SaaS Customer Life cycle

Understanding the life cycle of a customer is a useful thing. Are there differences between and enterprise SaaS client and other models of software delivery? Yes I think there are.

The SaaS customer life cycle can be broken down into the following parts







There is nothing earth shattering about this diagram, but there are some significant differences between SaaS life cycle and installed software life cycle.

My goal is to cover each of these parts over the course of the next number of posts.

SaaS, Security, Privacy and Compliance

If your target market is the enterprise for your SaaS offering it is highly likely you will need to deal with issues surrounding security, privacy and compliance. These issues will likely need to be addressed in the sales process and likely during implementation.

All three of these items are typically lumped together, but in fact are three different issues so let's try to untangle them.

Security is typically related to, well security. Seems obvious right? In most instances this is referencing mitigations against attack vectors that would put data at risk. This last part of this sentence is the crucial phrase. Clients, especially enterprise clients, are taking some level of risk by passing and/or hosting data at a 3rd party. This can be a significant barrier for adaption of SaaS technologies for many enterprise organizations. 

Enterprise clients are looking to ensure that there is proper mitigation in place for attack vectors related to an organizations infrastructure as well as the software itself. There will likely be some sort of Q & A which can be informal conversations, or formal artifact. Typically areas of questions can be broken out into physical and logical security. The physical security questions will likely be focused on access to machines, data centers, etc. The logical security questions will likely be focused on things such as protection for the edge of your network, controls between tiers, and data segmentation between clients, cross site scripting, SQL injections, etc.

Privacy is a different matter entirely. There is obviously a connection; data that is stolen is clearly no longer private, but data obtained through a breach is a security matter more than a privacy matter. Issues of privacy are primarily related to applications that handle some flavor of end user data (HR, CRM, web 2.0 applications, anything related to health care, etc) as well as how back-ups are handled. Clients /prospects are likely going to question what compensating controls are in place to ensure that an end user can control how their data is used, how end users are informed about data is used, and what mechanisms are in place to enforce those data control / access policies.

Compliance can be broken down into two distinct sets of compliance questions: one related to any / all regulatory oversight a client may be subjected to and therefore any vendor must comply with (the usual suspects include HIPPA, SOX, GLB, etc). 

Another category of compliance may be focused specifically on your organization. This may include such things as employee screening and training as well as internal controls and policies. There are some specific certifications an organization can seek to provide some assurances to prospects and clients, SAS-70 is one type certification, however these types of certifications can be costly and time consuming for a small or medium SaaS organization.

As organizations become more educated around the benefits of going with a SaaS solution the market grows, however that education comes with a price. Organizations are also understanding the risks associated with SaaS solutions. If your organization is focused on an enterprise space you should be prepared to address each of these issues. 

Project Management and SaaS, part 3

so this post has been fairly epic. If you missed this first two part they can be found here:

Project Management and SaaS, part 2

Project Management and SaaS, part 1

In the last post I discussed three ways to categorize client feedback during a SaaS implementation:

• Trivial
  
• Education Required
  
• Non-trivial
  

For each of these types of feedback and organization needs to have a strategy with a plan and tools. Each request type may require a different tool and perhaps a different strategy.

Trivial requests, in theory, are the easiest ones to handle. An effective tool to manage this type of feedback can be specification documents, or other similar artifacts. For a SaaS organization these documents should capture configuration changes that collectively determine the functionality of our software as it has been designed to function. These artifacts act as a record of decisions that have been made to ensure that the software aligns with the stated business goals.
These artifacts should have a standard set of values based on best practices. These documents should be effective at capturing configurations that have already been anticipated and built into the application. Changes made to any of these decision points can be made with confidence that they will not cause unintended consequences or impact functionality or delivery time of the project.

I feel the need to once again stress that it is the job of the PM to carefully consider requests. If it is not known what the impact of the change might be it is best to consult with engineers / developers to confirm PRIOR to committing to a client that the task is trivial. A good rule of thumb is to consider any request / feedback not captured by a standard specification artifact as a non-trivial request.

