The data center at the University of Maryland's Robert H. Smith School of Business is somewhat of a ghost town.
The school used to maintain a large Lotus Notes environment for faculty, students and staff, but in 2012 began migrating to Google Apps, a software as a service (SaaS) offering that provides all the necessary email, calendaring and collaboration tools, plus a productivity suite. Now the school only maintains a small handful of servers: Citrix for XenApp and VMware for VDI, plus some custom applications, for a total of about 75 virtual machines across four VMware hosts.
"There's not a whole lot that we've kept in-house," said Chris Gleeson, virtualization architect.
Nor does he really miss it. "It's actually been quite nice. Our data center is looking sleek, and we have a huge stack of equipment we need to take down to the Terrapin Trader" -- the university recycling center.
This scene promises to repeat itself across IT organizations with increasing frequency: data centers that were once stuffed to the gills with infrastructure running important business applications are being pared down to a handful of servers. Those critical business functions are being offloaded to SaaS providers, whose cloud-hosted applications provide most of the functionality of on-premises equipment on a subscription basis, for substantially less muss and fuss.
These offloaded applications prove that SaaS is no longer a fringe service that's only suitable for less-critical tasks. It's now front and center for many enterprises, and it means managing a number of new relationships -- not just with providers, but also with users and new technologies. That doesn't mean IT is less necessary, but it does mean a big change in its role. And even when things go well, there's plenty to get used to about consuming and managing applications that are beyond IT's direct control.
SaaS has worked out nicely for the University of Maryland's Gleeson, whose job has become easier. "I have a lot less work to do on our email and collaboration stuff, because I don't need to do much to keep it running," he said. Training users is a breeze, since most of them are familiar with the Google Apps interface, and the support desk receives just 20% of the calls that it used to.
Gleeson is now freed up for higher-value projects, such as putting in place a new virtual desktop infrastructure (VDI) implementation that the school will use as the basis of a new distance learning program.
For AMAG Pharmaceuticals in Waltham, Mass., SaaS means that IT has moved away from being a fix-it team. Since the company began its transition to SaaS in 2009, the long list of its cloud-hosted apps includes Google Apps in lieu of Exchange; Lucidchart for Visio; SmartSheet for MS Project; and Join.me for WebEx. The company also uses SaaS-based human resources and ERP software -- even clinical and safety products, as well as SaaS-based data backup and email tools Spanning and Google Postini.
Adopting SaaS has helped the firm move away from "a massively broken model," said Nathan McBride, vice president of IT. "We wanted to be able to access data from anywhere. We wanted to stop fixing things, instead just replace a computer or sub it out," he said.
It's also ended up saving the firm "quite a bit of money," McBride said, even though he viewed cost as "an ancillary benefit."
The first hurdles
But it's not all sunshine and roses when SaaS comes to town. "SaaS-delivered apps are just another huge IT nightmare," said Bernd Harzog, CEO at APM Experts in Alpharetta, Ga.
For some shops, SaaS problems rear their heads as soon as the user logs in, with authentication and access control.
Early adopters of SaaS had a common complaint: "They said to us, 'My users will not use more of this stuff if they're getting barraged by names and passwords,'" recalled Eric Berg, vice president for product marketing at Okta, a cloud identity management firm founded in 2008.
Identity management poses a challenge for IT staff too, notably around integrating SaaS applications with the organization's internal directory -- usually Microsoft Active Directory. IT wants to provide its users with the convenience of single sign-on for all of their SaaS apps, from inside or outside the organization, but doesn't trust an outside provider with access to its Active Directory domain.
"People tend to be very conscientious about Active Directory credentials. They don't want it stored outside of their firewall," Berg said.
At the same time, Active Directory doesn't work so well with today's highly distributed, outside-the-firewall applications. "AD was built for a world where all the desktops were Windows, domain-joined and that's how you got access to the apps. A lot of stuff today breaks that," Berg said.
Okta and cloud identity management services like it bridge that gap by installing an agent on the organization's internal domain controller and connecting back up to its service, syncing up users and their SaaS accounts in different ways based on user location. When at the office and domain-joined with AD, Okta verifies that the user is authenticated and lets them log in to apps secured behind Okta. From home or the road, the user goes to their company's okta.com domain, and logs in with their usual AD credentials.
