The problem with SaaS

SaaS (software as a service) is extremely popular right now, and it can solve a lot of problems. It means someone else takes responsibility for maintenance and security. Of course nothing is ever that easy a win.

So, what are the problems? Our experience is that there are three, two of which are closely linked:

  1. Inflexibility

  2. Lock-in

  3. Pricing

On top of this, the security and reliability of SaaS providers is not as perfect as one might expect.

Lock-in and pricing are closely related because the pricing often relies on lock-in to get you to pay. One common price scheme is "freemium" where the basic service is free and you pay for upgrades or more users. The disadvantage of this is that if you are not a paying user you are not a real customer and can expect the level of customer service, guarantees of future availability, and so on that that implies.

Then consider this. If the profits only come from a minority of paying customers then they have to pay enough to cover the costs of the non-paying customers and their own costs and leave enough over to make profit.

To be fair, many of these services have a very low marginal cost because the main cost is software development (or possibly marketing) rather than running servers or operations. That, however, points to another reason to look elsewhere: paying once is almost always cheaper than paying a repeating subscription.

Once you are locked in and all your data is on the system, and all your staff are paid to work on it, and all your other systems are integrated with it, you have little choice but to keep paying. Even if you start free, you are quite likely to find some features that you have to have that needs to be paid for, or find that you have hit a limit on the number of users or the amount of data or... The specifics depend on the particular application, but remember the pricing structure, and the providers entire business model, has been carefully built to make this happen.

I have known people to set out to use the free version of an SaaS app but end up finding that they need to pay a fair amount before they start anything more than test and training use.

So far, I have not talked about inflexibility. Its simple: you have far less scope to customise it than you would have running your own copy of the software, and customisation if vital for software that defines the processes that run your business. You can usually add functionality using APIs, usually web based REST APIs or similar, so you might think that solves the problem.

It often does not, because there are limitations. There are some things that are baked in and cannot be changed - of course that is true of most software (you can change anything in open source software but some things are impractical). The other problem is that there are a lot of limitations and difficulties on top of it: for example rate limits, the limitations on how data structures, lack of direct access to databases. This is why we dislike them: they make our lives harder - which means we have to make it more expensive for our customers.

The advantages are also overstated. A big SaaS provider should have good security, and should be able to run a reliable system. In practice there have been many failures on both fronts. There are three problems here. Firstly running big systems is hard, so people make mistakes. Secondly they are publicly known (which a server used only internally would not be) and have to be completely open to the public internet (so they cannot do things like restrict access to the office network and a VPN). Finally they are a target. A system used by one business is most likely to suffer automated attacks that start by scanning for vulnerable systems and then go after low hanging fruit. Something more public, like a big website or SaaS provider will attract much more skilled attention.

On top of that the track record of big SaaS providers is not as good as it should be. Salesforce has lost data, Microsoft has leaked data, and Dropbox has publicly exposed private files. On top of that are many outages, and the risk of network issues at your own end. Very often customers will not find out until later (if at all) and may never know the full extent of problems, and are powerless to ensure prompt and proper fixes.

So, what is the solution? Our favourite option is to find an open source substitute. Its the ultimate in flexibility and its cheap. You can usually find people to work on it. Very often the developers will customise to your needs for a fee. Sometimes they offer support contracts, or even a hosted version which lets you have your cake and eat it: SaaS without lock-in.

If that fails, buy in proprietary software with reasonable license terms and a supplier who looks likely to keep supporting it. If its on your premises it should keep running until you decide to pull the plug (although there are some legal and technical pitfalls you need to look out for).

It is worth spending the time finding the right solution, before you commit to something that could cost more and close options.