White Paper: What to consider when choosing a SaaS or cloud provider
A White Paper by Bloor Research
Author: Fran Howarth
Publish date: February 2011

"When engaging a SaaS provider, organisations must plan carefully and thoroughly evaluate the service provider during the selection process, including the services and terms and conditions offered." Fran Howarth
Executive summary

The use of Software as a Service (SaaS) offers many benefits for organisations of any size, but is especially beneficial to smaller organisations that lack the budget and resources to manage in-house technology deployments, or to larger, highly distributed organisations with large numbers of mobile workers. Because of the benefits it offers, usage is growing fast. However, there are many considerations to bear in mind when choosing a SaaS provider.

This document is intended as a guide to aid organisations through the decision-making process when choosing a SaaS provider. It provides organisations that are interested in subscribing to such services with pointers as to what factors they should consider during the evaluation process, to ensure that they gain the maximum benefit from their use of SaaS.

SaaS usage growing

The term Software as a Service (SaaS) was coined towards the start of the 21st century and refers to the provision of access to software applications on demand, as a subscription. SaaS contrasts with the traditional way of licensing software applications, whereby a licence is purchased for each user and software is installed on every computing device that requires access. Today, the term SaaS is often used interchangeably with cloud computing, the term cloud being a metaphor for the internet. With SaaS or cloud, applications are accessed via a web browser, and the applications and the data they process are stored on remote servers managed by the service provider.

The market for SaaS is showing strong growth, including the use of security applications. According to research published by Infonetics Research in June 2009, the security SaaS market will grow at a compound annual growth rate of 46% over the next five years. Take-up among organisations is highest in Europe and Asia, although growth is picking up in the United States.

In January 2010, the Computer Technology Industry Association released its Third Annual SMB IT Spending Survey of 400 organisations in the US. This showed that 30% of SMBs in the US have plans to implement some form of SaaS in 2010, up from 22% in 2009 and 14% in

Uses of SaaS

Figure 1, which is echoed in many surveys, is taken from data collected recently by Bloor Research from 140 organisations worldwide. It shows the types of SaaS applications that are currently most commonly in use.

Figure 1: Types of SaaS applications being used (% of respondents). Cloud storage 35.7%; security applications 31.4%; backup 30.0%; business intelligence 27.1%; office applications 25.7%; CRM 24.3%; payroll 18.6%; archiving 14.3%.

A Bloor White Paper, Bloor Research
The benefits of SaaS

The many benefits that can be gained through the use of SaaS are behind the high levels of growth being seen among organisations of all sizes. SaaS is particularly suited to small and medium organisations, which often lack the personnel resources required to administer and manage technology systems. According to analysts Techaisle, the sweet spot for service providers in Europe is to target organisations with between 10 and 50 staff. However, SaaS also provides benefits for larger organisations, especially those with geographically distributed operations encompassing numerous branch offices and with high levels of mobile working.

Many of the benefits of SaaS revolve around the costs of the service, as evidenced in Figure 2, which is taken from the same survey by Bloor Research referenced previously. Cost savings can be made in many areas, including lower personnel costs for administering the system, reduced hardware costs and lower licence costs, as actual usage can be tracked to ensure that the organisation is not paying for more licences than it is using, and because the number of licences can be increased or decreased as required based on actual needs. Another prime benefit, related to cost, is that spending can be shifted from capital expenditure budgets to operating expenses, because there are no upfront costs in terms of purchasing software licences and the hardware to house the technology. In addition, there are no maintenance fees associated with SaaS, and upgrades and enhancements are included in the cost of most services.

Figure 2: Reasons cited for adopting SaaS (% saying important or highly important). Cost savings 85.5%; reliability of service provider 85.5%; access to services too expensive in-house 76.8%; access to expertise not available in-house 75.3%; overall reduction of business risk profile 71.0%; complexity of managing deployment and updates 68.1%; need to reduce capital expenditures 63.8%; compliance 62.3%; extend access to mobile and remote workers 55.0%.
Barriers to SaaS adoption

When asked what the perceived barriers are to their organisations adopting SaaS models of application delivery, the majority of respondents to the Bloor Research survey cited security and data protection issues as the greatest area of concern, as shown in Figure 3. This is echoed in the fact that more than half would prefer to keep data in-house, owing to concerns about handing sensitive data over to a third party. Such concerns are heightened by the growing number of data loss and security breach incidents being reported in the media and the reputational and financial damage that could ensue. The importance placed on regulatory compliance issues, many of which demand that high standards of security be applied to sensitive data, emphasises this point. However, the strict controls used by SaaS providers can allay such fears and actually add an extra layer of security.

