Familiar TerritoryBy John Jainschigg | Posted 2008-06-26 Email Print
IT leaders polled about software as a service confirm that it delivers robust applications—typically at lower cost than conventional deployment and licensing models. But implementation is slow in the enterprise core, where data security, availability and ease of integration remain key concerns.
Reviewing the responses to survey questions reveals a striking metatrend, which is borne out in CIO interviews: Planning around SaaS is no more complex than working with conventional models of software deployment—and the problems are solved just as easily with commonsense solutions.
Survey respondents were pretty good at estimating the time required to get up and running on their SaaS applications. The majority—58 percent—reported that they had pegged the time correctly. Ten percent said the implementation took less time than expected, while 4 percent said it took much less time. In contrast, 23 percent said it took more time than expected, and 5 percent said it took much more time. The big time-consumer was integration, with end-user training the close runner-up.
Actual startup intervals ranged from as little as a week (6 percent) to more than 12 months (8 percent), with just under half the deployments requiring one to six months.
Respondents also were reasonably good at predicting total costs associated with their SaaS deployments: Only 5 percent said costs were much higher than predicted, while another 5 percent said they were much lower.
What did surprise survey respondents was the infrequency with which some of the feared downsides of SaaS actually happened. This was most notable in the area of security, where almost half expected a greater security risk, but only 18 percent actually experienced it.
As Steggles of RIMS says: “We find that our critical data is actually safer in the hands of our application host than it might be on our premises. This makes sense because they’re functioning at scale in active support of a single application, which they created. They clearly understand the security and integrity risks surrounding that application better than their typical customer does, and they’re equipped to manage access controls, backups and so on with great efficiency.”
Where security can get dicey, it turns out, is in the managerial void that opens in the wake of transitioning internal processes and infrastructure to the SaaS framework. One place where the rubber meets the road is in managing end-user access to a remote application.
“We explored the possibility of single sign-on and will continue to revisit it,” says Burns of the MacArthur Foundation. “For the moment, that’s impractical, so we have to ask our users to manage different passwords and access modes for each remotely hosted application.”
That lack of central control can be problematic when users leave the company, as IT management may forget to revoke their access to SaaS applications.
Elsewhere, though, users more closely anticipated the downsides of SaaS, so experience was much in line with expectations. For example, roughly 42 percent of respondents had predicted issues with Internet connectivity, and about 45 percent reported experiencing them.
The enterprises surveyed had established some controls for managing SaaS applications. More than half had plans for disaster recovery/business continuity, 45 percent had a process for provisioning and deprovisioning users, and 40 percent had incident response and investigation procedures.
“It’s critical for companies implementing SaaS to put the right protections in place,” warns Burton’s Roth. “There are a number of areas to consider, including backup and business continuity, provisioning and deprovisioning, data integrity issues, confidentiality, contract negotiations, audit controls and whether there will be penalties for any downtime.”