Wednesday, January 28, 2009

Visibility and Control Over API Use and Volume is Crucial as Enterprises Ramp to SaaS and Cloud

Transcript of a BriefingsDirect podcast on how visibility and control lead to better governance and security in cloud and SaaS operations.

Listen to the podcast. Download the podcast. Find it on iTunes and Podcast.com. Learn more. Sponsor: Sonoa Systems.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on bringing enterprise IT expectations on visibility, control, and security to software as a service (SaaS), and cloud-based applications delivery.

As established enterprise IT expectations meet up with cutting-edge cloud delivery models, there's a clear need for additional trust and maturity in order for enterprises to further adopt cloud-based services.

We're going to examine how one SaaS provider, Innotas, has developed a more matured view into services operations and application programming interfaces (APIs) and how they can extend the benefits from that visibility to their customers.

We'll hear how Innotas has used solutions from Sonoa Systems to provide better managed services based on service level agreements (SLAs). We'll also hear how they derive more analytics from network activity and thereby provide mounting confidence in how services are performing.

At the same time, they can add more attributes and benefits to the services they deliver. The goal here is to make online and on-demand applications and services delivery come across with the same sense of maturity, control, reliability, and scale that enterprises and medium-sized businesses are accustomed to.

Here to help provide an in-depth look at how SaaS and cloud delivery management can be improved is Chet Kapoor, CEO of Sonoa Systems. We're also joined by Tim Madewell, vice president of operations at Innotas, an on-demand project portfolio management (PPM) service. Welcome, Tim.

Tim Madewell: Thank you, Dana.

Gardner: Let’s first get into the whole cloud topic. The world is changing around us. SaaS, of course, has been around for some time and many elements of cloud have been around, but we're starting to see more interest in bringing the enterprise on-premises model in some alignment with what goes on with cloud and SaaS. There's an interest in finding a common sense of security and trust.

Let’s start with you, Tim. Give us a rundown of what Innotas does and a little more information about what your customers' expectations are, now that we’re a bit deeper into this whole cloud mentality?

Madewell: Sure, I’d be happy to. Innotas is an on-demand PPM solution. We focus on IT organizations and provide software access via a standard Web browser for managing projects, as well as non-project work within an IT department.

Our goal, or value proposition, and the problem we're trying to solve with Innotas, is more of a top-down enterprise problem -- how best to utilize the resources that you have within your IT department. That's from a cost standpoint and budgets, as well as capacity and actual resources. Innotas is providing an IT governance solution on-demand, and providing it as a service.

Gardner: So, you're actually at two levels of opportunity and benefits here. You offer visibility, based on the requirements of the application, but also delivering it as SaaS. Has it always been an on-demand application, or did you have this as an on-premises product at one time?

On-Demand and Multi-Tenant


Madewell: Innotas has always been on-demand. We've been on-demand and multi-tenant from day one. That’s been one of our differentiators. Certainly, PPM is not a new category, but something that Gartner has tracked for some time, and there are plenty of competitors out there in the on-premises world.

One of our differentiators was that being on-demand and multi-tenant from day one enabled us to be one of the early adopters in the SaaS world and in subscription-based software.

Gardner: Interestingly enough, you've taken this to the IT department folks, and they've had a chance to examine how SaaS and on-demand works for them. I suppose that’s sort of greasing the skids for their acceptance of these services that they can deliver to either their employee constituents or to online customers and partners.

Madewell: That’s exactly right. Our target audience is IT, and that’s just where we have really chosen to focus.

In many ways, IT has very few projects that they perform that are internal for IT. You end up being your own customer in this type of implementation. We have seen how the attitude around SaaS has matured and evolved here. SaaS has become more standard and available, and as the technology has matured, especially around security, the acceptance level for SaaS has improved. One of the things that benefit us is in focusing on IT. Typically this type of change in acceptance for software starts within the IT organization itself.

Gardner: This is fairly sensitive information, right? What’s going on with the projects? IT could have a great bearing on where a strategy is headed for an organization. So, security, governance, and risk-compliance concerns need to be addressed at this level.

Madewell: Absolutely. That’s where differentiation comes into play. To be a business application in a SaaS model today means that you have to step up and be enterprise class.

