As cloud deployments increase, so too does overall understanding of how best to approach this new computing model and work with service providers.
It's about developing cloud smarts, if you will. The savvier you are about the cloud, the less prone you are to focus only on basics such as cost, back-end infrastructure and security provisions. Yes, even the latter has become a bit of a no-brainer.
"Originally everybody worried about security. But reputable cloud vendors have incredible security stats, and are able to provide potentially much better security than most corporations have right now because of the way they've designed their software," says Julie Smith David, director of the Center for Advancing Business through IT at Arizona State University. She also wrote a recent cloud integration report from the Society of Information Management's Advanced Practices Council.
This doesn't mean that security isn't a critical asking point, but one that's easily enough satisfied with proof of SAS-70 certification and the like, as well as through interviews with existing users, says Dave Strasser, IT infrastructure services director at Sterling Savings Bank, in Spokane, Wash. Strasser recently put Proofpoint, an e-discovery, compliance and e-mail security software-as-a-service [SaaS] provider through its paces. "We look at published success rates of the solution, and validate those with customer references. It's important to make sure what the sales channel at these vendors are telling us is really the same thing as customer experience."
Have the tough talk
On the flip side, Smith David says, as security concerns lessen and enterprises lock themselves in with a SaaS provider, the greater the risks associated with that vendor. "Vendor survivability or changes in vendor strategy are becoming much more important," Smith David says.
As you evaluate providers, you've got to look not only at the here and now, but also weigh potential futures. The idea of being a big fish in an upstart SaaS provider's small pond may be appealing, but what happens if that company gets acquired and suddenly you're a little fish in a big pond? Not only does your influence diminish, but you're likely paying the same rates for less functionality, cautions Smith David, citing the experience noted by a case study subject she recently profiled.
"Because the functionality was in a proprietary data set, the company was unable to transition to a different SaaS vendor. It had picked the original provider because it had some unique capabilities -- and it still has those -- but the risk of vendor lock-in has proven greater than it would have with on-premises software," she says.
It comes down to having the hard discussions with potential providers about worse-case scenarios. "Every time you adopt a new solution you need to have in place a roadmap of how, if the vendor were to disappear or be acquired, you would be able to take your data, transport it to another platform and be back up and running in how much time," Smith David says.
This makes data-integration capabilities -- or partnerships, as the case may be -- a critical discussion point with cloud providers. "The integration is the avenue to do that data extraction and transformation," Smith David notes.
Experienced cloud users agree about the criticality of data integration. "What APIs are available?" figures among the top questions Schumacher Group asks of potential cloud providers, says Doug Menefee, CIO at the Lafayette, La., emergency management firm. Schumacher Group has 85% of business processes running in the SaaS model today and fires up IaaS server instances in Amazon's Elastic Compute Cloud.
"Figuring out integration requirements and how providers handle those and getting everything in sync have been among our tougher challenges," warns Steven Birgfeld, CIO at Hostess Brands, in Irving, Texas.
To date, Hostess uses SaaS-provided benefits, employee portal, lead management and recruiting applications, Birgfeld says. In these providers' cases, he says, "the models are preset and we've had to push our way into what they have."
For example, he says, all the providers need core employee data such as name and address. "We built one extract but then had to tweak that for each of these players -- you'd hope they'd have more flexibility, but in these cases, they didn't."
First comes SaaS strategy
On the SaaS side, IT executives need to be just as shrewd about how they're going to embrace services as they traditionally have been about developing internal architecture standards. The onus of doing so becomes increasingly clear, as SaaS adoptions mature and enterprises realize that long-term success hinges on how well the applications can integrate into their technology architecture, Smith David says.
"You've got to ask yourselves, 'Are we going to go with platform as a service [PaaS] so we can develop custom solutions on top of and pre-integrated with the solutions that we're getting ... or are we going to allow best of breed, where we look for ideal SaaS solutions and then rely on an integration approach to make those work seamlessly throughout the business processes?'" she says. Because most SaaS providers' footprints are limited, many IT organizations today will default to the best-of-breed approach -- and that should trigger a bunch of integration-related questions for potential SaaS providers, she says. The most basic among them is whether they've got data integration services or are partnering on integration, she adds.
