Top Ten Mistakes Companies Make When Adopting SaaS

While billions of dollars will be spent on SaaS and cloud applications by the end of 2009, executives continue to question data security inside the cloud.  A recent article in CIO Magazine notes a growing majority of execs are worried about cloud security.  These executives recognize that each SaaS application, like Salesforce.com, represents a potential highway of highly sensitive corporate data outside the firewall and outside IT’s security protocol.  While no means exhaustive, here is a list of mistakes we’re seeing companies make when deploying SaaS applications, creating unnecessary risk and cost for their organizations:

1. Creating the ‘three-headed admin’ – granting multiple people administrator-level roles inside a single SaaS application, or having multiple admins share the same credentials.  Aside from the obvious security issues, resulting SaaS app management data typically ends up reflecting multiple perspectives of users and permissions.
2. Hoping that everyone ‘locks the door’ – relying on manual workflows, phone calls and emails to de-provision SaaS users’ access in an accurate and timely fashion across SaaS apps.   If there’s not an automated way to guarantee deprovisioning across all apps, then it’s unlikely that it’s happening.
3. Applying a short term ‘band-aid’ for management – using trouble ticketing and help desk systems to coordinate administration between central IT and departmental SaaS admins.  This is typically a short term fix that just kicks critical provisioning and identity management issues down the road, and does it in a way that creates more pain later.
4. Attempting the IT ‘end-run’ – not engaging IT on management and support until SaaS app(s) become “mission critical” within the organization.  As SaaS and cloud are now becoming more mainstream technologies, IT is regaining their seat at the table to help extend existing policies and controls – ignore this dynamic at your own peril.
5. Delegating policy enforcement – relying on individual SaaS administrators to enforce corporate policies for roles and permissions.  Most organizations have access control policies and controls exist for on-premise apps and data, but few think about how to extend them to SaaS and cloud applications prior to deployment, particularly in environments with distributed administration.
6. Believing in a management ‘silver bullet’ – assuming that existing on-premise directories (such as Microsoft Active Directory) or identity management tools (including SSO) extend to support all SaaS-related identity challenges.  They don’t.
7. Creating ‘two sets of rules’ – treating SaaS governance differently than on-premise applications with regard to user identity and compliance.  Governance frameworks and best practices should consistently apply to applications no matter how they’re delivered.
8. Failing to create a ‘rearview mirror’ for audit and compliance – failure to identify and approach for capturing an audit trail of access, usage, user change and permissions history.  Though delivered by a 3^rd party, companies are still responsible for implementing and enforcing access control policies, and for demonstrating it at audit time.
9. Forgetting about compliance reporting – wasting 20-30 executive hours each quarter to manually compile reports for internal or external compliance audits.  Forgetting to consider compliance reporting needs up front when evaluating SaaS vendors and overall SaaS/cloud strategy can be painful.
10. When in doubt, spending more – buying unnecessary subscription seats because of a lack of visibility to actual subscriptions and current usage.

We’d be interested in hearing what others are seeing and hearing in these areas as well…

The Three Key SaaS Management Challenges

We find very few people today that would dispute the notion that SaaS and cloud applications have become mainstream technologies in SMB and the midmarket.  The challenges for the SaaS industry are also changing as a result.   With the battle over the viability of the on-demand model largely won,  the questions are now turning to the operational and IT management  implications of a SaaS-centric environment.

Our customers and prospects here at Conformity are forward-thinking organizations that are aggressively leveraging the cloud delivery model for multiple, if not a majority of their business applications.  Given our strong  belief in the SaaS and cloud model, we believe that they are a good indicator of trends we’ll shortly be seeing more broadly in the market.    All of these organizations are struggling with what their management processes and approaches look like in a purely ‘on-demand’ model.   Among these multi-SaaS organizations we’re consistently seeing three general problem domains:

1. User provisioning and administration – as they’re optimized for different problem sets, all major SaaS applications have fundamentally different ways of thinking about users, roles, profiles and permissions.  Organizations have tended to have separate business administrators for say Salesforce.com, NetSuite and SuccessFactors.  Each of these admins as a result has had to develop a separate model of their organization, deparments and role structures, with the result being that various siloed identity stores have been created across the organization.  These stores are are all independent from each other and from on-premise directory services (Microsoft AD) and identity management solutions.  Normalizing these identity stores in support of centralized, streamlined administration and reporting is a common theme we’re hearing, and what what our solution here at Conformity is addressing.
2. Single sign-on (SSO) / authentication – another common challenge we’re hearing is the desire to provide end-users the ability to access multiple SaaS applications (and often on-prem apps as well) using a single set of credentials, both for end-user convenience and security purposes.  This is the problem set being  addressed by vendors such as Ping Identity, Tricipher and Symplified.
3. Data integration – the final theme we’re hearing is around cross-application data integration, and the desire to integrate multiple ‘best of breed’ applications across a common business processes or workflow.  This issue set consists of integration of cloud apps to both cloud and on-premise applications.   This is the domain being addressed by vendors such as Cast Iron Systems, Pervasive and Boomi.