Education Required requests are, well exactly that. The tool to assist with these requests is product documentation. The nature of product documentation for client education purposes is different than the type of documentation that the product development team uses while constructing the software.

It is sometimes difficult for individuals who are intimately familiar with the product to write effective client facing documentation. If there is an end user support group within the organization they are the most likely candidates to know what the most common types of stumbling blocks for end users are and should be used as a resource to ensure any / all product documentation covers as many potential requests as possible.

Non-Trivial requests are handled with a scoping document. The document is an artifact that can serve as the communication method between organizations and their clients, however it should be created only after consulting with internal resources. This will most likely include engineering, QA, and whatever additional relationship management staff are involved. If we accept the premise we started with (that tasks we have never attempted before are impossible to accurately estimate) it is crucial to communicate to clients that estimates are exactly that, a guess.

It is also important to develop internal guidelines as to what types / levels of non-trivial requests will be scoped. The effort involved with scoping should not be discounted when looking at resource allocation across an organization. These guidelines might include some broad criteria around what clients non-trivial requests will be accepted from at all. For example this could be determined by the size of the client, the dollar value of the relationship, the strategic value of a request, the impact of this request on the project calendar and budget, etc.

Clearly there is much more to discuss about project management as it relates to a SaaS delivery model but this particular post is already way too long so I'll wrap it up for now

Some random links

In an effort to break up the seemingly endless post on project management and SaaS here are a couple of links I have stumbled across recently you might find interesting:

• Article at readwriteweb that is focused on the types of companies that are embracing SaaS and why. They also take a pass at reasoning as to why other organizations are resist

• I was also recently made aware of an interesting paper published by a research team at IBM led by Jonathan Appavoo called Project Kittyhawk. The team theorizes that they could build the worlds computer. Yes a single computer that would be capable of powering the entire world; think the cloud that hosts the cloud. Interesting stuff. Perhaps the most interesting aspect of the idea would be the social / economic implications. Imagine if you or I could access the same infrastructure as Google....
  

• And finally what would any SaaS conversation be without some mention to the King of all SaaS (would that be KoaS?), salesforce? Here is an article summarizing some recent news from the biggest player.

Project Management and SaaS, part 2

Let's start with an assumption: Things that you have never done before are impossible to accurately provide an effort estimate. We can propose an estimate based on past experiences and pad it by some measure and cross our fingers. This is one approach. Any exercise to measure our estimates against the actual time taken is simply a measure of our padding. If we find that we are routinely late in delivering, then all we have learned is that we should pad more.

I am not downplaying the value of that notion, but we should be careful to not accept that as having solved the real problem. We have only adjusted our stance to include more margins for unknowns.

This is not new. It does however point to an issue that is fundamentally different for a project that is building a software product from scratch versus implementing a SaaS product.

In theory an implementation of a SaaS product should contain easily known components, tasks that have been executed many times over, and concepts that have been thought about, mulled over and vetted. This is the expectation that drives us toward the idea of having a schedule that is knowable, defined and repeatable.

However here is where the trouble lies: How can you ensure that each deployment mimics the previous deployments?

Unfortunately this means fewer choices and/or completely unrealistic expectations around the ability for a client to turn around approvals when building the project plan.

An additional challenge is around customizations. When was the last time an enterprise client did not request some sort of modification?

In a SaaS model this becomes the conflict point that can make / break a deployment calendar. The key to managing this conflict point involves some framework around client feedback.

A client will likely provide feedback they deem appropriate and necessary to make the solution align with their ideas of what they need. Some of those modifications will be trivial (and we need to be extremely cautious of this word, as seemingly trivial requests are typically the ones that we end up in trouble over), some will be requests that require further education and some will be nontrivial, but the client can present a valid business case for the necessity of the modification. We should look at each of these cases individually:

• Trivial: these changes can include such things as cosmetic changes, changes to field labels, etc. The trick with these requests is that requests that seem trivial may in fact have very far reaching implications to the way the product has been constructed. This is where the notion of the PM having some level of detail about how the product is constructed is crucial. There are occasions where simply changing the label of field is trivial, and other instances where the change of the label might have a functional impact. Without getting into a long tangent about subtleties of language and the nuances that inhabit our world suffice it to say that what clients think of as A, what the deployment team may see as B, and even more importantly the product team may have build like C. If the product is designed with SaaS at it’s core then the bulk of these requests from clients are simply configuration changes that can easily be accommodated.
  

