Professional Documents
Culture Documents
to Best Practices in
SaaS and the Cloud
Graphic Designer
TechRepublic
Kimberly Smith
1630 Lyndon Farm Court
Suite 200
Louisville, KY 40223
Online Customer Support:
http://techrepublic.custhelp.com/
Contents
4 Introduction
5 Making a business case for the cloud
7 Automating business processes with cloud services
11 A true cloud model vs. “cloudwashing” by vendors
13 Why SaaS is not a buffer against “shelfware”
15 SaaS integration is costly and challenging
17 Reasons to pursue a multi-cloud strategy
19 How to avoid the hidden costs of cloud computing
21 Why encryption doesn’t solve the data sovereignty debate
23 Five SaaS adoption speed bumps to avoid
25 SaaS won’t work for all software
Introduction
Among technology professionals, the prevailing perception of cloud computing has undergone quite a trans-
formation in the past five years.
In the middle years of the last decade, the cloud was largely viewed among IT leaders as too insecure and
too much of a step backward toward the days of mainframes. However, after the budget crunch of the Great
Recession in 2009, the cloud became a life raft for IT, streamlining costs without substantially decreasing
services.
In the past couple of years, cloud computing has grown so prevalent that it’s become a cliché. In fact, many
IT pros are tired of hearing how it will solve nearly every problem. Yet its impact on IT is undeniable, and it has
become one of the IT department’s most potent tools—when used properly.
We’ve gathered the best material across our global network of TechRepublic and ZDNet writers and editors
in the U.S., Europe, Asia, and Australia and pulled it together into one downloadable PDF you can easily drop
onto your laptop or tablet or print and read the old-fashioned way.
For now, we hope these best practices and perspectives on SaaS provide you with useful insights to make
smarter decisions and steer your organization in the right direction.
Sincerely,
Jason Hiner
Editor in Chief
In Like it or not, it’s time to get a cloud strategy, I said that organizations need to stop making the same old
excuse and believing the falsehoods about why the cloud isn’t a plausible approach to computing and start
adopting a cloud strategy. To remain competitive, an organization needs to constantly devise ways to reduce
cost and increase its ability to scale and develop with the business—not against it.
Probably just as obvious, the more that is moved to the cloud, the less hardware, software, bandwidth,
and power an organization needs to buy. Furthermore, as most cloud providers’ pricing structures are on a
subscription or pay-as-you go basis, many upfront costs are eliminated. With more and more cloud providers
entering the market, these distributed costs will continually decrease as competition increases exponentially.
Dependability
In terms of dependability, the cloud often gets an unwarranted amount of attention—especially negative
attention. However, this is often a case of misdirection and really just echoes problems that have existed since
the dawn of the multi-tenant architecture. This can be narrowed down to data redundancy and recovery—
something cloud services like Windows Azure and Google Cloud Computing actually bundle in their offerings.
However, it has never been good policy to rely on one vendor to ensure data is backed up and can be recov-
ered, whether it is an “eventual” kind of recovery effort or something more mission critical that requires 99.99%
uptime. For organizations that flat-out refuse to enter into the cloud, a hybrid approach might be merited,
where backup and recovery are managed in-house, or perhaps vice versa (use cloud as the point of redun-
dancy). For those looking to fully vest themselves in cloud computing, regardless of the provider type (IaaS/
PaaS/Saas), there is a multitude of third-party vendors to engage with.
Security issues
Even more reproached and scrutinized than cloud dependability are its security measures. But this aversion
is more than likely to come from executives, as most IT professionals understand that firewalls are a matter of
networking and not so much where data exists. And just like any PC can be breached or infected, so too can
the cloud. Therefore, security in the cloud holds the same capacity to be secure as on-premise data centers,
and it’s solely a matter left to security personnel. Deliberately put, security is a means to apply cryptographic
methods and to control incoming and outgoing network traffic.
• Greater access to distributed (CPU) power, as applications now use virtual memory
• The ability to shift IT’s focus toward innovation by developing applications and managing critical busi-
ness information
• Fewer glitches/bugs, as applications serviced through cloud computing require fewer versions
• Increased mobility, as employees can access data from multiple devices through single-point in the
cloud
• The ability to improve cash flow and decrease capital expenditures and operational overhead, primarily
through subscription/pay-as-you-go/incremental pricing models
For eight years, Eccentex has maintained its goal of allowing organizations to automate business processes
using cloud services to reduce risk, increase efficiency, and improve customer service. The founders cut their
teeth as pioneers of business process automation and electronic document management when the cloud was
still in its infancy. This year, according to Gartner, the aggregate of cloud services is expected to hit the $150
billion mark, while annualized SaaS growth is now more than 40%.
