Debunking SaaS Debunking

Businessweek recently published a surprisingly negative article about SaaS, saying that its hype can be largely undeserved for a number of reasons.  Now, I like BS-calling as much as the next guy (maybe a bit more, actually), but I found Gene Marks’s reasoning to be too generalized and all-encompassing.

Marks says:

Myth 1: SaaS is cheaper. No, it’s not. In fact, it can be a lot more expensive. Most service providers charge each user by the month. If you’ve got 10 people using a product, and they’re costing you 50 bucks a person each a month, that’s $6,000 a year. Most in-house systems have one-time licensing fees and optional support agreements. Spreading out the payments is nothing new, either; tons of software leasing companies will finance your purchase and spread out monthly payments over time. When you look at SaaS over the long term, it’s usually not a cheaper option.

Considering that on-premise enterprise software for a large firm can easily run into the millions just for new license acquisition, this argument pales quickly.  And support (maintenance) agreements for such systems are not “optional” — they’re mandatory.  Seeing how I’ve seen annual maintenance bills upwards of $400K/year, we’re not talking spare change, either.

And really — let’s not get into the costs associated with new hardware investments or modifications to existing infrastructure.  Let’s not get into new servers, new application security policies, network provisioning, desktop client modifications, and permissions.  Let’s not get into end-user performance issues and the time and expense needed to troubleshoot and remedy them.  And let’s also not get into aggregate IT staff allocations on a man-hour basis, because the numbers get crazy quickly.  Suffice it to say that all of these get figured into the equation when trying to calculate the TCO of on-premise enterprise software.

SaaS may not be cheap, but it certainly might be cheaper.  And there is value in having fewer on-premise headaches with trashed servers, corrupt databases, and angry end users that the internal helpdesk must deal with.  It becomes an intangible quality-of-life discussion for the enterprise.

Myth 2: SaaS reduces hardware investment. Well, this is only half right. Sure, the SaaS providers deal with the servers, and all the Windows headaches and patches and builds and versions and whatever. That’s their problem. But you still need fast access to the Internet. And that means workstations running versions of up-to-date operating systems, which generally means up-to-date computers. And they’ll need to be tied in, by wire or not, to hubs and routers to access the Net. And there will still be internal security and firewall issues. So you’re really not completely eliminating the IT guy. He’s like the smell from your cat’s litter box. It kind of never goes away.

Raw bandwidth capacity is cheaper than DB, app server, webserver, security, middleware and network configuration.  All day, every day.

For the client-side, PC-level arguments, I say this: the browser is the environment.  The browser is the platform abstracted away from the desktop OS in most cases.  I can hit Salesforce.com agnostically from my Mac or my Windows machine — Firefox is the relevant platform.  (I can even navigate it perfectly well on my iPhone.)  So, for most SaaS apps, give your users a modern browser that can validate to the appropriate level of security and has the proper plug-ins, and you’re set.  Network routers, switches, and hubs are a red herring: they’re part of your corporate IT infrastructure no matter what.  You need them for access, period, whether you’re browsing Facebook or logging into your Workday HCM instance.

Myth 3: SaaS is quicker to set up. This is like Ikea saying its furniture is easy to assemble. One look at the lopsided bookcase in my den proves that little theory wrong. The same goes for software. Sure, if you’ve got a basic setup, then no problem: Just flick the switch and go. But what if your needs are more complex? What if you need customization? Snazzy reports? Integration with other systems? Now you’re adding complexity. And whether an application is sitting on a server in Taiwan or a server in your office, someone’s got to do the work.

I dunno.  I got my son’s Ikea stuff set up really quickly, and nothing is lopsided.

Anyway.

SaaS certainly has its share of integration work: you have to figure out what data you’re going to integrate from existing datastores, scrub the data of all nontranslatable artifacts, format it properly so it hooks to the SaaS app cleanly, and perform the integration work.  You have to set user roles and permissions.  You need intra-business unit security policies.  You need custom reports or dataviews, usually defined by functional role.  You need to define error handling and integrations with ancillary support systems.  You need to do quite a bit to move in-house data from discrete legacy systems to a cloud model.  No question.

Thing is, you have to do most (if not all) of this with a new on-premise solution as well, but the SaaS model spares you infrastructure planning, hardware costs, QA/pre-production environment sandboxing, maintenance, and helpdesk/end user training.  That stuff isn’t 11th-hour oversight material: it’s serious pain in the ass country.  Any IT worker who’s lived through a wide-scale ERP implementation knows that it’s the slush factor of the project that really winds up having everyone in the datacenter at midnight wondering why Starbucks isn’t open 24 hours.

Myth 4: Your data are secure and backed up. Baloney. They’re about as secure as the personal data on 650,000 customers lost by GE Money (GE). Or that confidential Al Qaeda data left on a train by a British intelligence agent. Or Willie Randolph’s status as the Mets’ manager until about a month ago. I don’t care how many redundancies and data centers and encryption are baked into the system. Accessing your data over the Internet in 2008 is fraught with risk.

There’s no such thing as absolute security with respect to enterprise data.  I remember having my Standard Federal debit card number stolen from some transaction company that had its database hacked by an outside source, and suddenly I had purchased $1800 worth of camera equipment in downtown Tokyo.  Was SaaS a factor?  Of course not.

Point is, security is an elusive target, and many companies are content with feeling secure rather than being secure.  For every example of SaaS compromising user data, there are 10x more instances of an internal system getting breached by outside aggressors due to poor firewall/webserver configurations.

Breaches happen.  It’s cat-and-mouse.  Always has been, always will be.

I’ll grant Marks this: when SaaS gets compromised, there’s the potential for much more commercial damage due to SaaS’s inherent multitenancy.  Instead of one pissed off CIO demanding to talk to who’s responsible, you have 20.  Or 50.  Or 500.  The threat of commercial damage is multiplied many times over due to the centralized nature of most SaaS apps.  (Although I’m sure there are security policies and provisions in place by enterprise SaaS players like Salesforce.com, Taleo, etc.  I just can’t speak intelligently about their details.)

Myth 5: You’ve actually been using SaaS for years—look at your bank account. Right. And when my SaaS vendor is backed by the Federal Deposit Insurance Corp., maybe this story will hold. But in the meantime, what if I’ve got a billing dispute with you, and you decide to shut off my service? What if you send me my data on a CD, and I can’t even open the data because I don’t have your application? What if the government or some competitor subpoenas you for my information? What if the unthinkable happens and, gulp, my Internet connection goes down. Gasp. How do I get my work done? Yes, I realize that we’ve “hosted” our financial data with banks for many years before SaaS. But we’re talking a totally different set of rules, so let’s not even go there, girl.

The point I’ll grant here is the government subpoena issues: I use Gmail for all of my personal email, and if the day ever came where Google was ordered to relinquish its data to the feds, I’d feel violated, as would most anyone else.

Is this the price of convenience and ubiquity, for ultimate thin-client computing?  Probably.  But then again, what happens if you’re accessing your work data via VPN and your company’s VPN connection dies?  What happens if your UPS guy falls asleep at the wheel and decides to drive his truck into the cabling that keeps your home Internet connection alive?  What if what if what if?

You can disaster-scenario each side of the fence until you pass out, and the best you’ll get is a wash.  Call it a tie game, but with scoring coming from different angles.

And please — no SaaS provider is going to be sending you a CD full of your information that requires a specialized application to open.  That’s what SaaS is all about: nothing on-premise.  Unless you consider XML exotic, you’re probably safe.

I understand warning people of the dangers of SaaS, but to dismiss its merits as hype and then not back your arguments up fully isn’t exactly what prospective SaaS clients need.