Architecting Software as a Service for the Enterprise


Published in: Technology, Business

  1. 1. IT@Intel White Paper
     Intel Information Technology
     Cloud Computing
     October 2009

     Architecting Software as a Service for the Enterprise

     Catherine Spence, Enterprise Architect, Intel IT
     Jason Devoys, Enterprise Architect, Intel IT
     Sudip Chahal, Principal Engineer, Intel IT

     Executive Overview

     As part of our cloud computing strategy, Intel IT has been opportunistically taking advantage of external offerings of software as a service (SaaS) applications. To prepare for broader SaaS adoption, we designed a SaaS architecture that will enable us to shift to a more strategic view and facilitate faster, more standardized implementations.

     To create our architecture, we analyzed SaaS industry trends and scanned existing Intel SaaS implementations to gather best-known methods and architectural techniques. We then extended existing enterprise application frameworks and architecture to create the elements that comprise the SaaS architecture, including:

     • A use-case model based on a typical scenario that requires back-end data exchange between Intel and the SaaS provider.
     • A conceptual architecture that provides a long-term view of all the components required in a complete SaaS implementation.
     • A reference architecture providing a proven template solution that Intel SaaS project teams can immediately apply to specific implementation projects.

     The SaaS architecture promotes standardization and best practices. It defines the components and capabilities required for deployment and a vocabulary for consistent communication with SaaS providers. Our goal is to facilitate a shift from organic growth to prescriptive deployment of SaaS applications at Intel, with greater consistency among implementations and reduced implementation effort.
  2. 2. Contents

     Executive Overview  1
     Background  2
     SaaS Architecture  3
       Environmental Scan  3
       Use-Case Model  5
       Conceptual Architecture  6
       Reference Architecture  8
     Conclusion  10
     Contributors  10
     Acronyms  10

     BACKGROUND

     Cloud computing is an important trend that includes several categories of service, all offered on demand over the Internet in a pay-as-you-go model. Software as a service (SaaS) is one of these categories; others include platform as a service (PaaS) and infrastructure as a service (IaaS). See the sidebar “A Cloud Computing Taxonomy” on page 3 for more details.

     Intel IT has defined an overall cloud computing strategy based on growing the cloud from the inside out. We are developing a private internal cloud that will eventually extend to, and support interoperability with, the Internet or external cloud. Over time, this strategy will allow Intel to dynamically transfer workloads in and out of the enterprise, taking into account considerations such as cost, security, and compliance.

     As we grow our internal cloud and determine how best to take advantage of the external cloud, we have also been opportunistically taking advantage of external SaaS offerings that deliver value such as increased agility and cost savings.

     SaaS is the most mature category of cloud service, since it evolved from the application-service-provider model of software hosting. With SaaS, software applications are rented from a provider as opposed to purchased for enterprise installation and deployment.

     Intel has successfully used a variety of SaaS applications. These typically have been specialized point solutions: Expense reporting was an early example, and adoption has grown as we have continued to identify specialized solutions that make sense to outsource. We’ve experienced accelerating growth of SaaS in the last few years. Based on the success of these solutions, we expect growth to continue.

     The opportunistic use of SaaS has yielded benefits such as cost savings, improved agility, and faster time-to-market, as well as increased flexibility in scaling to support more users as necessary. It has also provided a venue for experimenting with new capabilities.

     As our use of SaaS increases, we must be able to scale the environment, be positioned to take advantage of standardization, and provide guidance to suppliers about how to integrate with enterprise applications. In addition, future solutions will likely require more frequent data exchange between Intel and our providers, with lower tolerance for failure. We also look to improve security and manageability, which currently require a great deal of work, due diligence, and carefully calculated risk.

     These requirements led us to develop a SaaS architecture that will help us shift to a more strategic view of SaaS and enable faster, more standardized implementations. Using the SaaS architecture, we can proactively assess applications in our portfolio, exploring opportunities to simplify our environment, gain faster access to new features, and reduce cost.

     IT@INTEL

     IT@Intel is a resource that enables IT professionals, managers, and executives to engage with peers in the Intel IT organization—and with thousands of other industry IT leaders—so you can gain insights into the tools, methods, strategies, and best practices that are proving most successful in addressing today’s tough IT challenges. Visit us today at or contact your local Intel representative if you’d like to learn more.
  3. 3. SAAS ARCHITECTURE

     Our goal was to provide a proven template solution that comprehends the unique requirements of SaaS, defines the components and capabilities required for deployment, and promotes consistent communication with external solution providers.

     We began by conducting an environmental scan of industry trends and existing Intel SaaS solution architecture. We then developed a series of architectural elements. These included a use-case model and a conceptual architecture that represent a long-term vision of the key capabilities required in a complete SaaS offering. Because not all of these capabilities are available today, we also developed a near-term reference architecture based on existing enterprise application frameworks and architecture. The reference architecture provides a proven template solution that Intel SaaS project teams can immediately apply to specific implementation projects.

     Environmental Scan

     The environmental scan incorporated two activities. First, we examined industry trends. Second, we surveyed representative Intel SaaS deployments to gather architectural techniques and best-known methods.

     INDUSTRY TRENDS

     Our examination of industry trends painted a positive picture of SaaS, with a rich application pipeline. Though the market is still relatively small, it is expected to grow up to 40 percent annually; as a result, some analysts expect that one quarter of all business software will be delivered using SaaS by 2011. In one survey of organizations using SaaS, over 90 percent said they were satisfied. Many software suppliers are creating SaaS solutions based on their traditional offerings; this will create additional outsourcing options.