The Eccentex business model is based on its proprietary service platform, AppBase, which allows rapid de-
velopment and deployment of enterprise business applications in the cloud. I talked with Glen Schrank, CEO,
and Alex Stein, founder and chief strategy officer at Eccentex, about how their business is changing and the
specific value of having a platform like AppBase as a starting point.
Jeff: With a business whose clients are regularly repeating their decision to renew subscription-based services
as opposed to the multi-year, high-commission sales pitch, licensing purchase model, how do you evaluate
ongoing customer satisfaction?
Alex: Our primary success measure is the number of users we have benefiting from the system, but we do
also track specific customer benchmarks on an ongoing basis.
Glen: Our IT clients’ executives have the ability to analyze objectives based on business intelligence built into
each of our dashboards. We set custom ROI objectives for each business, like normal services uptime and
SLAs for availability. For more specific feedback, we also do detailed quarterly surveys of all our users both on
the customer side and for us internally, polling a different set of employees each quarter.
Jeff: What does your typical customer look like, and how has that been changing over the last couple years?
Alex: Within the area of dynamic case management, our job is automating workflows for the customer. That
is typically going to be a midsize company with regular processes that require knowledge workers to organize
data and make some kind of complex decision based on that data, such as insurance or financial information.
It’s often a company that uses technology broadly all through the stack to the customer, but not always.
Glen: Honestly, businesses in every industry can use this next-wave family of applications we work with to
manage service requests from work orders to employee onboarding to fraud investigations, which all have a
great deal of knowledge worker input. If you look at the classical core applications like ERP by comparison,
they are much more structured and automated and don’t require as much employee interaction.
Jeff: With the downturn in the economy and the general uncertainty of developments like changing benefits
requirements, has there been a reaction in terms of a reluctance to move as quickly?
Alex: The primary effect has been a greater need for efficiency among technology companies and knowledge
workers. In a tight financial climate, demand has become even greater for increased productivity.
Glen: One of the drivers has been the productivity of the knowledge worker with this family of applications.
The cloud affects everything from delivery to maintenance and the cost to make changes, particularly in get-
ting the applications up and running faster. The old way is more expensive, more structured, and takes too
long. At the knowledge worker level, people are happier because they have a tool that is more like a consumer
product. At the business level, management is glad that the workers are more productive. The IT department
has an easier job managing all this on the cloud because it is much more dynamic and accessible.
Jeff: What has been the effect of offshore outsourcing, where the knowledge worker jobs are being done from
a distance?
Alex: Case management systems make it much easier to distribute task assignments or even entire parts of
the process broadly among workers in remote locations around the world, in India, Ukraine, or Russia.
Jeff: In terms of business metrics and ROI, do you see the IT department being run more like an independent
profit center than it has been in the past?
Alex: The cloud has made the biggest change in the direction this is taking. In midsize companies where the
cloud is more accepted, the solutions are now driving the requirements. In the future, with companies us-
ing platform-as-a-service and acquiring more soft technologies, there is a trend toward IT becoming the link
between the business and the solutions because they don’t need to worry about the infrastructure. They need
to know that it can meet the business requirements for managing this project.
Glen: Personally, I don’t believe the role will change that much in terms of what IT was evolving toward before
the cloud. It really is a service center for the lines of business. That is under pressure in terms of delivering the
solutions more quickly, with greater flexibility, and with lower costs. With any one of our projects, we might
start off talking with the line of business manager and then IT gets involved or vice versa, but we see them
both collaborating toward the same goals. I don’t see the cloud changing that aspect of the relationship. The
value to IT is that they are able to deliver service to their internal constituents more quickly and at a lower cost.
Even more important, they can prototype solutions quickly, and say, “Let me just build something for you right
away and show it to you.” So in other words, I don’t think cloud is affecting the need for IT as much as chang-
ing the rules.
Jeff: Among the customers you work with, do you see more interest in the public cloud or private cloud or in a
hybrid?
Alex: It depends on the size of the business and on the particular solution, but most clients we work with are
more interested in private cloud. Right now, it can be contingent on whether the application is mission-critical.
I see that changing and moving more toward the public cloud over time. Government agencies are the ones
more consistently interested in public cloud right now.
