| |
News
| |
September 27, 2010
5 problems with SaaS Security
By Jon Brodkin
As interest in software-as-a-service grows, so too do concerns about SaaS security.
Total cost of ownership used to be the most frequently cited roadblock among potential SaaS customers. But now, as cloud networks become more frequently used for strategic and mission-critical business applications, security tops the list.
"Security is the No. 1 reason preventing firms from moving to SaaS," Forrester analyst Liz Herbert writes in a recent report on software-as-a-service adoption.
Six misconceptions about cloud apps
Cloud computing resources are more highly concentrated than traditional network systems, in large part because of virtualization technology that allows a single server to hold many virtual machines and potentially the data of multiple customers.
If a server that has been hacked holds 15 virtual machines, "now 15 machines are at risk rather than one at a time," says Gartner analyst Neil MacDonald.
There are numerous security risks to look at before adopting software-as-a-service. Here are five problems to consider.
1. Identity management in the cloud is immature
Cloud providers themselves aren't always sophisticated about integrating their platforms with identity services that exist behind the enterprise firewall, says Forrester analyst Chenxi Wang. There are some third-party technologies that let IT extend role-based access controls into the cloud with single sign-on, from Ping Identity and Symplified, Wang says.
But overall, "this is a field that is still in the early stage," she says.
Google has a "Secure Data Connector" that forms an encrypted connection between a customer's data and Google's business applications, while letting the customer control which employees may access Google Apps resources. Salesforce provides a similar tool, Wang says.
But this approach may become unwieldy because customers that use numerous SaaS applications could find themselves dealing with many different security tools, she notes. Third-party products at least offer the advantage of connecting to many different types of SaaS applications.
Identity and access management in the cloud has a long way to go, according to the Cloud Security Alliance, an industry group.
"Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today," according to research from the Cloud Security Alliance. "While an enterprise may be able to leverage several cloud computing services without a good identity and access management strategy, in the long run extending an organization's identity services into the cloud is a necessary prerequisite for strategic use of on-demand computing services."
Unfortunately, the evolution of SaaS has outpaced efforts to build comprehensive industry standards, the Cloud Security Alliance says. Specifically, the group says there is "limited proprietary support for user profiles," and industry standards including Service Provisioning Markup Language (SPML) have not been significantly updated in several years.
2. Cloud standards are weak
"We've completed a SAS 70 audit" is one of the first things you'll hear from any cloud vendor touting its security credentials. SAS 70 is an auditing standard designed to show that service providers have sufficient control over data. The standard wasn’t crafted with cloud computing in mind, but it’s become stand-in benchmark in the absence of cloud-specific standards.
Better than SAS 70 is ISO 27001, an information security specification published by the International Organization for Standardization in Switzerland, analysts say.
While completing a SAS 70 audit is "more of a self-imposed exercise," ISO 27001 is a fairly comprehensive standard that covers a lot of the operational security aspects that customers might be concerned about, Wang says. "That to me is at least a starting point to evaluate how mature a SaaS provider is," she says.
Microsoft's data centers have met ISO 27001, and Amazon plans to comply with the standard as well.
ISO 27001 "is not perfect but it's a step in the right direction," MacDonald says. "It's the best one out there, but that doesn't mean it's sufficient."
There's no guarantee that your data will be safe with an ISO 27001-compliant vendor, however. One survey of IT managers commissioned by CA found numerous companies that claim to be compliant with ISO 27001 yet "admit to bad practices with regard to privileged user management," including sharing of administrator accounts between users and granting broader privileges to users than is necessary.
The case of Google engineer David Barksdale further illustrates the problem that companies may not follow their own guidelines. Google, like other vendors, have strict privacy policies for their employees. But those policies reportedly did not prevent Barksdale from accessing Google Voice call records and Gmail and Google Chat accounts of several Google users, and he was subsequently fired.
