Enterprise-Class SaaS Provisioning

June 3, 2009 by Brian Kerns

As those of us at Conformity engage enterprise IT teams, we continue to explore the gap between existing provisioning options and SaaS deployments.  Enterprise customers are caught between the promise of cloud and SaaS solutions and the impact of this adoption on their already stretched teams and processes.   In the Conformity white paper, Enterprise-Class SaaS Provisioning, we describe the management challenges organizations face in adopting SaaS applications, and explain why IT groups struggle to utilize existing options for federating on-demand environments.

So, what information can we take away from the enterprise SaaS customers?  As pointed out in our other discussion threads, SaaS is not easily tamed by existing solutions.  We find that the cloud deployment model exposes the following shortcomings of existing alternatives:

  • Disconnected Environments: The most obvious challenge is the separation of multiple SaaS applications and the management solutions.  This disconnect fragments the core IT capabilities, creating unique cloud-based silos of user identity, business policy, and administrative rights.
  • Unexpected Deployment Complexity: IT teams can easily underestimate the impact of adopting SaaS as a solution platform.  Detailed SaaS configurations, coordination between applications, and evolving licensing models can exceed IT expectations, especially when the deployments were independently cultivated in the lines of business.
  • Lack of Deployed Standards: Customers are discovering the industry standards for management and provisioning are not aligned with the aggressive SaaS expansion.  Many advertised standards such as SAML or XACML are focused on alternative use cases and designed for either an on-premise or cloud model, limiting their real adoption by SaaS ISVs.

These challenges have curtailed enterprise efforts to utilize current deployed technologies, and in turn have impacted SaaS rollouts.  IT teams continue to evaluate complementary but incomplete options including enterprise software vendors, cloud-based identity solutions, and unique SaaS ISVs themselves.  This discovery process has provided the benefit of allowing the enterprise teams to better understand the market challenges and applicability of existing solutions.

Working with these IT teams, we have defined a common set of issues for provisioning and management and select criteria for a new approach to federating on-demand environments.  Any solution must provision users to a fully functional state across the user life cycle, a distinct challenge with many SaaS and cloud implementations.   This provisioning must align with existing IT and business processes, leverage line of business expertise, and meet the organization's compliance, security, and data visibility needs.  And deployments must be flexible enough to align with and possibly impact developing standards such as SPML or federation options like Microsoft Geneva while supplying value prior to standards adoption.  In short, these attributes define a new breed of management platform that is designed for the SaaS and cloud-based environments.

For more information, read the Conformity white paper that outlines our findings.  And please feel free to reply and continue the discussion.

The SaaS industry, APIs and standards

May 28, 2009 by Scott Bils

A session titled “Herding Cats: Managing SaaS Sprawl” provoked some very interesting debate and discussion at Interop last week, as covered in this Network World article.  Several important themes emerged which we wanted to highlight and expand upon:

  • Current state of APIs – the state of SaaS vendor APIs is clearly not where it needs to be – here at Conformity we see a broad range of SaaS vendor API maturity, with some vendors offering robust web services APIs to most of their data objects, and others offering literally no access whatsoever.  Unfortunately our experience is that most vendors tend to fall closer to the second camp, particularly when it comes to providing visibility required for effective management and control of user access and usage of SaaS applications.
  • CIO expectations - as mentioned in the session, we also are seeing CIOs becoming more and more aware and involved in SaaS procurement, deployment and ongoing management and support processes. Experience managing on-premise applications has set expectations (rightly or wrongly) for CIOs and their teams, who many times are unpleasantly surprised at the lack of accessibility SaaS vendors provide to data critical to effective management and control, such as event logs.  The current lack of vendor APIs also frustrates IT teams, who are used to integrating on-premise applications into IT management processes and tools such as identity management tools and directory services.  These expectations for management and visibility of SaaS applications, users and activity are unlikely to change, and SaaS vendors will have to meet these expectations, versus attempting to modify them.
  • Standards and adoption – we also agree with Narinder Singh of Appirio, who’s concerned about the potential impact that standards and compliance efforts could have on SaaS innovation and vendor API development.  Successful standards typically emerge after, not before a particular problem is solved by the industry, which could partially explain the relatively lackluster ISV adoption of SAML, SPML, XACML and other standards around authentication, access control and provisioning.  The challenge is for the industry to develop models and approaches for APIs and interoperability to solve the underlying problem first.  While the standards mentioned above may end up being the right answer (or part of it), the first order problem is for the industry to make sure it has a model for satisfying end-customer requirements around APIs and interoperability.

The key to addressing the challenge the SaaS industry is facing around APIs is for vendors to get started now, by exposing what they can around their objects and data models.  The SaaS vendors that we believe have made the most progress and who demonstrate the most maturity around APIs and interoperability decided to get started by opening up access to data and objects, not by first determining what API standard(s) to support.  Channel partners, customers and even other SaaS vendors can help solve the industry problem around what needs to be exposed via APIs and how.  Starting with standards first is a bit like putting the cart in front of the horse…

SaaS, the Cloud and the ‘Big Bang’

May 11, 2009 by Scott Bils

Here at Conformity we recently wrapped up some interesting market research on the topic of adoption of SaaS and cloud-based services and the management challenges it is creating for organizations and their IT departments in particular.  Conducted in conjunction with a leading analyst firm,  we spoke with IT and business executives at nearly 50 midsize and large enterprises that were adopters of multiple SaaS applications, and who were planning on extending their adoption of the model.  We’ve summarized our findings in a new whitepaper titled SaaS, the Cloud and the Big Bang.

The results?

In organizations we spoke with, business users drove the initial wave of SaaS adoption and largely took on the associated management and support responsibilities.   In a pattern similar to what happened with distributed computing 15-20 years earlier, as SaaS adoption hit ‘critical mass’ in these organizations (particularly those with compliance exposure),  IT has been brought in to extend existing management processes, controls and tools to SaaS and cloud-based resources.

The problem?  SaaS and cloud-based services are fundamentally exploding the traditional IT management model, due to:

  • Decentralization of management – in ‘traditional’ management environments,  IT has near complete responsibility and accountability for governance and management of technology resources.  The focus on autonomous IT governance and management has increased due to increasing regulatory compliance requirements (SOX, GLBA, HIPAA, PCI etc) and the resulting increase in adoption of best practice policy and control frameworks (ITIL, COBIT, ISO 17799/27001, 27002).   In the SaaS world, business users have taken on management and support responsibilities traditionally owned by IT.  For example, activities such as user provisioning and permissions management, role and profile management, application customization and configuration, and vendor management are now decentralized and distributed in many organizations.
  • Loss of control – in addition to the applications themselves, metadata on users, role and profile models, authorization and credential stores, usage activity and application performance all move outside the corporate firewall.  IT loses visibility and control over this critical management data that is now fragmented across heterogeneous SaaS service providers, in addition to the applications and users themselves.
  • Broken integrations – many IT processes around application and user management are highly automated, supported by integration with on-premise directory services, identity management and systems management solutions.  These integrations largely ‘break’ in an on-demand world, and organizations are rapidly finding that creating a new management ‘blade’ for a given SaaS app in a legacy management application is not a realistic, cost effective answer.  Additionally, SaaS applications must be integrated into existing business processes through configuration and management by line-of-business users, with little or no ability to automate integration into cross-application business processes.

While it is still early, clear perspectives are starting to emerge around what the characteristics of a new generation of management solutions that address the unique challenges of on-demand environments will need to include.  Organizations are finding that SaaS and cloud-based service models are driving a convergence in identity and systems management issues, which will require the reinvention of solutions that address these issues.   Areas such as  user access management, policy monitoring and enforcement, data integration and management and business process integration all need a fundamental ‘rethink’ in a cloud-based world.

If you’re interested in receiving a copy of the whitepaper, please contact us.

Is SaaS Adoption Getting Ahead of Itself?

May 7, 2009 by Brian Kerns

Reviewing customer SaaS adoptions keeps sending us back to John Martin’s post on SaaS as the next disruptive “Big Thing” for IT.  Though referencing SaaS in terms of the CIO Corner’s disruption cycle may raise some eyebrows, I think we all agree SaaS is disruptive.  SaaS presents IT and LOB executives with a true strategic differentiator, challenges IT’s comfort level for areas such as control and compliance, and disrupts the entrenched legacy vendors and solutions.  Ironically, actually calling SaaS a disruptive technology may be exactly what is required to help ensure it really goes mainstream.

Disruptive technologies referenced in Gary Beach’s blog drove the market to revisit established processes and controls, sometimes reluctantly.  SaaS is no different – discussions positioning SaaS as ‘just a delivery model’ or a simple extension for legacy IT solutions ignore the business and IT challenges.  SaaS shifts key business processes, user information, permissions, and policy to an off-premise model that is configurable – but not fully customizable.  Add in the fact that multiple best-of-breed SaaS applications may enable a full business process like CRM, and we find the overall market must adapt or risk artificially limiting the SaaS opportunity.

To keep SaaS adoption from getting ahead of itself, we must turn the collective focus to driving market adoption and removing barriers to enterprise deployment.   As with any emerging industry, the solutions that enable SaaS to move beyond early adopters lag the initial SaaS deployments.  In response to this lag, SaaS customers are barraged with existing vendors quickly repurposing older technologies to capture $$$ and industry experts clamoring for ‘SaaS 2.0’.  Neither market reaction meets the real adoption needs of SaaS customers – especially in larger organizations.

It is not clear how many “IT events” failed in Gary Beach’s disruptive model, but the successful ones must have been embraced by a proactive community and industry.  Customers are demanding solutions that allow IT to move beyond old approaches, limited point solutions, and empty promises.  These solutions will have to focus on coordinated provisioning, alignment of business policy, risk and regulatory compliance, and cross-application visibility, to name a few.  If we want SaaS to be the next “Big Thing”, it is time to step up and focus on the real market needs, providing IT with robust solutions needed to drive adoption.  Let’s raise the visibility of this conversation to match the ongoing debates around next generation standards and modification of legacy approaches for SaaS.

Some additional thoughts on SaaS user provisioning…

May 1, 2009 by Scott Bils

As the term ‘provisioning’ tends to have different meanings depending on who you talk to, we wanted to follow-up on our post last week on SAML / SPML-based ‘just-in-time’ user provisioning to provide some quick additional thoughts…

Effective user provisioning requires much more than just ensuring users have an active account and access to a given service or SaaS application.  User authorizations and permissions within the service also need to be consistent with role-based access control (RBAC), least privilege and segregation-of-duties (SOD) concepts.  This requires that organizations ensure that permissions and authorizations are consistent across services, not just within each individual SaaS silo.   What makes provisioning challenging is that each SaaS service provider has their own unique role, profile and authorization model optimized around the particular problem set they address.   Virtually all SaaS user attribute and permission models are unique to the individual vendor, with some services providing the ability to configure over 50 different user attributes.  In our mind, proper user provisioning ensures that user accounts and all associated authorizations are consistent with corporate policy, which is a much deeper, more challenging problem than it first appears…
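
The cross-service consistency check described above can be sketched as follows. This is an added example, not Conformity's code: the application names, vendor roles, entitlement names, policy and sample accounts are all constructed for illustration.

```python
"""Cross-application provisioning audit over constructed, hypothetical data."""
from collections import defaultdict

# Each vendor has its own role model, so vendor roles are first translated
# into canonical entitlements. All names below are invented for this example.
VENDOR_ROLE_MAP = {
    ("crm_app", "Sales Rep"): {"customer.read", "customer.edit"},
    ("crm_app", "Sales Manager"): {"customer.read", "customer.edit", "discount.approve"},
    ("billing_app", "Invoice Clerk"): {"invoice.create"},
    ("billing_app", "Controller"): {"invoice.create", "invoice.approve"},
    ("expense_app", "Approver"): {"payment.release"},
}

# Corporate policy: entitlements each job role may hold (least privilege).
JOB_ROLE_POLICY = {
    "account_exec": {"customer.read", "customer.edit", "invoice.create"},
    "finance_lead": {"invoice.approve", "payment.release"},
}

# SoD: pairs no one person may hold, whichever applications grant them.
SOD_CONFLICTS = [
    frozenset({"invoice.create", "payment.release"}),
    frozenset({"discount.approve", "invoice.create"}),
]

# Constructed sample: user -> job role, and (user, app, vendor role) accounts.
JOB_ROLES = {"alice": "account_exec", "bob": "finance_lead", "carol": "account_exec"}
ACCOUNTS = [
    ("alice", "crm_app", "Sales Rep"), ("alice", "billing_app", "Invoice Clerk"),
    ("bob", "billing_app", "Controller"), ("bob", "expense_app", "Approver"),
    ("carol", "crm_app", "Sales Manager"), ("carol", "billing_app", "Invoice Clerk"),
    ("carol", "expense_app", "Power User"),
]

def audit(job_roles, accounts):
    """Return {user: {"excess", "sod", "unmapped"}} for users with findings."""
    granted = defaultdict(lambda: defaultdict(set))  # user -> entitlement -> apps
    unmapped = defaultdict(list)
    for user, app, vendor_role in accounts:
        ents = VENDOR_ROLE_MAP.get((app, vendor_role))
        if ents is None:
            # A role with no mapping cannot be evaluated, so it is reported.
            unmapped[user].append((app, vendor_role))
            continue
        for ent in ents:
            granted[user][ent].add(app)
    findings = {}
    for user in set(granted) | set(unmapped):
        held = set(granted[user])
        allowed = JOB_ROLE_POLICY.get(job_roles.get(user), set())
        excess = held - allowed
        sod = []
        for pair in SOD_CONFLICTS:
            if pair <= held:
                a, b = sorted(pair)
                sod.append((a, b, sorted(granted[user][a] | granted[user][b])))
        if excess or sod or unmapped[user]:
            findings[user] = {"excess": excess, "sod": sod, "unmapped": unmapped[user]}
    return findings

if __name__ == "__main__":
    for user, result in sorted(audit(JOB_ROLES, ACCOUNTS).items()):
        print(user, result)
```

In the sample data each account looks reasonable inside its own application; the segregation-of-duties findings only appear once entitlements from different vendors are combined per user.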

SaaS and Federated Provisioning

April 16, 2009 by Scott Bils

Some quick thoughts on the idea of just-in-time (JIT) provisioning of users based on combined use of SAML and SPML between an organization and the SaaS vendor / service provider (or federated provisioning), which has been recently discussed in a variety of forums including Network World and the Burton Group.

From a practical point of view SAML/SPML enabled JIT provisioning (or federated provisioning) is still in the category of ’science project’ – theoretically possible, but currently an unrealistic approach in actual live customer environments.  Based on our discussions in the industry SaaS vendor support for SAML has been modest at best, SPML even less so, and without vendor implementation the approach doesn’t even get to square one.  While we’re fully supportive here at Conformity of SAML/SPML and the need for a more standards-based approach to user authentication and authorization across SaaS applications, we also recognize that customers need to address the SaaS provisioning problem today, which means working with the proprietary APIs and connectors that do exist.

Even in a theoretical world of fully SPML-enabled SaaS providers (if and when that day arrives), the fundamental challenge of attribute mapping will remain (as noted by Mark Diodati at the Burton Group).   Each application will continue to have its own individual set of user attributes that will have to be mapped back to the internal schema of the requesting provisioning service, certainly a non-trivial exercise.

There are also a variety of  business considerations the JIT model needs to account for that at worst could ‘break’, and at very minimum create significant impediments to actually implementing the model.  The vagaries of vendor licensing models, customer provisioning workflow and processes and role and permission change management are just a few of these considerations that need to be taken into account.

Stay tuned as we’ll soon have much more to say about SaaS, provisioning and user management…

The Open Cloud Manifesto – there’s work to be done…

April 3, 2009 by Scott Bils

Without commenting on the motives of the players involved in The Open Cloud Manifesto published this week, we do have to agree with one of its core tenets – that to drive further adoption and acceptance, SaaS and cloud providers must work together to improve overall governance and management of offerings.  At a fundamental level SaaS and cloud-based applications ‘break’ the models and approaches organizations have implemented for managing users, identity and applications in a primarily on-premise world (particularly in large enterprises).   SaaS and cloud based applications nearly all have their own unique, individual approaches for managing users, profiles and permissions, and do not easily integrate into existing management solutions and directory services.  To date the only standards that emerged in the broad area of ‘management’ address access and authentication issues (SAML, OpenID etc), and none of these have even gained significant traction with SaaS ISVs yet.   When looking at the new broad, cross-vendor governance and management issues created in a multi-SaaS environment, access and authentication is only the tip of the iceberg, which is why we also believe there’s significant work to be done here…

The Data has Left the Building…

February 23, 2009 by Scott Bils

In light of the mass layoffs unfortunately occurring these days, somewhat terrifying results were recently released from a study conducted by the Ponemon Institute and sponsored by Symantec on data theft by former employees.  Major high (or low) lights of the study of approximately 900 employees who lost their jobs in 2008 include:

  • 59% of respondents kept corporate data after leaving their job
  • Approximately one quarter of respondents said they had the ability to access data after they had left the company
  • 32% of survey participants said that they had successfully accessed corporate systems using their credentials after leaving their job

While the survey didn’t distinguish between data residing in SaaS vs on-premise applications, we have to believe that the relatively immature access controls and distributed approach most organizations take towards SaaS user management would lead to even worse numbers for on-demand applications and related data…

SaaS and the Great Recession – the early results

February 13, 2009 by Scott Bils

Conventional wisdom has held that the current ‘Great Recession’ would help to actually accelerate SaaS adoption, due to the fact that SaaS offers a ‘right-sized, zero-CAPEX alternative to on-premise applications’ as IDC describes it.  Many believe it could be the tipping point that finally drives SaaS into the mainstream – this in fact could become a reality if SaaS draws significant new customers to the model, and customer sat rates maintain their current lofty levels.  Now that we have a full quarter of  market and economic meltdown under our belt so to speak after the September 15th collapse of Lehman, we thought we’d take a look at some of the data to see how the thesis is holding up.  First are the announcements from the major publicly traded SaaS vendors that have reported calendar Q4 2008 results to date:

  • RightNow announced 25% growth in Q4 revenue year-over-year, with the highest total bookings in any quarter in the last two years.
  • Concur reported 19% Q4 revenue growth over 2007, with new customer additions up more than 50% year-over-year.
  • SuccessFactors achieved profitability for the first time in the quarter, growing revenue 77% over 2007 and growing their user base to 4.5 million unique, paying customers.
  • NetSuite reported a Q408 revenue that was a 31% increase over 2007.  International revenue actually grew 51% year over year.

This all in an environment where NetSuite notes business spending on equipment and software fell nearly 28%.  While granted these results reflect the impact of sales cycles that likely began much earlier than Q4, the fact that this much business actually closed (instead of getting cancelled or deferred) is notable.

The post-crash news from the analyst world is reinforcing what we’re seeing from the vendors and hearing anecdotally as well.  IDC has boosted their 2009 growth projection for the SaaS market to 40% from 36% previously, and is now actually estimating that by the end of 2009, 76% of US organizations will have deployed at least one SaaS app.

The caveats? 

Salesforce.com has yet to weigh in with their Q4 2008 results (currently scheduled to be announced February 25th), which obviously is the most watched bellwether in the SaaS industry.  Also, all the vendors above cautioned about their outlook going forward, with several providing downward guidance to prior 2009 earnings forecasts.  And finally the unpleasant reality that the Great Recession may have only just begun…

Come see us at Interop NY

August 26, 2008 by Scott Bils

If you’re going to be at the upcoming Interop New York Conference on September 15-19th, please swing by the Thursday SaaS track panel discussion on ‘SaaS Chaos: Managing the Islands‘. Moderated by Jeffrey Kaplan of THINKstrategies, the session will look at the challenges of running multiple SaaS portals across an organization – from reporting and management to single-sign-on and administration.  In addition to Scott Bils of Conformity, Ed Sullivan, President and CEO of Aria Systems and Rick Nucci, Co-Founder and CTO of Boomi will also be participating in the discussion.  Look forward to seeing you there!