We look at ourselves as an extension of all of our customers' internal IT and operations groups and we need to live up to those same standards. That’s not unique to us. Any SaaS provider that’s out there that is going to provide a business solution is going to have to adhere and live up to the same type of standards.

Gardner: As you’ve sought out solutions that can bring those elements of maturity and trust back into your service and therefore to your customers, what sort of problems did you encounter and how did you move forward from them?

Madewell: The problems where we would initially see a push-back was along those lines of acceptance and confidence -- how could we communicate and establish the confidence with our customers that this is secure and reliable. Once we get past the initial security challenges, folks are very interested and concerned about reliability and performance.

When it was traditionally inside your four walls, there was a greater sense of control. As soon as you step into the cloud or with any SaaS provider, some of the benefits and the value prop is that they control it, they manage it for you, but you're giving up some control. Building that confidence and acceptance into the solution is important, and ties back to being enterprise class. What I’ve got to establish and manage within my operations is operations as a service.

I need to be very much like a data center, providing a level of service that’s transparent to customers and with some predictability, and wrap that all up with the SaaS model. I need to do that at a reasonable cost, so that I can keep subscription rates reasonable, and where customers feel like they're getting a reasonable cost-to-value ratio.

Gardner: Let’s go over to Chet. You’ve heard some of the concerns that Tim has had in the way that he is trying to bring more maturity and confidence into his product. I'm sure there are many other providers, and there will be more as this cloud opportunity develops. What does Sonoa look at when it tries to help organizations like Innotas?

Maturity of Services

Chet Kapoor: Thanks, Dana. The approach that Sonoa has taken with a SaaS company like Innotas or an enterprise that wants to take its services and make them available to the cloud is to ask what is the maturity or the evolution of the services. Tim would tell you, using a quote that he has done for us: You always start by wanting to see the needle, because you can’t move the needle, if you don’t see it.

So the first thing is visibility. I want to know who is using my service, what are they using it for, how long are they using it, things like that. You have to have visibility into the services you provide. You always start there.

The next thing you say is, "Okay, now that I have visibility, I want to start putting in some security access control." You may choose to do that at the same time. They could be parallel approaches, and you want to start by saying, "I want to give priority access to priority customers."

Then, the third step that most customers take is to scale it. They have something working across 50 API calls or 100 API calls, and they say, "You know what, we are going to make this available throughout our application, make all our functionality available." And, they want it to be available at a scale where all their customers are getting it.

We've been working with companies like Innotas to get them through this evolution. Some customers choose to get our technology in the form of appliances. Some of them do it in the form of software, as Tim has. And, some of our customers are choosing to get our technology right in the cloud itself where they do not have any data-center whatsoever.

Gardner: Now, these days, being in a tough economic climate, providing visibility and efficiency needs to often be accompanied by a strict return on investment (ROI). Are there elements of what you are providing to organizations like Tim’s that fall into that business case and solution at a high economic value?

Kapoor: We believe so. I'd like Tim to take a stab at this also either now or sometime later to get his perspective. At the end of the day, when somebody is providing a cloud service or consuming a cloud service, it has an element of the client-server model. You are saving cost, especially if you are getting something on demand and you are a consumer of something like Innotas inside the enterprise.

So, there is definitely cost saving there from that point of view. The easier we can make it for enterprises to access the information for their composite applications through APIs, the more successful companies like Innotas are, and there is more adoption. IT enterprises end up saving money.

The second aspect of this is that it's probably a new revenue stream for Web 2.0 and SaaS companies, as well as enterprises. They've maximized or have worked very hard on their channels, whether user access or a browser-based channel. Now, they have an opportunity to go after a different set of folks who are trying to not just go off and use Innotas through a browser or Salesforce.com through a browser.

Somebody else wants to write custom applications and that’s not necessarily the project manager or the sales person, but the CFO wanting to do something. They want the access to information from something in the cloud. So, we’ve found that the ROI model comes in two flavors -- not only cost savings, but also new revenue-generation opportunities with a completely new set of customers.

Gardner: Let’s take that over to Innotas. Tim, when it comes to gaining benefits through this visibility, how are you able to justify that from a cost perspective?