Jeff: Are most of your clients already aware of the costs and benefits or do you find yourself educating them
on those things?
Alex: I have to say it’s much better today than it was two years ago, but we still need to educate on the
specifics. A lot of companies are already well on their way in the adoption process. For smaller companies, it
is much easier to communicate. The larger companies are always going to require more proof points around
things like infrastructure and security, especially when the applications are mission-critical.
Glen: These days, almost every company has adopted some type of cloud solution, whether it’s Salesforce or
SAP’s Success Factors, or Workday, so the conversation is not so much around doing cloud or not. It’s more
around the added value of case management being delivered through the cloud.
Jeff: Where does that type of offering make the biggest difference?
Glen: Forrester’s Wave Report on Case Management applications describes them as a wrapper around other
types of core applications like ERP. The organizations that need this kind of wrapper and have a high number
of knowledge workers are the ones that see the biggest value—industries like financial services, healthcare,
government agencies, and energy and utilities. The opposite of that is an industry where every piece of work is
completely automated. From the factory worker down on the floor to accounts receivable, more and more ma-
chines are doing the work. What’s left there is the work where you need archive tools, application templates,
and libraries, and those are the jobs where there is an immediate and significant return on their P&Ls.
A major impact is the change in mobility going on and that has to be a big part of our solution. Work when,
where, and how you want is our mantra in terms of how we address business. At one point a few years ago,
the enterprise was saying, you can’t bring that smartphone or that laptop to work. I don’t see that so much
now. I see organizations establishing policies around it, but allowing these devices and they are primarily
empowered by cloud technology. They don’t really work very well through the old client-server arrangement.
Jeff: What kind of impact on information management do you see from government control, for example,
since Sarbanes-Oxley? How have you seen regulation changing the way you do business?
Alex: That is a major reason companies need our solutions, because regulations are only going to do two
things: increase and change. They are never going to go away. The technology has to be dynamic because
of the frequency of change in regulation and the need to comply with things like the housing of data or data
encryption. Those are the things that affect all vendors. The cloud becomes a huge advantage when you need
to adapt quickly.
Glen: In the world where some of the alternative solutions were architected in the mid-90s, the knowledge
workers were sitting behind a firewall and on a client-server system. That’s not the world we have now. We
are a litigious society, and that can create precedents in an industry. When we use the word regulatory, it isn’t
necessarily limited to government. It’s everything that goes into corporate governance. For example, there are
new expectations in the social media world, where if a customer gets angry, it can immediately affect a brand.
It becomes more important for the ability to support changing requirements in your audience to drive the solu-
tions.
Jeff: When you look at the three- to five-year window and the changes happening now, what kinds of things
do you see coming about that will be the potential business drivers?
Alex: The first thing I see is analytics playing a major role in applications in the near future, with quicker
analysis, prediction, and resolution being possible with enormous amounts of data. It’s already playing a role,
but I think this is becoming one of the key components. Also creating a metasystem to allow all of these SaaS
applications to work together is very important—I would say in the next two years or so. From our perspective,
it is important to be able to link both internal and external resources to our solutions for critical tasks.
Glen: To build on what Alex is saying, Bring Your Own Device and the social enterprise are big trends right
now. What we create are knowledge worker applications, so what we are experiencing on the consumer side
is the ability to look for the thing that will help you to be more productive, click to find it on their smart device,
download it, and start using it. That’s a trend that’s going to happen in the B2B world, and we are enabling
that. Where someone who is looking for a certain purchase now goes to Amazon because it has what they are
looking for, we want to be the company where knowledge workers go for the apps they need. There are three
kinds of cases we describe: investigative work, incident processing, and service requests. Let’s say a customer
wants to build a solution around one of these areas. Our platform allows you to build and configure each of
these types of application from the ground up or to go to our application library and find a solution germane to
your situation that has already been built. It is completely dependent on your skill level and how much custom-
ization you are looking for.
The definition of software-as-a-service (SaaS) predates the rise of cloud computing, and it relates to the deliv-
ery of software from a centralized data center and its access by end users through some sort of “thin” client.
It’s easy to see how, in a cloud world, the thin client is the Web browser. And since software is Web-based, it
is necessarily distributed from a server to somewhere else. I believe, however, that the similarities between the
cloud-based software model and this basic definition of SaaS have led to a generalized misconception that
every piece of Web-based software is a service—and that has allowed vendors everywhere to “cloudwash”
their offerings.
