How To Recognize Key SaaS Software Differences
Hosted Software Delivery Differences
While each of the SaaS providers delivers its products over the Internet from a hosted data center, that’s where the similarities end. Probably due to the infancy of the business model and a lack of recognized best practices, SaaS hosting and remote application delivery vary greatly among the SaaS vendor crowd. Key hosting differences include strategies and measures in the areas of reliability, security, performance, service level agreements and environmental friendliness.
Reliability simply means 100 percent continuous uptime or the avoidance of system downtime. Business may come to an abrupt halt if salespeople cannot access their prospect information or customer service reps cannot enter new tickets. The best criteria to measure and forecast reliability include redundancy, diversification and uptime history. Redundancy applies to software, hardware and data center infrastructure items. Most reputable data centers use the term “N+1”, indicating that for every point of failure there is a real-time backup device in place to mitigate and avoid that failure. My observation shows that about half of the CRM and ERP SaaS companies offer N+1 redundancy. To my knowledge, Aplicor is the only business systems SaaS provider which offers N+2 redundancy. It’s not a coincidence that Aplicor is also the only CRM SaaS provider to achieve 100% uptime since 2003.
Diversification leverages multiple data centers to achieve redundancy in the event that an entire data center site goes down. Salesforce.com operates multiple high availability (HA) data centers in the US while Aplicor operates multiple HA data centers in the US and Europe. In both cases, either company could lose an entire data center and the remaining data center(s) would absorb the total load so no service disruption would result for any users. I’m not aware of any other SaaS provider which operates more than one data center to achieve this level of assuredness. Uptime history is the ultimate litmus test. Ask your vendor for the number of unplanned AND planned system down occurrences for the last three years before you commit (however, be prepared to sign an NDA and even then you may not get the answer to your question).
Information security interest or concern varies by prospect. Regulatory requirements such as SOX, GLBA (Gramm-Leach-Bliley Act) and HIPAA often bring this concern to the forefront. Even if your company isn’t regulated by these acts, nobody wants to be in the headlines because a backup tape with their client information fell off the truck or a hacker gained access to privileged information. The two best criteria to measure information security effectiveness are independent audits and onsite reviews. ISO 27001 is an internationally recognized audit which covers information security in the data center and at the operational levels. The audit is relevant, stringent, performed annually and a worthwhile attestation for security-conscious customers. SAS 70 is another audit and certification I see from time to time. However, my own investigation shows that it is not internationally recognized, lacks information security depth, is largely void of prescriptive security-related criteria and is basically granted upon the will and discretion of your local CPA. Nothing against CPAs, I used to be one; however, I don’t think their information security depth is as profound as their accounting knowledge and I believe the extremely vague criteria of the SAS 70 to be of marginal value. Just my opinion. I think the SAS 70 does a better job of providing additional consulting revenues to CPAs than providing any type of information security attestation that can be relied upon by a consumer. Again, just my opinion.
Hosted delivery performance is generally most influenced by peak period demand and distance-imposed latency. My observation is that most SaaS hosting companies have more than sufficient processing power and peak period variations are limited to a few players. Latency on the other hand is a performance factor suffered by most users outside North America. Eliminating excessive latency was one of the key reasons why Aplicor began implementing data centers abroad.
Service Level Agreements (SLAs) provide the backing or proof for all other data center claims. Unfortunately for the industry, SLA availability is hit or miss depending upon your particular SaaS vendor. Also, some vendors provide SLAs but negate their value by excluding ‘scheduled’ downtime or burying downtime under the guise of ‘maintenance’. A good SLA should limit the exclusions, provide financial penalties for non-conformance and offer visibility into data center and network performance. Aplicor provides a Performance Delivery web site monitor, as does Salesforce.com. To date, no other SaaS vendors have followed suit.
It’s been a pleasant experience for me to be questioned more frequently on data center environmental friendliness. Data centers are extreme consumers of energy and variations in infrastructure management can result in material changes in emissions and environmental impact. Operating a green data center will be a plus to some and irrelevant to others. There are many criteria which can be evaluated to understand the differences in data center efficiency and environmental impact among SaaS companies. If this criterion is important to you, I suggest you view the blog entry titled SaaS is GREEN to see how much merit you want to put into this part of your evaluation.