Looking at Immediate Needs

Madewell: I would just second Chet’s comments. Those are right in line with how I looked at this when I was going through the early stages of evaluating Sonoa and just looking at what my immediate needs were within my operations department.

Here's how I justify it. The first one was very selfishly from an SLA. I have an SLA I've got to maintain and deliver against. As the sales team is selling this, my services team is implementing it.

At the end of the day, I've got to have the availability and the performance that was up to what we're selling. That ties directly back to the visibility point Chet made. That was absolutely my biggest value target day one to get up and running -- to give me the visibility and how that translates into my SLA.

I can’t address the problem until I can see it. Sonoa helped me identify problems or potential problems earlier. When I turned up the ServiceNet product it decoupled the traffic from my Web users, my end-users, the traditional users from my back end, and from my API.

Then, I was able to take a look to see what kind of activity was occurring on the back end. That visibility gave me some input into when my servers were getting hot or heating up. I was seeing a lot of activity and started to differentiate if this activity was generated through the front end or through the back end.

So, my immediate return was to give my operations team a solution and a tool that gives them better visibility and then to control some of that traffic on the back-end.

My ROI on that is A) certainly living up to an SLA. I have penalties if I don’t hit it. So there is a dollar amount that could be tied to that. And B) it’s about serving up an experience of the customers. Certainly a tolerance for response times on an API is a lot greater than an end-user clicking on the screen.

So I have to have this healthy balance, if you will, between making sure I'm still serving up a reasonable end-user experience to the Web browser, and then serving the request on the back-end.

That ROI is really about the experience, and that means renewals for me. In a subscription-based model like Innotas' the customer is absolutely paramount, and the service that we provide is paramount to keep the renewals coming.

Gardner: Of course, when it comes to efficiency in the current economic downturn, a dollar saved is important. You have to meet your SLAs first. Does this give you an opportunity to tweak and customize in such a way that you're getting more utilization?

Aiming for Efficiency

Madewell: I'm serving a lot of customers in this multi-tenant architecture and I need to make sure that I can’t just throw hardware at the problems. I need to be very efficient, and the multi-tenancy gives me efficiency. I also need to make sure that I'm managing the utilization and managing those systems very efficiently.

It gives me that capability that I needed as a multi-tenant application. To your question of this economic environment, with this visibility I'm able to put in some controls that will give me the ability to look at how I make more and better use of the capacity that I have today.

A good analogy here is in my commute over the Bay Bridge -- sitting there in queue, waiting for the metering lights to turn on, and wishing there was another lane or two lanes. I certainly hit some point, where I guess it’s probably a good queuing-theory model where it does make sense to add another lane or two. I'm always looking at that from an operations and capacity standpoint.

But, I don’t want to just throw hardware or lanes at the problem. If I can still move traffic through in an efficient manner, much like the metering lights, I can make the best use of the lanes I have. That’s exactly what I'm looking at, especially in this environment: Where is my capacity, where is my unused capacity, and how do I deploy or redeploy that as efficiently as possible?

Gardner: So, the visibility and control offer you apparently a fairly significant ROI that you are comfortable with. But, then there is that additional benefit that Chet discussed, in terms of richness and additional benefits that you can apply for your services as they’re perceived, delivered, and even built against for your customers.

Madewell: That’s right. Now, from a front-end and from a user model, we're very familiar with the different user types in an application. You may have view-only users, standard users, or power users. We can take the same view on the back end with Web-services. There are certainly different levels of users or different levels of service you could provide for users, depending on their needs.

If I've got real-time integration I'm looking to deploy, my requirements are a lot different and a lot more stringent than somebody on a monthly or weekly basis, which is like an extract and much more tolerant. Now, I've got the ability to take a look at offering some tiered services or tailoring my back-end user type and then tying that to my revenue model.

Gardner: That provides a level of maturity -- not one size fits all, but more customization. Your receiving organizations, if you will, start to view this as closer to what they've been accustomed to with the client-server or distributed computing. Do you have any instances, metrics, or anecdotes about how that’s actually worked out in the field, practice versus theory?

Madewell: In this field it’s kind of a journey, as we've got the visibility and some basic control in place. We've turned up the policy management and SLA management with the ServiceNet product.

