Renato Mascardo, Chief Technology Officer, Accela
Making the Most of the SaaS Experience
Government has embraced software as a service -- and with good reason. SaaS simplifies IT management, reduces costs, and strengthens the overall security posture of the enterprise. Some are moving to SaaS as they shift away from running their own data centers, while others are already running SaaS and are looking for ways to implement SaaS more effectively.
But what does it mean to implement SaaS effectively? More than just a contract for services rendered, SaaS represents a relationship between the software provider and the end user. And just as in any relationship, you only get out of it as much as you’re willing to put in.
Whether you’re already engaged in a SaaS deployment, or considering a move to as-a-service offerings, it’s helpful to give close consideration to three key factors, in order to understand how best to make use of the SaaS model: Uptime, sustainability, and security.
Up and running
Uptime is a key consideration for the IT team. Smooth and seamless operations ensure a satisfied end user and successful mission completion. High uptime also frees IT to devote its attention to more pressing matters than routine care and maintenance.
To craft a meaningful service level agreement, it’s important to do some internal exploration at the outset. Admins need to define what is considered an outage, and what counts as degraded performance versus a true hard-down.
They need to look at uptime as a function of the work at hand. Which are the critical components you care most about? It’s important to understand the downstream ramifications of downtime, in order to define the needs around uptime.
There’s a temptation to say: “I want it all up, all the time.” But that’s neither practical nor especially helpful, since uptime is the product of complex factors. Production environments have unique traffic patterns and usage that are hard to replicate in performance testing environments. Platforms can be customized, in which case specific actions may trigger issues. And SaaS services are usually delivered via the public internet, which means transit plays a role in uptime.
In a more effective approach to SaaS, IT will define what the most critical systems are and what their performance thresholds need to look like. A meaningful strategy around SaaS uptime starts with deep internal examination and prioritization.
In the world of conventional software, IT might buy a product, run it until it has outlived its usefulness, and then move on to something else. SaaS doesn’t work that way: It’s an investment over time, one that grows and evolves to meet the changing needs of government. That’s “sustainability” in SaaS.
To determine whether a SaaS partner will be sustainable, IT will need to look at the software’s capacity to evolve over time. You’ll want to consider whether there are APIs inherent in the SaaS offering that will make it easy to implement needed features and functions as they emerge.
Ideally the SaaS offering will have inherent flexibility: A flexible security model, a flexible data model. Key processes should be able to adapt with changing workflows, and IT should have an application interface, a way to manage through those changes beyond just the base user interface. Scripting engines, APIs, a mobile interface – these are a few of the key indicators that help describe a sustainable SaaS offering.
SaaS isn’t just about a single application, a single approach to solving a problem today. Rather, the value of the SaaS offering lies in this long-term proposition. No one knows exactly what tomorrow’s needs will bring. A service-based offering should include not just the application – that’s table stakes – but rather a full suite of tools and controls to empower IT to make best use of the solution now and in the future.
There’s a myth around SaaS that needs to be laid to rest: That securing the software is the vendor’s sole responsibility. In order to use SaaS most effectively, IT leaders need to consider their own role in the security equation, and they need to work in close cooperation with the vendor to craft a holistic approach to the fast-changing threat landscape.
First order of business: For organizations with a CISO, that person needs to have a seat at the table. Those responsible for information security can play a key role in helping define the parameters around what is needed to effectively secure a SaaS deployment.
Organizations then need to look internally at the needs around compliance, defining clearly the standards that are required given the particular functional needs and how the software will be utilized. What standards does the organization need to align to? What kind of data is there to protect, and what level of protection is actually necessary?
Two-factor authentication, SSL protocols, security standards for communication: In the data center all these fell under IT control and could be implemented as needed. In the SaaS environment, IT still has the power to adjust the parameters, but government will get the greatest value if it takes an internal deep dive at the outset, defining what is needed and working hand in glove with the vendor to ensure the desired standards fit well within the proposed solution.
The security landscape is shifting every day. That makes the relationship between the vendor and SaaS customer especially important. By working together to clearly define and implement security protocols, SaaS can enable government to be proactive rather than reactive in a rapidly changing security landscape.
Which versions of encryption are in play? What are the communication protocols between systems? What are the username and password constraints? What two-factor authentication elements are available? Security in SaaS is an ongoing conversation, a dialog in which IT engages the vendor proactively in order to tailor security to the specific business need.
For those considering a SaaS implementation, and for those already consuming software in a service-delivery model, it’s important to seek out vendors who appreciate the nuance. Government needs a partner who is willing to sweat the details, who can have meaningful conversations around -- and give meaningful answers to -- concerns about such key issues as uptime, sustainability, and security. Open and flexible technology helps agencies address specific needs today, while ensuring they are well prepared for the emerging challenges of the future.