3. Secrecy
Cloud vendors argue that they are more able to secure data than a typical customer, and that SaaS security is actually better than most people think. But some customers find this hard to believe because SaaS vendors tend to be rather secretive about their security processes.
In particular, many cloud service providers release very few details about their data centers and operations, claiming it would compromise security. However customers and industry analysts are getting fed up with all the unanswered questions and hush-hush nondisclosure agreements.
Analysts in Gartner's Burton Group recently accused Amazon CTO Werner Vogels of not being transparent enough about Amazon's internal security practices. In general, the analyst firm says customers should assume the worst-case scenario in terms of security when a vendor is being secretive.
"If a vendor is not being transparent, it's not that we distrust them, it's that they haven't given us enough evidence to trust them," MacDonald says.
Microsoft has done a pretty good job publishing details about its cloud security model, MacDonald believes. When vendors are not transparent, customers need to be aggressive in demanding details about how data centers are secured and how vendors segregate data in multi-tenant systems.
"The question is how are they delivering multi-tenancy," MacDonald says. "Give me technical details, all the way up and down the stack, from the application itself down into the application where data is stored. … I want to understand how my stuff is kept separate from [other customers'] stuff."
The ability to analyze the security of SaaS applications is more limited than the ability to analyze the security of in-house systems, but that shouldn't prevent customers from demanding proof of vendor claims.
In a report titled "Analyzing the Risk Demands of Cloud and SaaS Computing," Gartner analyst Jay Heiser advises "Be skeptical of vendor claims, and demand written or in-person evidence."
Service-level agreements (SLA) have sometimes proven deceptive or confusing. But at least in theory, enterprises should be able to receive strong guarantees in SLAs, particularly if they have the time and expertise to negotiate with the vendors beforehand.
"The entire software-as-a-service environment is really driven by SLAs," says CTO Joe Coyle of technology consulting and outsourcing firm Capgemini. "If you really think about it, there's nothing you would do in SaaS that isn't SLA-based."
In some cases, if the vendor is willing, a customer may be able to bring in its own experts and attempt to hack the vendor's network in order to test security, Coyle says.
4. Access everywhere increases convenience, but also risk
One major benefit of software-as-a-service -- that business applications can be accessed wherever there is Internet connectivity -- also poses new risks. Coupled with the proliferation of laptops and smartphones, SaaS makes it even more important for IT shops to secure endpoints.
"Because of the nature of SaaS, it's accessible anywhere," Senior Vice President Rowan Trollope of Symantec Hosted Services notes. "If I decide to put my e-mail on Gmail, an employee could log in from a coffee shop on an unsecured computer. It's one of the benefits of software-as-a-service, but it's also one of the downsides. That endpoint isn't necessarily secure. The data is no longer in your walls in the physical sense and in the virtual sense."
Maintaining control over e-mails and documents is easier when those files are stored on your local servers, rather than in the cloud, Trollope says.
Enterprises that make use of SaaS need to implement policies to control connectivity, MacDonald says. A customer could, for example, work with the SaaS vendor to make sure a service can be accessed only from certain IP addresses, and require remote users to go through a VPN, he says.
Access can also be regulated by using secure Web gateway appliances from Cisco or Blue Coat, which broker the connection between a customer and cloud services. In one simple example, a company could allow employees access to Facebook, but block the chat feature. The approach of blocking access to certain types of functionality can be applied to business-focused cloud services as well, MacDonald notes.
There is also the problem of employees accessing SaaS products without IT knowledge. The keys to preventing this, Wang says, are educating employees and using various network monitoring and Web filtering technologies.
5. You don't always know where your data is
Regulations such as the Federal Information Security Management Act (FISMA) require customers to keep sensitive data within the country. Although keeping data within U.S. borders seems like a relatively simple task on its face, cloud vendors will often not make that guarantee.
In highly virtualized systems, data and virtual machines can move dynamically from one country to another in response to load balancing needs and other factors. Google, for example, would note that if an end user in California goes on a business trip to London, it's better (or at least faster) for that user's data to be served up by a data center in Europe.