Cost is also perceived by some to be somewhat of a barrier to SaaS adoption, even though the majority of respondents cited cost savings as one of the most important reasons for adopting SaaS. This is because many organisations, and smaller firms in particular, are unaware of the benefits that can be gained from the switch from purchasing technology as a capital expenditure to licensing applications on a subscription basis as part of their ongoing monthly operating expenses.

Figure 3: Barriers to SaaS adoption (% saying important or highly important). Security and data protection issues 88.3%; regulatory compliance issues 75.0%; prefer to keep control in-house 55.2%; potential disruption to business from non-technical concerns 53.0%; internal staff reaction or concerns 51.4%; perceived higher cost 48.6%.
Choosing a SaaS provider

The market for managed security services began during the internet boom of roughly 1995 to Back then, service providers were known as application service providers, or ASPs. Many early ASPs employed weak business models and lacked sufficient cash. They developed a reputation for being unreliable, and many went out of business when the so-called dot-com bubble burst.

Today, SaaS offerings are available from a wide range of players, from large technology vendors to specialist service providers that have spent years building out their services. Many providers have also incorporated a wider range of capabilities, such as combining web security controls with anti-malware and archiving services on a single platform. This provides the benefits of an integrated service for countering threats across numerous vectors, something that is vital given the complex and sophisticated nature of the security threats prevalent today, which often blend different vectors of attack in an attempt to make their exploit more successful. Since the services are based in the cloud, organisations should consider the scale and efficiency of the threat intelligence services offered to provide higher levels of protection against such threats.

When choosing a SaaS provider, it is essential that an organisation performs its own due diligence. It must look at the viability of the provider, what security controls it has in place for protecting the service and the data of the organisation, what pricing, licensing and billing terms are offered, the provisions of the contract and SLA offered, and the functionality provided by the service. Figure 4 shows activities that respondents to the Bloor Research survey consider essential to undertake prior to subscribing to a SaaS delivery model.

Figure 4: Activities to undertake prior to adopting SaaS (% of respondents). Quality of service levels 75.7%; security assessments undertaken by ourselves 62.9%; third-party risk assessment 44.3%; investigation into financial viability of provider 42.9%; ascertain key risk and performance indicators of provider 37.1%; negotiation of items to be included in SLAs 35.7%; inspection of disaster recovery and business continuity plans 34.3%; attestation of SAS 70 or ISO certification 32.9%; negotiation of exit strategy, background checks of employees and onsite inspections (17.1%, 15.7% and 21.4% in the original figure).
Vendor viability

One of the most important considerations when evaluating a service provider is the viability of that vendor. Organisations must consider the history, size, length of time in the business and financial health of the provider, as well as how many customers it has and how satisfied they are with its services. Red flags to look for include whether any one customer accounts for more than 10% of its business, or customers that have been given access to the service for free or heavily discounted as early adopters of the service. The length of time that customers have been using the service is another important consideration.

When looking at the size of the service provider, organisations should consider not just the overall staff count, but also the composition of employees. For example, how many are direct employees versus contractors, and how many support staff does it employ? Where numbers of support staff are low, this function may be outsourced to a third party, which means that the third party's processes and procedures must be assessed as well.

The size of the service provider may be an important consideration in terms of its reach. A large customer with geographically dispersed operations may need multi-continent support spanning different time zones and languages, whereas a small organisation may prefer the local touch of a provider that specialises in the particular region in which it operates. In some countries, such as Germany, assurances that data will not be transferred out of the country are an important consideration, especially for government organisations.

Standards and certifications are also emerging for SaaS providers that enable auditors to assess the quality of the provider's general IT and security controls, including ISO and SAS 70. However, even when a provider touts such certifications, the onus is on the potential customer to verify that secure procedures are actually followed.

