Members of the SIM Advanced Practices Council (APC), a forum for senior IT executives who bring transformational solutions to their organizations by commissioning research and sharing cross-industry perspectives, are very familiar with the benefits of SaaS, including lower costs and faster deployment at a time of shrinking IT budgets and greater pressure to deliver more with less. But hard-won experience has warned them of the coming challenges of integrating SaaS applications into their many legacy applications.
To address their concerns, they commissioned research on how best to integrate SaaS into their legacy environments. The report, “SaaS, IaaS and PaaS: Realities and Emerging Integration Issues,” written by Julie Smith David and Michael T. Lee, provides them with guidance on weighing the benefits of SaaS with its risks, and recommends integration options.
SaaS benefits have been touted widely by vendors: low initial cost for the needed functionality; predictable payments based on usage; vendor responsibility for hardware and software upgrades, maintenance and operations; quick implementation; potentially more scalable and agile environment for businesses to exploit strategically; reduced need for IT support staff; and best practice backup, security and recovery procedures in place and on demand.
SaaS users often mention security as a serious risk. They worry that data and information that reside on shared infrastructure outside the physical walls of their organization can be hacked by others that use the shared infrastructure. The fact that the software can only be used through an Internet browser also raises concerns about availability. Unlike traditionally installed software, which is available whenever the local computer is turned on, SaaS is only available if there is fast Internet connection and access. Subscribers also worry about the SaaS vendor’s uptime performance.
According to researchers David and Lee, a subscriber’s security concerns with SaaS may be unjustified. Security can be violated by simply sending proprietary data and information through a business email. Many proponents of SaaS have argued that data and information that reside within an organization are just as susceptible to corruption and theft. SaaS vendors can secure data and information either in their facilities or offsite ones with robust disaster recovery procedures. Issues related to privacy and hacking can be managed by the vendors’ experts, who design and implement best practice security measures.
Many SaaS vendors have earned independent certifications to demonstrate that their environments are secure, perhaps even more secure than their clients.
Another concern is potential lock-in because proprietary platforms use languages and technologies specific to the SaaS vendor, thereby increasing the switching costs for subscribers. Associated with lock-in is the concern about vendor survivability. There may be disastrous business consequences if the subscriber cannot read or manipulate the data stored in a particular format by a SaaS vendor that becomes commercially unviable.