Best practices for scaling up SaaS

Guardian Life Insurance isn't about to take big risks when making IT investments, and CIO Frank Wander will be the first to tell you that he doesn't have a cloud computing strategy, per se.

RELATED: SaaS vs. IaaS vs. PaaS

But over the past five years, the $10 billion financial services company has moved 18 applications into the cloud. It shut down a compute grid and moved its actuarial modeling application into an Amazon EC2 cloud. And it's now in the process of broadly deploying two major software-as-a-service suites.

One of the two is Workday's human resource management suite. Guardian wasn't ready to reveal the other, but at the Atmosphere conference last fall, Google announced that it had signed Guardian as a Google Apps customer.

There's no cloud agenda at work here, says Wander. Each service has earned its seat at the table by undergoing a rigorous technology acquisition process that has been updated to include considerations unique to SaaS and other cloud services. Each service has also passed through a collaborative review process that involved the legal, security and sourcing groups in addition to IT.

"We don't do anything because it's cloud. But if the financials look right, if the risk profile looks right, if the richness and robustness look right, we go with that solution," says Wander.

The sheer breadth of Guardian's move to the cloud puts the company on the leading edge among Fortune 250 organizations. The extent of its commitment to cloud services is also changing the business's IT infrastructure and redefining roles in the IT organization.

As more corporate infrastructure moves to SaaS, it's important for organizations to build a strong foundation of best practices to manage risks around security, uptime guarantees, compliance, limitations of liability, remedies and other contract details, say Wander and other IT executives. The business must be fully engaged in the technology acquisition process, and the organization must follow best practices that are well thought out -- from the initial request for information to integration, ongoing management and contract renewal.

Computerworld talked with several organizations about the challenges they face in scaling up with SaaS and other cloud services, why the technology still isn't the best fit for some applications or business requirements, and why they decided to sign on -- or walk away.

Leading by Example

Wander "is a real leader," says Robert McNeill, vice president of research at HFS Research. In many organizations, he says, SaaS "happens" to CIOs as business units bypass IT. "What's interesting is that he is using SaaS in IT -- an area that he controls. He is embracing SaaS as a way of changing the business," says McNeill.

Fine Print

Would you sign this contract?

The following terms and conditions have been summarized from actual SaaS vendor agreements. It pays to read the fine print. What's more, users may encounter a "click-wrap agreement" that pops up, even if they have a separate contract. Which agreement takes precedence if a user clicks OK? Make sure your contract spells that out, says Russell Weiss, a partner at Morrison & Foerster.

aC/ The SaaS vendor can suspend your right and license to use services, or terminate the agreement in its entirety, for any reason or no reason, at its discretion at any time, with, at most, 60 days' notice.

aC/ In the event of a suspension of service, the SaaS provider will not intentionally erase your data (but will not represent that it will preserve it) and can condition return of your data upon your compliance with terms and conditions that the SaaS provider may establish in the future.

aC/ Your access to services may be suspended without notice, and the SaaS vendor will have no liability with regard to such downtime.

aC/ You bear sole responsibility for adequate security, protection and backup of your data, even though the other party is hosting it.

aC/ The contract terms can be changed at any time by the SaaS vendor.

aC/ Your company must indemnify the SaaS provider from all claims relating to your use of the vendor's services, with no limitations on liability.

Source: Morrison & Foerster

-- Robert L. Mitchell

But Wander isn't alone in his thinking. The number of SaaS implementations is climbing in other enterprises, says McNeill. He adds, "We're seeing global implementations of cloud services across the very largest of organizations," including even core enterprise applications to some extent. McNeill sees the use of horizontal SaaS applications globally or across large swaths of the corporate user base as a key trend.

That view is backed up by research from Gartner. The overall market for SaaS-delivered enterprise applications will increase from $9.97 billion to $23 billion by 2015, representing a compound annual growth rate of 17.9%, according to a November 2011 Gartner report.

Cindy McKenzie, senior vice president of enterprise application services at Fox Entertainment Group, has also moved aggressively into the cloud. Transferring 11 shared services applications, ranging from recruiting to tax reporting, over to SaaS providers was "the riskiest business decision I have made in the last 18 months," she says. The global SaaS deployments, which host personally identifiable information and other sensitive data, "pushed information security, audit and legal [departments] past their comfort zones," but allowed the business to get strategic initiatives up and running more quickly and at a lower cost than on-premises alternatives, says McKenzie.

This year, Fox plans to move more corporate applications to the public cloud, including payroll and HR. The new system is easier to use than the existing PeopleSoft application, has passed a five-year total-cost-of-ownership evaluation and can be online in much less time than it takes to upgrade PeopleSoft.

The most critical success factor, McKenzie says, was involving the audit, security and compliance departments from the beginning. "It saved a lot of headaches. If you try to do that work after the fact or when you're signing a contract, you've lost your negotiating power," she says. "The biggest surprise was how immature the governance processes were for some of the smaller SaaS vendors. We ended up pushing a number of vendors to make changes to meet our standards."

Guardian's team follows a well-defined, formalized process from start to finish, says CTO Richard Scott. "Together we evaluate all aspects of technology solutions. It's based on a matrix and scoring and a very pragmatic, objective way of looking at the solutions," he says.