On the second level, we have platform-as-a-service, or PaaS, vendors. These companies offer an abstrac-
tion layer on top of the basic computing infrastructure for tasks such as storage or messaging, so that the
end user can accomplish certain computing-related tasks more easily. Examples of offerings on this layer are
Microsoft’s Windows Azure and Google’s App Engine.
Finally, on the uppermost layer of the cloud, we have software-as-a-service, or SaaS, companies. These are
fully featured, Web-based software offerings that are sold to end users as a closed package. There are literally
thousands of companies in this space, offering everything from Web-based email and calendar to ERP solu-
tions. Even though all cloud-based software is necessarily software-as-a-service, the opposite may not always
be true.
What’s in a name?
The basic definition of SaaS is concerned mainly with how software is distributed, making no distinction as
to how the software is priced and sold. This means that a vendor could charge annual licensing fees from
customers, just as with traditional software, and still get labeled as “software-as-a-service” as long as the
software follows a Web-based model. In fact, there are several “cloud” software solutions that are sold this
way: The annual fee is disguised as a monthly payment with the possibility to opt out along the way, and
customers are happy.
On the IaaS and PaaS layers, services are charged on the basis of usage metrics that make sense for the end
user. Servers are bought based on how many CPUs and how much memory you’ll use and on how long that
server will be active. For computing platforms, you pay for the tasks executed, such as storage transactions
and space, messages sent and received, computations performed, and so on. This establishes some basic
premises for the cloud: that systems can be scalable and that control over expenses can be fine-grained.
However, these premises don’t hold true for software offerings. There are still several vendors that insist on
charging monthly or per-user fees (or both). This is just the replication of the traditional software model using
the Web as a new distribution channel.
To truly follow the cloud model, software should be sold based on usage metrics that make sense to the end
user. If I’m using email, charge me for the volume of messages that are sent, received, and stored. If I’m using
an office suite, charge me for documents (or spreadsheets, or anything else) created and shared. By moving
away from the traditional pricing model, companies can build a stronger value chain, where products can be
created using others as a foundation and everyone can earn money.
While the service model is related mainly to the distribution channel, the cloud is an economic model. It
encompasses not only the ideas behind the service model, but also other ideas, such as transparent scalability
and always-available resources. We can see that while all true cloud software is software-as-a-service, not all
software sold as a service fits into the cloud model. By understanding these differences, customers can better
choose their cloud providers.
Software-as-a-service (SaaS) spares companies from having to fork out money to pay additional fees, such as
maintenance and upgrades typical of the on-premise package. But companies must realize even SaaS does
not necessarily always prevent onerous expenses if they get lured by discount deals and end up subscribing
for software they don’t actually use.
SaaS brings substantial costs savings and benefits, since the provider takes on most of the responsibilities
formerly shouldered by the customer, said Ray Wang, CEO and principal analyst of Constellation Research.
On the other hand, with on-premise software, a company gets tied down with several things, from training and
upgrade processes to testing and capital depreciation of infrastructure, like servers.
“These all require a labor force with experts in each of those areas, which means staffing expenditure. And
realistically speaking, upgrades in the on-premise world never fall into precise timings as companies would
hope, thus impacting business,” Wang said.
For on-premise software, he said, a hardware change could be delayed for a software change, and all these
delays result in a slower pace of innovation—something one doesn’t need to worry about in the SaaS world.
Another benefit of SaaS is the major savings with regard to “shelfware,” Wang said. The term is industry slang
for software a company buys but ends up never using.
For example, if a company spent a million dollars for on-premise software, and 25 percent of it ends up as
shelfware, it is “wasting” around US$250,000 in maintenance for the software license. By contrast, the pay-as-
you-go model of SaaS means the company pays only for what it uses, Wang said.
Many providers offer attractive economies of scale, increasing the number of discounts as a customer’s vol-
ume commitments grow. Buyers can get lured into oversubscribing for services in a two-to-three year contract
term right from the start, because the discount looks appealing, Sood said.
“In many cases, we see this leading to shelfware-as-a-service, where customers pay subscriptions for soft-
ware that they have not used for months, sometimes even years.”
SaaS offerings are usually based on per-user and per-month subscription models analogous to conventional
telephone and utility billing, so adapting to this kind of billing cycle is easy for companies. It is also transparent,
and customers won’t find themselves getting billed for things such as software upgrades, patches, or other
maintenance processes, said Charles King, principal analyst at Pund-IT.
