Software as a Service (SaaS)
Summary: The third article in our series about Software as a Service (SaaS) addresses SaaS from the perspective of the enterprise consumer. (17 printed pages)
Benefits of Consuming SaaS
The SaaS Continua
Considerations for Embracing SaaS
The Service-Centric IT
How SaaS Affects IT
Becoming a SaaS Provider
Further Discussion and Feedback
Software as a Service (SaaS) has the potential to transform the way information-technology (IT) departments relate to and even think about their role as providers of computing services to the rest of the enterprise. The emergence of SaaS as an effective software-delivery mechanism creates an opportunity for IT departments to change their focus from deploying and supporting applications to managing the services that those applications provide. A successful service-centric IT, in turn, directly produces more value for the business by providing services that draw from both internal and external sources and align closely with business goals.
This is the third article in our series about SaaS. The first two articles, which can be found by clicking here, focused on the details of developing SaaS applications and providing them to customers. This time, we'd like to turn the question around and look at SaaS from the perspective of the enterprise consumer: How can IT departments benefit from adding SaaS applications to their portfolio of services? What are the implications of adding externally hosted applications to an enterprise-computing environment? What will one have to do to get ready for SaaS? This article will address all these points and examine a few special cases in which it might make sense for your department to become a SaaS provider, as well as a consumer.
Simply put, SaaS can be defined as "software deployed as a hosted service and accessed over the Internet."
SaaS as a concept is often associated with the application service providers (ASPs) of the 1990s, which provided "shrink-wrap" applications to business users over the Internet. These early attempts at Internet-delivered software had more in common with traditional on-premise applications than with modern SaaS applications in some ways, such as licensing and architecture. Because these applications were originally built as single-tenant applications, their ability to share data and processes with other applications was limited, and they tended to offer few economic benefits over their locally installed counterparts.
Today, SaaS applications are expected to take advantage of the benefits of centralization through a single-instance, multi-tenant architecture, and to provide a feature-rich experience competitive with comparable on-premise applications. A typical SaaS application is offered either directly by the vendor or by an intermediary party called an aggregator, which bundles SaaS offerings from different vendors and offers them as part of a unified application platform.
In contrast to the one-time licensing model commonly used for on-premise software, SaaS application access is frequently sold using a subscription model, with customers paying an ongoing fee to use the application. Fee structures vary from application to application; some providers charge a flat rate for unlimited access to some or all of the application's features, while others charge varying rates that are based on usage.
On the technical side, the SaaS provider hosts the application and data centrally—deploying patches and upgrades to the application transparently, and delivering access to end users over the Internet through a browser or smart-client application. Many vendors provide application programming interfaces (API) that expose the applications data and functionality to developers for use in creating composite applications. A variety of security mechanisms can be used to keep sensitive data safe in transmission and storage. Applications providers might provide tools that allow customers to modify the data schema, workflow, and other aspects of the application's operation for their use.
Of course, just because you can add SaaS to your IT infrastructure is not by itself a reason to do it; there has to be a viable business reason, too. SaaS offers substantial opportunities for organizations of all sizes to shift the risks of software acquisition, and to move IT from a reactive cost center to being a proactive, value-producing part of the enterprise.
Traditionally, deploying large-scale business-critical software systems, such as ERP and CRM application suites, has been a major undertaking. Deploying these systems across a large enterprise can cost hundreds of thousands of dollars in upfront licensing cost, and usually requires an army of IT personnel and consultants to customize and integrate it with the organization's other systems and data. The time, staff, and budget requirements of a deployment of this magnitude represent a significant risk for an organization of any size, and often puts such software out of the reach of smaller organizations that would otherwise be able to derive from it a great deal of utility.
The on-demand delivery model changes some of this. SaaS applications don't require the deployment of a large infrastructure at the client's location, which eliminates or drastically reduces the upfront commitment of resources. With no significant initial investment to amortize, an enterprise that deploys a SaaS application that turns out to produce disappointing results can walk away and pursue a different direction, without having to abandon an expensive on-premise infrastructure.
