Orchestrating a Hybrid Cloud Using SaaS Solutions with On-premise Applications
By Bill VanCuren, CIO, NCR Corporation
Customers are demanding faster time to market, ease of use, and greater business agility. Because of these demands, the industry has seen considerable growth in Software as a Service (SaaS) solutions. The heavy investment in cloud alternatives demands that enterprises adopt a hybrid cloud strategy in order to stay ahead of their competition. Enterprises must address four key factors to be successful when moving to a hybrid cloud: supplier management, security, integration, and data management.
Negotiation and due diligence with suppliers must be done up front. Doing this will make managing the suppliers easier during the move to the cloud. Contract language, upgrade challenges, and lack of perpetual ownership of the solution are all key supplier management issues that need to be addressed in the move to the cloud. A standard SaaS contract template with important elements to protect and support the business is highly advised. The template should include stronger language for the Service Level Agreement (SLA), indemnification, source code escrow, length of the term, performance guarantees (along with response and resolution times), provisions for data backups, and other elements important to the success of the business. Also, the enterprise needs to understand its supplier’s upgrade approach. Enterprises do not want to lose control over when and how their application is updated.
Gone are the days of the perpetual license where an enterprise can continue to operate a system whether maintenance was paid or not. In today’s SaaS licensing models, the enterprise no longer owns the license. When the SaaS solution is no longer being paid for, the supplier will remove the ability to get to the solution based on the contract that was signed up front. As a standard practice, due diligence on the upgrade approach and terms should be performed before signing anything.
Other key considerations to be aware of include the business owners’ direct relationship with the SaaS suppliers, the maturity of the SaaS solutions, and when to perform due diligence. Know that the business users are having conversations with the SaaS suppliers as well and will be drawn to the “flashy” user interfaces and promises of built-in data analytics. That doesn’t mean the system behind it will fully protect the enterprise from certain risks. Keep in mind that the maturity of SaaS suppliers varies widely. Just because a software supplier is large or has historically delivered high-quality on-premise software doesn’t automatically imply that it has a mature SaaS solution yet. Again, performing due diligence up front will allow the enterprise to make sure the supplier’s integration approach, security practices, and SLA are in alignment with the enterprise’s needs. If they are not, negotiating a contract that supports the enterprise is critical before signing anything. Also, the big guys tend to dictate their terms while the smaller suppliers are willing to negotiate terms, such as frequency of upgrades.
The enterprise needs to establish security standards, create a standard checklist to help perform due diligence, and follow industry best practices. When moving to a SaaS solution, assign an IT security architect early in the product selection phase. Doing this ensures the data gets classified properly, the supplier’s security practices are understood, and the SaaS solution’s data security limitations are verified.
Protecting the enterprise starts with classifying the data in the systems. Doing this helps establish the appropriate security controls. In many cases, the enterprise may need to define how it will manage its intellectual property in a shared environment. Part of the security due diligence needs to uncover how the SaaS solution separates the company’s data from other companies’ data, especially if the solution is multi-tenant (i.e., many customers use the same instance of an application). Understanding the security practices of the SaaS providers is extremely important. The industry has seen improved security practices of SaaS suppliers in the last couple of years, but this area is still evolving.
Many SaaS providers are not SAML compliant, which prevents the company from enabling single sign-on across the enterprise or managing security in a central place. One of the data security limitations of a SaaS solution is encryption of data at rest. Selecting SaaS providers that encourage multiple levels of encryption across their solution (i.e., the user interface is secure, the movement of data is protected, and the data is encrypted when stored) will dramatically limit or prevent loss.
When planning integrations, the first step should be understanding how the systems communicate and what can be done to make the company more agile. The company needs to look at which integration technologies are used by its current systems, how often they pass data, and how well the business processes are being supported. The current systems integration approach will impact the ability to leverage data across SaaS and on-premise systems.
Legacy approaches to systems integration (i.e., file-based, direct database connections, etc.) will make it very difficult to create a flexible set of connected systems. Direct database links and static point-to-point connections are brittle, slow, and can cause system outages when the SaaS solution is upgraded by the supplier. Likewise, the enterprise needs to understand how often its systems need to communicate. Depending on how often they communicate and how much data is being sent each time, the company may need to plan for additional investments.
The business processes will drive the type of integration and how often the systems need to communicate. That’s why it is critical to understand the company’s business processes, especially those that leverage multiple systems.
It is important to adhere to industry norms (standard models, etc.), monitor the data, and communicate the data governance decisions and actions. A few of the data management issues are establishing a common data model, creating a “data hub” for the master record, and governing the company’s data.
A common data model is key to allowing multiple systems to communicate effectively while reducing errors. Pick a standard data model and make each system leverage it to communicate. This will allow the company to add or replace systems in the enterprise much more quickly and reduce the cost of integrating its systems.
Companies should create a “data hub” outside any specific SaaS solution to centrally manage the master record for their critical data subjects (i.e., customer, product, organization, contract, etc.). This provides a single “source of truth” for their critical data that must be shared across multiple SaaS systems and hybrid cloud architectures. By doing this, the company can avoid having incorrect or outdated information across the enterprise.
Companies also need to have a strong, business-supported governance team monitoring each data hub to ensure the data aligns with the business needs. This team should include a business data owner and data steward, typically outside IT, who are responsible for identifying the master systems and resolving data conflicts.
A transformational change in the organization may be required to achieve these key success factors. The company should look at its organizational structure, internal processes, and the maturity of the IT environment. Each business organization should have a single point of contact to avoid confusion when moving between on-premise and SaaS solutions. The company should also look at its internal processes to make sure they are optimized for a hybrid cloud environment. Finally, make sure the IT infrastructure and security systems are able to support a hybrid cloud. The business depends on it. By focusing on the four key success factors mentioned above, the journey to the cloud will be more manageable.