Some of the immediate benefits we had were with the early diagnosis of problems and troubleshooting. We had a recurring issue with a specific customer reporting errors with Web services, decoupling that traffic, and having it right there in a real-time dashboard.

We were able to turn around and find the root cause and find that they were submitting multiple attempts with invalid log-ins and flooding the Web service. Our ability to diagnose that quickly was definitely a benefit we were able to realize with Sonoa.

Gardner: Let’s think about some other scenarios -- and I’ll open this up to both Chet and Tim -- with cloud computing and boundaries, hybrid models, business processes that are composed of services from different clouds or different SaaS providers. Quite a bit of complexity can creep into this very rapidly, and the visibility, control, and scale issues become significantly aggravated. What can solutions like Sonoa bring to that level of complexity, when we move beyond a single SaaS-type of application into a business process that’s composed of services?

Hybrid Applications

Kapoor: Dana, let me take a shot, and Tim, as a technologist, would also have a view. We’ve spent the last half an hour talking about how a provider of services -- what are some of their motivations, what are some of their pains, what is the ROI? Tim has done a great job of articulating all of that.

As you said, there are a lot of consumers of cloud services like Innotas, and they probably do it in a very hybrid model because I don’t think on-premise computing is going away. So, customers will write applications or custom applications, where they probably want to use Oracle or SAP inside the firewall and maybe have another custom application of some sort, Innotas or Salesforce or whatever -- outside.

They want to write a composite application, a mashup, or whatever you decide to call it, and they want all these different services. A critical need that we find is that customers start to get nervous. It's not so much with the Innotases of the world, because they are fairly secure. They run like an enterprise application, but it’s available in the cloud. It happens when you start using things like Amazon Elastic Compute Cloud (EC2), and people are starting to put custom applications there.

What we’re finding is there is a need for a way to govern what goes on outside the enterprise. Govern could be a fairly heavy word, so let me be more specific. You want to have visibility into, how many accounts I have at EC2, for example.

If you ask a CIO -- and I've had 50-plus conversations about this -- how many cloud users you have at a very basic level, the SaaS companies you have contracts with, it’s fairly easy. I am using EC2 only as an example. But, if you ask how many people actually use a credit card to open an EC2 account and are doing something with compute resources and doing things with storage, the answer is no.

They have no idea who those people are. So one thing they need is visibility into who is doing what. The next thing is, all senior executives in companies every quarter sign a document saying, "I have complied with law." If I'm in the health-care industry, I am not going to let certain medical information about my patients go out. If I'm in the financial services industry, I'm not going to let the Social Security numbers go out.

The question is how do they know? How do they know that what they are signing is actually happening? There's no way of them figuring out if compliance laws have been broken or not. So, we find that a lot of customers who are just consuming, not doing the SLAs and things like that, as Tim was talking about, but just consumption, want to have some visibility into what is happening with the cloud. Then, as they get more visibility, they want to see if they are paying extra for SLAs and the SLAs being mapped.

The second thing is that they have multiple cloud providers for resources. Which one is cheaper? Which one is better? Which one has better SLAs? Which one is easier to configure? And, things like that. Or, they can go off and say, "You know the network is really slow because this set of individuals are doing a lot of compute-intensive things, and we are not going to give them the ability to bring the network down towards the end of the quarter." So you don’t only have visibility, but you also have control, and it’s all from a consumer point of view.

Gardner: Let’s take that to Tim. In Innotas, if you get into a position where you are starting to compose services from cloud-based resources and models and deliver that back out to your SaaS providers, it sounds like you are going to really be interested in this level of visibility?

The Importance of Governance

Madewell: Yes, we would. Visibility is real, just from a technology standpoint, and working with my customers through initial security questions and audits that I need to go through as a software provider. What Chet has articulated here is real and growing in my opinion. Governance is going to be very important.

I'll just give you an example. SaaS, especially in the large enterprises, is something that’s very new. In many cases, as I'm working and partnering with our customers to go through the due diligence, the technical review, and the network and infrastructure review, their standards have not been modified yet to even accommodate SaaS.