• Education required: These are tough ones to wrangle and they also frequently deal with issues of language. A client is requesting that the product accommodate X, but in a specific manner. The product may indeed already accommodate X, but in a slightly different manner. The more a client uses the product, the more education they have around the functions and abilities of the product the easier this set of requests is to handle. This will not happen organically. There needs to be a training aspect to any / all client delivery methodologies.

• Non-Trivial: In some ways these requests are a little easier to deal with, which is not to say these requests do not have the largest potential project impact. In a SaaS model the answer to these requests is, well, no. An organization needs to have a feedback mechanism to the product team so that all of these types of requests can get back to the right people. These requests then need to be considered and either rejected or placed on the product road map. If the request is rejected then a solid justification should be provided. In either event this loop needs to be closed with the client. By providing responses to clients it provides credibility, even when the request was denied.

For each of these three types of requests the organization needs to have a strategy with a plan and tools. Each request will require a different tool and perhaps a different strategy. I’ll touch on that next post….

Project Management and SaaS, part 1

There are a glut of IT Project Management methodologies in the world. In fact there are even publications that focus solely on comparative project management methodologies. The majority of those methodologies are focused on a project life cycle as it relates to either custom software development or some other blue sky / green field type project .

Is there a difference between a development project for any custom system or large integration project and a Software as a Service deployment?

On the most basic level the answer is most likely no. Virtually all of the same fundamental issues, concerns and strategies are the same. The goals are certainly the same: deliver the project on time, on budget to a happy client.

The principles governing the success or failure of both types of projects are subject to all the same conditions: time, scope and budget. The pitfalls are certainly similar: clear definition of business goals and what constitutes success, scope creep, managing expectations, gathering complete business requirements, finding the right stake holders to provide input for those requirements and having strong senior backing to ensure project success (among others).

There are however some small differences, and those small differences can have a big impact on the efficacy of a project manager and the delivery of a successful project. This is an attempt to identify some of those differences and provide some strategies and tools to mitigate the risks they present.

While the range of projects that encompass the IT industry as varied and vast a large majority of the work that project managers are involved with are not projects involving brand new products. Many projects involve working within the confines of a system that has already been defined and constructed in some manner. This is especially true of organizations with Software as a Service business model.

As with any organization there are different types of projects that managers will need to be involved with. These might include: initial deployment for new clients, ongoing support requests, ongoing requests for customizations and upgrades. This conversation will focus on initial deployment for new clients, however it is important to keep all of the additional project types in mind, especially the upgrade, while rolling out the initial deployment.

At the end of the day all project managers and all project management methodologies have the same goals and intentions.

Limitations of Project Management when dealing with Software as a Service

Unlike a project that begins with a clean slate and blue sky all projects in a SaaS model will begin with a majority of the systems functionality defined. This may include things like data model, business logic, user interfaces.

While this may seem obvious the importance of this cannot be overstated. It is crucial that project managers understand the core functionality as thoroughly as possible. This does not mean that the project manager needs to have the same level of technical detail as the system developers do, however knowing as much as possible provides the project manager credibility with the client.

The PM at a SaaS vendor involves a combination of subject matter expert, client services and project management (with a small percentage of sales throw in for good measure).

Understanding the high level business objects is crucial in every project, however in SaaS the PM needs to be able to present lucid and valid business value propositions when any deviation from the standard product configuration is encountered. Education is the key, and the earlier and more comprehensive the education process can be the more efficient the process will be.

It is the PM's role to understand the business need from the client and demonstrate how that business need is address with the standard product functionality.

This may not be an easy task as frequently clients will not be able to separate the process used internally to accomplish a specific business objective with the objective itself. A large part of this process is educating clients about the core capabilities of the product.