Workday, an HR and financial management SaaS provider, offers integration on demand through Enterprise Service Bus technology gained in the 2008 acquisition of Cape Clear. Salesforce has Informatica data integration tools available in the cloud through AppExchange.
What you want to determine, Smith David says, is not only what integration services your SaaS provider offers, but also whether those will be sufficient to work with other partners - to pass data back and between Workday to Salesforce, for example.
What's more, if a SaaS provider has an integration platform, you also have to ask whether it has process modelers so you can specify the rules for your organization, Smith David says. If your first choice doesn't have a process modeler, and you've got in-house integration expertise, you could extend your premises-based tools should your vendor offer APIs through cloud vendors. "Many integration vendors are providing good business process modeling tools that allow businesses to specify the process steps and then have either preconfigured integration adapters that allow those to fire or to have an IT person handle some of the mapping across the systems."
If you don't have resident integration expertise, then seeking out SaaS providers with integration as a service is the wise move, she adds. Smith David uses this example:
Say you need to switch from one SaaS CRM provider to another, for whatever reason, and you're evaluating eight stable providers. "If your integration vendor already has adapters between four of those, then it's easy to say, 'Extract my data out of the current system, transform it, and push it out to my second choice system.' That integration vendor has already done the mapping of fields, the logic and can port data out of one and into another.
"But what if the SaaS functionality is in an area that hasn't matured to the level where there's standard data structures, like in knowledge management? For collaboration, one vendor might use Wikis and the other Word docs updated sequentially. Without the adapters, passing data from one out to another will be difficult," she says.
No standing still
Being cloud smart also means probing into the policies providers have in place for software updates, change control and disaster recovery, cloud users and experts say.
With SaaS, you've got to be ready to accept updates when the provider pushes them out - but that shouldn't mean being forced to use them. "The smart vendors give you the option of turning that new functionality on or off depending on your needs," Menefee says. He says Host Analytics and Salesforce.com are good at this.
Likewise, you've got to understand a provider's change control cycles, Birgfeld says. He cites one example in which Hostess discovered that a SaaS provider's implementation was missing some fields that it required. "It had to make a change on its side and we on our side. We were done in a day or two, but the provider couldn't incorporate those for two weeks because the update would have been outside of its change control cycle -- so that delayed the whole process," he says.
Early cloud experiences also have shed new light on what to ask of cloud providers regarding disaster recovery, Smith David says.
"When we started working with companies two to three years ago, we thought if we argued for offsite storage with nightly backups and escrowed software then we were doing a really responsible job of disaster recovery," she says. "But it turns out that that's not enough in this environment because you're going to have to find an alternate platform quickly should you need to move from your existing vendor to somebody else."
With that in mind, she says, you need to be asking about the data structure and demanding that you can get access to the data from your own facility and not just from a third-party off-site location.
"If your SaaS goes out, there may not be any place to put that data. Going and getting it out of some secure facility isn't going to help you if you can't use it on your systems," Smith David says. "We've worked with companies that have gotten data dumps from their SaaS providers that weren't even in a data structure that any of the databases they have can read. So they get a file, they have the off-site backup but it's data that's absolutely unusable to them."
What you want from your SaaS provider is the ability to extract your data and do your own local backups at least once a month, but perhaps more often, depending on how critical that data is, she advises. You need to be sure you can use and manipulate the data should the need arise, she adds.
Such cutover plans have begun working their way into SaaS service-level agreements, Smith David says. "However, I haven't worked with any companies that have used those yet, so I don't know how effective they'll be. Still, that'd be something I'd definitely be looking for during my negotiations with SaaS vendors."
Schultz is a longtime IT writer and editor. She can be reached at firstname.lastname@example.org.