My last SaaS posts were mostly about SaaS from a SW company's strategic perspective. This one takes the SaaS consumer's side: the viewpoint of business and IT users.
For me as a business user, SaaS represents a wonderful opportunity to find and start using new applications that make my job easier. All I need is a credit card, a computer and an internet connection. Great - after 10 minutes I can hit the ground running with my free trial. One monthly price and I have no IT budget hassles (hence the bypass), no servers to install, no backups to worry about and no datacenter costs. Personally, at IQ, I use a variety of SaaS solutions and wouldn't want it any other way. Neither would our technical team - they are too busy building innovative technology. So, for a small to mid-sized business or a department of a large organization, the model is cost effective and works well.
The picture is not so rosy for larger IT organizations. Imagine this very real scenario: Mary in accounting needs a better way to organize and store invoices, so she gets a SaaS subscription to InvoicesAreUs (a SaaS startup) for herself and 5 other team members. Bob in marketing wants to store his collateral online and make it available to the sales team, so he gets a Google Sites account and creates a quick intranet. Meanwhile, the CIO has just paid $10 million for an enterprise Documentum license. Fast forward 3 months: InvoicesAreUs goes out of business and Bob gets fired. There is suddenly a crisis. Nobody has a record of the invoices, since Mary scanned the hardcopies into InvoicesAreUs and then destroyed them (naturally the InvoicesAreUs database is no longer available); Bob still has access to the online Google Sites, since nobody has revoked his authorization (there is no tie-in to a central LDAP or similar security directory); and the CIO suddenly has to figure out why employees are paying monthly fees for something that he has already bought.
Could this fiasco have been avoided? Well, yes, with 3 main governance components:
(1) All SaaS purchases must be approved to ensure that there is no overlap with existing or planned systems that the purchaser is unaware of;
(2) All SaaS user accounts must be authenticated against a central LDAP (or similar) directory so that users can have their access to the systems withdrawn;
(3) All SaaS data must be provided on a backup schedule with a mechanism to view and manipulate the data outside of the SaaS application.
So, what's the bottom line? SaaS can be incredibly useful, valuable and cost effective, but to be successful, SaaS vendors need to support corporate IT's governance and security requirements.
Tuesday, April 15, 2008
1 comment:
Hello. This post is likeable, and your blog is very interesting, congratulations :-). I will add in my blogroll =). If possible gives a last there on my blog, it is about the TV de Plasma, I hope you enjoy. The address is http://tv-de-plasma.blogspot.com. A hug.