There might be the few rare circumstances where extra billing kicks in, he said, although he has not observed
any occurrence yet. Hosting services, for example, allow customers greater latitude in choosing specific
systems to host only their applications and data for a greater sense of security, so it might be possible that
maintenance and upgrade costs of those specified systems are passed on to the customer.
Companies want to escape IT equipment and support costs, but there are also certain applications and data
that large enterprises especially are unlikely to ever let out of their sight and perimeters, King said. That is why
the hybrid model works pretty well for many companies right now.
Still, there will be times where owning and managing their own applications and data is the preferable course
for companies, even as SaaS becomes an increasingly bigger part of any organization’s IT strategy, he said.
It boils down to whether companies need specific customizations for the software in question, Wang said.
There may be instances where the organization wants its data to be located in a specific geography or want to
modify the code for a certain application, which is when on-premises software will be appropriate.
Sabharinath Bala, research manager of enterprise applications at IDC Asia-Pacific, said companies increas-
ingly prefer a hybrid IT environment that combines existing on-premise software with SaaS applications. To
facilitate this integration, some SaaS vendors offer a number of connectors or adaptors in their software.
But in reality, he said, not all protocols and standards are sup-
While some SaaS
ported by existing software and this creates gray areas that make
vendors claim their
integration a pain and concern for IT professionals.
applications are easily
Access control and monitoring, for instance, is one of these gray integrated with on-
areas. The conventional access control functions are centralized, premise apps, the
and support for control and monitoring are sometimes not ex- general feedback
tended to SaaS apps. This would be a problem for IT departments, from the industry has
as they would not know who has access to its corporate systems, been negative.
Bala said.
“While some SaaS vendors claim their applications are easily integrated with on-premise apps, the general
feedback from the industry has been negative, saying that even if it happens, the process flow tends to break
along the way. The integration is not seamless compared to both [groups of] applications operating separately,
[and] application security is compromised when integrated,” Periakarruppan said.
After all, a poorly planned integration could result in siloed apps that do not communicate with each other,
which wipes out the benefits of using SaaS. Relying on SaaS vendors to provide integration management will
create a long-term dependence on the service provider, and this would also eliminate public cloud services’
cost advantages over traditional software, Bala said.
“Essentially, these services help in connecting on-premise and SaaS applications without the need for any ap-
pliances or software coding and are usually hosted and managed by an external vendor,” Bala said.
Vendors that offer integration-as-a-service include Dell-owned Boomi, Informatica, and CloudSwitch.
Periakarruppan said that these on-demand services do not come cheap but are worthwhile investments
considering how SaaS apps can help companies better cope with workers using their personal mobile devices
for work.
It is an unfortunate fact of life that things fail. Vehicles, utensils, appliances, even buildings eventually break
down in one way or another, and something in them stops working. With IT it’s no different. Everyone who
has worked in IT for any period of time has experienced some issue related to failures, from hardware—faulty
disks, broken PCs, power surges—to software failure—buggy software, application crashes, unhandled
exceptions. If anything, the failure of hardware and software seems to be accepted as the norm, rather than
the exception, by end users. Just think about how routine it seems to reboot a laptop, or even a server, if
something isn’t working properly.
Cloud computing is the same: Even if your cloud provider offers a 100% uptime guarantee for all the services
you rely on, these services will eventually fail. You need to be prepared for when they do. While part of being
prepared means having redundancy built into your cloud-based application, many times this redundancy is
limited to running redundant copies of your application on separate data centers of the same cloud provider.
While this is recommended—it is, after all, one of the reasons why all the large providers have multiple data
centers in separate geographical locations—another possible strategy is adopting multiple cloud providers.
Reducing risks
By adopting a multi-cloud strategy, that is, by running your cloud-based deployments on multiple cloud provid-
ers, redundancy is taken to a whole new level. By selecting data centers from different providers to host your
cloud servers, you can effectively eliminate the risk associated with the business continuity of the infrastructure
provider, as well as risks related to electricity suppliers, networking providers, and other “data center” issues,
since each cloud provider will usually operate separately.
A multi-cloud strategy also reduces other risks associated with having a single provider. Let’s say someone
discovers a vulnerability on the virtualization platform your current infrastructure provider uses. If you are
deploying on multiple clouds, you can simply shut down the servers on the vulnerable provider with little or no
impact to your operations. The same mentality applies if suddenly your provider decides to increase its prices,
or even change its terms of service: Shut down your servers and move your business to someone else.