Checklist 1: Vendor viability

How long has the provider been in operation, and how long has it offered SaaS?
How big is the service provider in terms of employees, offices and support staff? In what locations does it operate?
How is the provider funded? If it is VC-funded, how much has it received and what is the possibility of further funding?
What customer references are available? How many customers does it have of a similar size and with similar needs to those of your organisation? How long have they been using the service?
How many data centres does it have? Does it own them, and where are they located?
What support does it offer? Is 24x7 support offered? Is support provided by a third party or by internal staff? Is support included in the SLA? How is it provided (online, telephone, etc.)?
How has the vendor's recent performance been?
What certifications does the provider have? For example, is it SAS 70 certified?
Is the vendor a member of, or endorsed by, relevant industry associations or forums, such as the Cloud Security Alliance or MSP Alliance?
Security

Given that security and data protection concerns are cited as the greatest barrier to adoption of SaaS, organisations should pay close attention to the security of the services offered. It is important to ensure that high levels of security are provided and that they are documented, so that the organisation has redress should security issues be encountered. Figure 5 shows the security concerns voiced by respondents to the Bloor Research survey that are using SaaS services. Clearly, the protections placed around data, and access to it, are top of mind for many organisations.

Figure 5: Security concerns voiced by organisations adopting SaaS (% of respondents). Logging and audit services 72.7%; use of strong authentication or passwords 72.7%; controls on privileged user access 54.5%; right to audit 48.5%; handling of data to a pre-agreed standard 48.5%; data to be located within a specified legal or geographical area 39.4%; single-tenant architecture 25.8%.

Checklist 2: Security

Are security controls documented?
Where is the data stored?
What data is stored, and is it encrypted?
Where is the backup data centre, and how often are backups made?
What encryption is used, and are all communications encrypted?
What access controls are used, including use of strong authentication or passwords, firewalls, encryption and privileged user access controls for segregation of duties?
Are privacy controls documented?
What physical security controls are in place for the data centre?
What logging and audit services are provided?
When required, is data destroyed in a secure and certified manner?
Does your organisation have the right to audit the service?
Is data stored only in a specified jurisdiction?
Pricing, licensing and billing conditions

Among the prime benefits of subscribing to SaaS-delivered applications is the predictable monthly cost associated with the service. Therefore, an organisation should closely scrutinise the terms of the service to ensure that there are no hidden costs involved. Other important conditions to be considered are whether the service has a minimum timeframe associated with its use, and the terms under which an organisation can terminate, reduce or extend its use of the service. Since updates and enhancements can be pushed out easily to all users of the service, they should be included in the cost and provided on a regular basis.

Checklist 3: Pricing, licensing and billing conditions

Is pricing transaction or usage based? For example, is it based on users logging in or on true usage?
How easily can the number of users for which the service is licensed be changed?
Are guarantees provided that the price of the service will not be increased within a specified period?
What is the minimum contract length, and what is the cancellation period?
How is the subscription to be paid for? Is it invoiced, done as a standing order, or payable by debit or credit card?
Are there extra charges involved, such as for storage, updates or enhancements?
Are there any penalties or fees for early termination of the service?
Are training, set-up and support costs included?
Contracts and service level agreements (SLAs)

The terms and conditions of any service that an organisation subscribes to should be clearly laid out in a contract, backed up with a strong SLA that provides assurance that those terms and conditions will be adhered to. This documentation must include details of the remediation steps to be taken by the provider should an incident occur, and any other penalties to which it might be subject in case of a dispute. As the Bloor Research survey data in Figure 6 shows, this is important, since two out of five organisations state that they will take legal action.

Figure 6: Remediation processes should something go wrong (% of respondents). Service provider fixes problem at own cost 57.6%; service provider pays a penalty in case of security issue 47.0%; will take legal action 40.9%; processes in place for orderly return or secure disposal of assets 34.8%; none 9.1%.

Checklist 4: Contracts and SLAs

Are guarantees provided in the SLA for service availability and access, and for the quality of service provided?
Is support included in the contract, and does this specify the level and conditions of service, as well as response times?
Are commitments included in the contract for regular updates and enhancements to the service?
Are logging and audit guarantees specified?
Are assurances provided as to what data is stored, where it is stored and who has access to it?
Does the contract include written privacy and security policies?
What remediation is available should problems be encountered with the service, and are there caps on liability?
Does the contract give your organisation the right to audit the service?
Are assurances provided over remote backup and how often backups are performed?
Are termination rights specified in the contract?
Is attestation included that the provider is complying with any necessary regulations, such as data protection?
Are written procedures included in the contract governing the return of data on request or on termination of the service?
How flexible is the contract in terms of being able to add or remove users from the service as required?
System functionality

Last, but not least, organisations should thoroughly evaluate the functionality of the services offered by a provider to ensure that they match their needs and expectations. Where more than one service is offered, they should check that the applications are tightly integrated, with common reporting mechanisms for greater visibility into the effectiveness of the security controls in place. This is especially important if any applications are provided by a third party, in which case the contractual arrangements should be discussed. To ensure that the service meets its needs, an organisation should consider conducting a trial or evaluation of the services prior to committing to them.

