the physical and network security procedures for each location.

On the backup front, you should be able to get access to your data to perform your own backups. Your provider should also have multiple tiers of data storage, including offline backups in secure locations. Note that providers will factor storage into your bill, so make sure the provider has tools to help you monitor capacity levels.

Andrew Conry-Murray is Network Computing's business editor.

No Exit?

SaaS vendors say that if you don't like the service, you can simply turn it off. In some cases this is true, but in enterprises where the software-as-a-service application has grown deep roots, it's not quite a simple matter of throwing a switch.

SaaS providers are increasingly opening their applications to customization and providing tools to tie the service into other business processes. Although this helps extend the value of the service, it also makes it harder for you to walk away from the provider if the relationship sours.

SaaS vendors create stickiness "by letting you put in your own intellectual property and custom integration," says Robert Bois, research director in the customer management practice at AMR Research. "You've put IP into a system you don't own, and that would make switching costs a great deal higher."

When evaluating a service provider you must anticipate the long-term needs of the users, feature requirements and upgrades, and whether the provider can scale with you as you grow. But you also have to consider what might happen if the service stops meeting your needs.

"I think while there's stickiness and we have an incentive to stay with the service, it's not an absolute requirement," says Scot Stoney, vice president of IS and IT at Select Business Solutions. "If we were pushed by cost considerations or other reasons, we could go with an alternative." He says the data is well structured and they have full access to it. "It's not like it's been trapped and you have to screen scrape it to get it out," he says.

Some SaaS vendors recognize that customers may eventually migrate away from the service. Although they aim to provide as much integration and customization as possible, they also provide a clear exit strategy (sometimes to a licensed version of the SaaS application).

"Customers won't sign up if you don't have a clean exit strategy from the service," says David Koretz, CEO of BlueTie, which offers e-mail, IM and other messaging and collaboration functions through a service.

BlueTie gives customers the option to replicate e-mail and calendaring on Outlook so that all the data stays on the desktop, making it easier for customers to pick up their ball and go home if they choose.

And some providers anticipate that customers will migrate away from the service some day. "As the amount of data grows, there's a threshold where it becomes less cost-effective to outsource it and more cost-effective to manage [data backups] on their own," says Richard Heitmann, vice president of product marketing at EVault, which sells backup software both as a service and as a licensed product.

That threshold depends on a variety of factors, including company size, IT staff size and technical sophistication, but Heitmann says companies begin to migrate off the service as storage amounts go above 400 GB or their infrastructure grows to more than 50 PCs or servers.

EVault and Everest Software, among others, offer a migration path from a service version of their products to a licensed version.