Virtual power
For a while, during the early years of cloud computing (which was no more than three or four years ago),
adopting a multi-cloud strategy was hard. Cloud providers operated on proprietary closed architectures that
made migration a headache. You’d need to effectively download whatever data you had, rebuild your virtual
machine from scratch on another provider, and then upload everything again. Today, however, these barriers to
change are dropping fast.
Motivated by the need to enable the interoperability of existing corporate data centers with their own public
infrastructure, cloud providers are facilitating the upload and download of entire virtual machines so that copy-
ing your VMs from one provider to another is much easier. There are data migration solutions that allow you
to move data from one service provider to another with ease. There are even cloud-based service providers,
such as Cloudability, that make it easier for you to manage multiple cloud providers at the same time.
Like what happens in any market where competition abounds, on the cloud there are significant differences
between providers. Some will offer better support, some will offer better SLA terms, some will have lower
prices, some will have better APIs, and so on. The best way to understand these differences and choose the
providers that fit your needs is to experiment with them. I spent a good six months experimenting with different
infrastructure providers before settling on the ones (three at any given time) I currently use, and I’m always
evaluating new alternatives. With the tools and functionality available today, there is no excuse for not going
the multi-cloud route.
We all know the conventional wisdom about cloud computing: It’s cheap, fast, and easy. But is it really that
much cheaper? Or is it simply optics that makes it appear cheaper?
But optics aside, is that $99/month per user SaaS application just another $20,000 per year enterprise ap-
plication? Is that $0.25 per hour virtual machine just another $85 per year hosted VM? No, it’s not the same.
Because the pricing models are not just optics but an indication of the buying pattern that is possible. If you
buy it the same way you do traditional IT, then yes, the math says, there’s little difference here. The key to
cloud economics is to not buy the cloud service the same way you do traditional IT. The key to taking advan-
tage is to not statically and rotely consume the cloud. Instead, consume only what you need when you need
it—and be diligent about turning off when you aren’t.
That said, however, there are cost gotchas to watch out for. Otherwise, you will face the hidden costs of
the cloud. So what are these gotchas and how to you avoid them? You have to look at this question in two
groups: SaaS and cloud platforms.
SaaS services nearly always carry a perpetual, per-user license (you pay monthly on an annual or multi-year
term). The hidden costs here fall into three areas:
• Customization: The more you can use the SaaS solution as it was designed, the lower your costs.
Customizations can quickly lead to development and maintenance costs you didn’t anticipate. This is
the most common error enterprises make. It is more cost effective to teach your employees to use the
SaaS as it is designed than to try to bend it to your processes. This isn’t always possible but should be
used as a rule of thumb.
• Integration: You will inevitably integrate SaaS services with in-house applications, data stores, and
other SaaS services. These integrations must be built, managed, and maintained. Best practice is to
define a clear integration architecture via as few means as possible.
• Sprawl: A SaaS app you bought initially for just 15 employees sounds like a great investment and
low-cost solution until you open up the app to 1,500 employees. Suddenly, $99 per user could be more
than an in-house solution. Be diligent about who you grant access to any SaaS app.
On the cloud platform front, these services tend to have a pay-per-use model that can be positively be af-
fected by application behavior rather than use pattern. Thus the hidden costs to avoid are:
• Not turning things off: It’s easy to see how pay-per-use makes your startup costs low and simplifies
elastic scaling as traffic rises. But it is just as easy to overlook application use/load patterns when they
go the other way. This is where you can save tremendous money by turning off resources that are no
longer needed.
• Not managing storage: Storage grows; it never shrinks. On a pay-per-use service, you are constantly
reminded of this. You need to actively manage your storage consumption by moving data to lower cost
services when they are no longer in constant use, leveraging caching as much as possible, and deleting
files or copies of files if you don’t need them.
• Not activating cloud economics: Not every application is a fit with a pay-per-use platform. The best
suited are those that take advantage of the pricing model through either elastic scale or transiency.
Elastic scale means the app increases or decreases its resource consumption based on use. Best-fit
apps are those that do this as granularly as possible. Transient apps are those that are not active all
the time and can be parked or completely shut off when not in use. Batch work, high performance
computing, and seasonal or cyclical applications are all good examples. An app that just sits there 24/7
consuming the same resources is usually a bad fit and should be moved back into your data center or
to traditional hosting.
