Software as a Service – a resiliency look

Preamble: I wrote this a while ago, and moved it to this blog in draft mode. It is being republished because… I do not have time to write anything new. Comments welcome.

—–

Starting point for ruminations was this – IBM Recruiting ISVs, Partners to SAAS:

Viewing the software-as-a-service market as a major new-growth industry, IBM is offering a package of services and incentives to help software companies and channel partners deploy their products as hosted applications.

IBM is looking for a wave to catch to vault it over Sungard and other, smaller, companies specializing in hosting company’s backup servers and data. It is worthwhile, I think, to look at the generalizing principle on software-as-a-service (SAAS). What are its implications from a resiliency and continuity perspective?

For starters, SAAS goes beyond the now well-understood Application Service Provider (ASP) model. ASP implies that an application, usually one which covers at least one complete business process, is hosted by a service company rather than an internal IT department. From a computing perspective there is often little difference. After all, most large and medium-sized companies today have widely distributed IT deployments and most users do not know whether the web application they are using is coming to them from a data center 3 floors above or 3 thousand miles away. So what does it matter whether someone else is running a web server instead of your organization? Better organized resiliency programs certainly take this outsourcing into account when creating plans, treating ASPs as critical vendors as much as someone else supplying financial data or iron ore might be.

SAAS is a slightly different beast. One can think of an ASP provider as an implementation of SAAS, providing that “service” in SAAS in fairly large and monolithic chunks. But it need not remain that way. What if a SAAS provider is someone like former hitbox, providing a very specialized service of web analytics, or qualys continuously searching your network for vulnerabilities. In both cases, data might be downloaded and analyzed by a tool hosted by some other 3rd party, or internally. This software service is now provided as a small part of an overall business process, and may not even be known to the business unit as a component of the process that is provided by an outside vendor. To re-use the examples of services in this paragraph, we can consider the following scenario for web analytics:

IT Department provides traffic report and analysis to all departments in the enterprise. Most likely 90% of the department could not care less about the accuracy and granularity of the results. Marketing; however, is an exception. While it carefully tracks website usage all the time, a day-long outage of analytics would not be a major problem unless it coincides with a test run of a new marketing campaign. At which point and to which internal customers should IT direct an awareness campaign of the outside vendors it is using for the moment? Once a service become part of the enterprise services, their origin becomes largely transparent to the business level consumers of the service. It is worth noting that for most services only a small number of users will have a critical need of it. How should vendors be now evaluated for reliability and contracts structured?

Previously, when a department wanted to use an ASP both that business unit and IT would be involved in the evaluation process. However, SAAS will now allow both IT and business units to go it alone. That’s where things can start falling through the planning cracks since a lot of the services may not be part of the primary impact analysis process. In our scenario Marketing may not be aware that web analytics is separate from web server maintenance, and IT may not know that its outsourced analytics service is critical to some group – in this case Marketing – 3 weeks out of the year.

Similarly to how cheap Windows and Linux servers proliferated in workgroups a few years ago, cheap and transparent services will have a huge impact on how applications and business processes are assembled and executed in the future. Different providers may even be used for similar process steps in various locations or processes across the enterprise. How should customers reconcile their needs for efficient and cost-effective services with an increasingly flexible software services environment? One way, of course, is for an organization to forbid the casual use of outside software services and require than any allowed uses go through a rigorous evaluation process for each service, with clearly identified IT and business level integration points and fully performed cost-benefit analysis. That would work to keep smaller service vendors out, but they are also the most innovative ones.

Another way is for someone like IBM to step in. Salesforce is already doing something similar with its AppExchange, and I think other players are gearing up. IBM has an advantage over Salesforce and others, such as SAP or Oracle in that it has a much more independent platform. IBM can become, effectively, a guarantor of a service, whether it was developed by them or not. By providing the infrastructure, IBM can make sure the basic hosting things go well – such as service uptime, bandwidth, power, etc. Furthermore, IBM can host the same service in different configurations – critical for Marketing and delayed for other department, for example. Its market power would require service vendors to certify their products for stability and scalability, and remove the uncertainty from customers of dealing with a small and unknown entity. Organizations could then provide business rules for department to use, or at least test services, provided they comply with certain requirements – certified by IBM, and are hosted by a reliable vendor – such as IBM. At some point a need to both a certified host and certifying authority will become too strong not to produce a whole sub-industry. Currently, Accentures & Delloite’s of the world have the lead on certifying implementations (information security, for example). However, IBM already has a host of certification programs for its WebSphere Catalogue, as well as Ready for Virtualization and others relevant to organizational resiliency. Moreover, IBM has the ability the Accenture and its ilk lack of becoming insourced not only at the customer level, but vendor level as well. What that means is that vendors could develop services and solutions concentrating on their core competencies, not peripheral requirements of hosting an on-demand software service, for example.

As someone who works for a small vendor, I know that I would not very excited about having to build up a tremendous amount of infrastructure and support capabilities instead of farther developing our product. We did what we needed to do for our customers, but the less we have to do of things we have no competitive advantage in, the more value-added activities we can engage in. I am sure many other vendors feel the same way, and I think a lot of customers would be much happier if they could both easily use innovative services and have world-class hosting support to guarantee the robustness of that service.

This entry was posted in Resilience, Web. Bookmark the permalink.