The level of configuration that is available for a client varies depending on the organization's maturity level. The more mature the organization the more configurable the product may be, however there will be less flexibility to introduce customized features. Additionally the more mature an organization is the longer the cycle to add new feature to the product.

It is important to remember that unlike many software projects the SaaS client implementation is specifically designed to be upgraded in the relatively near future. Any customization for a specific client that is not incorporated into the code base for every client will likely present a barrier when the organization moves to the next version of the software.

Working with restrictions involved with SaaS, requirements gathering largely becomes an exercise in gap analysis. Where are the true differences between what a specific client needs to make their program a success that all of your other clients do not? If the product / organization is mature those gaps should become increasingly small.

There are of course exceptions. One exception might be a client that operates in an industry that has never used the product before. When deploying these clients an important factor to consider is how representative is this client for their industry? For example are business requirements being driven by government regulations that would apply to every organization in that industry or are they being driven by specific corporate mandates?

If one of the organization's goals is to attract more clients from this industry investment in implementing new features might be worth developing, however any schedule would need to be adjusted to ensure that proper QA time is being incorporated for new features.

up next time, how to handle feedback from client, further discussions around customizations and other random thoughts...

How the Service part of SaaS can help out in troubled economic times (say like now for instance).

So as the pool of money organizations has to spend on external programs shrinks does this have an impact on SaaS providers?

The honest short answer is, of course it does. However with lower initial costs and quicker times to deployment SaaS solutions also begin to look attractive as compared with installed software solutions (there is an advantage to a SaaS solution), however lower spending means fewer new opportunities.

The big challenge for a SaaS organization revolves around the ability to quickly recognize contracted recurring monthly revenues. This means the sooner you can move from contract signature to deployed solution the better.

What are the barriers to a quick deployment? There are the internal barriers for any SaaS provider; things like how long can you actually roll something out? Does it take a team 6 months of work, or can you roll out a solution to production in a matter of days? These factors are entirely within the control of the provider.

In my experience some of the biggest barriers to launch (the key milestone to recognize revenues) are clients, especially in the enterprise space. The more dependent upon a client your deployment process is, the longer it will take. That is a pretty straight forward equation. This seems to be easily solved by limiting the number of decisions clients need to make, however as each product offering becomes increasingly complex the number of decision points increases.

This is where the Services part of Software as a Service can come into play. Having a set of well defined best practices around configuration of your product is crucial to shortening deployment times. These best practices need to be well documented, and backed up with demonstrable experiences (i.e. stats, research, metrics, etc).

All of your best practices needs to be able to tie back to the specific business goals the client has purchased your product in order to attain. If your product can address multiple business goals then you need multiple sets of documented best practices and all client facing deployment teams need to be confident they know and understand them and all the nuances that entails.

Large enterprises are used to being able to dictate requirements, however in a SaaS model that flexibility doesn't necessarily exist. Large enterprises also can get stuck being focused on minutiae and lose sight of the larger goals. It is the job of the services team to keep clients focused on the larger business goals to stay on target for the quickest possible deployment.

That is an easy statement to type, harder to realize. I recognize that, but the services side of the Software as a Service is a crucial component that should help ensure that time to recognize that monthly recurring revenue decreases. Documented best practices is often a tool that is overlooked and underutilized.

Formal UAT thoughts

If you have spent any time with enterprise clients you know there are a number of things that are inherent in the process of rolling out a 3rd party hosted technology solution. These can range from the relatively minor challenges like the numerous approvals required for seemingly mundane items that add to the project calendar to more fundamental challenges, like formal user acceptance testing.

The requirement for formal UAT is one that puts enterprise clients directly at odds with SaaS. If a client insists on running formal UAT for every new release before it goes live this puts a significant burden on the vendor to support this requirement.

A formal UAT process involves creating test plans and test cases and standing up a test environment to perform the actual tests. Even if a client has a vetted set of test cases for regression testing, there will be new features that require creating new test cases.

