This is “SaaS: Not without Risks”, section 10.8 from the book Getting the Most Out of Information Systems (v. 1.2). For details on it (including licensing), click here.

For more information on the source of this book, or why it is available for free, please see the project's home page. You can browse or download additional books there. To download a .zip file containing this book to use offline, simply click here.

Has this book helped you? Consider passing it on:
Creative Commons supports free culture from music to education. Their licenses helped make this book available to you.
DonorsChoose.org helps people like you help teachers fund their classroom projects, from art supplies to books to calculators.

10.8 SaaS: Not without Risks

Learning Objective

  1. Be able to list and appreciate the risks associated with SaaS.

Like any technology, we also recognize there is rarely a silver bullet that solves all problems. A successful manager is able to see through industry hype and weigh the benefits of a technology against its weaknesses and limitations. And there are still several major concerns surrounding SaaS.

The largest concerns involve the tremendous dependence a firm develops with its SaaS vendor. While some claim that the subscription-based SaaS model means that you can simply walk away from a vendor if you become dissatisfied, in fact there is quite a bit of lock-in with SaaS vendors, too. And in addition to the switching costs associated with switching on conventional software platforms, switching SaaS vendors may involve the slow and difficult task of transferring very large data files over the Internet. Having all of your eggs in one basket can leave a firm particularly vulnerable. If a traditional software company goes out of business, in most cases its customers can still go on using its products. But if your SaaS vendor goes under, you’re hosed. They’ve got all your data, and even if firms could get their data out, most organizations don’t have the hardware, software, staff, or expertise to quickly absorb an abandoned function.

Beware with whom you partner. Any hot technology is likely to attract a lot of start-ups, and most of these start-ups are unlikely to survive. In just a single year, the leading trade association found the number of SaaS vendors dropped from seven hundred members to four hundred fifty.M. Drummond, “The End of Software as We Know It,” Fortune, November 19, 2001. One of the early efforts to collapse was Pandesic, a joint venture between SAP and Intel—two large firms that might have otherwise instilled confidence among prospective customers. In another example, Danish SaaS firm “IT Factory” was declared “Denmark’s Best IT Company” by Computerworld, only to follow the award one week later with a bankruptcy declaration.R. Wauters, “The Extraordinary Rise and Fall of Denmark’s IT Factory,” TechCrunch, December 2, 2008. Indeed, despite the benefits, the costs of operating as a SaaS vendor can be daunting. NetSuite’s founder claimed it “takes ten years and $100 million to do right”Sarah Lacy, “On-Demand Computing: A Brutal Slog,” BusinessWeek, July 18, 2008.—maybe that’s why the firm still wasn’t profitable, even three and a half years after going public.

Firms that buy and install packaged software usually have the option of sticking with the old stuff as long as it works, but organizations adopting SaaS may find they are forced into adopting new versions. This fact is important because any radical changes in a SaaS system’s user interface or system functionality might result in unforeseen training costs, or increase the chance that a user might make an error.

Keep in mind that SaaS systems are also reliant on a network connection. If a firm’s link to the Internet goes down, its link to its SaaS vendor is also severed. Relying on an Internet connection also means that data is transferred to and from a SaaS firm at Internet speeds, rather than the potentially higher speeds of a firm’s internal network. Solutions to many of these issues are evolving as Internet speeds become faster and Internet service providers become more reliable. There are also several programs that allow for offline use of data that is typically stored in SaaS systems, including Gears and Adobe AIR. With these products a user can download a subset of data to be offline (say on a plane flight or other inaccessible location) and then sync the data when the connection is restored. Ultimately, though, SaaS users have a much higher level of dependence on their Internet connections.

And although a SaaS firm may have more security expertise than your organization, that doesn’t mean that security issues can be ignored. Any time a firm allows employees to access a corporation’s systems and data assets from a remote location, a firm is potentially vulnerable to abuse and infiltration. Some firms may simply be unacceptably uncomfortable with critical data assets existing outside their own network. There may also be contractual or legal issues preventing data from being housed remotely, especially if a SaaS vendor’s systems are in another country operating under different laws and regulations. “We’re very bound by regulators in terms of client data and country-of-origin issues, so it’s very difficult to use the cloud,” says Rupert Brown, a chief architect at Merrill Lynch.G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008.