Additionally, if custom integration is not required, SaaS applications can be planned and executed with minimal effort and roll-out activities, creating one of the shortest time-to-value intervals possible for a major IT investment. This has also made it possible for a number of SaaS vendors to offer risk-free (and often literally free) "test drives" of their software for a limited period, such as 30 days. Giving prospective customers a chance to try the software before they buy it helps eliminate much of the risk surrounding software purchase.
For more information about the business benefits of SaaS, see Architecture Strategies for Catching the Long Tail in the MDSN Library.
With SaaS, the job of deploying an application and keeping it running from day to day—testing and installing patches, managing upgrades, monitoring performance, ensuring high availability, and so forth—is handled by the provider. By transferring the responsibility for these "overhead" activities to a third party, the IT department can focus more on high-value activities that align with and support the business goals of the enterprise. Instead of being primarily reactive and operations-focused, the chief information officer (CIO) and IT staff can more effectively function as technology strategists to the rest of the company, working with business units to understand their business needs and advise them on how best to use technology to accomplish their objectives. Far from being made obsolete by SaaS, the IT department has an opportunity to contribute to the success of the enterprise more directly than ever before.
In the "pure" form of SaaS, a provider hosts an application centrally and delivers access to multiple customers over the Internet in exchange for a fee. In practice, however, the defining characteristics between an on-premise application and a SaaS application are not binary, but are graduated along three different dimensions: how software is licensed, where it is located, and how it is managed. Each of these traits can be visualized as a continuum, with traditional on-premise software on one end and pure SaaS at the other. In between are additional options that combine aspects of both.
Figure 1. SaaS applications are distinguished by their conceptual locations on three different continua.
For any given application or function, you can determine your SaaS readiness by plotting your organization's needs and expectations on each continuum, using Figure 2 as a guide.
Figure 2. Each continuum can be subdivided into three segments, representing traditional, SaaS, and hybrid approaches. (Click on the picture for a larger image)
If you mark all three boxes in the rightmost column, you're ready to explore making the move to SaaS. Marking all three boxes in the leftmost column means you should probably stick with a traditional on-premise solution for this application. Any other combination suggests that a hybrid approach might be appropriate; explore the marketplace to see if you can identify any solutions that are right for you.
Finding the right place on each continuum involves taking a number of considerations into account, each of which ultimately boils down to a tension between control and cost. Some of these considerations include the following:
Another factor to consider is the type and amount of data that will be transmitted to and from the application on a regular basis. Internet bandwidth pales in comparison to the gigabit Ethernet links commonly found in enterprise LANs, and data transmissions that take a few minutes to transfer between servers in your server room might take hours to transmit to and from a SaaS application located across the country. Because of this, it might make sense to consider a solution that takes network latency into consideration. An appliance-based solution, for example, might cache or batch.
Additionally, you might decide to delay implementing a SaaS replacement for an expensive or recently implemented application until it produces a satisfactory return on investment (ROI).
Sometimes, technical and financial considerations also can have legal ramifications, such as whether candidate SaaS providers will be able to meet your internal standards for data security and privacy in order to avoid legal exposure. Consider any legal obligations you have toward customers or other parties, and whether SaaS will allow you to continue to meet them.
We've discussed the benefits of SaaS in fairly specific business and technical terms. Ultimately, however, the biggest impact might be the fact that SaaS provides the right incentives for guiding IT towards a service-centric model.
If we examine the evolutionary role that IT has played in an enterprise over the last few decades, we will observe that technology has evolved from its past duty of performing mundane recordkeeping and calculation tasks to today's business-differentiating functions of streamlining workflows and communications.
Figure 3. Maturity model of the service-centric IT (Click on the picture for a larger image)
Figure 3 shows a maturity model that depicts the mannerism in which businesses procure and benefit from technology capabilities.
In the early stage, when a business initially considers incorporating technology, it is common for the business to associate the solution to its needs with a specific application that provides a narrow function. For example, if a user needs to interact with a partner on the design of a hardware component, they might be satisfied with a simple e-mail application as the primary collaboration and communication tool.
