The end of April 2011 witnessed an interesting event. Amazon’s Elastic Compute Cloud (EC2) service was struck by a large-scale outage that lasted for 4 long days. While Amazon scrambled to deal with the worst outage in the cloud’s history, the world watched with fascinated horror. Nobody had ever thought that a cloud computing giant like Amazon would encounter an outage. But it did, and it took down almost 70 sites with it, including bigwigs like FourSquare, Reddit, Quora, parts of the New York Times, and more.
Now who owns the blame here? The world is unanimously pointing its finger at Amazon. But is Amazon solely responsible? What about the enterprises that chose to use cloud services? How could they blindly trust Amazon’s reputation and not worry about cloud-related risks? Wasn’t it their responsibility to understand the risks of cloud architectures and mitigate them appropriately? A school of thought prevails that when an enterprise chooses to use a cloud service, it indirectly assumes the responsibility of understanding and addressing the risks associated with it. But does that really happen? How many times have we heard cloud adopters asking “who is responsible if something goes wrong” or, more importantly, “who will fix the problem”?
Amazon’s outage has really brought out some deep-rooted risks of cloud platforms. The issue gets further complicated when it comes to a SaaS-based service. A SaaS provider has to provide uptime and at the same time allow the consumer to tweak the service and customize it for their own needs. Now what happens if the customization itself triggers an outage? Who would own the responsibility here? Your service level agreement will not suffice in such a case. What we really need here is a SaaS governance policy framework.
SaaS Governance in Enterprises
In 2010, Gartner came out with a report that showed that enterprises were slow in adopting SaaS governance policies. The survey, which spanned 9 countries from APAC, Europe, US, and Canada, showed that while enterprises had policies in place to govern on-premise software, the policies related to SaaS services were given a cold shoulder. The situation doesn’t seem to have changed much in 2011. Despite the rapid adoption of SaaS offerings by enterprises, there hardly seems to be any governance framework in place for them.
So if we were to frame a SaaS focused governance policy today what should we focus on? Our first area of focus should be Strategic Alignment of SaaS Solutions. All our SaaS offerings should be in harmony with the core strategy and vision of the enterprise. There is no sense in hoarding up SaaS solutions and not using them because they do not serve a business purpose.
Then comes Risk Management. There are many different risks associated with different SaaS offerings. Our policy should set up a structured and streamlined framework for addressing and mitigating these risks. Next in line is Performance Management. If an enterprise is adopting SaaS services then there has to be some way of evaluating and managing their performance. Our policy should define such performance benchmarks.
The next area of focus should be Resource Management. SaaS solutions are not self-sufficient. They all depend on the human factor. Thus, it is very important that our SaaS governance policy focuses on this factor. The right kind of people in the right positions can optimize the utilization and performance of the SaaS solutions. And finally, Value Delivery. The policy should focus on identifying and defining the processes that would ensure that our SaaS offerings continue to deliver business value.
A SaaS governance framework would clearly address and work out the doubts usually present in SaaS engagements. This would in turn improve the relationship between SaaS vendors and consumers in the long run. It would create a win-win situation for both parties involved.