What’s holding users back? Potential security risks and a loss of IT control topped the list of perceived barriers to software-as-a-service (SaaS) adoption. With so much trepidation in the air, Computerworld decided to get the real scoop, so we interviewed six executives who have tackled SaaS projects.
What has been the greatest benefit from your use of SaaS?
Ken Harris, Shaklee Corp.: “The first, far and away, is the ability to get solutions up quickly. You don’t have to build out an infrastructure or expand your IT staff.”
Kevin Raybon, NEC Unified Solutions Inc.: “I call it value control. When I have features and functions that need to be developed, I can roll them out and keep moving. I’m not in the IT department. With IT, there is always a big-bang initiative that lasts about 18 months, and the pace of our business does not lend itself to that.”
Daniel Flax, Cowen and Co.: “The ability to deliver services to a worldwide audience.”
Daniel Wakeman, Educational Testing Service: “The key benefits are speed and the lack of capital investment.”
Kevin Harding, Imagine: “It’s being able to get more information out to more people. Managers can get real-time financial information on their departments.” The predecessor in-house financial system gave only monthly reports, he says.
Is security an issue?
Flax: “Security certainly is a potential problem, and anyone who says no is not being realistic. We vet our potential vendors very carefully, and we get our audit and compliance people involved as well.”
Daniel Chiazza, Harris Interactive Inc.: “Salesforce.com had a big scare with phishing recently. So they basically took a listing of all the IP addresses that access our applications — where our users are, where they log in from — and put that in a whitelist. They were very quick to react.”
Quicker than an internal IT department might have been?
Chiazza: “Yes, it can take forever to turn something around internally.”
Wakeman: It’s a “huge shortcoming” that SaaS vendors do not embrace “federated identity management” standards allowing centralized identification and validation of users via a single sign-on process, he says. “We have to manage the identities of our employees at multiple SaaS providers. We can’t say that this employee has terminated and automatically shut him off from all the systems he has access to.”
Raybon: “There are two ways to handle security. First, have strong contracts that hold people accountable should something happen. Second, we put information about processes in the cloud, but we keep all our proprietary corporate data back in our system of record. I keep track of sales opportunities in [Oracle CRM] On Demand, but once it turns into an order with credit information, that stays inside.”
Is loss of IT control a concern?
Harding: “It’s kind of a double-edged sword. Yeah, it’s not my baby anymore, but I also don’t have to worry about it. The only downside has been when they roll out upgrades. We do have the ability to test, and we do test, but sometimes the upgrade breaks things. So when we see an upgrade coming, we just plan on having some problems for the next week.”
Raybon: “I think I have more control. We can sit down with someone who doesn’t have to write code — business users — and we can rapidly prototype. We can bring things up without the need for technical resources.”
Flax: “You do lose some control. In return, you get some benefits.” The loss of control suggests that commodity applications go to SaaS while those conferring competitive advantage stay in-house, he says.
Wakeman: “You can put whatever you want into a contract, and we do — that we own the data, they have to give it to us, etc. But you know, they could still lose it, or they could be lying about how they back up data. It’s impossible for us, with the number of these things we use, to go and inspect all those places.”
Harris: “You absolutely need to negotiate the service. You need commitments — with economic rewards and penalties — to availability, to transaction-response times for one or two key transaction types, and to the response time to situations where the system is down and there are no work-arounds.”
Do you worry about vendor lock-in?
Chiazza: “There are things you can do. We do weekly downloads of the entire database. A few years ago, I would have felt a little bit locked in, because Salesforce.com was really the only one doing this. But other companies are catching up. Today, we could easily take our data and move it over [to another vendor].”
Wakeman: “That’s definitely a concern. We have that issue with internal applications, but with external, it’s a little more difficult if you are locked into a vendor that gets acquired or goes out of business. With internal, you can keep running it for some time while you figure out an exit strategy. But with external, you may have to make a rapid switch, and the switching costs could be high.”
Raybon: “With an in-house option, you devote a business process to the platform that the vendor supplies. I don’t think it’s more of an issue with SaaS. Also, we take snapshots of CRM On Demand, and we keep a much more robust data model in-house.
“In the unlikely event that Oracle CRM got dropped, it wouldn’t take me long to switch over to a competitor with another Web service.”
Are you able to customize SaaS?
Chiazza: “When we first implemented Salesforce.com more than five years ago, it was not customizable by the user. Slowly but surely, they started giving us the keys