SaaS systems are often accused of being less flexible than their installed software counterparts—mostly due to the more robust configuration and programming options available in traditional software packages. It is true that many SaaS vendors have improved system customization options and integration with standard software packages. And at times a lack of complexity can be a blessing—fewer choices can mean less training, faster start-up time, and lower costs associated with system use. But firms with unique needs may find SaaS restrictive.

SaaS offerings usually work well when the bulk of computing happens at the server end of a distributed system because the kind of user interface you can create in a browser isn’t as sophisticated as what you can do with a separate, custom-developed desktop program. A comparison of the first few iterations of the Web-based Google Docs office suite, which offers word processing, presentation software, and a spreadsheet, reveals a much more limited feature set than Microsoft’s Office desktop software. The bonus, of course, is that an online office suite is accessible anywhere and makes sharing documents a snap. Again, an understanding of trade-offs is key.

Here’s another challenge for a firm and its IT staff: SaaS means a greater consumerization of technology. Employees, at their own initiative, can go to firms such as Socialtext or PBworks and set up a wiki, WordPress to start blogging, or subscribe to a SaaS offering like Salesforce.com, all without corporate oversight and approval. This work can result in employees operating outside established firm guidelines and procedures, potentially introducing operational inconsistencies or even legal and security concerns.

The consumerization of corporate technology isn’t all bad. Employee creativity can blossom with increased access to new technologies, costs might be lower than home grown solutions, and staff could introduce the firm to new tools that might not otherwise be on the radar of the firm’s IS Department. But all this creates an environment that requires a level of engagement between a firm’s technical staff and the groups that it serves that is deeper than that employed by any prior generation of technology workers. Those working in an organization’s information systems group must be sure to conduct regular meetings with representative groups of employees across the firm to understand their pain points and assess their changing technology needs. Non-IT managers should regularly reach out to IT to ensure that their needs are on the tech staff’s agenda. Organizations with internal IT-staff R&D functions that scan new technologies and critically examine their relevance and potential impact on the firm can help guide an organization through the promise and peril of new technologies. Now more than ever, IT managers must be deeply knowledgeable about business areas, broadly aware of new technologies, and able to bridge the tech and business worlds. Similarly, any manager looking to advance his or her organization has to regularly consider the impact of new technologies.

Key Takeaways

The risks associated with SaaS include the following:

  • dependence on a single vendor.
  • concern about the long-term viability of partner firms.
  • users may be forced to migrate to new versions—possibly incurring unforeseen training costs and shifts in operating procedures.
  • reliance on a network connection—which may be slower, less stable, and less secure.
  • data asset stored off-site—with the potential for security and legal concerns.
  • limited configuration, customization, and system integration options compared to packaged software or alternatives developed in-house.
  • the user interface of Web-based software is often less sophisticated and lacks the richness of most desktop alternatives.
  • ease of adoption may lead to pockets of unauthorized IT being used throughout an organization.

Questions and Exercises

  1. Consider the following two firms: a consulting start-up, and a defense contractor. Leverage what you know about SaaS and advise whether each might consider SaaS efforts for CRM or other enterprise functions? Why or why not?
  2. Think of firms you’ve worked for, or firms you would like to work for. Do SaaS offerings make sense for these firms? Make a case for or against using certain categories of SaaS.
  3. What factors would you consider when evaluating a SaaS vendor? Which firms are more appealing to you and why?
  4. Discuss problems that may arise because SaaS solutions rely on Internet connections. Discuss the advantages of through-the-browser access.
  5. Evaluate trial versions of desktop SaaS offerings (offered by Adobe, Google, Microsoft, Zoho, or others). Do you agree that the interfaces of Web-based versions are not as robust as desktop rivals? Are they good enough for you? For most users?