As an enterprise realizes that specific business needs are best met through perhaps a class of related applications, and not just one application, it evolves to adopt a more service-centric view for its application portfolio. Going back to the partner-interaction example, the enterprise might realize that the collaboration effort can be enhanced through a Web portal that incorporates document sharing with versioning support, threaded discussions, real-time whiteboarding, and slide-presentation support. As a result, the enterprise might decide to purchase and deploy a portal solution to expand the collaboration IT service capability that currently only has e-mail features.
With more and more platform and line-of-business applications getting delivered through the SaaS delivery model, enterprises are presented not only with greater number of vendor options, but also increased choices for where and how the applications are being delivered. As mentioned earlier, SaaS influences an enterprise's allocation of resources through a variety of licensing, operation, and management models. The smart enterprise will be able to trade direct control (over service-implementation details) for the additional flexibility, to optimize the strategy and execution of its core mission. However, the extent to which an enterprise can exploit SaaS is directly related to its ability to transfer and mitigate risks, and getting a good handle on service-level agreement is a key part of the risk-management game. Therefore, expanding the boundary of an IT's service portfolio beyond its firewall signifies another level of business and technical sophistication from the service-centric IT.
Beyond risk mitigation, an enterprise that has embraced SaaS as part of its service-centric IT must learn to maximize the business gains from using features and data exposed through the portfolio of on-premise and in-the-cloud services. Ensuring that business data processed by the disparate systems is clean, consistent, and secure is usually the foundational step in building the business-enabling IT. Integration technology helps deliver this cornerstone through data transformation and process orchestration. This is analogous to the mise en place routine that is frequently practiced in established restaurants: Recipe ingredients, such as garlic, herbs, and so on, are properly diced, minced, and ground in preparation for the final cooking "repertoire" performed by the top chefs. By the same token, an efficient integration architecture helps consolidate and organize the information assets in the enterprise for upstream user consumption through composite applications. Composite applications provide the computing fabric for which business functions and information can be effectively composed (or mashed-up) for the end users. When interacting with a composite application, the end user is unaware (and has no need to be aware) of the true source of information, but is instead focused on synthesizing and analyzing business information with minimal technology-related context switches.
The last two sections of this article provide more details on how integration and composition architecture play crucial roles for assimilating SaaS into the enterprise-computing strategy. Before we do so, however, the next section will look into the impact of SaaS on IT governance and roles in the service-centric enterprise.
After you've made the decision to pursue SaaS, the next step is to prepare for the transition by assessing how the deployment will affect your existing IT assets, and by taking steps to ensure that the transition can be handled smoothly.
Performing due diligence is a routine part of any successful IT infrastructure deployment project, so the basics should already be familiar to you. Some factors, however, deserve special consideration. Some areas to address in your due-diligence checklist include:
As mentioned earlier, adding SaaS to the enterprise IT mix can cause a fundamental shift in the IT department's role as a provider of information services. Business units are sometimes caricatured as being afraid of change, but IT departments are not immune to organizational politics, either, and institutional resistance to SaaS can come from IT itself, as easily as from elsewhere in the company. In the past, the nature of software deployment has put chief information officers (CIOs) and their staffs into the role of gatekeepers who could exercise a veto over any proposed software deployment by simply declaring that they would not host it in the data center. With SaaS as an option, control of the data center does not necessarily equal control over the entire enterprise-computing environment, and this can cause the gatekeepers to fear a loss of control: A "rogue" vice president could just subscribe to a SaaS application for their department, bypassing IT entirely.
Of course, a CIO who relies upon control of the data center to control the greater computing environment has governance problems, anyway. Successful CIOs engage with business units, educate them about the impact of certain purchases on their future agility, and work with them to determine whether their needs would be best met by on-premise software or SaaS. By performing this consulting role, as discussed above, the IT department can add value directly to the business by matching up business units optimally with technology.
Statement on Auditing Standards No. 70 (SAS 70) is an international auditing standard that enables businesses that provide services to other organizations to provide an independent, trustworthy account of their internal control practices. An SAS 70 audit is performed by an independent auditor and results in an SAS 70 report, which the service provider supplies to its customers and clients for use when they themselves are audited. SAS 70 is not a law, but auditing and disclosure standards in various jurisdictions around the world (such as Sarbanes-Oxley in the United States) make up-to-date SAS 70 reports a de facto requirement for any business that provides services to other businesses, and any SaaS provider should consider having one readily available for examination.
