No, software-as-a-service won't automatically simplify operations and cut costs
Doing SaaS right needs at least half-a-dozen add-ons
Software-as-a-service (SaaS) is sold to line of business people as a way to get the applications they need, without all the hassle, time and expense required to have an IT department build and run an application.
But while off-the-shelf SaaS can do an awful lot for a business, doing SaaS well needs ancillary tools that SaaS vendors don't sell.
The Register has been asking around about what it takes to do SaaS right and has come to believe that among the tools you'll probably need are:
Backup, which may seem an odd item on a SaaS shopping list given vendors' promises of super-redundant data centres that never go down.
SaaS backup assumes those promises are right, but aims to protect against SaaS operators' occasional failures and, more importantly, accidental or malicious data deletion committed by users with valid logins. All the security in the world can't stop someone with the right permissions from doing the wrong thing, so SaaS backup mirrors SaaS data to another cloud.
Data Loss Protection (DLP): Whether your data is on-premises or in a SaaS application, you need to make sure it can't fall into the wrong hands. Most SaaS apps don't have native DLP, the technology that monitors data to ensure sensitive material isn't being e-mailed to unknown parties, saved onto removable storage media or otherwise exfiltrated. DLP has become a standard-issue on-premises security technology. It's a no-brainer for SaaS users.
Context-aware security: Imagine you work in London and that one afternoon, a few hours after you last logged in on a known good IP address, someone logs into your SaaS account from Eastern Europe with an unrecognised IP address.
It's entirely conceivable you flew to Eastern Europe and logged in from a hotel. But it is also entirely sensible for your systems to ask for an extra authentication factor when you log in from somewhere known to be less trusted than your permanent place of business.
Gartner analyst Steve Riley believes DLP rules should also be aware of such changes, so that perhaps you cannot read contracts from that Eastern European hotel room, on the off-chance it's not you in that room.
Cloud Access Service Brokers (CASBs): Now imagine you use multiple SaaS applications and that the context-sensitive logon and DLP policy described above needs to be implemented in all of them.
Learning the ins and outs of several SaaS platforms is not what line of business people buy in to when they buy into SaaS. Happily, CASBs can handle policy implementation across multiple SaaS applications. Add it to your list, and your budget.
Interconnect services: Users hate even short delays when using software and that doesn't change with SaaS. On your own networks, you can control the user experience. But SaaS nearly always has to traverse a big slab of the public internet … unless you pay for interconnect services that the likes of Equinix and Digital Realty offer to pave a fast lane between you and your preferred SaaS applications.
Mobile device management: A very good reason to adopt SaaS is that most applications are ready to roll on mobile devices from day one.
Which is great, but means that when you or a team member loses a phone it's a gateway to lots of lovely data. Mobile device management (MDM) tools let you wipe devices with SaaS access.
Which is also great, until you realise that bring-your-own-devices (BYOD) are full of family photos nobody wants to lose.
MDM is therefore now considered a bit old hat and Enterprise Mobility Management (EMM) has become more popular. EMM improves on MDM by creating phones-inside-phones so that BYOD can access SaaS from a special secure zone. If a phone goes missing, or an employee goes rogue, you can wipe that zone and leave their happy snaps alone.
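The context-aware login and DLP policy from the list above, applied CASB-style to sessions on more than one SaaS application, as an added Python example that is not from the article or any vendor's product. The network range, country codes, document labels and function names are constructed assumptions, and the GeoIP lookup is assumed to happen upstream.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy data: documentation-range addresses, made-up labels.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # the London office
HOME_COUNTRY = "GB"
SENSITIVE_LABELS = {"contract"}

@dataclass
class Login:
    user: str
    app: str            # which SaaS application the session belongs to
    ip: str
    country: str        # result of an upstream GeoIP lookup (assumed)
    mfa_passed: bool = False

def context_is_trusted(login: Login) -> bool:
    """Known-good network in the user's normal place of business."""
    addr = ipaddress.ip_address(login.ip)
    return login.country == HOME_COUNTRY and any(addr in n for n in TRUSTED_NETS)

def evaluate_login(login: Login) -> str:
    """Return 'allow', or 'step_up' when an extra factor is required."""
    if context_is_trusted(login) or login.mfa_passed:
        return "allow"
    return "step_up"

def dlp_allows(login: Login, doc_label: str) -> bool:
    """Context-aware DLP: sensitive labels stay blocked off the trusted
    network even after step-up, in case it is not the real user."""
    if doc_label in SENSITIVE_LABELS:
        return context_is_trusted(login)
    return evaluate_login(login) == "allow"

def broker(logins, doc_label):
    """One policy evaluated for sessions on several SaaS applications."""
    return {l.app: (evaluate_login(l), dlp_allows(l, doc_label)) for l in logins}

# Constructed sessions: office login, hotel login, hotel login after MFA.
office = Login("alice", "crm", "198.51.100.20", "GB")
hotel = Login("alice", "crm", "203.0.113.77", "RO")
hotel_mfa = Login("alice", "hr", "203.0.113.77", "RO", mfa_passed=True)
```

Passing the extra factor lets the hotel session in, but the contract label stays unreadable until the session comes from the trusted network again.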
Will SaaS vendors explain this stuff?
As we noted in the opening to this story, SaaS vendors' pitch is all about speed and simplicity. So will they even acknowledge that the accessories mentioned above are useful?
Salesforce.com told The Register “All of our customers commence with the ‘Getting Started’ journey, a series of engagements which are business focused and complements our events and training programs. These programs cover a wide range of business and technical topics, including security and data management, and are delivered via a number of channels such as webinars and forums.”
But when we checked out some of those resources they appeared a little scanty. Here, for example, is a question from the 'Understand the Rising Security Threat' quiz from Salesforce.com's security guide.
Salesforce.com's 'Understand the Rising Security Threat' quiz
Answers “A” and “B” look a little light-on, for a line-of-business person trying to learn about SaaS, and likely to cause nervous laughter from an IT pro.
Other vendors offered more detailed responses. Oracle's Doug Hughes, the company's veep for Cloud Applications Development in Japan and Asia Pacific, told us that Big Red parachutes in people called “customer success managers” to hand-hold line-of-business managers through SaaS adoption.
Hughes reckons one of the key things they do is to make sure the IT team gets involved early.
But he also warned IT teams that when they see colleagues considering SaaS, they need to get on the front foot and show how they can add value. HR and marketing types have learned not to send their best people to liaise with IT, he said, because talks can drag on for ages. IT departments therefore need to work hard to show relevant expertise when they learn of SaaS projects.
The bottom line? Doing SaaS right needs a lot more than a credit card. Another Gartner analyst The Register consulted, Craig Lawson, advised “to budget an extra 10 per cent” for security on top of SaaS. He also advised paying for all SaaS accessories monthly, just like you pay for SaaS.
But he also warns everyone not to rush into SaaS just because it's the cool new thing. Investors, he points out, are rightly enamoured of the SaaS business model because it means monthly revenue rather than the usual bi-annual licence upgrade. And vendors know they need to satisfy both investors and users. ®