Organisations should also investigate whether all the devices and operating systems that they wish to use to connect to the service are supported, and that the service is quick to set up and intuitive to use. The service should also offer protection against a range of security threats, even those previously unknown for which no signature has yet been written. This requires that advanced detection techniques be used by the service provider, ideally backed up by global threat intelligence research capabilities to identify and provide countermeasures for new threats as they are encountered.

Checklist 5: System functionality

Is help available for set-up and integration with other applications?
How easy is the service to set up and use?
What application and device coverage is offered, including mobile?
Is protection provided for unknown threats and exploits?
Are advanced security services offered, such as black- and whitelisting, and content rules?
Is a free trial or evaluation offered?
Is a third-party service or product, such as anti-virus, used as part of the service?
Is support provided for all the main browsers, including those used by the Mac operating system and mobile devices?
Is there a need for any software to be installed locally?
Are all communications encrypted?
Is training required?
What reports are provided, and how often?
What is the update cycle offered?
Is personalisation or customisation of the service possible?
Does the service provider offer global threat intelligence services as part of its offering?
Summary

When engaging a SaaS provider, organisations must plan carefully and thoroughly evaluate the service provider during the selection process, including the services and terms and conditions offered. This is especially true where sensitive company information is involved, which requires that high levels of security and privacy be adhered to, backed up by a strong SLA that spells out the penalties should something go wrong. Price alone should not be the primary consideration. With due diligence adequately performed, organisations of all sizes will find there are many benefits in the use of SaaS-based delivery mechanisms, including the key benefit of having a service maintained, enhanced and supported by a team of specialists and experts at a lower cost than an organisation could achieve if the system were delivered through traditional mechanisms.

Further information

Further information about this subject is available from Bloor Research.
Bloor Research overview

Bloor Research is one of Europe's leading IT research, analysis and consultancy organisations. We explain how to bring greater Agility to corporate IT systems through the effective governance, management and leverage of Information. We have built a reputation for telling the right story with independent, intelligent, well-articulated communications content and publications on all aspects of the ICT industry. We believe the objective of telling the right story is to:

Describe the technology in context to its business value and the other systems and processes it interacts with.
Understand how new and innovative technologies fit in with existing ICT investments.
Look at the whole market and explain all the solutions available and how they can be more effectively evaluated.
Filter noise and make it easier to find the additional information or news that supports both investment and implementation.
Ensure all our content is available through the most appropriate channel.

Founded in 1989, we have spent over two decades distributing research and analysis to IT user and vendor organisations throughout the world via online subscriptions, tailored research services, events and consultancy projects. We are committed to turning our knowledge into business value for you.

About the author

Fran Howarth, Senior Analyst - Security

Fran Howarth specialises in the field of security, primarily information security, but with a keen interest in physical security and how the two are converging. Fran's other main areas of interest are new delivery models, such as cloud computing, information governance, web, network and application security, identity and access management, and encryption. Fran focuses on the business needs for security technologies, looking at the benefits organisations gain from their use and how they can defend themselves against the threats that they face in an ever-changing landscape. For more than 20 years, Fran has worked in an advisory capacity as an analyst, consultant and writer. She writes regularly for a number of publications, including Silicon, Computer Weekly, Computer Reseller News, IT-Analysis and Computing Magazine. Fran is also a regular contributor to Security Management Practices of the Faulkner Information Services division of InfoToday.
Copyright & disclaimer

This document is copyright 2011 Bloor Research. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research. Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research's intent to claim these names or trademarks as our own. Likewise, company logos, graphics or screenshots have been reproduced with the consent of the owner and are subject to that owner's copyright. Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.
Bloor Research, 2nd Floor, St John Street, London EC1V 4PY, United Kingdom