"It's important to understand that even if you go with a hosted service, you still have to manage the quality of that application," says Irwin Lazar, analyst with Nemertes Research.
In the SaaS model, applications are hosted by providers over the Internet and companies are charged for usage rather than ownership. Lazar says the benefit of this approach is that IT groups do not have to spend limited budgets to buy and operate complex infrastructure.
In the financial sector, more than 60% of the top 150 U.S. banks use at least one service-based cash management or small-business banking application, and more than 90% of community-sized banks (those below $4 billion in assets) use a shared service platform to offer customers Internet or small business banking. Sean O'Dowd, analyst with IDC's Financial Insights research firm, says SaaS enables banks to forego large upfront capital expenditures, such as licensing and servers, and spread out costs over time, increasing revenue predictability.
Lazar agrees. "What's driving this move to SaaS is cost. If I'm an IT manager looking at the next version of a productivity suite, I can either buy a license at $200 a seat and have troubleshooting, infrastructure and management costs, or I could subscribe to a service. It's a no-brainer," he says.
He points out that the SaaS model is most attractive for commodity applications, such as customer relationship management, human resources, payroll and Web conferencing, not core software, such as programs supporting research and development. "There's a lot more sensitivity around the company's crown jewels," he says.
No matter how common the task, companies must be on their toes when dealing with outsourcers, says Danny Allan, director of security research at Web application security vendor Watchfire Corp. in Waltham, Mass. "The biggest risk in SaaS is you don't know how secure the provider is, and internal data is outside the organization," he says.
He counsels IT managers to examine five key areas when deciding on an SaaS provider: privacy and security policies; transparency into the provider's organization; metrics regarding audits and response to security breaches; strong feedback loops; and continuous education for customers.
Organizations should guarantee that authorization and access controls are strong not only between them and the provider, but also among the provider's other customers that share the infrastructure. Allan admits that this can be difficult to gauge, so he recommends asking to see a written policy. "This will tell you whether the organization is mature."
He also encourages IT teams to write into their contracts that they will have access to testing schedules, software development life cycles, and upgrade and patch deployments. "If you don't know when they are running upgrades, there is a serious risk of downtime," he says.
Just as important as transparency is having a backup and exit strategy for data. Tim O'Brien, director of the platform strategy group at Microsoft, says companies need flexibility and insurance built into the SaaS model.