Google Apps has received FISMA certification for its government cloud, but that same guarantee is not available to private industry. This isn't just a problem for U.S. customers either.
"If you're in Switzerland, that's just a law, period," Trollope says. "If they can't guarantee that information will be on servers in Switzerland, that's a non-starter."
"The typical SaaS vendors have held the view that it doesn't matter where the servers are," he continues. "We understand your laws, but the Internet doesn't work that way."
Symantec, which has data centers in 14 countries, does offer an in-country guarantee, according to Trollope.
But this is still considered a relatively rare feature. Even if data stays within a country, customers need to be able to verify the data's location in order to meet regulatory requirements. That's why EMC says it is developing technology to track and verify the location of virtual machines in cloud networks. But this technology will not hit the market until early next year, and it requires integration between EMC, VMware and Intel products.
"Right now, there's nothing that provides any verifiability of where a virtual machine lives," says Chad Sakac, vice president of the VMware technology alliance at EMC. "There's nothing stopping you from moving a VM from one place in the world to somewhere else, and more importantly, there's no way to audit that at any sort of scale."
Back to top
|
|
| |
April 14, 2010
Globalization Software Success in 2010
By Jacob Hsus
2010 is a pivotal year for software companies to examine their globalization strategies. The axis of globalization is starting to shift from Western to Asian markets, choice abounds and the very nature of product development is changing. Increasingly companies need to tap into the best expertise and the best cost efficiency globally to compete effectively.
Innovation outsourcing can help companies face market shifts and play a pivotal role in globalization software success.
What Globalization Means to Software Companies Today
There are two important areas software companies need to focus on where we see major shifts. The first is the globalization of markets. In the past three decades of software, it has primarily been a US-dominated software market. As such, most software companies built software products for the US, and then localized them for different international markets. But today, markets around the world have gotten much more sophisticated, and there are a lot more choices for buyers in every category of software technology -- whether enterprise software, web applications, or mobile software. The axis of globalization is also starting to shift from being focused primarily on Western markets to Asian markets especially with the rise of China and Korea as maturing markets for global software technologies. Simply taking a US-centric software product and then localizing it for another market just isn't good enough anymore. Increasingly, the largest technology leaders of the world are establishing multiple R&D sites around the world.
A second area of globalization focus has to do with how software products are produced. It used to be US-centric products would be localized to be sold everywhere else in the world. Now you are seeing the rise of locally designed and produced software tailor-made for target markets. An example of this is how Android has been heavily tailored for the China market by China Mobile and other Chinese partners to the point where they have named it the OPhone. The OPhone runs OMS (Open Mobile System), a China Mobile-branded fork of Google's Android for use on China Mobile's proprietary TD-SCDMA 3G network (incidentally, also a homegrown 3G standard). Dell, HTC, and Lenovo already have new phones based on OPhone, and Samsung, LG, ZTE, and Motorola are all expected to support the platform as well. The definite trend going forward is leaving a lot more room in products to accommodate market-specific innovations and customizations.
Benefits of Globalization
Globalization can enhance both the top line and the cost line of your business. There are very few investments that can add to both growth and save on costs the way globalization can. Globalization can be seen from both a market and an engineering perspective. And starting with one generally leads to another. For example, if a company started off establishing an offshore development team in China, they now have a base of product specialists who have some level of expertise in that company's product and value proposition. It becomes quite natural to layer over that offshore development team a smaller team of market and sales specialists that can develop the market potential for China and the rest of Asia from that initial core offshore development team. At least half of our clients are using this strategy quite successfully - starting with offshore development and then evolving that team into market development. The cost savings center starts to generate new sales for you, and you get the bottom-line benefit first, and the top line growth comes after that. It also works the other way around, but the ROI for getting top line growth takes longer than the quick ROI benefit for setting-up an offshore development team.