While the data integation challenge is fairly distinct from the first two challenges, significant market confusion exists around provisioning and SSO, and whether a solution in one addresses both areas.  The short answer is no – the very simple analogy we use is that SSO tells you if you should let the visitor knocking on the front door into the house – provisioning and permissions management provides guardrails around what they can and cannot do once they’re in the front door.  Both are needed, but complementary capabilities – more to come on this….

Recap: The Enterprise SaaS Working Group

It’s been an exciting few days here at Conformity after our recent GA announcement and the kickoff of the Enterprise SaaS Working Group yesterday.  We had a very lively, engaging debate on the key issues the group believes need to be addressed for SaaS and cloud applications to become ‘mainstream’ technologies in the enterprises.  The group featured a diverse set of executive perspectives from cloud vendors, thought leaders and practitioners, and included:

• Peter Coffee, Director of Platform Research, Salesforce.com
• Tom Fisher, VP of Cloud Computing, SuccessFactors
• Ryan Nichols, VP Cloudsourcing and Cloud Strategies, Appirio
• Steve Coplan, Senior Analyst, Enterprise Security Practice, The 451 Group
• Doug Harr, CIO, Ingres Corporation
• Scott Carruth, VP Information Systems, Initiate Systems
• Michael Amend, Director of Enterprise Architecture, Dell Inc.

A quick highlight of some of the discussion yesterday:

• PaaS/SaaS – which model ‘wins’ in the enterprise? While opinions differed, a common sentiment shared by the panel was that there’s not going to be ‘right answer’ for all organizations.  Depending on the industry vertical, business process or IT management model PaaS or SaaS could be the ‘right answer’, and in many situations organizations could have PaaS and SaaS offerings sitting side by side.   
• Private clouds – part of the answer or indicative of SaaS market immaturity? As with the PaaS/SaaS discussion a common theme was ‘it depends’.  The core advantage to SaaS and cloud delivery models is the ability to share resources – what part of the stack organizations decide they’d like to share will likely be driven primarily by security concerns and issues.  A likely scenario, as with PaaS/SaaS, is that different models will likely be adopted by different types of organizations depending on security and operational requirements.
• Enterprise SaaS adoption – when does it overtake on-premise? Two different perspectives were discussed around when SaaS will overtake on-premise apps in the enterprise.   A common belief of the group was that SaaS is winning in a majority of new deals in the enterprise today, with the perspective shared that 50-75% of enterprises would ‘flip the switch’ on cloud in some manner by approximately 2012.  Peter Coffee of Salesforce also shared his belief that total installed base for SaaS would outnumber on-premise apps by 2020, though there would also likely be 1-2% of the market that would be ‘holdouts’.
• Any applications that SaaS/cloud won’t be able to penetrate? If architected and deployed correctly, there are no perceived areas in which SaaS and cloud application models could not be leveraged with Peter Coffee of Salesforce , Tom Fisher of SuccessFactors and Ryan Nichols of Appirio all providing compelling examples of large scale, transaction intensive customer deployments.

The full recording of the webinar is available and can be access by clicking here.  Also, Ryan Nichols at Appirio had a great post on their perspective on our discussion topics here.

Please drop us an email as eswg@conformity-inc.com to be added to our mailing list, and to be notified of future Enterprise SaaS Working Group news and events.

Mark your calendar – Enterprise SaaS Working Group webinar

We’re excited to announce that on September 30th at 11:00am PDT / 2:00pm EDT we’ll be holding the first event in our Best Practices webinar series, featuring a roundtable discussion with the Enterprise SaaS Working Group. Comprised of recognized thought leaders and visionaries in SaaS and cloud computing, the group will discuss the challenges and issues that need to be overcome for SaaS and cloud applications to become truly ‘enterprise-ready’. Participants in the session will include:

• Michael Amend – Director of Enterprise Architecture at Dell Computer
• Scott Carruth – VP, Information Systems at Initiate Systems
• Peter Coffee – Director of Platform Research at Salesforce.com
• Steve Coplan – Senior Analyst, Enterprise Security Practice at The 451 Group
• Tom Fisher – VP of Cloud Computing at SuccessFactors
• Doug Harr – CIO at Ingres Corporation
• Ryan Nichols – VP of Marketing and Product Management at Appirio

The discussion will focus on critical issues and corresponding best practices in the areas of management, governance, security and compliance, and will include a Q&A session open to all attendees. Click here for more information and to register for this exciting event!

