What do you need to do to ensure your SaaS business is ready to be adopted by an Enterprise?
Since our beginning we have been working with B2B SaaS Providers to help them sell to Enterprises. We can’t promise to close the deal for you, but based upon our experience with our customers, we can guarantee to remove the reasons why you might not be adopted.
Everyone understands the value and risk associated with hosting critical applications and customer data within a cloud environment; none more so than your future Enterprise customer. So it’s important to have a clear understanding of what this means and what you, as the SaaS Provider, should be prepared for.
Here is our simple technology checklist for B2B SaaS Providers who want to successfully sell to Enterprises:
Tenancy is not to be confused with shared or dedicated instances/resources, although that is still a factor to consider. A single tenancy is where the entire cloud architecture is dedicated to one Enterprise. A multi-tenancy is where one cloud architecture hosts multiple Enterprises.
With this in mind, you, as the SaaS Provider, may already have a preferred method of hosting your applications. You may have an architecture with shared resources and databases, or you may have a completely separate tenancy for each Enterprise.
How an Enterprise wants its application and data hosted will depend on who the Enterprise is. For example, financial and transaction data will need to remain in a dedicated database, or preferably in a dedicated cloud tenancy. Governance and legislation will also dictate how the data should be managed.
Some Enterprises may already have a preferred cloud provider, so be prepared to adapt, especially if this is a deal breaker. For example, online shopping Enterprises may prefer to host with Azure or GCP rather than AWS.
As with tenancy, you may already have a preferred model. Of the three mentioned, the Hybrid model is the one to be prepared for. Enterprises may want a composition of private and public clouds, thereby utilising the differing advantages of both, such as scalability, low cost and the ability to run business-critical applications in a secure environment.
Your application not only needs to deliver scale and value, it must also be deployable seamlessly. Simply put, you need an open architecture that accommodates the needs of the Enterprise.
What does that mean?
i) Data Export – your Enterprise will want to be able to access their raw data to analyse it, absorb it into their own systems or simply to take some comfort that if the worst happens, they have their own store. Whether you offer this upon request with an agreed response time, or as a self-service offering is up to you, but make no mistake the Enterprise will want access to it.
ii) RESTful API – ideally you make data available via an API that allows your Enterprise customers to retrieve and query it, perhaps using JSON as the data format. Document your API to include things such as: authentication, base URLs for test and production, response codes, endpoint URLs, descriptions, data structures and a narrative around the general concepts of your API.
Consider incremental endpoints for data synchronisation, such as returning only the data points changed since a given timestamp.
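As an added illustration of the incremental endpoint described above (this is constructed example code, not the page's or any vendor's own API), the following framework-free handler implements a `GET /v1/datapoints` endpoint that returns records changed since a timestamp, authenticates the caller with a per-tenant Bearer key, and pages through results with a cursor. The records, API keys, endpoint path and page size are all assumptions; the tie-breaking on `(updated_at, id)` is what stops a client that polls "since my last timestamp" from skipping or duplicating records that share the same second.

```python
"""Incremental data-export endpoint: constructed example, not the page's code."""
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample store: each record has an updated_at timestamp and an
# increasing id, so (updated_at, id) is a stable, total ordering.
RECORDS = [
    {"id": 1, "updated_at": "2024-03-01T09:00:00Z", "value": 10},
    {"id": 2, "updated_at": "2024-03-01T10:30:00Z", "value": 12},
    {"id": 3, "updated_at": "2024-03-02T08:15:00Z", "value": 9},
    {"id": 4, "updated_at": "2024-03-02T08:15:00Z", "value": 11},
    {"id": 5, "updated_at": "2024-03-03T12:00:00Z", "value": 14},
]

# Assumed per-tenant API keys (a real deployment would store only hashes).
API_KEYS = {"tenant-a": "key-a-constructed", "tenant-b": "key-b-constructed"}

MAX_PAGE = 2  # deliberately small so pagination is visible in the example


def authenticate(headers):
    """Return the tenant name for a valid Bearer key, else None.

    hmac.compare_digest avoids leaking key bytes through comparison timing.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for tenant, key in API_KEYS.items():
        if hmac.compare_digest(presented, key.encode()):
            return tenant
    return None


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp ending in 'Z'; ValueError if malformed."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def export_since(since, after_id=0, limit=MAX_PAGE):
    """Records changed at or after `since`, ordered by (updated_at, id).

    `after_id` breaks ties among records sharing a timestamp, so paging never
    skips or repeats a record. Returns (page, next_cursor); next_cursor is
    None on the final page.
    """
    since_ts = parse_ts(since)
    ordered = sorted(RECORDS, key=lambda r: (r["updated_at"], r["id"]))
    pending = [r for r in ordered
               if (parse_ts(r["updated_at"]), r["id"]) > (since_ts, after_id)]
    page = pending[:limit]
    next_cursor = None
    if len(pending) > limit:
        last = page[-1]
        next_cursor = f"since={last['updated_at']}&after_id={last['id']}"
    return page, next_cursor


def handle_request(method, path, query, headers):
    """Tiny request handler so the example runs offline; returns (status, body).

    A real service would mount this behind its documented base URL
    (e.g. https://api.example.test/v1, an assumed value).
    """
    tenant = authenticate(headers)
    if tenant is None:
        return 401, {"error": "invalid or missing API key"}
    if method != "GET" or path != "/v1/datapoints":
        return 404, {"error": "unknown endpoint"}
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        since = params.get("since", "1970-01-01T00:00:00Z")
        parse_ts(since)  # validate before use
        after_id = int(params.get("after_id", "0"))
        limit = max(1, min(int(params.get("limit", MAX_PAGE)), MAX_PAGE))
    except ValueError:
        return 400, {"error": "since must be RFC 3339 UTC; after_id and limit integers"}
    page, cursor = export_since(since, after_id, limit)
    return 200, {"tenant": tenant, "data": page, "next": cursor}


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer key-a-constructed"}
    status, body = handle_request("GET", "/v1/datapoints",
                                  "since=2024-03-02T00:00:00Z", hdrs)
    print(status, json.dumps(body, indent=2))
```

The client follows the `next` cursor until it is null; the cursor carries both the timestamp and the last id, so the server-side filter is strictly greater-than on the pair and the boundary record is never returned twice.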
iii) Webhooks – similar to an API, but webhooks push in real time rather than waiting for a request. They aren’t great for sending and syncing large volumes of data, but they are excellent for signalling that a change has happened, and can therefore be incorporated into the Enterprise’s workflow to highlight when something has stopped working or data is no longer being received. Ideally there are never any problems, but allowing your Enterprise to monitor aspects of the service is an important add-on.
An Enterprise will know the performance of their on-premise solution. It may be monitored 24/7/365 to ensure performance is as expected, and they would be able to change requirements as needed. Although moving to a cloud environment is more efficient and more easily scalable, performance and monitoring are still key factors to consider. Daily reports may be requested by the Enterprise to ensure the application is running as expected. SLAs will be part of the agreement and will need to be adhered to.
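As an added example of the webhook pattern from point iii) above (constructed code, not the page's or any provider's own implementation), the block below shows both sides of a delivery: the SaaS Provider signs each event, the Enterprise verifies it before acting, and a small monitor turns the events into the "data has stopped arriving" signal the checklist describes. The page does not specify a signing scheme; the HMAC-SHA256 over timestamp plus body, the header names, the shared secret, the event types and the five-minute replay window are all assumptions added here.

```python
"""Webhook delivery, verification and feed monitoring: constructed example."""
import hashlib
import hmac
import json
import time

# Constructed shared secret agreed between SaaS Provider and Enterprise.
WEBHOOK_SECRET = b"constructed-shared-secret"
REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and retries


def build_delivery(event_type, payload, secret=WEBHOOK_SECRET, now=None):
    """Provider side: build the JSON body and the headers that authenticate it.

    The signature covers timestamp + body, so a delivery cannot be altered in
    transit or replayed outside the window without the shared secret.
    """
    ts = str(int(time.time() if now is None else now))
    body = json.dumps({"type": event_type, "data": payload},
                      sort_keys=True, separators=(",", ":"))
    digest = hmac.new(secret, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()
    headers = {"X-Webhook-Timestamp": ts, "X-Webhook-Signature": "v1=" + digest}
    return headers, body


def verify_delivery(headers, body, secret=WEBHOOK_SECRET, now=None):
    """Enterprise side: return the parsed event, or None if it must be rejected."""
    ts = headers.get("X-Webhook-Timestamp", "")
    sig = headers.get("X-Webhook-Signature", "")
    if not ts.isdigit() or not sig.startswith("v1="):
        return None
    current = time.time() if now is None else now
    if abs(current - int(ts)) > REPLAY_WINDOW_SECONDS:
        return None  # stale: outside the replay window
    expected = hmac.new(secret, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig[3:], expected):
        return None  # tampered body or wrong secret
    return json.loads(body)


class FeedMonitor:
    """Enterprise-side workflow hook: tracks whether data is still arriving."""

    def __init__(self, stale_after_seconds):
        self.stale_after = stale_after_seconds
        self.last_data_at = None
        self.alerts = []

    def handle(self, event, now):
        """Route a verified event; assumed event types are constructed."""
        if event["type"] == "datapoint.received":
            self.last_data_at = now
        elif event["type"] == "export.failed":
            reason = event["data"].get("reason", "unknown")
            self.alerts.append(f"export failed: {reason}")

    def feed_is_stale(self, now):
        """True when no data event has arrived within the agreed threshold."""
        return self.last_data_at is None or now - self.last_data_at > self.stale_after


if __name__ == "__main__":
    t0 = time.time()
    hdrs, body = build_delivery("datapoint.received", {"id": 42}, now=t0)
    monitor = FeedMonitor(stale_after_seconds=600)
    event = verify_delivery(hdrs, body, now=t0 + 5)
    if event is not None:
        monitor.handle(event, t0 + 5)
    print("verified:", event, "stale:", monitor.feed_is_stale(t0 + 5))
```

The receiver rejects a delivery before parsing it if the timestamp is outside the window or the signature does not match, and only verified events reach the monitor; an unverified delivery therefore cannot reset the staleness clock or raise a false alert.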
Brace yourself. This is a broad and complex piece of the puzzle but mission critical for you to successfully navigate the stringent information security or infosec process of the Enterprise.
Whilst there are a number of initiatives to standardise SaaS Providers’ security criteria, the largest Enterprises will have their own SaaS Provider risk management teams, and as such you will receive, and have to complete, a security questionnaire with literally hundreds of questions. You will need to be able to articulate your security posture in areas such as: product, network, business continuity/disaster recovery, your own SaaS Providers, data and data centres, physical office, employee screening etc. Our Vendor Assessment platform allows you to generate an answer bank in our application that automatically matches your previous answers to standardised and customised Enterprise questionnaires.
You will also need to provide policies on each of these matters and demonstrate that your staff have read and understood them and that you are evidencing compliance with them.
We have created a policy generator that easily configures policies bespoke to your organisation and includes an approval/attestation workflow tool with an evidencing audit trail.
Whilst arguably a subset of cyber security, GDPR deserves special attention. We have created a SaaS GDPR checklist for your organisation including details on: Key Parties, data audits, the role of the ICO, data consent, records retention policies, information security, staff training, subject access requests, and third-party risk management.
Data itself is probably the most important consideration when proposing to a future Enterprise. Depending on how the Enterprise currently maintains their data they may want it hosted within a dedicated cloud tenancy, or at least within a dedicated database instance. Furthermore, you should be prepared to manage a hybrid solution where the data is maintained by the Enterprise directly and outside of your cloud environment.
Five of the most common factors to consider when storing Enterprise data within a cloud environment are:
i) Region – the geographical area in which the physical server that stores the data is located. The region where data is stored will also dictate its accessibility. From an Enterprise’s point of view, it is preferable for their data to be stored in their desired region, as they will be more familiar with that region’s data laws than with those of a different region.
ii) Regulations and Compliance – these differ between regions and cover requirements such as data laws. Data Protection Laws (dealing with the transfer of data across borders) and Data Localisation Laws (which require data to remain in a particular location) may mean that certain records have to remain in a certain country, or even cannot be moved to a cloud environment at all.
iii) Security – works alongside performance and assures the Enterprise that the correct measures are in place. There are four categories of cloud security control. Deterrent controls are essentially warning signs which inform potential attackers of the consequences. Preventive controls are used to eliminate vulnerabilities, for example strong user authentication or a piece of code which disables inactive ports. Detective controls identify security threats and react accordingly, for example security monitoring tools that watch networks for attacks. Corrective controls are used to limit damage, for example a piece of code that shuts down servers when a threat is detected.
iv) Accessibility – being able to access your data from anywhere there is a network connection is paramount for any Enterprise business. The accessibility of data is also dependent on the region where the data is stored, and the resulting data sovereignty. For example, some regulatory requirements may prevent storing specific data in a cloud environment, meaning that Enterprises will not be able to have full remote access to their data. Furthermore, without that data, critical applications may not run effectively. Again, a hybrid solution could be integrated, where a portion of the data is stored in the cloud whilst the data that is not permitted in the cloud remains within a non-SaaS solution.
v) Disaster Recovery – it is important for any Enterprise that uses the cloud in a critical manner to have a disaster recovery plan. This plan will help identify elements such as critical resources and data within the cloud environment, define a recovery time objective and a recovery point objective, choose a recovery method (backup and restore, pilot light, warm standby, hot standby), implement security and corrective measures, schedule maintenance and use cross-region backups.
In all of our experience with software companies and Enterprises, cyber security is one of the key areas that is often overlooked and can cause the largest delays in beginning the onboarding process.
Cyber security is a complex and broad subject that we cover in a separate Cyber Security Checklist but there are three minimum requirements of cyber hygiene you must ensure you have conducted before you commence your enterprise engagement process:
i) Ability to demonstrate that you have conducted annual penetration tests and vulnerability assessments.
ii) Evidence that all staff have completed annual cyber training (there are many online courses available).
iii) An understanding of the nature of your target Enterprise business and therefore what level of cyber security you will need to achieve and maintain. Do not wait until you are engaging with the customer to put your cyber posture in place, as this can insert a considerable delay into the Enterprise onboarding process.