SaaS vs On-premise: What are the Risks?
Determining the best Student Information System (SIS) built to adequately meet the needs of your organization can be a daunting task. There are many factors to consider and choosing the right software solution is only the beginning. How the software should be delivered and the adequate infrastructure required to support it can be just as critical a decision. Knowing the risks and costs associated with these considerations can save you a lot of time and headaches in the long-run.
In this series, Evaluating a Student Information System, I'll outline in detail the major factors in determining a SaaS vs on-premise solution. This series is broken into many parts, this post (the first) pertains to the risks, the next post will be focused on the costs, and also stay tuned for more timely posts to follow.
Defining Cloud and SaaS
Part of the problem in assessing cost and risk associated with SaaS vs an on-premise solution is defining just what the terms mean. Without a high level of IT expertise, it is a challenge. Clear definitions are key to avoiding hidden costs and risks.
The a�?clouda�?, we hear that term alot. It's essentially a remote network of servers (the utility of which is to provide/purchase only the necessary computing resources to meet the business requirement). SaaS is typically defined as a software delivery model that uses a cloud remotely hosted from the client. The other major characteristic of a SaaS-based approach is the software is provided on a subscription basis (monthly, quarterly or annually). There are many combinations of cloud-based storage and SaaS delivery models that make it difficult to assess total cost of ownership (TCO) and risk over time. For example, a provider might deliver a software product where the service and the data are stored at a specific location (colocation or colo), while another might deliver the same type of service where the data is stored in an undefined location.
Main Components in a Student Information System
Consists primarily of servers and ancillary equipment that the software runs on.
The network includes all the services and hardware components that allow the server to communicate with other computers. This includes services like internet access, bandwidth, throughput and physical layers such as cabling, fiber, power, security, switches and routers.
Operating System and Upgrades
The student information system isn't the only software that will be running on the hardware environment. The server will require an operating system which involves various functions in maintenance and upkeep which includes: installations, configurations, change control, updates and patches, anti-virus protection, and security.
Licensed software and upgrades
Licensed software includes many third party applications that work with the student information system including: server licensing, SQL Licensing, Reporting Tools, Office software (email, communications, etc.). Other recommended services like anti-virus, backups and storage for your SIS system require licenses.
Security encompasses many different aspects of the operation in both the physical and virtual world. A complete information security policy includes, but is not limited to, protection from external and internal threats, data integrity, information assurance (the availability of the business information when you need it), disaster recovery and business continuity.
A student information system is a complex piece of software that generally requires many levels of human resource support. The most common of which are network administrators, database administrators, help desk and software support staff, data analysts, institutional research and/or report development staff.
Risk Considerations: On-premise vs SaaS
With an on-premise solution, software availability might seem to be a lesser risk compared to SaaS, assuming you have a stable installation running locally. However, many organizations that select on-premise overlook the creation of an adequate disaster recovery and reimplementation plan in the event of a local outage. The other main risk involves keeping up to date with upgrades and the resource cost to maintain them. In any case, your institution should have a plan for business continuity regardless of where the solution is hosted.
Backups and offsite storage of data is critical to any disaster recovery or business continuity plan. On-premise backups are essential for quick recovery due to many factors. The most common are user error, hardware failure, and power loss. For short-term business continuity, battery backups should be employed and local backups to storage area networks are another critical consideration that needs to be factored into the equation. If your policies are properly planned and executed there should almost never be a time where data is completely lost. With a SaaS implementation, the general assumption is that the vendor is completely responsible for the data. This would be a mistake. The type of storage used, its availability, and backup/recovery strategies of the vendor should be made clear. Where the data resides, who owns it, and the level of accessibility to the data, should also be well documented. Critical data should exist in three locations 1.) the primary data storage 2.) another data storage facility housing a regular back-up, and 3.) locally within the organization. This ensures that if the software service or computing capability becomes unavailable for any reason, the data that is owned by the organization is under its control.
In today's rapid business cycles, loss of access to your information can have a major impact on your success. The system availability is dependent on the working effectiveness of all components listed prior (hardware, network, virtualization, operating system etc.) and will be adversely affected by oversight in any one of the supporting layers. Since today's internal networks are dependent on the external network for day-to-day operations (email etc.), the risk of moving to a SaaS is relatively small when compared with staying on-premise. One risk to consider with SaaS is that while the vendor guarantees 99+ percent uptime, you do not have control over when the scheduled downtime occurs. While vendors usually perform scheduled downtime tasks in off-hours, this might be an issue if you are in a different time zone, or have global operations.
Response time is affected by many variables including physical computer hardware (disks and memory, internal bandwidth, switches, and external bandwidth). It is often assumed that moving to SaaS will increase bandwidth. While your organization can eliminate many of the internal response time issues with SaaS, maintaining adequate upload and download speeds is still the organization's responsibility.
Irrespective of SaaS or on-premise, how quickly an issue is resolved will vary based on many factors including: internal staffing levels, partnership agreements, vendor availability, vendor access to 3rd party systems, the timing of an issue (i.e. business hours, weekends, evening) and the availability of the proper information (access to trained staff, documentation etc...). Service level agreements should have a clear indication of expected call back time when an issue is reported and how these variables will affect issue reporting and resolution.
IT Core Competency
One of the greatest risks with an on-premise solution is ensuring all IT staff members are continuously trained to effectively manage all of the technical components of an student information system. If information technology is an organizational core competency then this is a minor concern. If not, then the advantage of going with SaaS is paying for resources that will stay on-top of the changing technology landscape while maintaining and sustaining the software infrastructure with a high level of proficiency.
SaaS security has the advantage of ensuring adequate bandwidth to systems servers, firewalls, intrusion detection systems and other security appliances. Managed Access Control, encryption, physical security of the state-of-art data center are all components of the SaaS solution. On-premise is dependent on the competency of the human resources and the physical infrastructure of the organization. There are also certainly security risks with a SaaS solution that must be weighed including breaches outside of the control of the SaaS vendor.
Many organizations (especially smaller ones) have been moving to SaaS over the years as technology advances have helped alleviate the fear of trusting a third party with such critical business operations. Of all the risk factors, IT core competency and staying current with technology are probably the two driving forces that make SaaS an attractive option. These factors must be weighed against risks associated with moving your data and software to the cloud. For some, a SaaS solution isn't viable or a hybrid approach is the best option. In each case it's important to find a trustworthy vendor that will evaluate your particular business process and needs and then work with you to find the best solution for your organization.
Finding a good vendor can be challenging so please subscribe for helpful tips and industry trends so you're able to manage your vendor relationship with confidence.
Check out Part 2: Evaluating a Student Information System: What are the Costs?
Any questions? Contact Us
About the Author
Joe Stefaniak has been a leading expert for almost 30 years in the development and implementation of software solutions for higher education. His expertise is in helping colleges and schools streamline operations and manage information for better decision making through analysis and application of best practice software. He founded SCAN Business Systems in 1986. Its flagship product, Campus Café, has grown into a leading provider of educational student information systems. He holds a degree in Business Administration from Northeastern University.