The Enterprise SaaS Working Group – Coming Soon…

As frequently discussed in this blog, here at Conformity we believe that there are a fundamental set of issues that the SaaS industry as a whole needs to address for SaaS and cloud applications to become truly ‘enterprise-ready’.  These issues range from management access and APIs to SLAs and performance monitoring.  To provide a forum to further surface, discuss and propose solutions to these issues, in September we will be introducing the first Enterprise SaaS Working Group.  The group will discuss challenges that need to be overcome to accelerate adoption of on-demand solutions in the enterprise, and will include a broad range of perspectives from thought leaders and practitioners alike.  Participants will include:

• Enterprise CIOs and IT executives
• SaaS vendor executives
• SaaS consultants and service providers
• Industry analysts

We will be formally introducing the group at an exciting event we’re going to be hosting in late September.  Please stay tuned for more details…

Success in the Enterprise – Making SaaS Manageable

As we heard once again last week at Catalyst from end-users, partners and vendors alike, many large enterprises are now finally taking a serious look at how to effectively leverage SaaS and cloud applications in their environments.   As we’ve observed in this blog before, enterprise CIOs are also finding that there are no easy answers to how to address the fundamentally disruptive impact that SaaS and cloud-based applications have on current IT management approaches.

The issue comes down to this: if a third party controls the software, data and access, and the CIO no longer has the capabilities to directly monitor and manage software operations, how can the CIO fulfill his or her responsibility for governance and compliance?  It’s a question that SaaS vendors must address if they expect to effectively compete and succeed in the enterprise marketplace

Our new white paper titled Success in the Enterprise: Making SaaS Manageable examines the CIOs need to manage SaaS applications as part of the larger responsibility for systems management in the enterprise.  It also looks at steps SaaS vendors can being to take to meet this need, and outlines best practices in the following areas:

• APIs
• Activity access
• Performance monitoring
• Back office visibility
• Standards

The enterprise continues to present an enormous opportunity for SaaS vendors, but to capture this opportunity vendors need to take the next steps to ensure their services provide the management visibility needed to be truly enterprise-ready, and that they address the unique identity and systems management challenges created by the SaaS model.

This is the first in a series of best practice white papers that Conformity will be publishing for SaaS vendor executives to help the industry meet the needs of enterprise CIOs and their teams.  Please visit our website to download a copy of Success in the Enterprise and to subscribe for future white papers, and to learn more about how we can help SaaS vendors address IT enterprise challenges.

Closing the gap between IT and SaaS

One of the big challenges the SaaS industry continues to face (which we talked about at our presentation at SaaS University last week in Chicago) is the gap that exists between the APIs/management access that SaaS applications provide today and the expectations of CIOs and IT teams, particularly in the enterprise.  The end-customer CIOs we’re working with are typically surprised at how difficult it is to integrate most SaaS applications into their existing management processes and solutions –  a CIO we recently spoke with just assumed that all major SaaS applications supported direct integrations into Active Directory and LDAP.  On the flip side, most SaaS vendors are being faced with IT requirements and expectations they haven’t yet considered, let alone support in their services (though there are exceptions) particularly in identity-related areas such as user authentication and access control.

Why is this important?

IT is regaining its seat at the table when it comes to SaaS.  In mid-size enterprises, as SaaS adoption has accelerated cross-functionally organizations are beginning to look to IT to centralize management and governance of SaaS applications and users to minimize compliance risks and administrative costs.   In a recent survey we found that IT was involved in management and administration of SaaS applications in 72% of multi-SaaS organizations.   In larger enterprises that are now taking a serious look at SaaS, IT is involved from the start to determine how the applications will be integrated into broader business processes and other on-premise applications, as well as management processes and solutions.  We’re starting to hear from both types of organizations, as well as the SaaS vendors that serve them, that application ‘manageability’ is becoming a consideration in sales cycles – in fact we’re aware of several situations where an incumbent SaaS provider was displaced by an offering with improved API and management access.

