
Wednesday, 29 September 2010

Non-Functional Requirements for SaaS

All software products are built with a set of Functional as well as Non-functional requirements. The key role of the Business Analysts and the Business owners is to define / articulate the need for each and every requirement, whether functional or non-functional. Functional requirements are surely the must-haves, and it is a prime responsibility of the Business owners and the analysts to define them or at least justify the need for them.

It is equally important to define Non-functional requirements and give them the same importance as functional requirements. It may not be appropriate, but a certain leniency in defining Non-functional requirements can surely be tolerated in the case of on-premise software.

If you are an Independent Software vendor who would like to provide your Software as a Service, or if you would like to extend your current offering to a different market on the cloud by providing a SaaS version of the product, then the game changes completely.

In most cases, a SAAS solution is a SINGLE CODE BASE, with a SINGLE LOGICAL DATABASE serving 100s of customers and potentially 1000s of users with completely different usage patterns, different individual tweaking requirements, different requirements for interfacing with their in-house systems and so on.

Hence it is one of the top priorities not only to define the functional requirements, but also to define and design the system to cater to very clearly and strongly defined non-functional requirements. A non-functional requirement, as the name suggests, does not provide any “business functionality”; instead, it glues the functionalities together better. Although there are many things that can be defined as a “non-functional requirement”, I would like to highlight the most important ones that any SaaS Architect or Analyst should keep in mind and define, and, most importantly, “architect & design” the software to address.

Please note that there isn’t any specific priority order for each one of them and the importance of one over the other is completely dependent upon the business need and the type of the software to be delivered as a SaaS.

Also please note that not all of them may be a key requirement for every software, and hence it is up to the Analysts and the Architect to define them. The list below may also be used as a checklist by the designers of the system to ensure they have these covered in their definition.

--

Security

No software can escape the need for security, whether SaaS or on-premise. But when it comes to SaaS, the requirement is more stringent. As an ISV, the responsibility for security (whether data security, network security or intrusion prevention) lies entirely with us. Any subscriber to a SaaS would expect assurance that their information and data are secure, all the more since the data is not under their own watch and we are its custodian. In a multi-tenanted environment, no one would want their data to be visible to other companies using the same system. This is of utmost importance and should be one of the key points considered while defining the data structure for the software.

Network security and intrusion prevention are not a point of concern for the provider of traditional on-premise software, since deployment and network security are then the responsibility of the client rather than the software provider. When it comes to SaaS, these things are equally important and must be considered.

I had attempted to provide a simple security checklist in one of my previous blogs, which may be used by all parties involved in SaaS, whether it be an ISV providing the software, a company subscribing to it or a user using the system.

Scalability

Scalability takes a completely different turn when the software is delivered as SaaS. Any software (whether SaaS or on-premise) has to consider scalability when it comes to handling “volumes”. And since SaaS is eventually all about multiple clients with multiple users using a single code base, volumes are an inherent characteristic of the software. There should be no second thoughts about considering a Scale-out architecture along with a Scale-Up architecture for any SaaS system. The better the software, the more clients and the more users are bound to sign up for your service.

The software has to natively support a Scale-out architecture at the architecture level, so that you are able to expand your system to virtually any level up to the theoretical maximum. We never know: if our software / service is successful, we could be the next billion-dollar salesforce.com :-)

Availability / Reliability

What applies to security applies equally to the availability or reliability of the software. Reliability is one of the most important factors / characteristics that must inherently be part of the backbone of any SaaS product.

Very clearly defined SLAs (Service Level Agreements) have become the norm these days for any SaaS offering, and not adhering to them may even have legal implications. With more and more improvements in technology and increasing competition, customers expect a 99.99% uptime of the service and no longer just 99.9%. So that mathematically equates to 1 hour of downtime per year. Everyone is aware of the fact that no software can be 100% bug free, but at the same time the software needs to be architected and designed to ensure that downtime scenarios are well handled and there is no / minimum data or business loss to the clients. And most importantly, ensure your SLAs are aligned to the SLAs of your hosting provider / partner. Always use a hosting provider. Never DIY.

Performance

One of the prime reasons Google's search engine and Google’s web browser Chrome are a hit is their speed of response. No one would expect your software to be as quick as Google (although if you could get there then nothing like it :-) ), but response times for any business operation have to be quick enough that users do not get a chance to think about the speed. Defining clear SLAs for response times is also key for any SaaS offering. Defining higher response times in your SLAs to avoid legal implications and to play safe may be a good idea to an extent, but not at the cost of users realising the system is slow and starting to dislike it.

Perform frequent checks to ensure that performance stays at the top of the agenda. Cache the most frequently accessed metadata, service your database by optimising your queries and ensure all the queries in your database use the most appropriate indexes. Minimize network operations and use compression where appropriate. Load balance your web servers and, if other factors permit, localise your server location.

And most importantly, do not over-engineer your software. The above points like caching, database indexing etc. may not always be the solution for performance and hence should be done as a calculated exercise.

Configurability

One of the critical success factors of any SaaS application is configurability. It is even more important for a SaaS product to take configurability on board to a great extent, given its native characteristic of having a single code base. Configurability in SaaS aims to provide customers with a multitude of options and variations to provide a unique experience. Not just that, but having the system configurable allows you to sell different services based on various licensing modes / editions, e.g. Software – Lite, Software – Professional, Software – Ultimate and so on. The ability to switch a particular feature on and off, an option to change the way a user uses the functionality, or even the ability to change the background colour of a screen may not be the most important thing to have within a software, but it is surely one of the key differentiators / selling factors for your offering. As mentioned above, providing different editions to different targets makes it easier to expand market share.

Also, since every customer would want to use the system in a different way to better suit their internal culture, the more configurable your offering, the better.

Flexibility / Extensibility

A software offering never ever ends at Version 1. It is relatively easy to add, remove or modify functionality in on-premise software, since doing so does not affect your other customers. They have separate copies of your system, and providing more “bespoke” tweaking is possible in such cases. A SaaS offering is a single piece of software catering to all your customers. Hence the architecture should leave room to extend the software with more features and functionalities, to provide more value to your offerings in the future.

The most important thing to avoid in a SaaS offering is providing bespoke implementations for different customers (with switches). Ensure the software is extensible enough to avoid such scenarios.

Usability

Usability Engineering is a vast area in itself, and over the years companies have started taking User experience more seriously rather than just providing “a” User interface they think is appropriate. It becomes even more difficult to implement a good user interface and interaction for a SaaS offering, since the spectrum of users increases more than ten-fold. A single software instance needs to provide a unique experience and functionalities to different customers and, in turn, to the various users of each customer. Every SaaS offering is advised to undergo a Usability engineering exercise before getting the Graphics team to define the user interface for the software.

Interoperability

And last but not least, no software can work standalone. There is always a need to integrate our systems with other systems providing specialised services. E.g. a Purchase Management system may need to provide a facility to interoperate with a financial accounting system. If you are providing a Financial accounting system as a SaaS offering, the need for interoperability would be even higher than for other kinds of business software, for obvious reasons.

The key solution to address this non-functional requirement is to implement a Service Oriented Architecture. It is important to expose most of your key interoperable business functions in the form of well documented Web services to allow other systems to interact and interoperate with your system. Since we are talking about a SaaS offering, and as mentioned earlier, the requirements of individual customers may differ; hence the SOA layer of the software needs to be well thought out and well documented to avoid any need for bespoke implementations. It may also be necessary to build a facility for importing and exporting raw data natively into the system’s architecture, to allow other related systems to bond well with your offering. Needless to say, interoperability should not be provided at the cost of security, and hence due care needs to be taken to ensure both marry well within the system.

--

There may be many more points which may be considered important as non-functional requirements, but the above ones are the most important and common ones, which almost all software delivered as SaaS needs to take into account in its design and implementation.

The success of a software (especially delivered as SaaS) depends not only on its functional requirements but also, to a very great extent, on the… NON-FUNCTIONAL REQUIREMENTS.

Friday, 30 October 2009

Security concerns with a SAAS system

SAAS – Software as a Service can be defined as "Software deployed as a hosted service and accessed over the Internet rather than a product deployed at the customer’s premises for each customer."

Today, SAAS applications are expected to take advantage of the benefits of centralization through a single-instance, multi-tenant architecture, and to provide a feature-rich experience competitive with comparable on-premise applications.

Software as a Service (SAAS) is transforming the way traditional ISVs do business as providers of applications to the market. This new deployment and licensing model will fundamentally change the business model of the ISV, impacting many parts of the organisation – marketing, the sales force, presales engineering, deployment, support, finance, and product engineering and maintenance.

But all this sounds good for the ISVs that run this business model. The main point here is to get a customer convinced to go for subscription-based software rather than on-premise software.

Customers surely see lots of business advantages in using a SAAS-based product over an on-premise product. The decision is no longer a business decision; it is more a technical decision. The key technical factor that influences the customer's decision whether to go on-demand subscription-based or to buy on-premise software is – Security.

Since the data is multi-tenanted in a SAAS environment, the fundamental question that comes to the customer's mind is – How secure is my data (since it is not in front of me)? What is the guarantee that other customers of the same service do not have access to my data?

The customer should ideally ask the SAAS provider the following questions to be convinced. Not every question needs to have a positive answer for the customer to take a decision. It also depends upon what type of business application is being offered as SAAS. But “knowing” the answers is a “must” before deciding whether to go the on-demand route or the on-premise route.

Here’s a list of questions I think should be asked by any customer to a SAAS vendor before subscribing to their service. The same set of questions can also be used as a check list by a SAAS vendor.

Data Access Related Questions

  • Is the Database Multi-tenanted?
  • How many people in the entire chain have the Database SA password?
  • Is the data for one customer securely away from another customer?
  • Do the Data-Centre engineers have access to the database through SA?
  • Is anyone in the entire chain in a position to access / copy / change / destroy critical data of any customer?
  • In a system where 3rd Party integration is involved, is the Data communication secured and restricted to only the required exchange of information?
  • What information is stored in the Audit log?
  • What arrangements are made for Database backup?
  • What types of data are encrypted and what is the encryption mechanism used to ensure it is safe?

Infrastructure Related Questions

  • What SLA does the SAAS provider have with its Data Centre?
  • What hardware redundancy arrangements has the vendor made?
  • Does the data centre have WAN backup? i.e. is the data centre replicated in 2 different continents as a backup?
    • If yes, ask all the Data Access Related Questions again with reference to this second Data centre
  • How many people from the SAAS vendor organisation have the network administrator password within the data centre?
  • How many people have the Shut-Down permission on the Server?
  • How often do the servers need to be restarted?
  • Does the SAAS vendor align with the Data Centre's SLA within their own SLA?

Internet based Security Threats

  • Is the Site hosting the SAAS system SSL enabled?
  • Is the Database server on the internet or behind a DMZ?
    • If yes, it is exposed to the internet, then why?
  • How is the system protected from SQL injection?
  • (In case a hacker gets access to the Database) Is the critical data encrypted?
  • Is the Application User security tightly aligned to the data security?
  • Last but not least, does the SAAS vendor / provider get their system audited by Security Auditing authorities?

Typically all these (or most of them) are covered in the SLA provided by the SAAS vendor, but this, to my mind, is something any customer must be aware of before signing up for a SAAS offering.
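
One way to meet the tenant-isolation requirement from the Security section of the first post, together with the checklist questions above on keeping one customer's data away from another's and on protection from SQL injection, shown as an added example that is not code from the original posts. The `TenantStore` class, the `invoices` schema and the tenant names are constructed for illustration, and the example assumes the tenant id is taken from the authenticated session.

```python
import sqlite3

# Single logical database shared by all tenants: every row carries its owner.
SCHEMA = """
CREATE TABLE invoices (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    customer  TEXT NOT NULL,
    amount    REAL NOT NULL
);
"""

class TenantStore:
    """Data-access object bound to exactly one tenant (hypothetical design)."""
    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        # Assumption: set from the authenticated session, never from request input.
        self._tenant_id = tenant_id

    def add_invoice(self, customer, amount):
        cur = self._conn.execute(
            "INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
            (self._tenant_id, customer, amount))
        return cur.lastrowid

    def get(self, invoice_id):
        # The tenant filter is applied even to primary-key lookups, so a
        # guessed id from another tenant returns nothing.
        return self._conn.execute(
            "SELECT id, customer, amount FROM invoices WHERE tenant_id = ? AND id = ?",
            (self._tenant_id, invoice_id)).fetchone()

    def find_by_customer(self, customer):
        # Bound parameter: user input is passed as data, never spliced into SQL.
        return self._conn.execute(
            "SELECT id, customer, amount FROM invoices "
            "WHERE tenant_id = ? AND customer = ?",
            (self._tenant_id, customer)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample tenants and rows.
    acme, globex = TenantStore(conn, "acme"), TenantStore(conn, "globex")
    acme_id = acme.add_invoice("Initech", 1200.0)
    globex.add_invoice("Initech", 75.5)
    return {"own_rows": acme.find_by_customer("Initech"),
            "cross_tenant_read": globex.get(acme_id),
            "quoted_input": globex.find_by_customer("Initech' OR '1'='1")}
```

Because no query can be issued without going through a store that already holds the tenant id, forgetting the filter in one screen or report is not possible by construction.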