It might sound like pie in the sky, but many companies now regard cloud computing as a secure way to procure and run cost-efficient business applications.

Software-as-a-Service (SaaS), which gives companies access to commercial applications delivered by third-party providers on the internet ‘cloud’, is now big business and getting bigger every day. Over the past year, SaaS deployments globally have grown significantly, across North America and Europe adoption in large enterprises grew 33% and adoption in the small and medium-sized business market grew 50%, according to a survey from Forrester.

The analyst firm found that HR applications, collaboration and CRM are the most popular choices for delivery as a service. Human capital management applications were the most widely-used SaaS technologies, deployed in 45% of companies. Other SaaS applications used by more than a third of respondents were collaboration software (38%), CRM software (36%) and order management software (35%). There are also increasing instances of multiple SaaS application usage.

Liz Herbert, senior analyst with Forrester, says that growth in SaaS adoption is being accompanied by a shift in the type of applications that are being delivered. Companies that have been running relatively low-level applications as services are increasingly considering the model for delivery of more mission-critical functions.

“As companies increase their usage of SaaS applications and deploy them for more mission-critical functions, they must be more prudent about their contracts with providers. Sourcing departments should take the initiative to help with best practices for negotiating the growing numbers of SaaS contracts,” says Herbert.

“Key considerations include data ownership, systems uptime and performance expectations, backup and recovery and support. Sourcing departments should also take responsibility for keeping repositories of contracts and tracking application usage so they can be more successful in future negotiations.”

Taking ownership
The importance of securing ownership of data was echoed by Clive Longbottom, service director at analyst outfit Quocirca. “Data is king and this means, first and foremost, intellectual property must be safeguarded. Firms need to have a ‘Plan B’ in mind and ensure they have a storage device they own and control ­ either in their own buildings or offsite ­ that holds their data. They must always have their data mirrored onto a machine that belongs to them and not to the SaaS partner, which may fail in the future.”

Herbert says Forrester clients often ask whether shared architectures and internet delivery put their sensitive data at risk. According to Herbert this should not be a significant concern if companies ensure basic safeguards are in place. “Vendors must take appropriate steps to ensure strong access rights, data security and physical security in the data centre. Leading firms are getting certifications such as SAS 70 Type II to prove their security to prospects and customers. Smaller vendors should partner with leading hosts to ensure physical security.”

According to Longbottom, companies that do not have technology as their core competency often find that outsourcing even mission-critical applications to SaaS partners offers compelling advantages. “The simple answer is that the SaaS model is ready to support mission-critical applications. However, the caveat is that companies must choose carefully which applications can be delivered in this way and also which partner is best placed to deliver them.

“In security terms, a professional IT provider should be better positioned and have a state-of-the-art infrastructure with very high levels of data and physical security. Security needs to address technical issues, but also physical factors such who has access to the physical machines hosting data. This is an area where many companies do not address well internally.

“In terms of reliability, companies must look at what levels of uptime they have with existing systems and compare these with the uptime guarantees offered in the SaaS provider’s service level agreement (SLA). Do not just assume that existing reliability levels are adequate; find out what they are and compare them to the SLA.”

Security concerns
Dave Armstrong, Google’s head of enterprise marketing in Europe, the Middle East and Africa, believes concerns over the security and reliability of mission-critical applications are rapidly being assuaged. “With cloud computing, we are at a point similar to when people started realising their money was safer in a bank than under their mattress.

However, the benefits of cloud computing will not be realised if businesses are not convinced of its security,” he says.

“Trust is at the centre of success and providers have to prove themselves worthy of that trust if hosted services are going to work. That’s why security is one of the most important factors we consider when we develop products that handle a lot of personal and business data.”

But far from being a concern for enterprises, the SaaS model can improve application security, according to Steve Farr, product solutions marketing manager at Microsoft: “With SaaS, businesses can be bolstered by adding extra security and data backup on top of their existing IT infrastructure. At a time where the security of business data is paramount, SaaS offerings can ensure a more sophisticated and reliable level of data protection.