SAS 70 is not a stamp of approval, in that it does not dictate a minimum set of standards that an organization must meet. An SAS 70 report only documents the internal control practices of an organization, without offering any judgment as to whether they are satisfactory. Due diligence therefore requires that you not only request an SAS 70 report from a prospective SaaS provider, but that you examine it thoroughly to determine whether the provider is able to comply with your own internal standards for privacy, data security, and so on. For example, if a local privacy law requires that your customers' personal financial data be stored in an encrypted form at all times, a provider's SAS 70 report will reveal whether the provider's own data-storage practices will enable you to remain in compliance with the law.
For more information about SAS 70, visit the Web site of the American Institute of Certified Public Accountants.
Subscribing to a SaaS application means housing business data outside the controlled local network, within the Internet "cloud." The integration architecture specifies how you bring this outside data into your logical infrastructure, so that infrastructure components can interoperate with one another (whether they are hosted internally or externally) and each component has access to data it needs, regardless of where the data originates.
In most cases, implementing a SaaS application involves transferring data from one or more existing applications or data repositories into the new system. Common scenarios might include:
In many cases, however, integrating a SaaS application into your environment will mean creating data dependencies that require data to be synchronized and moved between the SaaS application and one or more in-house applications, to facilitate processing. An integration broker is used to manage data movement and system integration.
Many enterprises already are using some kind of integration broker for exposing application functions, orchestrating business processes, and integrating with internal backend systems. In many cases, the same integration broker can be customized and configured to perform integration and routing functions for a variety of internal and external data sources, including SaaS applications.
Figure 4. An integration broker brings together internal and external data sources into a unified whole. (Click on the picture for a larger image)
Data can originate from different sources, using different protocols and a variety of mutually incompatible formats. The job of the integration broker is to take data from a variety of sources, determine how and where the data needs to be processed and routed, and send each piece of data to its destination in a form that the target system can use. The broker takes the form of a pipeline architecture to which you can add and remove modules that perform specific integration operations. Multiple logical pipelines can be used to process data traveling in different directions. In a typical case, for example, one pipeline would integrate data from sources on the Internet with local data sources, and another pipeline would take local data and integrate it with SaaS data on the Internet.
Data enters and exits the pipeline through data channels that define the protocols used to communicate with data sources. For example, one channel might be established to transmit data from a particular Web service to the broker using SOAP; another might transmit the data from the broker to a SaaS application using FTP. (See "Data-Transfer Patterns," later in the article, for more information about data transfer.)
The modules plugged into the pipeline determine how the data is processed, routed, and integrated with data at the destination. A metadata service provides the configurable rules that each module uses to do its job. Common integration operations include the following:
A data-availability service provides the means by which the integration broker can detect when new data is available. See the next section, "Data-Availability Patterns," for more information about the methods that can be used to determine data availability.
Synchronizing data involves transferring new and changed data from the source to the target (the data sink), either at regular intervals or when precipitated by an event. Three basic patterns are used to trigger data synchronization between a local source and a SaaS application:
Different approaches are appropriate for different data, and you may decide upon a combination of approaches for a single application. The correct approach to use for detecting data changes can depend on a number of different factors, including whether data changes must be reflected at or near real time, and how many data sinks must be integrated with the data update. In some cases, you might have to seek a compromise that balances opposing interests. For example, a push approach is usually best for data that must always be kept up to date; but pushing data out to a large number of interested sources can be computationally and network intensive, and might degrade application performance. Whichever approach you choose, you must develop rules to govern implementation details, such as polling frequency, syndication format, and so forth.
Data can be transferred between two endpoints using synchronous or asynchronous communication techniques. A synchronous transfer is akin to an interface: When one party requires information, it connects to the other party and requests it, expecting to receive the result immediately. This connection can take place in a variety of ways. Synchronous transfers can be simple file transfers, or they can take place through FTP, HTTP, or some other method.
In an asynchronous transfer, the information can be transmitted by the sender and processed by the receiver at different times. Asynchronous transfers are typically message-based: One party sends a message to the other party requesting information, without expecting an immediate response. When the second party has processed the request, it sends a response back to the first party in another message. Messages can be sent by e-mail protocols such as SMTP, for example, or by message-queuing technologies.
