CIOInsider India Magazine


Optimizing Costs in SaaS: Strategies for Efficiency

Rajalakshmi Srinivasan, Director - Product Management, Zoho Corp

Rajalakshmi Srinivasan has more than 20 years of professional experience. She has gained extensive experience ranging from database scaling and network monitoring to application performance tracking and end-user experience management. Rajalakshmi has an engineering degree in Computer Science from The College of Engineering, Guindy (CEG), Chennai.

In a conversation with Keerthana H K, Correspondent, CIO Insider Magazine, Rajalakshmi Srinivasan, Director-Product Management, Zoho Corp, shared her views and thoughts on how we can ensure data security and privacy in a SaaS application, as well as how we can optimize the cost of running a SaaS application.

What are some challenges in migrating an existing on-premises application to a SaaS model, and how would you address them?
To date, many in-house legacy applications are still in production. With the advent of cloud, organizations wanting to cope with the technological advancements are trying to move their on-premises applications to a SaaS model. The challenges in migrating an existing on-premises app to a SaaS model depend on various factors. Some of them are:

(i) The components used in the existing application like the web server, database server, file systems, and cache.

(ii) The modularity of the application, i.e., if the application is a single monolith or if the different components are written as independent modules.

(iii) The complexity of the integrations with other legacy systems.

There is no one-size-fits-all solution to address the challenges. Instead, analyze the pros and cons of moving to the cloud, estimate the cost and effort involved in the migration, and then decide your migration approach. Sometimes the decision could even be, 'not to migrate and live with the existing on-premises application instead'.

But if you decide to migrate, one crucial factor to consider is the customer and business impact. The migration shouldn't affect existing customers. Take the modularity approach and migrate one module at a time, and run it in parallel alongside your on-premises application to ensure 100 percent data consistency. After this, retire the existing system.

How should we ensure data security and privacy in a SaaS application? Could you discuss the best practices for securing SaaS applications?
In SaaS applications, security is not an afterthought. Security-by-design has to be followed strictly for all applications. The best practice should be to secure not just the SaaS layer, but also all the other layers (PaaS, IaaS, etc.) in the cloud architecture, by ensuring that the necessary security controls exist across all layers. Data Classification, Data Isolation, Data Cleanup, Encryption at Rest (EAR), Identity and Access Management (IAM), Secure Configurations, DDoS Prevention, and Web Application Firewall (WAF) configurations are some examples of the security controls to be enabled.

How should we optimize the cost of running a SaaS application, and what strategies are employed to reduce infrastructure expenses?
Cost is one of the primary factors to be considered in running a SaaS application, and it is important to optimize and keep it in control. Some of the strategies to be followed are as follows:

(i) Use the minimum required infrastructure. We can scale as and when needed. That is the beauty of SaaS.

(ii) The type of server (whether Virtual Machine (VM) or dedicated machine), the capacity of components like RAM and CPU cores, disk storage capacity, and the number of copies of the data stored play a major role in the infrastructure cost. Select them wisely.

(iii) Ensure that only relevant and required data is collected and stored in the SaaS application. Data that is not shown in the client or used for background processing does not have to be stored in the database. In fact, such data does not have to be collected.

(iv) Conduct a periodic data cleanup and free up resources.

(v) If the application is hosted on a public cloud, set a cap on the cost/resources used, configure notifications that alert you on/before the set cap, study the usage, and plan accordingly.

What are the best practices for monitoring and managing the performance of a SaaS application? What tools and techniques are used for this purpose?
All SaaS applications should be monitored for three major aspects:

(i) Availability - All the resources that are needed for running a SaaS application, like web servers, database servers, cache servers, VMs, routers, switches, firewalls, network and more, have to be up and running. Availability of 99.999 percent is the market expectation.

(ii) Performance - Speed is an important aspect. In this fast-moving internet world, none of us have the time or patience to wait. Slow is the new down.

(iii) Security - We have talked about the importance of security earlier. For cloud applications, ensuring security across all layers is important.

Monitoring tools play an important role. Any standard tool from the market or a tool built in-house can be used; however, the tool has to be all-in-one. There are numerous examples of people using different tools for different layers and struggling to connect the dots. This leads to a siloed approach, which complicates application performance. Only an all-in-one tool approach will have all the monitoring data in one place so that contextual alerting and reporting can help improve the overall performance of the SaaS application.

Describe the concept of compliance and regulatory requirements in SaaS and how to ensure compliance with data protection laws.
To start with, transparency is a must. It's important to be clear and explicit about all the data that is collected. The data also needs to be segregated as Personally Identifiable Information (PII), wherever required.

SaaS applications are also required to comply with ISO standards. ISO 27001 - Information Security Management System (ISMS), ISO 27701 - Privacy Information Management System (PIMS), ISO 27017 - Cloud Security, and ISO 27018 - Cloud Privacy are some of them. Additionally, country-specific regulations like the GDPR and CCPA should be adhered to based on geographic presence.

The crux of all these compliance requirements is to have security controls at all layers of the SaaS application and to emphasize the fact that the customer owns their PII data. So, all the rights regarding the PII data, like the right to access, the right to erase, and the right to rectify, are in the customer's hands.

The following are a few other practices that can help companies comply with data protection laws:

(i) Zero-trust model implemented for data, users, devices, application, and network.

(ii) Audit and evidence in place for every touch point.
