Cloud Strategy: Two Overlooked Challenges of SaaS Adoption

Welcome to your cloud strategy boot camp! Cloud computing is hot today, and for good reason. It offers a world where digital experiences wow customers in ways that haven’t been possible before. A successful journey to the cloud begins by linking a company’s vision and business strategy to the benefits offered by cloud computing while at the same time controlling risk. Interestingly, the benefits can actually work against you if you don’t analyze thoughtfully.

In this post, we’ll examine a well-known benefit of cloud computing, along with its potential dark side. You’ll find out how to realize the benefit while effectively controlling the risk.

Automatic SaaS Updates Can Be Seamless

Software as a Service (SaaS) is a great cloud service model—perhaps the best one if your intention is to get maximum value from third-party software for minimal maintenance costs. SaaS is common in servicing employee needs.

For example, HR software offers little differentiation to a firm, but it’s necessary for the firm’s operation. The rule of thumb is to pay commodity prices for commodity value. As a result, a heavyweight on-premises install of an HR solution, with the mandatory maintenance and support procedures for in-house staff, no longer makes sense. Also, if SaaS offerings are available for other business processes, it’s almost always worthwhile to consider buying over building.

The desired benefit of SaaS over on-premises software is the ease of applying updates and getting new functionality. If you have on-premises installed software, getting updates for vendor software ranges from irritating to impossible. First, you’ll tie up all manner of technical staff executing such a project for little value-add. Second, you may decline new functionality altogether or defer it to a critical mass, making upgrades that much harder. Now compare that process with SaaS.

For SaaS by definition, the entire upgrade process—just like ongoing maintenance and support—is out of your hands. As a result, the marketed benefit is you’ll seamlessly receive software updates on an ongoing basis with no downtime and no effort. Sounds great, right?

There are two areas where you’ll need to keep your eyes open to benefit from SaaS: customization and security. Let’s look at them one by one.

Customization

Think about a business as the sum of its processes. Regardless of the industry or size, every business defines and executes processes to meet its goals. These processes involve everything from how hiring decisions are tracked to contact center workflow to setting new policies.

Many companies think that their processes, having been built up over many years, can’t change. On the one hand, why should they? As long as the firm is operating effectively, the conclusion is those processes are the reason. In addition, shouldn’t processes evolve from changes in strategy or business process analysis and not limitations in software? Why should a software vendor dictate processes to a company at all?

The reality, though, is that not all processes are created equal.

Utility Processes and Strategic Processes

For the sake of argument, let’s divide these processes into two groups: utility and strategic.

Utility processes are necessary to operate a firm, but they don’t differentiate the firm in the marketplace. For example, HR as discussed above is one such unit, but Finance, IT, and Marketing also tend to fall into this category.

On the other hand, strategic processes are the core business processes that are a differentiator. On balance, then, it makes the most sense to perform utility functions as cheaply as one can (as a commodity) and maximize resources used strategically.

So what’s the problem? Customization.

Customization vs. SaaS

Many companies struggle to understand that any customization to software increases future costs. Customization means that vendors must keep a version of their software wholly unique to you. Then, when the company advances their base product to a new version, vendors must take great pains to update your version.

These pains result because the customizations they made for you may conflict with extensions to the base product. Or maybe the base product has gained a similar feature, making yours redundant, and that must now be reconciled. For on-premises software, this greatly complicates upgrades because you can’t simply accept the new base version of the product and install it through the vendor’s tested update process. Instead, either you or the vendor has to undertake expensive and complex analysis to determine a unique upgrade process. Invariably, this process is difficult, costly, and error-prone.

Now let’s look at the SaaS world.

In true SaaS, a vendor won’t customize software for you. Instead, they’ll expect you to use the software as is. Their reasoning has two parts.

  1. The cost savings and benefits of SaaS exist because the vendor gets an economy of scale from offering the same service to everyone, which simplifies the vendor’s operations. As a result, it’s simply too expensive for the vendor procedurally to offer you a bespoke version. As shown above, those same difficulties for upgrading a custom version still exist for the SaaS solution, but now they’re entirely on the vendor. And you’ll probably still want your in-house staff to test it after the upgrade, thereby eliminating a lot of value.
  2. Vendors believe they’re experts in this particular space. They’ve studied it and determined that their solution’s processes fit the concept of “best practices.” Why customize what’s already best?

Resolving the Conflict

This conflict resolves much more easily when you see it through the lens of utility vs. strategic processes.

For utility processes, it absolutely makes sense to use SaaS products. You should generally update your processes to mimic those of the software as much as possible. Yes, it’ll be uncomfortable, but what value do you gain from enforcing your own view of IT service management processes instead of theirs? Not much.

For strategic processes, you’ll need to more diligently consider when and how you can use SaaS with your strategy. For example, it might make sense to adopt a SaaS solution and alter your business processes to fit it. In others, you’ll decide to use your scarce resources to build a solution to suit your unique need because the process is such a differentiator for you.

Last, if for some reason you truly do need a customized SaaS solution, set a rule that the vendor must customize through configuration in the vendor’s platform instead of through custom source code. As a result, you’ll factor this into the procurement decision-making and ideally retain the benefits of customization without the cost of a custom version.

Now let’s talk about how the cloud affects security.

Security

Not a week goes by that you don’t read about some data leak in the news. Whether it’s a hack or a find by a security researcher, these leaks expose sensitive customer data to the public. Unfortunately, the problem is getting worse, and there are three big reasons why.

  1. Businesses and other organizations are storing more customer data in digital platforms and moving it among more digital platforms, including SaaS solutions, than ever before.
  2. The increasing use of cloud computing puts more of that data into a public, multi-tenanted system.
  3. Despite long-held fears that the public cloud is insecure, it’s actually misconfiguration by clients that’s exposing it.

Anytime your company decides to buy software, it’s critical to assess the security posture of the software and the firm beforehand. That was true of on-premises installed software and it remains true of cloud security now. For SaaS, though, there’s a few twists on that old favorite you need to consider:

  • Regular penetration testing of the SaaS platform, either by a firm of your choice or the vendors. Either way, you’ll want a copy of the report.
  • Recurring access to audit and access logs for your own analysis
  • Service-level agreements, policies, and procedures around vulnerabilities, breaches, and incidents that align the vendor’s teams and yours
  • Certifications held by the vendor firm, such as SOC 2 or similar
  • Keep the data stored in the SaaS platform to the absolute minimum for the intended business processes. Don’t store more data in it “in case it comes in handy.” Instead, make sure it’s tied to a specific business process and that the risk of each data point is understood.

You may want to check out these seven principles of security design and think about how your security measures up.

Conclusion

SaaS is a great cloud service model to get more software functionality for cost and staff effort. That said, there are gotchas inherent in the model that you must understand and manage properly to get the most from it. Minimizing business process customization and being diligent about security are critical components of your cloud strategy. You’ll need to apply these consistently to get the most from SaaS solutions.

Daniel Longest
Daniel Longest