Innovation Outsourcing without Borders
The nature of product development is changing, and increasingly companies need to tap into the best expertise and the best cost efficiency globally - which is what we mean when we talk about innovation outsourcing without borders. This can very quickly become a complex process for companies to manage. We have products that are being built for our clients across three development centers in three continents, and that's because the expertise to build the best UI (User Interface), and the best applications, and the best system software and hardware design are located in different areas around the world. We are able to provide our clients with globally sourced expertise and cutting-edge innovation, but with a very simple single point of contact around the world. If our client so chooses, they can always work with a local team that takes all the complexity out of "follow-the-sun" product engineering. Here at Symbio, our clients leverage the scalability, cost efficiency, and engineering firepower of global teams across 22 locations around the world, but with the simplicity of working with a local partner who knows their business and the way their company works.
Innovation outsourcing is about working with a partner who can help you build products that are differentiated and win in the marketplace. Companies that can tap into the best domain expertise and technology specialists in the world to design and make enhancements their products, and then implement those designs and enhancements using the most cost-efficient, scalable, and extensible product development processes across the globe are the ones who will succeed in today's market.
The biggest danger in innovation outsourcing is not putting enough effort into the front-end engagement planning process. There are no silver bullets in outsourcing, and success comes from mutual trust and planning.
The short-term measures are... Have we saved money? Has the quality of deliverables gotten better? Have we shipped faster than before? But more strategically, the measurable impact comes over the longer term (1 to 3 years)... Have we been able to produce innovations that are creating new sales in the marketplace. Are the products that we built together with our outsourcing partner differentiated and winning in the markets we sell in?
The Future of Globalization
The pace of change for a technology company is only going to get faster and faster. Product lifecycles are shrinking, and as such, companies are going to need to be even more agile than before. However, by working with the right partners, these companies will be a lot more agile because they won't be locked into the same economies of scale issues as before. In the old days, if you were a Web company, it would be unthinkable to move over and create a mobile phone. But today, that is exactly what is happening, and companies are able to reconfigure and retune their product portfolios and business models quickly by working with a trusted outsourcing partner. I also believe that five years from now, we will see the rise of "engineering-free" software R&D and design houses, just like the rise of fabless semiconductor design houses. When that happens, you are going to see the next golden age of software innovation when any software idea or design can be quickly built and brought to market with just a fraction of the old R&D investment required.
The most successful companies are going to be the ones who can reinvent themselves continually. Successful companies are only limited by their intellectual and creative bandwidth. And with the right innovation outsourcing partner - the world's best technology expertise, greatest engineering scale and cost economies can be realized for a winning strategy.
Back to top
|
|
| |
November 23, 2009
Is open source virtualization getting any love?
By Nicole Lewis
Virtualization is unarguably one of the biggest trends of the past few years, and open source software has been on the IT radar for a while now. So does that make open source virtualization twice as much of a good thing?
At least some corporate IT departments think so. They're turning to open source software as part of their virtualization mix. Sure, savings are a big factor, but so is the ability to tweak the software to suit specific requirements.
Just ask Stan Yazhemsky, manager of IT operations at Legal Aid Ontario (LAO), which uses Citrix's XenServer, a management tool running on the open source Xen hypervisor.
XenServer's open APIs give him and his team of three Linux engineers better access to and control of advanced functions, especially security, Yazhemsky says.
LAO, a nonprofit corporation that provides legal advice and services to low-income individuals, has 200 locations across Ontario and hosts three data centers. Those data centers house 239 Windows servers and 68 Linux servers. Some 95% of LAO's servers are running XenServer.
LAO has 154 terabytes of sensitive data such as client/lawyer information, financial files and individual case loads that span everything from burglaries to theft and murder. Security is a key concern.
"If an attack manages to break into the system, our embedded script will shut down the compromised virtual machine immediately and bring another virtual machine up, in real time with no effect on users. That's something that you can't get from any closed source solution," Yazhemsky says.
