Q&A: How to Choose a SaaS Provider

The benefits and drawbacks of software-as-a-service, plus tips for choosing a SaaS provider.

There's no question that cloud computing and software-as-a-service (SaaS) have grabbed the minds (and budgets) of data center managers. Although we frequently hear about the benefits of these technologies, we wanted to know more about any drawbacks IT should consider, and how best to select a SaaS provider. For answers, we spoke to Dmitry Sotnikov, director of cloud solutions for Quest Software, a firm focused on reducing IT management costs.

Enterprise Strategies: Cloud computing has gained significant attention in recent months. Can you share your thoughts on why this is?

Dmitry Sotnikov: In recent years, consumers have become increasingly comfortable “in the cloud” and I think this has started to affect our business systems as well. Cloud systems are not new by any means; however, they have grown sophisticated enough to be a viable business option.

How does software-as-a-service (SaaS) differ from traditional software models?

There are a few key points that differentiate SaaS solutions from traditional models. The first is the flexible licensing options afforded by the SaaS model, which allows IT departments to select a provider whose licensing model is best matched with the overall business structure. For example, say you work for a smaller company that prefers to invest on a monthly basis rather than making a large capital investment up front. In the SaaS model, you can select a provider that will enable this option by charging a per-month or per-use fee versus purchasing a traditional license.

The second differentiator is that applications can be optimized for distributed operation and scalability in the SaaS model. SaaS applications are generally designed to operate in a distributed data center environment. As a result, they can take advantage of server and bandwidth scaling to provide access to more users, run at a higher performance level, and handle more data. Because there is no need to redesign the software or redeploy installations, you get the same service regardless of how many users you have and you don’t have to provision any new hardware or systems.

Finally, software implementation and upgrades are eliminated in SaaS solutions. Generally speaking, locally installed software is expensive to deploy, update, and upgrade. The deployment process can be time-intensive and difficult, even with software deployment automation. When you work in the SaaS model, all ongoing maintenance and solution upgrades are managed by the provider, which significantly frees up time and unnecessary cost.

What are some security concerns companies may encounter when using a SaaS model?

Using SaaS solutions means that your data is stored elsewhere, processing is done by another party, and connectivity is through the Internet. These factors give rise to a few security concerns that fall into four basic categories -- choosing a reliable provider, ensuring adequate redundancy for data storage and fault tolerance, technical security safeguards, and physical security safeguards. I recommend that anyone considering using SaaS solutions examine the security processes of the providers you’re evaluating to make sure they’re compliant with your internal security standards as well as with the regulations impacting your business.

Are there other downsides or concerns that an enterprise should consider before moving to the clouds?

There are general considerations applicable to any purchase decision: evaluating the service, seeing what kind of integration with other systems is available, and so on. More importantly, the move to a public cloud effectively means a move from buying tools to subscribing to services. Your relationships with the vendor become much more strategic.

To give a simple example, in the tools world, if the vendor you buy from goes out of business or does not support you well, at least you have the local installation and data which you can keep using on your own and from which you can design your way out to an alternative solution. In the services world, if the vendor stops offering the service, you stop getting it. This makes risk evaluation, contingency planning, and vendor selection much more important.

What are some considerations companies should make when choosing a SaaS provider?

Each company will have select criteria for choosing a SaaS provider that are unique to its business model and needs. There are a few common considerations companies should keep in mind, however. These include transparency, accreditation and certification, compliance, financial stability, and trust. The last one may sound clichéd but it rings true. When you discuss deploying services, software or any type of infrastructure with a provider, you have to determine whether you trust the provider to meet your security needs.

I'd like you to elaborate on some of these points, because they are not often discussed. When you mention transparency, what do you mean? Transparency of what, exactly?

A SaaS application does not have to be a black box. If a cloud vendor wants you to trust them, they need to provide information on how they run their service: what is the application architecture, where is the data stored, how is service availability maintained, how is data from different customers segregated and isolated, are there back doors for the provider's own employees (such as technical support engineers)? These days, it is extremely easy to set up a shiny Web site -- developing a stable and secure SaaS application requires a certain level of knowledge and maturity. SaaS providers that are more transparent about how they run and secure their services deserve more trust than those who go the security-by-obscurity route.

What accreditation or certification should an enterprise look for, or does that vary by industry?

Generally speaking, regulations and certifications are lagging, and most of them still need to be updated to take into account the cloud shift. The two certifications that ensure that the data-center operations meet high security standards are SAS 70 Type I and Type II and ISO/IEC 27001:2005. Although these do not guarantee that the actual services you consume from such a data center are not flawed, at least you can be sure that proper physical security and operational procedures are in place and this is not just a server running under someone's desk.

What should an organization expect from a service provider to demonstrate compliance?

All your standard compliance measures apply to the SaaS applications you use the same way they apply to any other system. If you need to ensure proper access management and audit trail across your systems, make sure that the SaaS services you are about to use also provide the mechanisms to get that.

How do you measure or evaluate trust? Is it more than a "warm and fuzzy" feeling you get from meetings you conduct with a potential service provider?

Trust needs to be built based on all the other things we discussed earlier: from the vendor's maturity and financial stability to their openness and the responsiveness of their technical support. Your SaaS vendor is your partner -- not a sales guy you meet at a store whom you'll never meet again.

What are some best practices you can employ to make the best possible selection? For example, should you run a trial on a small application first or jump in on a larger application with a limited number of users?

All the standard application and vendor selection practices apply. Watch the demos, get a test account, and try the service. Most available services have free trial periods and are not intrusive to your environment, making trials easy and low risk. Obviously, you might look for a more controlled lab environment or alternative services if this is not the case. Just as obviously, perform a Web search about the company and the service to learn more. Ask questions on their support forums to see how responsive they are. SaaS and the Internet make choosing the right vendor and service so much easier!