Data transformation means taking data from one source, and altering its format and/or content so that it can be used by the data sink. Exchanging data with a SaaS application can involve some degree of data transformation. For example, one of your existing on-premise systems might exchange data using the EDIFACT standard, while the SaaS application you are integrating uses an incompatible XML-based format to send and receive data. Data emanating from an on-premise system must be transformed before it is sent to the SaaS application, and vice versa.
Transforming data is a multi-step process. Firstly, the incoming data should be validated against the appropriate data formats and schemas, to ensure that it will be usable after transformation. Optionally, the data can be enhanced by combining it with data from another source. Finally, the data itself is converted to the target format.
From the user's perspective, as we noted earlier, whether the application is physically hosted inside or outside the enterprise firewall should not be an issue: Applications in multiple locations should be made accessible in a convenient and consistent way. One very significant component of this consistent user experience is single sign-on: Users enter their user name and password when signing on to the Microsoft Windows operating system at the beginning of the day, and thereafter can access applications and network resources without having to present their credentials separately to each one. In addition to convenience, single sign-on means that users have fewer sets of credentials to keep track of, and reduces the security risk of lost or misplaced passwords.
From the IT management and governance perspective, single sign-on means that support staff will not have to manage independent sets of credentials. It also facilitates identity integration in other ways, such as enabling the reuse of existing application-access policies to control access to SaaS applications. For example, a policy might indicate that a certain manager has the power to approve any purchase under a certain price, and you'd like a SaaS application also to recognize that permission. Integrating your directory service with a SaaS application means you won't have to replicate policy information manually when setting up your account.
SaaS applications can provide single sign-on authentication through the use of a federation server within the customer's network that interfaces with the customer's own enterprise user-directory service. This federation server has a trust relationship with a corresponding federation server located within the SaaS provider's network.
When an end user attempts to access the application, the enterprise federation server authenticates the user locally and negotiates with the SaaS federation server to provide the user with a signed security token, which the SaaS provider's authentication system accepts and uses to grant the user access.
Figure 5. A federation server provides enterprise customers with single sign-on authentication to a SaaS application. (Click on the picture for a larger image)
Implementing a federation server that uses well-known standards for remote authentication, such as WS-Federation or Security Assertion Markup Language (SAML), will help ease the process of implementing single sign-on with a wide range of SaaS providers.
Microsoft provides a number of resources for working with directory federation. For more information, see Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0 and Overview of Active Directory Federation Services (ADFS) in Windows Server 2003 R2.
Composite application is where business functions and information can be integrated effectively for the end users. The business benefits of a well-designed composite application are many and include reduced redundant data entry, better human collaboration, heightened awareness of outstanding tasks and their statuses, and improved visibility of interrelated business information. Generalizing the principles of composite applications at a more theoretical level, we observe that presenting information as a unified whole, instead of as isolated streams of data, carries benefits for users. It enables them to better see relationships between data from different sources, and apply their own "domain intelligence"—their own preexisting knowledge of how the business and its processes work—to better make informed decisions. It also enables the creation of better "process intelligence," which gives users an improved view of their own tasks and responsibilities.
Consider a doctor in a hospital. During the course of the day, the doctor might have to work with a wide variety of information related to patient care: X-rays, patient histories, prescription and pharmaceutical information, insurance-coverage restrictions, bulletins from the government health ministry or disease-control center, and so on. Normally, each of these kinds of information can be tracked by a separate application, which creates inefficiency for the doctor. The hospital, its staff, and its patients might all be better served if each of these functions was integrated into a single application that integrates business intelligence (like the kinds of information listed above) with process intelligence (like the operating-room schedule and the status of the doctor's active-patient queue), as well as collaboration tools that facilitate consultations with colleagues.
In a service-centric IT department, applications and other resources become ingredients that can be combined together in just such a fashion, to create task-focused composite applications that bring "business intelligence" and "process intelligence" together in a single package. Creating a composite application is not easy: It involves bringing together different applications, protocols, and technologies that weren't necessarily designed to communicate with one another, and integrating them into a seamless whole. The composition architecture is intended to make this possible.