In theory the 3rd party vendor can simply send over the test cases that have been developed in house to the client, and in fact many clients may ask for such cases. I am personally skeptical of the value here. If the vendor is sending over the test cases and the goal of UAT is to provide a legitimate independent certification that the application is functioning correctly then those two things seems to be at odds with each other, no?

The truth of the matter is that in many instances internal resources at large organizations are overwhelmed with the amount of work they need to accomplish. Having the vendor send over the test cases saves them a significant amount of work.

Creation of test cases aside the process to execute a formal UAT cycle with an enterprise client can easily take 4 - 12 weeks, depending on the size of the project.

If a SaaS organization has a release cycle of once a quarter the UAT effort is one that will never end, and will add to the overhead of any SaaS organization. This means resources in terms of relationship management staff, project management staff as well as possibly other technical resources, and this is just the effort to handle the UAT portion of a migration to a new code base.

This is a potentially significant hidden cost to the client. It is one that is rarely discussed when an organization is considering the total cost of ownership with any SaaS solution.

None of this should be taken as saying that formal UAT is not valid, or has no place for an enterprise organization with a SaaS vendor, but carefully spelling out what the impact of such requirements can / will be moving forward is crucial. The right spot to address this is pre-sales of course, but that rarely happens as this conversation is too detailed for a sales cycle.

Setting some threshold at which a formal UAT would need to occur could also help. For example no formal UAT required for small incremental releases, but for all major releases some version of UAT.

Finally there has to be some level of trust between the enterprise client and vendor. This trust can only come with a history of successful migrations to the latest version of the code that occur without incident. This can only come with time.

SaaS market to collapse in 2 years

I am always willing to read ideas that contradict my own.

Here is an interesting interview with Harry Debes, CEO of Lawson software. I don't think I agree with much of what he is saying, but worth reading.

Time will tell if he is right, and two years go by really quickly.

Chrome and the enterprise

I have run across a number of posts lately that are touting how Chrome will change the browser landscape. This may very well be true, however I just cannot see how any enterprise will really start allowing their employees to this browser officially.

Just a point of reference: most of the clients we deal with on a regular basis are still officially using IE 6 as their corporate browser. Enterprise IT approvals move slowly. As frustrating as this may seem it is for good reason. These departments are responsible for the stability and safety of the corporation's infrastructure (and all of the assest that represents). While moving slowly cuts into the ability for an organization to react quickly it also means that things are stable. If I am in charge of the infrastructure at a large enterprise I will value stability at the cost of agility in most instances.

There a number of posts I have seen lately that are excited about Chrome as it relates to SaaS, try this one for instance. I just can't see how any privacy / compliance manager at any enterprise organization will allow their employees to use Chrome, if for no other reason than all the instances where Chrome is sending browsing information back to Google. Read the privacy policy and the EULA carefully.

Let's not even mention the potential security holes.

I just cannot see how any enterprise will embrace Chrome. I am not the only one who sees things this way. Dennis Howlett at ZDNet has a good post that aligns with our exeperience in the real world here.

upgrades and contracts

I have been spending a fair amount of time lately thinking about contracts.  If you are delivering a SaaS solution to the enterprise there are a number of challenges that exist that aren't there when you are delivering a consumer service. That statement seems obvious enough, right?

The essential challenge is around how to provide protection / assurances to normally risk averse organizations (the Fortune 100 set) around upgrades and yet ensure your organization is not stuck supporting old code bases indefinately.

I started writing a post about some of the nuances, but it quickly became too long for even me to remain intersted.

I think ulitimately the best answer to ensure your client base wants to upgrade. This can only be accomplished by continuing to provide the right features, the right enhancements so that clients are excited about upgrading.

Ultimately if you can't make that happen and you are reliant upon a contract clause to force a client to accept the latest version of the code you have a much larger relationship issue. Those issues aren't going to be fixed by any contract clause.

Why Code Escrow provides no protection

Escrow provides little to no protection for a client. There I said it. 