So, there is a level of education needed there, and this goes back to what we started talking about, how to get the comfort level up. Well, this is the driver for it. There are many companies out there that have stated that no data is outside their four walls. Yet, now they're trying to accommodate and adopt a hybrid model, which I firmly believe is where this is going.

With that, if they don’t realize the need for governance and control at an enterprise level, as Chet has outlined here, they will very soon, because folks like Innotas and others are making inroads into the enterprise space -- and we’re viable.

There's a very good reason to keep certain data -- health-care is a great example with the HIPAA requirements -- inside your four walls. But, there may be other Tier 2 application solutions that are going to be outside your walls. How do you control that? How do you audit that? These are very important problems to solve.

Gardner: In addition to governance, there is the management from the provider side, as you get into more tiered services and more managed services. You're going to offer different levels of service compliance depending on the pricing and you’re going to have sales people who want to slice and dice these services in a variety of ways, as they can package them and deliver them.

We’re at the early innings of SaaS, but I can foresee that by the sixth or seventh inning, we’re going to get into some serious complexity around those delivery mechanisms. Tim, help us a little bit in terms of what road map you might have at Innotas and what the solution might start to look like?

Madewell: Well, out of the gate, we try to keep it simple, and that is one of the benefits, one of the value props, we push with on demand and with our product in the PPM space -- to keep it simple.

This gives us more flexibility in how we package. Absolutely. I agree. What does our road map look like? We've got about a 12-to-18 month road map at any given time that point features and capabilities into our product. We're looking at ways that we bundle that up and we bring the right mix to the customers. We're looking at ways that we can tier that.

Look at examples of some of the pioneers, especially in the SaaS space. Look at Salesforce.com. They have a pretty simple tiered model. As you walk up to and through their enterprise edition, you're just adding on capability.

That’s in line with what we’re trying to do -- keep a nice, small, reasonable entry cost. The subscription model is very powerful. And then, it's services as you need them, or services as you consume them. We're finding it a lot more appealing to customers, especially in this environment, than give me everything and buy it all up front in one lump sum.

Gardner: Because of our use case scenario here we've been focusing on the concerns of the SaaS provider, but as Chet mentioned, we also have the incoming network for the user organization, be it enterprise or small- to medium-sized business. It seems that the solution here benefits receivers and senders. I'm wondering if this is a little bit of a leap into blue sky, Chet, but how about this visibility as a service -- that is to say, getting somewhere between the receiver and the sender. Is there anything that we might look forward to in the future along those lines?

Kapoor: Absolutely, Dana. It's something that we recognized and are working on. If you really think about the person who is doing a mashup, every consumer is probably going to be a provider at some point, and every provider is going to be a consumer at some point. So, we've certainly thought about it and have been working on providing, taking what Sonoa provides as a ServiceNet product, and making it available as a service. We have some customers that are already going in production. It's something that we will start talking about in the very near future.

Gardner: Well, great. I appreciate your input, Tim, on helping us understand a little bit more of the concerns of a SaaS provider. It’s really important that you're delivering this to the IT organization because they're the ones that are always going to be on the vanguard of managing these boundaries, as they become more permeable, and we see more of these arising scenarios around services delivery and consumption.

I also want to thank you, Chet. We've been discussing how enterprise expectations need to meet up with cloud delivery models, how there is a need for additional trust and maturity, and how services are perceived and delivered.

We've been talking with Chet Kapoor, CEO of Sonoa Systems. We've also been talking with Tim Madewell, vice president of operations at Innotas, an on-demand PPM service. I just want to throw out one more opportunity for input. Is there anything additional you think we should convey, Tim?

Madewell: We've covered it well. My daily takeaway, as I go about my business, is that a lot of this is evolving, is new, and it’s a journey. This is one of the things I have really benefited from and appreciated with Sonoa, as well as other vendors that I worked with. We're all evolving in this SaaS and cloud space together.

What I am really encouraged by is that it's heading upstream, if you will, into the enterprise. The leaders in this space are pushing these boundaries, pushing the governance, recognizing that with breaking down traditional walls come new challenges that need to be controlled. It’s important to be looking two steps ahead, and evaluating how this all works.

Gardner: Very good. This is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.


Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.