Archive for March, 2008

SaaS Governance

The other day, I was talking to a company that posed an interesting question to me – they are a typical ISV developing on-premise software products, however, they have a need to develop and expose certain (hosted) services that need to by consumed by their end customer, which these customers can customize to a certain extent. So the question was – who is responsible for supporting these services if something does not work and how do we know what the underlying cause of failure was so that we can determine who is at fault and who should be fixing the problem?

It’s a very good question, because this ISV is entering a hybrid model – where their on-premise business model is now complemented by their hosted services model (not really SaaS because it might not be a multi-tenant single instance architecture). Before, they could create their product, package it, sell it and then let the customer worry about the operational aspect of it – if there was infrastructure downtime, it was the customer’s headache. But now, if the customers consume these hosted services which they can also customize and something goes wrong with the service, who now supports the problem? Was the problem due to the customizations that the customer did? If so, is it the customer’s problem? If not, then it should be the ISV’s problem. And how does one determine what caused the problem in the first place?

This is an issue many ISVs who are moving to SaaS struggle with. Every SaaS customer should have the ability to customize – customize the UI, customize workflows, customize the data model to extend it to suit their needs. Yet, every SaaS provider is faced with the challenge of providing uptime while at the same time allowing their customers to tweak the service. So how does the provider and consumer figure out who is using which service, when, under what conditions and what should be done in the event that something goes wrong?

That is where SaaS (and in general, SOA) governance comes into play. Governance is one of those overused words that is thrown around casually and it can mean different things to different people. Governance to a developer means something different than to an auditor. Governance, especially SOA/SaaS governance is about conformance and compliance. Are my developers writing code that complies with my Enterprise Architecture standards? Are my developers conforming to the standards and frameworks that should be used for developing certain products or projects within the enterprise? How are my product/project artifacts being advertised to other development teams? Who is reusing my artifacts during development, on which projects and how much time is it saving them? Who is consuming my service at runtime? Is the service doing what it advertises it does? All of these questions, and many more, fall under the realm of governance. Keep in mind that what I am talking about here is mostly SOA/SaaS governance, not IT Governance, which encompasses many other things like architecture, data and infrastructure governance, corporate governance (SOX, etc), disaster recovery and business continuity, etc.

So coming back to SaaS governance, how can it help this ISV to solve their problem? The answer is Service Level Agreements (SLAs). Most product companies do not have a lot of experience when it comes to crafting SLAs, simply because it has never been a concern for on-premise product companies. As I mentioned before, they are used to creating software, packaging it and selling it under a license and once the product is sold, it’s deployment and operations are now really the concern of the customer that just bought the product. However, SaaS brings with it it’s own set of challenges for companies, in particular ISVs who are now held responsible for the operations of the service that they are selling. So what exactly is an SLA and how does it help protect both the service provider and consumer?

In simple terms, an SLA is a a contract that exists between the SaaS provider and their customer that describes the level of service that the provider will provide and the customer should expect from that service. It details the availability, performance, operations and other areas of relevance to the service being provided and in many cases will even provide details around the penalty should these terms not be met. For the provider, it is a way to set realistic expectations for their customers. The for consumer, it is a way to hold the provider accountable should the provider violate the SLA agreement. The point of importance here is that the SLA should not be loathed by the provider or be seen as a way to hold the provider hostage by the consumer. It should be viewed as a way to open up the communication channels so that both parties can come to terms on what is acceptable and should be used as an objective way to measure usability, quality and accountability by both parties. But make no mistake, there is some level of negotiation that definitely happens as part of crafting an SLA. An SLA goes into great detail outlining the availability, reliability, performance, the types of support available along with the associated timings, penalties should these metrics not be met (usually in the form of credits), classification of problems and associated response times, etc.

In summary, it is important to remember that an SLA is not a guarantee of service uptime. It is merely an insurance policy. However, it is an absolute must for both service provider and consumer to have an SLA in place so that both parties are protected in the event of an event. In my mind, an SLA is not just there to benefit consumers. Just as providers have a responsibility to their customers to provide their service in a highly reliable, available and scalable environment, consumers too have a responsibility to use the service responsibly, to not interject anomalies into the system by trying to do something that is not supported by the provider which should be clearly states in the SLA, etc. The SLA helps to open up communication between both provider and consumer and helps manage customer relations.


March 4, 2008 at 4:43 am Leave a comment

Add to Technorati Favorites
March 2008
« Feb   Apr »

Recent Posts