Figure 6. Composition architecture is designed to draw from a number of different sources of different types and in different locations.
At the lowest architectural level of the composition architecture are the sources that provide stored or processed data as "raw materials." Sources can include internal applications, internal databases, SaaS applications, Web services, flat files, and numerous other sources. Many SaaS applications provide APIs that expose various properties and methods that you can use directly.
The composition layer is where the raw data is aggregated and provided to the user in a new, unified form. Its function is to transform data into business information and process intelligence, and vice versa.
The composition layer is itself composed of a number of components that manage access, data, workflow, and rules. Applications, databases, Web services, and other resources "plug-in" to this layer through service agents, which take care of the details of negotiating connections and exchanging messages with each service. The identity-management component ensures that users are properly authenticated and authorized, and can also manage credentials for communicating with Web services, which often require credentials that are different from the one the user supplies to access the local network.
The data-aggregation component of the composition layer takes the information from data sources and transforms it in ways defined by the application entity model. For instance, a catalog entity might need different pieces of product and inventory information from different systems. This information is then presented as a unified, correlated set of data to the end user. The workflow component organizes the information with conditions and flows to guide human interaction and collaboration; and the eventing mechanism enables notifications to be sent and received when specified conditions are met, so that the end user can react appropriately.
The user-centric layer presents the composite data to the user in a central, integrated, task-focused user interface that provides both information for decision-making and functionality for taking action. This is perhaps the fullest expression of the potential of the service-centric IT: combining the best aspects of any number of applications and data sources into a single application that is focused on the needs of the user, instead of on the capabilities and limitations of any one system.
There are many more business, architecture, and technology details that can be written about composite applications. The upcoming Architecture Journal Issue #10 will cover this topic in greater depth.
We've discussed how businesses can benefit from becoming SaaS consumers. In some cases, businesses can benefit from becoming specialized SaaS providers, too.
Becoming a SaaS provider can benefit a business that has dependent entities—such as franchisees or resellers—with which it has a strong business relationship, but poor IT process automation and information transfer. For example, consider a fast-food chain that operates through the franchise model. Some or all of its restaurants are owned by independent franchisees who contract with the franchiser for branding, recipes, and perhaps stock and facility rental. The franchisees have neither the personnel nor the budget to deploy and maintain satellite IT infrastructures at their location, so most or all of their communication with the franchiser tends to be done the old-fashioned way: through the postal system, by phone, during periodic meetings at a district office, or using some other non-technical method. A better IT relationship between the central business and its franchisees could raise the quality of services by improving information transfer and enabling certain processes to be automated.
This is where SaaS comes in. By becoming a SaaS provider, the central business can host specialized applications for its franchisees, for business functions such as inventory control, accounting, promotions, loyalty programs, and so on—applications that franchisees around the world can access using only an ordinary personal computer and broadband connection. This arrangement benefits all the parties in the relationship. In the example given, the franchisees benefit from applications that would otherwise not have been available to them. Similarly, through the usage of these applications by the franchisees, the franchiser receives enhanced feedback and data that contribute to more accurate and valuable business intelligence.
An enterprise might also consider becoming a SaaS provider if it has developed a valuable IT asset that could be monetized by providing it to other businesses. For example, a bank that has developed a sophisticated fraud-detection system for internal use might develop a commercial version and offer it for subscription as a SaaS application. The same principles that make it feasible for an enterprise to consume services from the Internet cloud can make it possible to offer services to the cloud, too.
Enterprises would do well to consider the flexibility and risk-management implications of adding SaaS to their portfolios of IT services. Integration and composition are critical components in your architecture strategies to incorporate SaaS successfully as a fully participating member of your service-centric IT infrastructure.
Finally, we believe that the future of enterprise computing is not going to be purely on-premise or in-the-cloud. Instead, like the yin and yang, they will exist in symbiotic harmony.
For his help with technical writing, many thanks to Paul Henry.
For further discussion on this topic and many other SaaS-related topics, visit Fred Chong's blog and Gianpaolo's blog. For feedback about this paper, please e-mail either Fred Chong or Gianpaolo Carraro. Thank you.