Is your company looking to employ new
software, or to decommission old in-house
systems? Evaluating vendors and selecting
software with functionalities that most closely
meet your business requirements can be a
significant undertaking. When presented with
this task, companies are increasingly starting to
consider cloud-based SaaS solutions due to the
benefits SaaS provides, such as the ease of
implementation, increased accessibility,
minimal maintenance, and reduced costs.
In this paper, we will discuss best practices
for selecting a SaaS product and provide
key considerations before investing in a
solution.
Cloud Delivery Options
There are two primary delivery options
within a SaaS model. These options include
deploying resources within a Private or
Public Cloud.
Public Cloud
In a Public Cloud model or “SaaS Multi-Tenant,”
the provider hosts resources such as servers
and databases on an infrastructure shared with
multiple customers. Almost all public clouds
employ a multi-tenancy model, which allows
multiple users to use the same servers and
database. Logical controls prevent data from
commingling. Public clouds are cost-effective and
low-maintenance solutions that are highly
reliable due to the vendor’s ability to provide
ongoing maintenance and updates. Multi-tenant
solutions are easily configured, which makes the
upgrade processes quick and seamless.
There also exist offerings known as “Hybrid
Public Clouds”. In a hybrid public cloud model,
there is only one tenant per database, but
several tenants on the same instance.
Private Cloud
In a SaaS private cloud or “single-tenant”
model, a cloud instance is dedicated to one
organization. Compared to public clouds, they
offer greater flexibility in terms of customization,
as well as increased security, as data is not
commingled in the same cloud instance. Ultimately,
single-tenant solutions offer greater
control and, as a result, are generally more
expensive than public clouds. Therefore, they
continue to remain the less popular option of the
two.
What is SaaS?
Software as a Service (SaaS) is a
cloud service model, in which a
vendor leases software to a
customer. In a SaaS model, users
access services through the web.
The vendor owns and manages the
services in the cloud environment,
including the software, databases,
operating systems, IT
infrastructure, operations and
security.
SaaS utilizes a “pay as you go” pricing
model that offers customized and
scalable price points and low set-up
costs to customers. Unlike traditional
software sold on a perpetual flat-rate
license with a hefty up-front prepaid
cost, SaaS fees are subscription-
based. Therefore, customers only pay
for what they use, which is a cost-
effective method for many
organizations. This pricing design is
similar to that of Tesla, media
streaming providers, and smartphone
contracts, as the subscriptions are
tailored and scaled to the individual
user.
Infrastructure as a Service (IaaS)
Along with SaaS, another popular cloud
option is the Infrastructure as a Service
(IaaS) model. In an IaaS model, customers rent
infrastructure from a vendor. The vendor owns
the servers, and the customer manages the
servers remotely. Similar to a SaaS model,
services are delivered over the internet.
Customers receive the benefit of storing data
offsite without having to invest and physically
maintain the equipment. Additionally, the IaaS
provider is responsible for all infrastructure
security elements, which are often more secure
and less costly than on-site options. Companies
with specific customization needs that are
looking to employ a cloud solution tend to
benefit significantly from IaaS solutions, as the
customer still owns and manages the software.
Key Considerations
To Build, Customize, or Buy?
Companies looking to implement a SaaS
solution should first consider whether their
business needs would require them to build,
customize, or buy new software.
Customization involves the development of
specific code to transform an application to fit a
company’s needs (e.g., adding a new field,
developing custom business rules).
Configuration only involves adjusting
parameters within an application (e.g., changing
thresholds, adjusting labels, logos, importing
data). Companies that have specific
requirements that cannot be achieved by an
already existing solution in the market may elect
to build or customize their software. If your
company decides on such an option, a SaaS
product would not be a viable solution, as
customers cannot customize rented software.
However, even when customizing or building
software is preferred, many companies still
choose to buy software due to various reasons,
which can include the following:
- Price constraints: Building software
  requires organizations to deploy many
  resources, which can be a costly
  endeavor. Additionally, customizable
  software is often more expensive than
  SaaS software. For this reason, SaaS
  solutions tend to be the preferred option
  when budget constraints come into
  play.
- Implementation target dates: Building
  and customizing software can be a
  lengthy process. If companies have
  strict implementation target dates, a
  SaaS solution may be more effective in
  meeting those deadlines. In general,
  SaaS software implementations are
  quick and efficient processes compared
  to their alternatives.
- IT Operations Strategy: In some cases,
  companies’ internal departments have
  mandates or strategies that favor SaaS
  solutions. These strategies could be
  due to a number of reasons, including
  those described above. These
  department-wide approaches take
  precedence in decision-making.
Ultimately, if your company’s vision aligns with
any of the above descriptions or if your
organization determines that a specific SaaS
software can add value to your business
operations, then a SaaS solution may be worth
considering further. Next, it is important to look
at your company’s policies regarding data
storage to confirm that SaaS remains a feasible
option.
What Can Be Stored in the Cloud?
Given that data is hosted remotely and
managed by a third party, it is crucial to
consider the risks involved in storing data
on the cloud. These risks stem from the public
communication channels used between the
host and client. These interactions travel
through a public network and are not protected.
To mitigate these risks, many SaaS vendors
offer controls, such as encryption and two-factor
authentication, as part of their support package.