Seeking SaaS clarity
But what IT really wants to know -- and control -- is what users are actually doing inside those SaaS apps.
An obvious question is whether users are even using their licenses. That's especially relevant for expensive SaaS applications like Salesforce.com, whose per-user cost approaches $1,000 per year, said Daniel Sarfati, CEO at Applango, whose software helps customers monitor and track spending on SaaS software.
Just as important as whether users are using licenses is how they are using their licenses, Sarfati said. In the case of Salesforce, for instance, business leaders want to identify salespeople who are focused more on closing deals than on lead generation. If they're doing the latter, "chances are that they are leaving the company soon," he postulated.
IT administrators sometimes have more pedestrian SaaS utilization questions. 2U, an online educational software provider, is a heavy user of Google Apps, which it has been using since its inception in 2008. Last year, the company began using FlashPanel from BetterCloud to manage its Google Apps environment, instead of Cpanel, Google Apps' included management suite. Right away, FlashPanel's reports helped the firm resolve a longstanding problem of users unexpectedly hitting up against their space quotas, said Daniel Berman, IT network manager at the firm.
"It was really eye-opening in terms of what people are doing," Berman said.
Then, after time spent exploring things like "what's there, what's happening with my data, who's using my data?" IT admins can move on to bigger things, said David Politis, BetterCloud CEO: cleaning up unused licenses, getting documents into compliance, or setting policies to prevent users from going out of compliance in the first place.
When IT's hands are tied
In addition to the everyday how-does-this-thing-work challenges of SaaS, there may be deeper technical or cultural issues at play.
Deployment problems arise when an organization contracts with a provider that isn't able to scale to meet demand, said Joe Sanchez, an independent consultant and blogger at vminstall who has implemented SaaS applications for users and for the service providers themselves.
"If they're not prepared, you're going to start having performance problems, and you in IT are going to have to deal with that," Sanchez said.
In these cases, IT ops is between a rock and a hard place: IT has no ability to go in and fix the problem itself, but users still turn to IT to resolve their problems.
"Before, you could have managed that internally, but now you're in the middle, trying to triage issues. And bottom line, you're still responsible for making sure that the [end user] customer is happy," Sanchez said.
That's a situation that has the potential to go south in a hurry.
Indeed, organizations that adopt SaaS software are largely at the mercy of the provider when it comes to the availability of the application, Harzog said. Traditional monitoring tools are of little help with SaaS apps, since they require an agent on the application server. "Salesforce.com is not going to let you do that," he said, referring to the popular hosted customer relationship management suite. Meanwhile, application performance monitoring tools tend to monitor code, which is also a non-starter for SaaS-delivered apps.
While some providers try to provide visibility into their uptime, there are still too many things outside of IT's control, and that will stymie SaaS adoption for all but consumer-class applications, Harzog predicted.
Harzog compares SaaS to virtual desktop infrastructure, or VDI, which has been around for years, but never really took off. "There are people who thought VDI was going to take over the world, but guess what? Without connectivity, you have no apps, you have nothing. You have a brick," he said.
Likewise, a SaaS app is only as good as its network connection, and providers' unwillingness to assume responsibility for it "will serve as a long-term limitation of SaaS."
In the SaaS driver's seat
Some SaaS-centric IT shops scoff at those concerns, saying that performance and service-level agreements are the least of their worries. In practice, large SaaS providers have demonstrated very good performance over the years, and when they don't, the SaaS subscription model makes it easy to move to another provider, said McBride of AMAG Pharmaceuticals.
"SLAs are really irrelevant. What's relevant is that they're up when you need them," he said.
But what happens if a SaaS provider makes a habit of not being available? "If they have problems, we are going to dump them," McBride said. "Where I'm at right now, half of my vendors might be going away by the end of 2014," something that's made possible by declining to sign any long-term contracts.
"Signing contracts of two to three years is shooting yourself in the foot," he said.
So while at first glance, implementing SaaS can seem like IT is giving up control, it's the customers who hold the purse strings -- and ultimately the power.
Keep that in mind as your organization shifts to more SaaS apps over time, said Applango's Sarfati, because the likelihood that you'll revert to on-premises software is slim.
"SaaS is a one-way street," he said. "Once you go there, it's hard to go back."