There is a long-standing argument that encrypting all data sent to the cloud could make the data sovereignty
debate irrelevant, enabling Australian companies to make use of cheaper, offshore clouds.
The basis of the argument is that data, once encrypted, is random and cannot be read, so the problem is
shifted toward the issue of key management—which can be solved by ensuring that keys remain onshore.
But security vendors Trend Micro and Sophos, and systems integrator CSC, have argued that encrypting
everything isn’t necessarily the answer for everyone and that doing so would come at too high a cost.
At a media briefing, Trend Micro vice president for Data Centre and Cloud Security Bill McGee stated that
encryption brings about additional challenges that have flow-on effects in terms of scaling a cloud solution and
the financial implications that brings.
“At some point, deduplication does not work on encrypted data, so then you’re going to pay a storage cost,”
he said. He added that this could blow out significantly for larger datasets and doesn’t even take into consid-
eration the additional network costs.
CSC’s Global Security Solutions CTO, Gordon Archibald, said that its his company’s role, as a systems inte-
grator, is to ensure that the level of security meets the risk profile of the businesses. This includes covering a
minimum level of risk, but also not over-covering the business, so that they don’t pay for what they don’t need.
“If they did pay for it, what we would do is help them understand [things like their] risk profile—where is your
data, how is it encrypted, where is it used, where is the key—and we’d create a risk profile that’s right for their
business. What’s right for [the Department of] Defence is slightly different from what’s right for a health fund [or]
for manufacturing.”
Archibald said that it would be rare to see anyone whose business is at such a high risk that they need com-
plete encryption.
“Depending on what your threat profile is, you may want to go down the full-encryption path, but at the mo-
ment, what we’re selling in our datacentres, we’re not fully encrypting the data,” he said.
In fact, Sophos managing director for Asia-Pacific, Stuart Fisher, told ZDNet that he has never seen anyone
even consider the idea.
“I don’t think every piece of information in an enterprise needs to be encrypted under any circumstance.
That’s not the intent, and I don’t think there’s any organisation, government or otherwise, that would consider
encryption of every piece of data.”
To make matters more complicated, McGee said that even if a company were serious enough to undertake
such measures, technology changes so quickly that entire datacentres may need to be updated, as process-
ing power could increase to a point where encryption becomes easy to break.
“It’s a slightly more esoteric argument, but it is fair that the data can be around for years and years… when it
comes to a disk drive. So there’s the ‘is it strong today, is it going to be strong 10 years from now’.”
All three organisations agreed that while encryption is an important tool in the security industry, its real power
comes in the form of protecting data that is not at rest.
“Do you need to encrypt every piece of data in the datacentre? No, I don’t think that’s the case, but you don’t
have to have a physical breach of a physical datacentre to have a loss. That’s not the risk. The risk is a mobile
user who leaves their laptop in a hotel room unsecured, [or] an email that’s misinterpreted or caught,” Fisher
said.
Saurabh Sharma, senior analyst of IT solutions at Ovum, observed that many enterprises leap toward a SaaS
delivery model without first having a specific, well-thought-out cloud strategy in place.
“Embracing SaaS without understanding the attached [consequences] definitely increases the risk of creating
a sinkhole, be it [in terms of] efficient utilization of operational budgets or governance,” he said.
So while the SaaS model has the potential to deliver cost savings and
When integration
benefits such as greater IT agility and flexibility, the migration road-
between the cloud
map must be well-planned to take care of issues such as integration
software and other
and expected savings.
systems becomes
Sharma said that on average, SaaS applications provide total cost of too complex,
ownership (TCO) savings over three to five years before “diminishing” companies require
in the following years. Companies should thus plan their cloud spend extra processes
based on this timeframe. or additional
customization
Yanna Dharmasthira, research director at Gartner, said that
to facilitate the
companies need to conduct a proper TCO analysis to avoid potential
deployment.
cost overruns and suggested that a five-year model is typically
appropriate.
The analysts highlighted five key issues regarding SaaS implementation that may potentially cause migrating to
cloud services to be more of a hassle than it promised to be.
1: Integration
When integration between the cloud software and other systems becomes too complex, companies require
extra processes or additional customization to the program to facilitate the deployment, Dharmasthira said.
This is an area that IT leaders generally overlook and do no provision for when considering for the integration
of SaaS and on-premise applications, Sharma added. The lack of an integration plan is often one of the big-
gest reasons for time and cost overruns.