"We have good vendor management processes," which are part of Guardian's governance model, Wander says. Guardian has the same operational processes for SaaS and on-premises software. "We have operational performance management. We check response times just as we would do internally. And we take end-user satisfaction measures over time," he says.

A Disciplined Approach

Start scaling up SaaS with a centralized procurement model, these executives say. Before Guardian developed its federated approach to technology acquisition, its SaaS deployments didn't always go through IT, says Doug Greene, vice president of corporate systems, security, risk and compliance at Guardian. That's a common problem, especially in large companies, according to Robert DeSisto, an analyst at Gartner.

Changes Afoot

How cloud is redefining IT roles

As the number of SaaS and other cloud service deployments continue to increase in the enterprise, IT executives are rethinking IT roles. The demand for new skill sets is leading to new job descriptions, and some traditional functions will eventually fade away.

"There will be a disruption in the IT talent base, and you need to retool and plan for that," says Mark Nathan, head of technology, planning and governance in the Corporate Office of Technology at Guardian. The insurer has 20 SaaS deployments in place or underway and recently turned off a large compute grid that powered its actuarial modeling application and moved it to the cloud. With even more functions likely to move into the cloud, Nathan is already planning for how to prepare the IT team for the transition.

So what's out? Guardian's migration to SaaS has meant fewer "rack and stack" administration jobs and less work for internal software developers. Rather than code changes, IT staff increasingly deals with configuration changes. But the need for integration specialists, contract managers and business transformation experts has increased, as has the need for specialists trained to monitor vendor performance and service level agreements. "Our plan is to retool IT toward these skills over the next five to 10 years," says Nathan.

Fox Entertainment Group has recently both deployed a private cloud and migrated 11 applications to SaaS providers. "With SaaS, our roles have lessened considerably. We have a whole lot fewer software developers assigned to staff and we don't have server admins," says Cindy McKenzie, senior vice president of enterprise application services. But database administrators are still actively involved, and project manager and project analyst roles have increased. It's a big change, she says: "The management oversight is larger, but overall the IT roles are smaller."

The Boeing Co.'s internal private cloud is also bringing changes. "Traditional roles that do a lot of designing and standing up of servers and creating customer solutions are going to go away," says Federico Genoese-Zerbi, former vice president of information technology infrastructure. Instead of building and administering servers, "IT will focus on continuing to upgrade the design patterns of the infrastructure, predicting volumes, and optimizing the way that the multitenant environment gets consumed." In the future, he says, "servers will be self-provisioned and IT will spend more time examining what that service looks like."

"The IT skill of the future is capacity management," says Amit Singh, a partner at Avasant, an outsourcing advisory and consulting firm based in Manhattan Beach, Calif. He sees an increase in the need for contract and license management, billing and invoice management and contract compliance monitoring. "A lot of training will be required. So think it through and retrain your people," he says.

-- Robert L. Mitchell

"I get calls from sales organizations that are buying directly from outside of the IT procurement process," he says. One client he spoke with had 19 individually negotiated contracts, none of which went through IT. That business was losing its volume purchasing power, and contracts weren't getting the scrutiny they deserved, DeSisto says.

Both McKenzie and Wander say it's also critical to understand the fully loaded costs of hosting applications on-site and to include that in the technology acquisition model when comparing costs to SaaS alternatives. "We always do a five-year total-cost-of-ownership evaluation that includes all costs, such as power, data center resources and staffing," says McKenzie.

But Tom Check, CIO at Visiting Nurse Service of New York, says organizations shouldn't draw any conclusions based on IT costs alone. The $1.5 billion provider of home healthcare services has about a half-dozen SaaS deployments, including HR and CRM.

There's also one application that its nearly 4,000 clinicians in the field use to order medical supplies. In that case, Check says, "the software subscription was higher than what we incurred in the past, but the overall cost of the business process has gone down and the value to the business has increased."

At Guardian, upgrade-and-refresh cycles have traditionally consumed 12% of the shared services budget. The move to SaaS, and an intense focus on expense optimization, has transformed Guardian's IT budget. "What makes SaaS valuable is the continuous upgrading without the burden on our organization," says Scott.

Today, 40% of the budget goes toward running and maintaining existing operations, down from about 60% a few years ago, leaving more money to invest in solving other business problems, says Wander.

Scaling Up the Contract

The contract sets the tone for the relationship with a cloud services provider, says Wander. If you want to be successful, he says, "focus on the contract."

Unfortunately, "cloud computing often is not amenable to in-depth negotiations," says Russell Weiss, a partner at Morrison & Foerster, a law firm that specializes in negotiating service agreements. "Click-wrap agreements" -- the ones users typically opt for when signing up for SaaS offerings online -- are the norm for small and medium-size businesses. "They're full of 'outs.' When you read the fine print, it can be very alarming," he says.

Fox's McKenzie says it's critical to think about contract terms and conditions early in the process by making clear what terms the organization can live with and which ones are nonstarters. "I have a requirements template, request for information and request for proposal templates, and a contract template with all of our criteria," she says. Included are canned paragraphs covering important areas such as information security. "If they can take that, we don't need to involve information security again," McKenzie says.

1 2 Page 1
Page 1 of 2
IT Salary Survey 2021: The results are in