As a result, the organization is able to invest less in security than it would otherwise have to, he says. His calculation is that LAO spends about 40% less in security software and management costs than it would have otherwise, "because we can script events that proactively search for any changes," Yazhemsky says.
Open source virtualization: tiny but growing
Despite its fans, the overall market for open source virtualization is very small indeed, though it is expected to grow.
"Open source is less than 5% of the overall server virtualization revenue market share, but could nearly double by 2012," says Alan Dayley, a Gartner Group research director.
Open source hypervisors including Red Hat's KVM and Xen, used by both Citrix and Oracle, and the management tools running on top of them are gaining strength in both adoption rates and advanced features formerly found only in the likes of VMware, the virtualization market leader, Gartner says.
Gartner's 2008 figures show that for the hypervisor market, in units not revenue, Citrix had 2% and Virtual Iron held 1%. For 2012, Gartner's projections are that Citrix will hold 6% of unit share, and Red Hat 2%.
Nevertheless, open source virtualization will likely always remain a small piece of the pie. "While companies like Citrix and Red Hat are going to see great growth, they are not going to take significant market share," says Gartner analyst Phillip Dawson. "Most of the share change will be between Microsoft and VMware."
And that's a shame, says IDC analyst Gary Chen, because open source virtualization software has a lot to offer. "A lot of people don't really know how good Citrix XenServer 5.5 has become," says Chen.
One potential huge market for open source virtualization: cloud service providers. "If you're a large service provider and you're building a cloud, you may have very custom specific needs, [and] you may need to modify the source code and you can go with open source," Chen says.
As companies like Amazon.com build out their cloud computing strategy and virtualized literally thousands of servers in their data centre, they will be looking at vendors offering cheaper virtualization solutions with well developed management tools that they don't have time to build, predicts Bill Claybrook, an analyst with New River Marketing Research.
Under this scenario, he says, Citrix's attractiveness will increase. "Citrix is one company out of all of those vendors that could make some money in cloud computing by providing a free Xen hypervisor and marketing its management tools at a reasonable price," Claybrook says.
Is Oracle's role broadening?
Oracle's recent acquisitions of Virtual Iron and Sun Microsystems, and their respective virtualization technology, could prove interesting in the long term. While most observers expect Oracle's open source virtualization software to be a hit primarily in existing Oracle shops, Sun's large customer base may give Oracle a chance to penetrate a greater number of corporate IT departments, says Claybrook.
"Oracle will probably end up with the largest open source for virtualization installed base of any one of their competitors," Claybrook predicts.
For its part, the University of Massachusetts is running Oracle VM because it is such a huge Oracle shop in general, says Michael Poole, chief technology officer "It made sense to choose Oracle VM... especially with the significant number of Oracle applications we support." He says the university has realized significant performance gains and considerable cost reductions in its operations.
UMass is in the middle of an infrastructure transformation project that consists of many sub-projects. While planning a new primary data centre and a more robust disaster recovery and testing data centre, UMass investigated many options and chose to standardize on open source Xen virtualization with Oracle VM and Oracle Unbreakable Linux support. UMass started implementing Oracle VM a little over a year ago.
By next summer, the target date for the infrastructure project's completion, Poole says the university will reduce its physical servers from 500 to fewer than 300. It also expects to save close to $100,000 (£60,000) a year in power and cooling costs alone. And UMass will have totally switched from VMware over to Oracle VM.
The university's IT infrastructure is managed and monitored with Oracle Enterprise Manager, and UMass makes extensive use of Oracle's PeopleSoft ERP, Oracle Enterprise Linux, Oracle DB, Oracle Real Application Clusters RAC and Oracle Web Logic servers. UMass is adding Oracle Business Intelligence Suite and the Oracle Identity Management Suite to its lineup.
"We're a big Oracle shop. It was important to us to buy into the logic that says Oracle is developing and testing all of their applications on the Oracle infrastructure components, including Oracle VM, and getting the kinks out of the system, or at least reducing them before they get into general release," Poole says.