The reasons for this are numerous, however here are a couple of the main reasons:

1.) If the company providing the service does default in some way and the customer receives the code in escrow there is very little chance they will have the ability to re-create that application. I realize in a perfect world the code would be so perfectly documented that anyone could re-constitute that application, however that just isn't the case. No matter how diligent and well meaning a development staff may be there is still so much knowledge that is institutionalized and not in any documentation that it would be impossible to simply take that escrow code and make it work

2.) Even if the code was perfectly documented it is unlikely the infrastructure is. As web-based applications become more complex, the ties to infrastructure become specific. Even if the client knew much about the particulars (for example what web server, application servers, OS, DB, framework, etc) the work effort to recreate it exactly would be far from cost-effective

3.) In a SaaS model the escrow code is most likely outdated by the time an customer would need to re-constitute anyway. In a perfect world this would also not be the case, but in reality this is just the truth. 

I could go on, but you get the idea. What an educated client really cares about is the data, or at least what an educated client should care about. If the customer owns the data, and receives it on a regular interval they stand the best chance of protecting themselves in the event an escrow clause would need to be invoked.

If a customer has their data they can either move to a competitor more easily, or evaluate what the work effort to internally build the application. In all likelihood the best choice would be to move to a competitor. If the customer were moving from one SaaS solution to another that work could most likely be leveraged across multiple clients for the new vendor, and as such the effort wouldn't be "one-time" work for the new vendor, if it wasn't done for a previous client already.. 

That provides protection for the client, but also the mechanism that most likely will get them up and running as soon as possible.

If the ultimate goal is to provide some level of protection, code escrow just isn't going to do it. If your SaaS vendor doesn't have a mechanism in place for a customer to get their data on a regular schedule through some process (self-serve, asynchronous or synchronous data transfer) then choose another vendor.

"Delivery over the Internet"

One of the key concepts of SaaS is that the application is "delivered over the internet". 

This seems simple enough, however there are some significant talking points hidden in that sentence. This is not boxed software that is purchased at some retail outlet, in fact this means the only way to purchase this software at all is through whatever sales channel the SaaS organization has set up. In most instances this means directly from the organization that has produced the software. 

Another challenge is licensing and pricing. Unlike boxed software that can be controlled with required serial numbers it is not possible to limit. This poses challenges to an organization to secure their IP. There is also additional risk assumed by the organization in terms of having confidential information for users.

The primary means of limiting use/controlling access to features, etc is through the application of roles and privileges. This requires users to log into the application which now necessitates the need for the application to store that information in some way. This also means that it is possible for the application to track usage and behavior patterns which boxed software companies would normally not have access to.  What additional legal / moral / ethical obligations does that entail? 

Another factor around delivery over the internet and that is around performance. As a company cannot be responsible for performance of any of the vat network that makes up the total access to the application it is impossible for an organization to truly control any performance related issues and end user may have.

The final thought is around security. Any application that is delivered via the internet must contend with all the security issues that entails.

SaaS Defined

I am the SaaS Master. This is tongue in cheek of course, however there is an awful lot of discussion lately around the notion that SaaS is taking over the world. I am endeavoring to define what exactly SaaS means. This seems like a reasonable starting point.

This definition is from wikipedia:

"Software as a service (SaaS) is a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a a third-party) the application for use by its customers over the Internet. Customers do not pay for owning the software itself but rather for using it. They use it through an API accessible over the Web and often written using Web Service or REST. The term SaaS has become the industry preferred term, generally replacing the earlier terms Application Service Provider (ASP) and On-Demand."

This sounds simple enough, although I have some doubts around the issue of Web Service / REST as requisite to be considered SaaS but I will leave these doubts aside for the moment. I don't have any doubt that to be a successful SaaS organization this would be required, but to make this part of the definition seems to be limiting.

The key concepts here are the delivery over the internet, developed and hosted by a vendor, possibly some ability for the application to be extended in some manner using APIs and the notion of a fee to access the application as opposed to a one time cost to own a copy.

What I think it interesting is that the ASP term is being used in a manner that indicates it is interchangeable with SaaS. I am not so convinced that is true.

Over the next few posts I want to explore how each of those key concepts actually work as well as the differences between SaaS and an ASP organization.