Cloud Possible: Software as a Service (SaaS)

In the fifth installment of our Cloud Possible series we discuss Software as a Service (SaaS), the most commonly known cloud operating model. It is the best known because you probably already use a SaaS solution in your personal life, such as Gmail or another product from the Google G Suite.


The SaaS Model is typically a consumer-like delivery model for internal employees, customers, and/or partners as end-users. SaaS solutions are generally procured/contracted with a user-based subscription. While this model is straightforward and convenient from an operating and support perspective, the Utility will also have the least control and flexibility in terms of functional capability and customizations. The application features, version control, and scheduled maintenance windows will be controlled by the SaaS Cloud provider, and the ability to customize the application will likely be minimal. Consequently, customers looking to migrate to a SaaS environment need to be rigorous in their understanding of how the capabilities, features, environment, and performance meet their business requirements before they contract for the services. This should include your rights regarding your data on the SaaS platform, how the data is backed up and recovered, and how you can retrieve your data if required. Additionally, mapping to regulatory requirements should be well understood, since customization for specific regulations may not be contemplated. Common SaaS services include email, collaboration, customer relationship management, and file sharing applications. You are likely to be using a SaaS Cloud service today if your company uses Office 365, Salesforce, Concur, Dropbox, or Cisco Webex.


Companies like SAP and Oracle are introducing SaaS models, some of them aimed very specifically at Utility Mission Critical applications and functions, like Customer or Call Center type functions. It is always incumbent on the Utility to explore and determine whether these packaged solutions are sufficient to meet the demands of the Utility business: serving your customers, the location of your customer data, access to your customer data, and meeting regulatory requirements.

Operating Model:

The SaaS Cloud Service Provider (CSP) is responsible for the entire support stack up to the user help desk. The infrastructure scales on demand based on the active users’ consumption and data storage. Users often access the SaaS environment via the internet, without the need to install or maintain any endpoint device software outside of a browser. The Utility’s technical team would use APIs, if available from the SaaS provider, to integrate with other applications in their overall IT footprint. Please note that companies often underestimate the size, time, and cost required for this integration when deciding to migrate to a SaaS application. While the cost and complexity of maintaining the overall platform are decreased, the cost and complexity of managing the integration footprint of your Utility will be impacted. The extent of the impact will be influenced by the complexity and number of custom legacy integrations required.


SaaS Examples:

Google Apps, Microsoft Office 365, Salesforce, Cisco Webex, Ariba, Concur, Dropbox, and SAP Cloud for Customer.


End-User Support:

Support plans under the SaaS Operating Model are by far the simplest. You will likely want to train some internal specialists in the help desk to support users with simple issues or questions – traditional Level 1 support (training is typically available from the SaaS provider). The SaaS provider support will cover the remainder of the support layers. Again, the Utility should plan on redirecting some of their previous operating costs to governance roles overseeing the SaaS Cloud provider performance and SLAs. SaaS platforms are often accessed via the internet, which may require your security policies and access controls to be updated. Companies often still embed business analysts to ensure business integration of the solution is managed within the organization and that organizational requirements are communicated to the SaaS provider for consideration in their roadmap. The concept of an owner’s engineer is applicable here – a resource to oversee the footprint of the SaaS solution, governance across the SaaS provider, and also integration with other applications in the Utility’s overall IT landscape. As with the PaaS solution, while the complexity and effort to maintain the application technology stack decreases, the complexity of managing partners and integrations increases, making a leadership role to manage this critical to getting the best value from the SaaS solution and overall technology footprint.


Security Compliance:

All Cloud Operating Models require an overall security plan with negotiated shared responsibilities. Under the SaaS model, the Utility is still typically responsible for user credential management and personnel training. SaaS platforms are often accessed via the internet, so this may require your security policies and access controls to be updated.

The same certifications (ISO 27001, SSAE 16, SOC 2, and PCI-DSS) are valid and applicable to SaaS deployments. The SaaS provider should be responsible for executing and auditing the following (the Utility will inherit these audited controls):

  • Application, operating system, database and middleware: access control, vulnerability management, credential and password management, and audit trails

  • Vulnerability management for cloud infrastructure and management systems

  • Access control, credential management, and training for all personnel accessing cloud components

  • Isolation of client data and systems (e.g., firewalls, encryption, access)

  • Physical equipment and data center controls

  • NOTE: It is important to perform the necessary due diligence on the security controls and data protection associated with any APIs that are utilized to access the SaaS application/data

Again, depending on the requirements of the overall security plan, network providers may be responsible for encryption, internet VPNs, and DDoS security services.


Next Steps:

As you look for the best cloud operating model for your business, you must consider the application, its requirements, the benefit of each model, and the resources you can procure outside of the CSP. The SaaS operating model might be the best option for your less critical applications or even for applications that you don’t have the in-house resources to support.



©2019 by Validos, LLC. United States