Another consideration when reviewing
security requirements is to assess the
location of vendor data centers. Your
organization may be subject to varying
regulatory restrictions depending on the
vendor’s data center location. For example,
companies that are subject to Canada’s
Personal Information Protection and Electronic
Documents Act (“PIPEDA”) must ensure the
security of Canadian citizens’ personal
information. Although PIPEDA permits the
transfer of Canadian information across
borders, it is common for companies subject to
this regulation to prohibit the storage of
Canadian citizens’ data outside of the country
as a safety measure for certifying compliance
with the Act. Therefore, it is important to
consider any potential storage restrictions,
including those mandated by regulators and by
your company through internal policies.
As a best practice, before contacting vendors,
you should discuss your company’s data and IT
policies with security personnel at your
organization. To assess the feasibility of storing
data on the cloud, it is important to ask the
following questions:
- What is the nature and sensitivity of the
  data in question?
- Is my organization subject to any specific
  regulations (e.g., GDPR, CCPA, PIPEDA)?
- Does my organization have any internal
  policies (e.g., data classification,
  cybersecurity policy) or contractual
  obligations that require the setup of certain
  controls (e.g., encryption, storage in a
  specific data center location)?
- What are the consequences of a possible
  security breach, and how will it affect my
  organization’s data?
IT security policies differ from company to
company, and it is essential to identify any
restrictions set in place by your organization
before beginning discussions with vendors.
Although there are risks involved with storing
data on the cloud, a vendor can generally
mitigate those risks by implementing robust
controls. Depending on your organization’s
internal policies, specific security measures
may be more important to meet than others.
Therefore, we recommend identifying your
company’s mandatory requirements, assessing
their impact within the organization, and
communicating that information to vendors as
soon as your organization confirms them.
Once you have a full understanding of the risks
involved in storing data on the cloud and have
confirmed that SaaS is the best method of
deployment for your organization, then you are
ready to begin the SaaS vendor selection
process.
Selection Process
The process of selecting a vendor
encompasses several steps and can vary
depending on many factors. Below, we
highlight key steps to consider during the
selection process that can be effective
regardless of the product or industry.
Step 1: Define your Business Requirements
One of the most important steps in the selection
process is to understand all of your
organization’s business requirements. This step
should be a priority in your process and should
be the first step executed. To ensure your
understanding of your business requirements,
we suggest that you ask the following
questions:
- What is my organization’s target state?
- Will the new system interface with any
  existing or future systems in the target
  state?
- What are the mandatory requirements
  that the product must meet?
- Are there any requirements that would
  be nice to have, but are not necessary?
We suggest that you outline all of the criteria
that are necessary for vendors to meet and rate
each criterion’s importance according to your
organization’s priorities. It is helpful to write
down these requirements in detail. If you decide
to issue a Request for Proposal (“RFP”) during
your selection process, these requirements
should be included in the RFP questionnaire.
The RFP should be tailored to your
organization’s needs and when possible, should
avoid generic questions that will not provide any
insight regarding a vendor’s product
capabilities.
Step 2: Research the Vendor landscape
It is important to conduct preliminary market
research on the vendor landscape to ensure
that you have a full overview of all relevant
products offered in the market. This can help
you narrow down your list of vendors to be
contacted. We recommend that you generate a
list of five vendors that meet your high-level
requirements.
Step 3: Assess Product Capabilities
During the selection process, organizations
typically employ two common methods to
assess product capabilities. The first method,
as mentioned above, is to distribute a
questionnaire to vendors, allowing them to
indicate which requirements they can or cannot
meet.
The second method is to organize a product
demo with each vendor. Demos should be
structured around company requirements and
can use specific use cases to illustrate product
functionality rather than follow a generic
“sales pitch demo.” It is important to
invite all key stakeholders to these demos, as
their feedback will be instrumental as you
compare products. We suggest that you employ
these two methods of analysis during your
selection process. The questionnaire will
provide an unbiased view of each product, while
the demo will allow potential users to see the
product interface and assess the user
experience.
Step 4: Compare Prices
During an initial proposal, vendors may
compute their solution costs using various
assumptions. For example, certain contracts
may include adjustments for inflation, differing
implementation methodologies, or fixed fees.
Solutions are often priced for the length of the
agreement, which is typically 3-5 years.
In order to compare solution prices, we suggest
you build a model with similar assumptions for
each vendor, which can include but are not
limited to, users, modules, architecture setup,
and implementation methodology. Additionally,
it may be beneficial to consider how the cost will
change once the contract ends. Therefore, if
you decide to project the price for a more
extended period, you should adjust for
estimated cost increases, which will give you a
more accurate model of comparison.
Attention Points
As mentioned throughout this paper, the
selection process can be complex and
present certain challenges. However, it is
possible to avoid potential roadblocks by
being aware of the attention points
described below.
Define the objective of the solution from the
beginning. It is important to define your
solution’s critical requirements and the purpose
of your solution before starting the selection
process. For example, some organizations may
be replacing an existing system, and therefore,
require the new system to have highly specific
functionalities similar to the existing system that
operate in a more efficient way. On the other
hand, some organizations may be looking to
employ a new system to replace manual
processes. In this case, requirements may not
be as specific.
In some instances, organizations may be
looking to replace in-house software that
requires the implementation of more than one
SaaS solution. In all of these scenarios, defining
the purpose of the solution beforehand is critical
in helping organizations build out requirements
and assess the priority level of each
requirement.
Security is a critical element when choosing
a SaaS provider. It is important to make sure
that you have the appropriate conversations
with your organization’s security team before
starting the RFP process. If your organization
has mandatory security requirements that are
non-negotiable, it is critical that you
communicate those requirements to the
vendor and ensure that they have the desired
capabilities before proceeding with any next
steps in the selection process. You want to
avoid the risk of shortlisting vendors with
superior products that fail to meet your
organization’s key security requirements.