Poole explains that one of the university's biggest successes to date has been the virtualization of its Blackboard Vista learning management system. Through this, professors distribute content, exchange emails and engage in live discussions over the Internet with 63,000 students.
Before it was virtualized, the Blackboard Vista application ran on 40 separate Solaris-based application servers. Today the number of physical servers running the application has shrunk to 5 and performance has quadrupled, Poole says.
By using Oracle VM to virtualized Blackboard Vista, Poole says, We've seen a very significant reduction in hardware while at the same time dramatically improving upon performance and scalability."
But before going with open source virtualization, it's important to have a staff with the right Linux/Unix background, recommends Richard Cote, systems architect and technical lead at the University of Massachusetts.
"If I were making a decision at a small company that only had Windows-savvy tech administrators I'd probably look at VMware or HyperV if I did not have a Linux or Unix group to support me. If you come from a traditional Unix-savvy staff then you're going to be drawn toward Xen," Cote says.
Small businesses may find much to like
Server virtualization growth is expected to increase in small- to mid-size businesses, and there, too, open source could gain a foothold.
Gartner classifies small business as companies with 20 to 99 employees and less than $50 million (£30m) in revenue. Mid-size companies have 100 to 999 employees and $50 to $500 million in revenue. "We expect the [SMB] growth rate for virtualization adoption to be higher than the overall market through 2012," Dayley says.
And even companies that are using VMware and/or Microsoft's HyperV may still find a place for open source.
Interactive One provides web properties for millions of African Americans and has split its IT infrastructure in two. Its office environment uses VMware to run Microsoft Exchange, Microsoft SharePoint and Windows File Server. On the production side, to power the websites, the company has deployed Oracle VM.
"We weren't a good candidate for VMware's advanced functionality because these boxes aren't mission critical, single point of failure systems," says Nicholas Tang, Interactive One's vice president of technical operations. "As a result, we don't do a lot of VM-level clustering and automated failover."
After discussing the possibility of using VMware for the firm's production environment, Tang's assessment was simple: "VMware doesn't do any better job than Xen does quickly building a virtual environment and efficiently reallocating resources. VMware cost two or three times more than what we paid for Oracle VM, and in the end it wasn't worth it."
Since using Oracle VM, Tang says, he's retired 60 servers, has realized greater utilization of resources and is using open source tools like Fedora's Cobbler, a network installation tool, and other software like cfengine, a configuration management tool, to build more functionality into the company's virtual server environment.
While analysts continue to speculate, and vendors continue to improve their products, in the end, IT managers will have to make up their minds based on their needs.
"Customers have to do the tests, ask themselves will it work in their IT environment and will it meet their business requirements at the right price and with the right skills," LAO's Yazhemsky says.
Back to top
|
|
| |
August 11, 2009
Gartner: Cloud Computing Hype 'Deafening'
By Alex Goldman
Cloud computing and service-oriented architectures (SOA) are transformational technologies that will deliver sweeping changes in IT's focus and capabilities -- but while SOA is maturing, IT managers will need to cut through the hype surrounding the cloud if they're to take advantage of it as well.
That's according to IT researcher Gartner's (NYSE: IT) "Hype Cycle for Emerging Technologies" report, which concluded that as a result, IT managers have their work cut out for them in narrowing their options in the cloud.
"The levels of hype around cloud computing in the IT industry are deafening, with every vendor expounding its cloud strategy and variations, such as private cloud computing and hybrid approaches, compounding the hype," the report said.
Cloud computing vendors need to have a strategy now, and enterprise IT organizations should be studying the technology, Gartner added.
"Vendor organizations must clarify their cloud strategies in the next 12 months, while user organizations must demand road maps for the cloud from their vendors today," David Mitchell Smith, Gartner vice president and fellow, wrote in the report.
IT will become a service provider rather than a technology management organization. IT managers "will watch portfolios of owned technologies decline as service portfolios grow," Smith added.