“This oversight leads to disappointment and one is forced to believe that the shift to SaaS was not the correct
decision. Most SaaS apps are sold on the promise that their integration with on-premise and other SaaS apps
will be easy, but organizations find out such projects often turn into complex messy affairs,” Sharma said.
2: Vendor lock-in
Sharma also reminded companies that service degradation is a “truth of life,” and they will inevitably look for
other services in the market when standards of the existing software begin to fall. However, given the amount
of time and money invested in integrating the program initially, switching vendors might pose a challenge for
these companies. At the same time, he added, not all cloud apps are interoperable and this is another point of
risk for vendor lock-in.
And since most SaaS products are for general purpose use, they might not be comprehensive enough for
complex business operations compared with on-premise software, she said. An example of this would be the
integration and automation of business processes that involve several business units or departments.
4: Hidden costs
There are hidden costs that companies may fail to consider too, Sharma said. For example, they might not
be aware of the premium charges associated with having additional computing resources to support greater
loads during peak times. They might also not consider the substitution costs related to the add-on coding
needed to ensure that on-premise apps are compatible with the cloud environment and that there is proper
interaction between cloud and on-premise software.
5: Network instability
Dharmasthira identified latency issues as another issue that often hampers SaaS deployments and said that
isolating the root of the network problem is challenging, given most companies’ complex and multiple-end-
point environment.
While SaaS has enabled new ways for IT shops to solve problems, Matt Healey, program director of software
and services at IDC Asia-Pacific, said that there was a lot of hype around it—which companies should “take
with a pinch of salt.”
“People read about SaaS, that it is perfect and the greatest thing out there, so it must be applicable to every
single software market. It’s not [and] I am skeptical of any solution [that claims to be] one-size-fits-all,” he said.
Healy describes SaaS as a “great invention and delivery model,” but he noted that only certain software types
were a “natural fit” for SaaS, such as customer relationship management (CRM).
“CRM is perfect for SaaS. It is mainly used by salespeople who tend to be mobile, and companies hire and
fire salespeople often, so they need a solution that is mobile-friendly and can be easily scaled up or down and
add new users.”
Human capital management (HCM) is similarly attractive for SaaS for the same reasons of easy and fast scal-
ability, he added.
In contrast, software such as enterprise resource planning (ERP) and product lifecycle management (PLM) are
not a good fit with SaaS because those end users are not necessarily mobile and the level of scalability is not
as fast, Healey said.
Somak Roy, lead analyst for enterprise solutions at Ovum, similarly noted that in Asia and worldwide, CRM,
HCM, and collaboration are the few software “blockbuster success stories” that see high SaaS demand.
Both analysts’ comments come in light of an announcement from SaaS vendor Salesforce, which last month
reported record billings for its CRM products, and recent acquisitions of cloud-based HCM vendors by IT
giants including SAP and Oracle.
For instance, business process management (BPM) software has nothing to do with where an application
is delivered from and everything to do with organizational complexity. In terms of total ownership costs, the
software acquisition, integration, customization, process reengineering, and training are high, whereas the
hardware and software infrastructure are low.
Under these circumstances, the cost advantages of SaaS “cease to be a big deal,” Roy said.
He pointed out that the competitive pricing of SaaS remains a main driver for adoption, so unless a SaaS
vendor can offer a cost advantage regarding a particular software type, that market will not see it become on
par with non-SaaS offerings. “That is why SaaS is a peripheral low in so many markets, such as BPM, supply
chain management (SCM), and business intelligence,” he said.
Analysts nonetheless acknowledged that while SaaS is not applicable across all software categories, the
market for SaaS is definitely expanding.
Healey, for one, noted that SaaS will only continue to get more developed alongside cloud maturity, which
opens up opportunities for business continuity and disaster recovery. For instance, SaaS will be useful for
companies that must quickly return to operations and recover their data after losing their data centers in a
natural disaster, he said.
In addition, as emerging markets such as those in Asia-Pacific mature and broadband penetration grows,
companies will start having more advanced needs and seek different ways of consuming IT to meet these
needs, which might lead to SaaS adoption.
He suggested three pointers for companies to consider when determining whether a SaaS offering is
appropriate:
• Companies should look at the distribution of the targeted end-user base. In many organizations, users
are desk-bound with little overseas travel, and a traditional on-premise hosted IT function makes sense.
• Companies should think about how quickly their software solution needs to be scaled.
• Companies should consider how important the security of the data is. For example, organizations with
highly confidential and sensitive data will find SaaS less attractive.