A Short Note on SaaS [Software As A Service].
IMHO, I am building upon a short post on SaaS; this is not exhaustive, but I encourage the readers to share their valuable comments to improve this post.
SaaS is an abbreviation of Software As A Service, AKA Software on Demand, where the vendors develop, host and operate the software and make it available over the internet to their consumers / customers.
SaaS is the most mature category of cloud service, since it evolved from the application-service-provider model of software hosting.
With SaaS, software applications are rented from a provider as opposed to purchased for enterprise installation and deployment.
Users
Can range from a small group to a multitude.
SaaS Considerations
1. Faster time to market & Agile
This point concerns the global availability of the application and the applicability of an agile-driven development / upgrade process.
2. Costing
Versatile [monthly / quarterly / yearly subscription or per-user licensing models] with the ability to pay only for what is used.
3. Infrastructure
Approx. 70% of cases use a shared platform and shared instances [pure multi-tenancy], i.e. solutions that can scale up and down based on demand.
4. Security
The very nature of SaaS poses security challenges. In order to detect and prevent intrusion, strong encryption, authentication, and auditing must be part of the application design to restrict access to private and confidential data. Liability for the cost and damages associated with any data breach typically rests with the SaaS provider.
4.1 Authentication
SSO is mostly preferred, and some providers also offer options for managing personal profiles.
4.2 Security Rating
A rating of the security of the data should be made to ensure the protection level; this may demand a physical inspection of the SaaS provider's premises.
4.3 Regulatory compliance
Storing sensitive data like employee bank account particulars in the cloud may be non-compliant in some countries.
Use of federation for user identification and enablement within and across domains.
Capability of using SSO to facilitate access to multiple cloud applications.
Role-based access control for the users.
The tenant should be responsible for managing its own users and may allow delegated administration.
Tenant-controllable encryption mechanisms for safe transfer of data across the wire.
Regulatory controls for auditing user actions and also for ensuring that user access originates from controlled countries.
Data security to ensure which data is accessible to whom and by what means.
Data security mechanisms should be in place both for data in transit and for data at rest in the database.
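The access-control points above (role-based access, tenant-managed users with delegated administration, auditing of user actions, and data security in a shared database) come together in a multi-tenant data layer. The following is an added example, not code from the original post: a single shared table holds every tenant's rows, and the query function scopes every read by the tenant from the authenticated session, applies a tenant-local role, and records each decision in an audit log. Tenant names, users, roles and rows are constructed sample values.

```python
import sqlite3

# Constructed sample data: one shared table for all tenants (pure multi-tenancy).
ROWS = [
    (1, "acme", "invoice-1", "confidential"),
    (2, "acme", "invoice-2", "internal"),
    (3, "globex", "invoice-9", "confidential"),
]

# Role assignments are keyed by (tenant, user): a role never crosses tenants.
# "tenant_admin" is the delegated administrator managed by the tenant itself.
ROLES = {
    ("acme", "alice"): "tenant_admin",
    ("acme", "bob"): "viewer",
    ("globex", "carol"): "tenant_admin",
}

AUDIT_LOG = []  # every access decision is kept for the regulatory audit trail


def build_db():
    """Create the shared in-memory table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents(id INTEGER, tenant_id TEXT, "
               "name TEXT, classification TEXT)")
    db.executemany("INSERT INTO documents VALUES (?,?,?,?)", ROWS)
    return db


def list_documents(db, tenant_id, user):
    """Return the document names visible to `user` of `tenant_id`.

    The tenant_id predicate is applied unconditionally and is taken from the
    authenticated session, never from a user-supplied filter, so rows of
    other tenants in the shared table are never reachable.
    """
    role = ROLES.get((tenant_id, user))
    if role is None:
        AUDIT_LOG.append((tenant_id, user, "denied: no role"))
        return []
    # Viewers see only rows classified "internal"; delegated admins see all rows of their tenant.
    sql = "SELECT name FROM documents WHERE tenant_id = ?"
    if role != "tenant_admin":
        sql += " AND classification = 'internal'"
    rows = [r[0] for r in db.execute(sql, (tenant_id,))]
    AUDIT_LOG.append((tenant_id, user, f"read {len(rows)} rows as {role}"))
    return rows
```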
Monitoring
Diverse tools to monitor the performance.
Tools should be provided to poll the application services and infrastructure services to get their health status and take the necessary actions if required.
Performance
Performance of the application under voluminous user and transaction operations, i.e. the application's performance both for a single customer's transaction and for simultaneous transactions.
Mostly favored aspects of SaaS
Configuration over customization
Configuration requirements for each tenant without downtime of the application:
1. Metadata configuration
2. Metadata engine configuration or the business rule engine to gain a finer control of the business behaviors
3. Tenant based configuration of the data security to have a means to allow or restrict the user access to the data
4. Configuration for handling and logging exceptions
Scaling requirements
On-demand scaling up and scaling down.
Load balancing is required in order to scale the application across a myriad of servers, increasing the application's availability and resulting in fail-safe, redundant data. However, there must be a mechanism in place to keep all these servers in sync so that no stale data is rendered to users operating simultaneously.
Horizontal scalability refers to the process of adding servers to serve the application across different requests. This enables location transparency.
Multi-tenant efficiency
Should be capable of managing tenants with a single shared instance.
Presentation tier
Should be intuitive, user friendly and localizable.
Cross-device presentability.
Reporting
Application specific pre-defined reports and ad-hoc reports
Syncing with external data
When syncing external data with the SaaS application data, there should be pointers to identify the right version of the data and which records are available for sync.
Also, some data will be added to the SaaS application asynchronously, i.e. in the back-end, requiring that the data be uploaded from the on-premise application to the SaaS application for reporting or other purposes.
Metering indicators should be provided to indicate usage, availability, failures, response times, etc.
Disaster recovery plans
These should be in place as part of the application development and also over the course of usage.
The plan should also define a set of procedures: identify mission-critical data and how often it should be backed up, describe where data is housed, the backup procedures, what tests are run to ensure the probability of recovery, and what resources are responsible for data recovery. Additionally, a clear path should be detailed as to how easily a customer can retrieve data, both raw and processed, if a decision is made to leave a particular SaaS provider.
Deployment
1. Any multi-tenant application will use a common code base and a shared database [the pure form of multi-tenancy] and be accessed simultaneously. The user experience should be similar to that of on-premise access.
Audits
There are two types of audit that are required:
1. Security audit
SysTrust and SAS 70
In a SysTrust audit, the auditor evaluates whether a particular managed services provider is reliable when compared against the principles set for security, availability, processing integrity, and confidentiality of sensitive information, which may be set forth in the form of an SLA between the managed services provider and its customers.
The major difference between the SysTrust and SAS 70 audits is the scope of the audit. While the SAS 70 audit provides a report on the effectiveness and adequacy of a managed services provider's internal controls, the SysTrust audit provides a report covering an application's reliability.
2. Information audit
Application updates
Updates deliver enhancements to an application: improvements to the user interface or the functionality of the system, or performance improvements.
Patches are fixes for the bugs identified in the system in due course of operation, during testing after release, or as part of a new feature integration.
The update cadence for an on-premise application versus a SaaS application is roughly 4-6 months vs. 4-6 weeks for the SaaS application.