SOA on the rise
In contrast to cloud computing, service-oriented architecture (SOA) technology has passed the hype peak and is now widely adopted.
"Survey data from 2008 indicate that nearly 80 percent of organizations were using SOA or expected to use it by mid-2009," the report said.
The report defines SOA as modular software that can be distributed and shared -- designed so that services are separate from the user interface, and those services can therefore be accessed by more than one application.
SOA benefits enterprise IT because it "clarifies system design, isolates the modules from each other and increases the interface documentation," the report said.
Gartner positions SOA on the "slope of enlightenment," well on its way to mainstream adoption. However, some enterprise developers have not gained all the benefits that SOA promises, the report indicated.
"Some organizations have been disappointed by the low level of service sharing ('reuse') that they have achieved. Some SOA projects have encountered problems in governance, testing, configuration management, version control, metadata management, service-level monitoring, security and interoperability," the report said.
Back to top
|
|
| |
July 30, 2009 - Reducing the Cost of SaaS Implementations
By Subraya Mallya, FOYOPA
Customers need vendors to work harder to alleviate the cost and stress associated with SaaS deployments. Here's what needs to be done.
In the on-premise enterprise software world, I have seen many software implementations go awry despite ballooning implementation expenditures. Customers never see their ROI until many years into the implementation, by which time they are so deep into upgrades, manpower turnover, shrinking IT budgets, IT organizational fiefdom - you get the picture - that ROI is the last thing on their mind.
As the customer struggles, the software vendor bears very little risk. The company has pocketed the license dollars and issued the press release on the customer acquisition.
With SaaS, the tables are turned. The SaaS software vendors (to their own detriment) have perpetuated this notion that, with SaaS, implementation will be effortless. But as we all know, enterprise software implementation is much more than just installing the software. Vendors must work harder to reduce deployment cost and improve ROI for their customers. Here's how.
The High Cost of Implementation
Recently I met with a CEO friend of mine who runs a late stage SaaS company that sells a industry specific business process automation software. The company is currently going through the infancy-to-adulthood transition. They have a great product and a excellent customer base, but the downturn and reluctance on the part of customers to sign checks has made them look for efficiencies in other places. During our conversation about the general business environment and challenges faced by companies naturally we delved into the topic of managing the cost of customer acquisition, implementation costs, maintaining profits etc. Most companies are in the same boat - managing their operations efficiently cutting costs, reducing the burn and maintaining the margins.
To really get to that state of customers doing their own implementations and onward to use the application, the vendor has to invest a lot in creating guided implementation tools, migration tools, WYSIWIG integration tools. If you look at the current stable of SaaS vendors, very few have that kind of maturity.
Most smaller SaaS companies operate more in the Software+Services model than pure Software model. Me, I think this is a flawed strategy. As a startup you are much better off building a product that is simple to implement by the customer themselves with guided implementation wizards etc and focus all your energies on building a great product. Selling a product is tough enough, then to add a service fee on top of that for implementation will only result in additional approvals and prolong the sales cycle. Nevertheless, the reasons companies go with this strategy is usually twofold.
* Firstly, the technology they are building is still evolving so there are only few people beyond the employees of the company who can implement and guide customers through this process. That way, working closely with customers the companies can understand the gaps better and manage the bumps on the road much better.
* Second and more important reason is, being small, the companies can ill afford to lose the revenue that comes via the services arm. The services revenue helps in augmenting the minuscule subscription revenue when the product footprint is small.
In the eagerness to close the deals, companies try to sign customers to deals where they underestimate the effort involved in implementation. Unlike in a license deal, the subscription fees that make up the MRR, includes all cost of sales and cost of operations. As a SaaS vendor, while you can charge customer for actuals in implementation, if you overshoot the implementation cycle, you are doing it on your own dime, as most of the implementations are typically fixed price.