Why the disconnect between SaaS vendors and IT?  Based on our experiences and interactions with both sides of the issue, the gap that exists between SaaS applications and IT is driven by two factors:

• SMB legacy – the majority of leading SaaS vendors (including Salesforce.com) grew from an initial focus on SMB customers.   Applications were architected and optimized to solve a specific functional business problem for this initial class/size of customer, with (understandably) limited focus on how the application would have to integrate into multi-SaaS or enterprise environments.
• IT as ‘the enemy’ – the ease of deployment and flexibility of SaaS eliminated the need for business users to involve their IT organizations in the selection, configuration and management of SaaS applications.   As IT historically has neither been a decision-maker or influencer in the sales process, most SaaS vendors haven’t been exposed to IT organizations, particularly in the enterprise.  In fact, IT was and is often times (and often unfairly) characterized as the enemy of SaaS adoption, needlessly entangling business users in red tape and bureaucracy.  IT teams have also been part of the problem, often taking little interest in administering or managing SaaS applications.  In either case, most SaaS vendors have had relatively limited interactions with enterprise IT organizations, particularly when compared to on-premise ISVs.

We fundamentally believe that for SaaS adoption to continue to accelerate in both midmarket and large enterprises that the gap between IT requirements and SaaS application capabilities will need to be closed.  SaaS vendors need to improve APIs, management access and visibility in areas such as user and identity management, activity logging and monitoring, service management and back-office/financial management.  More on this to come….

Enterprise-Class SaaS Provisioning

As those of us at Conformity engage enterprise IT teams, we continue to explore the gap between existing provisioning options and SaaS deployments.  Enterprise customers are caught between the promise of cloud and SaaS solutions and the impact of this adoption on their already stretched teams and processes.   In the Conformity white paper, Enterprise-Class SaaS Provisioning, we describe the management challenges organizations face in adopting SaaS applications, and explain why IT groups struggle to utilize existing options for federating on-demand environments.

So, what information can we take away from the enterprise SaaS customers?  As pointed out in our other discussion threads, SaaS is not easily tamed by existing solutions.  We find that the cloud deployment model exposes the following shortcomings of existing alternatives:

• Disconnected Environments: The most obvious challenge is the separation of multiple SaaS applications and the management solutions.  This disconnect fragments the core IT capabilities, creating unique cloud-based silos of user identity, business policy, and administrative rights.
• Unexpected Deployment Complexity: IT teams can easily underestimate the impact of adopting SaaS as a solution platform.  Detailed SaaS configurations, coordination between applications, and evolving licensing models can exceed IT expectations, especially when the deployments were independently cultivated in the lines of business.
• Lack of Deployed Standards: Customers are discovering the industry standards for management and provisioning are not aligned with the aggressive SaaS expansion.  Many advertised standards such as SAML or XACML are focused on alternative use cases and designed for either an on-premise or cloud model, limiting their real adoption by SaaS ISVs.

These challenges have curtailed enterprise efforts to utilize current deployed technologies, and in turn have impacted SaaS rollouts.  IT teams continue to evaluate complementary but incomplete options including enterprise software vendors, cloud-based identity solutions, and unique SaaS ISVs themselves.  This discovery process has provided the benefit of allowing the enterprise teams to better understand the market challenges and applicability of existing solutions.

Working with these IT teams, we have defined a common set of issues for provisioning and management and select criteria for a new approach to federating on-demand environments.  Any solution must provision users to a fully functional state across the user life cycle, a distinct challenge with many SaaS and cloud implementations.   This provisioning must align with existing IT and business processes, leverage line of business expertise, and meet the organizations compliance, security, and data visibility needs.  And deployments must be flexible enough to align with and possibly impact developing standards such as SPML or federation options like Microsoft Geneva while supplying value prior to standards adoption.  In short, these attributes define a new breed of management platform that is designed for the SaaS and cloud-based environments.

For more information, read the Conformity white paper that outlines our findings.  And please feel free to reply and continue the discussion.

SaaS, the Cloud and the ‘Big Bang’

Here at Conformity we recently wrapped up some interesting market research on the topic of adoption of SaaS and cloud-based services and the management challenges it is creating for organizations and their IT departments in particular.  Conducted in conjunction with a leading analyst firm,  we spoke with IT and business executives at nearly 50 midsize and large enterprises that were adopters of multiple SaaS applications, and who were planning on extending their adoption of the model.  We’ve summarized our findings in a new whitepaper titled SaaS, the Cloud and the Big Bang.

The results?