“The challenge of working on mission-critical applications in the cloud is that users have to rely on an online connection, which can’t always be guaranteed. As such, future development in the cloud will depend on the ability to work both online and offline,” says Farr.

However, Rhys Sharp, chief technical officer for systems integrator SCC, points out that, although overall SaaS adoption is relatively strong, some of the newer services have yet to break through as serious mainstream business options.

“The more challenging part of the equation is the emerging environments from organisations such as Google, Amazon and Microsoft’s Azure platform. These are less mature and people are only just starting to work out how to use them, so it’s true that widescale adoption is a little bit away. Even then, I think it will only be six to 12 months before those environments become fully mature and everybody understands the cost model associated with them,” says Sharp.

“In companies where commodity components are already being outsourced, the day-to-day business transactional functions are still frequently being retained in house, so we could be 10 to 15 years away from large companies pushing all their technology requirements into the cloud. The process is already underway, however, and in many smaller companies we are already seeing the demise of the internal IT department as a result,” he says.

Choose carefully
Robert Whiteley, vice president and research director at Forrester, says, “Your selection of SaaS solutions must begin with an understanding of the business capabilities you need to provide and any financial, procedural, regulatory, or other constraints on the decision. Once you understand what you hope to gain from an SaaS deployment, make sure you vet potential vendors with an eye toward your priorities.

“Without active IT guidance, business units can rush into SaaS deployments that work well for specific functions but require large IT investment to integrate. Instead, spearhead the due diligence required to find a solution that addresses business needs without neglecting IT concerns.”

Google’s Armstrong shares these concerns, but points out that moving to a cloud computing model requires FDs and other senior business decision makers to change the way they manage IT. “More than anything, the hosted model provides a stimulus for innovation and when you’re breaking new ground, businesses and their users have to trust the internet and their service providers if they want to bring flexibility, choice and innovation to their organisation,” he said.

“This entails changing the way they manage enterprise technology. Previously, enterprise technology was highly predictable, but also highly siloed and controlled. The inevitable paradigm shifts in IT were more disruptive since the ability to quickly implement new changes was not there.”

However, Twiggy Lo, principal research analyst at Gartner, is less upbeat about the current value of SaaS. “Hesitation over the true cost of SaaS solutions and concerns regarding how successfully SaaS applications can be integrated with other applications all point to issues that will need addressing and resolving,” Lo says. She thinks providers will need to focus on reducing costs and facilitating easier deployments that can be integrated into “real-world” corporate IT systems which typically include a variety of technology systems.

SAAS checklist: put due diligence first
As companies increase their use of SaaS across multiple applications, larger populations of users and more mission-critical applications, due diligence becomes even more crucial during provider selection, warns Forrester. According to the analyst group, businesses should ensure they cover the following areas:

• Security, backup and recovery – ­ Find out where data is physically hosted. It is advisable for some to have their own security teams to do physical audits. Check for compliance with emerging SaaS security standards such as SAS 70 Type II. Ask your SaaS provider if it has data physically backed up at a second location, about the frequency of backups and how long it would take to restore your data and the application in the event of a problem.
• Integration and customisation capabilities – ­ Some SaaS buyers get into trouble because they do not thoroughly evaluate integration or customisation capabilities at the time of purchase. They later go to IT with requests that the application simply cannot support.
• Pricing, SLA and data ownership considerations – ­ Companies often forget about contract terms such as uptime considerations, payout for unplanned downtime and helpdesk or support expectations. It is up to the sourcing team to ensure such oversights do not occur. Also, detail expectations around price, such as a percentage cap on renewal rate, increase at the end of the contract. Finally, make sure you are clear on any costs associated with getting your data back at the end of your contract and fees associated with terminating your contract early.

Source: SaaS Clients Face Growing Complexity, Forrester

For more information or to view this article online please click here