Five Ways to Lower Implementation Costs
Considering this dichotomy, I've created a list of five things a SaaS vendor can do to acquire customers without giving a sticker shock (of the initial implementation costs) while maintaining your margins.
1. Map-Gap Analysis
As anyone who has done software implementations will attest, the most challenging part of implementation is the part where you need to define the business process. You can spend a lot of time just capturing all the information about the business process from the numerous pockets in a company. If you have a implementation deal which is a fixed price - 1 week - $10,000 dollars, you might spend a lot of time in honing in on the business process. So to mitigate this you should define business process blue prints (like workflows diagrams) and have the customer map their current process to it even before you quote a implementation price. This way you will be much closer to the actual implementation scenario than uncovering the facts as part of a pre-costed implementation.
2. Best Practice Templates
Unless you are one of those companies that does not clearly know where you fit in, you should exactly know your customer demographics across target industry segments. Based on that you should go ahead and create best practice configuration templates. Here are things I would include as part of the templates: standard business process, workflows, setup data, roles and responsibilities, meta data, and labels, instructions and error messages.
While it is a one-time thing for you, you can reap the rewards over and over across multiple implementations. This will allow you great latitude to aggressively price the implementations. As you tailor specific customer needs over and above the best practice templates, you can keep dovetailing those needs back into the blueprints and revving them up. This will also be a significant competitive advantage in terms of TCO and creating mind share.
3. Crowd Source
One of the great things of the times we are in is companies and individuals in those companies are opening up to concept of sharing and reaping the benefits of collaboration. Collaboration, when done properly, can create value for all the parties involved. When you are a SaaS startup, you want to keep the operations lean and optimize all the activities. One such way is to leverage your existing customer base to help you get better. As you incorporate your learnings from one customer implementation to another, it makes for a more compelling story if it is actually being told by the customer impacted by it. Not to mention that your next customer coming from the same industry can relate to them much better than you portraying the scenario.
Most companies invariably sell to customers who might be die-hard rivals in their own industry. So it is easy for a technology vendor to wonder if it would be wise to connect two such customers and if they would be open to such propositions. Also factors into it is the fear that the two customers might end up discussing the parameters of the deal for the software and the sweat-heart deal you gave to one might become the standard deal for all. But I am here to tell you, that no matter what you do, that information will end up getting shared, if it has to.
So instead of worrying about those things, think of all the value it generates when two leaders in a industry collaborate on your software platform. They might just end up helping you define your future product strategy. I think that is a great problem to have. Getting customers into a collaborative self-help community might go a long way in reducing the bumps along the implementation path and reduce your cost of implementation.
4. Implement in Phases
It is always tempting and some time seems easy to do a big bang implementation than to do it in phases. To me if you are not being able to recommend logical phases of implementation it indicates a software vendor trying to make things easy for themselves. As with any software, implementing the entire product invariably involves multiple stakeholders, teams at customer site and some time multiple locations. This is where the implementation can end up ballooning. So as a software vendor (and a trusted adviser as I would like to think of myself, being a software vendor), it is incumbent upon me to define the logical phases and impress upon the customer the value of doing so. I like to call it "peeling the onion". Always keep at the forefront and highlight the ROI that can be achieved in each phase and it will be an easy thing to explain. It also allows you do a soft landing when it comes to the implementation costs.
5. Smell the Roses
In the initial stages it is a difficult thing to do things for free but you will have to bite the bullet. Customer pays for something which is fully-functional but your solution might be far from it. They don't understand the intricacies of software implementation. So at times, be benevolent and let some of the costs go as it is in your interest to make those early or critical customers happy. Also look at it this way, the customer is ready to take a chance on your incomplete product and let you bake it on their stove (and dime). So all along the way enjoy the experience and don't make the fact that you are incurring a small loss spoil the experience.
The market for SaaS products is growing and changing quickly. As vendors mature, addressing the need for improved implementation will only serve to grow the market even further.
Back to top
|
|
|
|
|
|
|