In organizations we spoke with, business users drove the initial wave of SaaS adoption and largely took on the associated management and support responsibilities.   In a pattern similar to what happened with distributed computing 15-20 years earlier, as SaaS adoption hit ‘critical mass’ in these organizations (particularly those with compliance exposure),  IT has been brought in to extend existing management processes, controls and tools to SaaS and cloud-based resources.

The problem?  SaaS and cloud-based services are fundamentally exploding the traditional IT management model, due to:

• Decentralization of management – in ‘traditional’ management environments,  IT has near complete responsibility and accountability for governance and management of technology resources.  The focus on autonomous IT governance and managmeent has increased due to increasing regulatory compliance requirements (SOX, GLBA, HIPAA, PCI etc) and the resulting increase in adoption of best practice policy and control frameworks (ITIL, COBIT, ISO 17799/27001, 27002).   In the SaaS world, business users have taken on management and support responsibilities traditionally owned by IT.  For example activities such as user provisioning and permissions management, role and profile management, application customization and configuration, and vendor management are now decentralized and distributed in many organizations.

• Loss of control – in addition to the applications themselves, metadata on users, role and profile models, authorization and credential stores, usage activity and application performance all move outside the corporate firewall.  IT loses visibility and control over this critical management data that is now fragmented across heterogeneous SaaS service providers, in addition to the applications and users themselves.

• Broken integrations – many IT processes around application and user management are highly automated, supported by integration with on-premise directory services, identity management and systems management solutions.  These integrations largely ‘break’ in an on-demand world, and organizations are rapidly finding that creating a new management ‘blade’ for a given SaaS app in legacy management application is not a realistic, cost effective answer.  Additionally, SaaS applications must be integrated into existing business processes through configuration and management by line-of-business users, with little or no ability to automate integration into cross-application business processes.

While it is still early, clear perspectives are starting to emerge around what the characteristics of a new generation of management solutions that address the unique challenges of on-demand environments will need to include.  Organizations are finding that SaaS and cloud-based service models are driving a convergence in identity and systems management issues, which will require the reinvention of solutions that address these issues.   Areas such as  user access management, policy monitoring and enforcement, data integration and management and business process integration all need a fundamental ‘rethink’ in a cloud-based world.

If you’re interested in receiving a copy of the whitepaper, please contact us.

Is SaaS Adoption Getting Ahead of Itself?

Reviewing customer SaaS adoptions keeps sending us back to John Martin’s post on SaaS as the next disruptive “Big Thing” for IT.  Though referencing SaaS in terms of the CIO Corner’s disruption cycle may raise some eyebrows, I think we all agree SaaS is disruptive.  SaaS presents IT and LOB executives with a true strategic differentiator, challenges IT’s comfort level for areas such as control and compliance, and disrupts the entrenched legacy vendors and solutions.  Ironically, actually calling SaaS a disruptive technology may be exactly what is required to help ensure it really goes mainstream.

Disruptive technologies referenced in Gary Beach’s blog drove the market to revisit established processes and controls, sometimes reluctantly.  SaaS is no different – discussions positioning SaaS as ‘just a delivery model’ or a simple extension for legacy IT solutions ignore the business and IT challenges.  SaaS shifts key business processes, user information, permissions, and policy to an off-premise model that is configurable – but not fully customizable.  Add in the fact that multiple best-of-breed SaaS applications may enable a full business process like CRM, we find the overall market must adapt or risk artificially limiting the SaaS opportunity.

To keep SaaS adoption from getting ahead of itself, we must turn the collective focus to driving market adoption and removing barriers to enterprise deployment.   As with any emerging industry, the solutions that enable SaaS to move beyond early adopters lag the initial SaaS deployments.  In response to this lag, SaaS customers are barraged with existing vendors quickly repurposing older technologies to capture $$$ and industry experts clamoring for ‘SaaS 2.0’.  Neither market reaction meets the real adoption needs of SaaS customers – especially in larger organizations.

It is not clear how may “IT events” failed in Gary Beach’s disruptive model, but the successful ones must have been embraced by a proactive community and industry.  Customers are demanding solutions that allow IT to move beyond old approaches, limited point solutions, and empty promises.  These solutions will have to focus on coordinated provisioning, alignment of business policy, risk and regulatory compliance, and cross-application visibility, to name a few.  If we want SaaS to be the next “Big Thing”, it is time to step up and focus on the real market needs, providing IT with robust solutions needed to drive adoption.  Let’s raise the visibility of this conversation to match the ongoing debates around next generation standards and modification of legacy approaches for SaaS.