     INTEL SAAS DEPLOYMENTS

     Over time, Intel has experimented with or deployed a variety of SaaS applications, including four of the five most widely used SaaS categories: customer relationship management (CRM), human resources management systems, collaboration, and business expenses.

     We surveyed 14 SaaS solutions that had been used at Intel. Of these, 11 were in production use: these included expense and time-card tools, online learning, hiring tools, and health benefits. Table 1 summarizes the characteristics of these applications.

     Table 1. Characteristics of Software as a Service (SaaS) Applications in Use at Intel

     Application Categories
     • Good candidates for SaaS are applications with industry-standard workflows, which do not involve intellectual property or sensitive data, such as human resources management, employee stock options, medical benefits, and expense reports.

     Users
     • The number of users varies—from participants in a small pilot project to a majority of Intel employees for several applications.
     • About half of SaaS applications are used globally and half are specific to the United States.

     Business Drivers
     • Agility and time to market.
     • Lower cost: No need to develop and maintain internal expertise for commoditized capabilities with industry-standard workflows.

     Costing Model
     • Most applications use subscription licensing, with a fee paid at regular intervals—yearly, quarterly, monthly.
     • A few applications are priced per transaction.

     Platform
     • In about 30 percent of cases, suppliers provide a dedicated hardware platform for Intel’s application; in the other 70 percent, the platform is shared. The application is typically not virtualized.
     • In about half of the cases, suppliers provide a dedicated application instance for Intel; the rest use a standard multi-tenant shared instance.

     Disaster Recovery
     • There is a disaster recovery plan for most applications.

     Security
     • All SaaS solutions have undergone a security risk assessment. Most data has a relatively low security rating.
     • Half of the SaaS applications use single sign-on (SSO); the rest use personal profiles.
     • Data may be encrypted in transit and at rest. Native Web applications use HTTPS/SSL to protect important data during transmission.

     Monitoring
     • Typically, vendors monitor applications and infrastructure and send us selected or summary alerts.

     Key findings of our survey included:

     Uses and benefits. Intel’s most successful SaaS projects have involved the delivery of non-critical capabilities: commoditized functions that do not contribute directly to Intel’s competitive advantage. The biggest benefit has been that SaaS provides agility, with fast access to new functionality.
  4. 4. We realized even more value when we outsourced the application-specific help desk along with the software.

     We have also benefited from the expertise of outsourcing suppliers, which has enabled us to focus internal resources on other more critical tasks.

     We have generally seen reduced costs from using SaaS solutions—however cost has historically been a lower priority than functionality. We like the ability to pay for only what we use, and we like solutions that could scale up and down based on demand.

     Users generally have reported good experiences, especially in the areas of usability and responsiveness. In some cases, users had difficulty distinguishing SaaS from internally installed enterprise applications. We observed that Intel users are technically savvy and like a self-service approach, so they are comfortable with the SaaS model.

     One innovative SaaS use has been to temporarily try new capabilities to inform our broader strategy and long-term plan. For example, we experimented with an on-demand CRM product with the intent of meeting immediate internal demand while we planned the deployment of an enterprise CRM solution. When the product did not meet Intel’s needs, we were able to de-provision it quickly. This exercise provided insights that have influenced our current CRM direction.

     Sidebar: A Cloud Computing Taxonomy

     To promote the use of common definitions, Intel has developed a cloud computing taxonomy. We referenced existing works of cloud taxonomy and used them as input to develop our own. The taxonomy includes several established categories of cloud computing service, as shown in Figure 1.

     Elements of the taxonomy include:

     • Software as a service (SaaS). On-demand software applications. With SaaS, software applications are rented from a provider as opposed to purchasing them for enterprise installation and deployment. At the top of the pyramid, this is the most mature category of cloud service; a wide variety of applications are already available for enterprise use.
     • Platform as a service (PaaS). On-demand software development platforms.
     • Infrastructure as a service (IaaS). On-demand computing infrastructure.
     • Cloud software. Unique purchased/packaged software used to build and run cloud services.
     • Service as a service. Horizontal service that is subscribed to and used as a component of SaaS, IaaS, or PaaS offerings. An example is a billing service.
     • Cloud client. Client-centric services and run-time software for cloud execution.

     [Figure 1: pyramid diagram with the labels Cloud Client, Software as a Service, Platform as a Service, Infrastructure as a Service, Cloud Software, and Service as a Service.]

     Figure 1. Intel adopted a cloud computing taxonomy using input from existing works.

     Integration. The business process, application, and data integration required depends on the extent to which a SaaS application is
  5. 5. tightly coupled with the Intel environment. We found that the key has been to evaluate the intersection of each SaaS solution with our existing business processes, systems, and data.

     Ideally, we want a good fit between a SaaS application and our business process, with minimal need for configuration or customization. Where changes are required, we have favored configuration of SaaS applications over customization, but we have customized software in some cases where it is necessary to meet Intel business needs. We gathered best practices for testing and for troubleshooting—which is challenging when multiple parties, including an Internet service provider, are involved.

     Security. With our existing SaaS applications, we have adopted a comprehensive approach to security. The rigor of our assessment was based primarily on the security rating of data; we assign these security ratings relative to the sensitivity and importance of the data. We requested evidence of protection level and encryption; with multi-tenant solutions, we probed how suppliers separate Intel’s information from that of other companies. In some cases, we required a physical inspection of the provider premises and employee background checks.

     Regulatory compliance. We identified a few areas as important for regulatory compliance. Employees’ personal data must be protected, such as bank account information associated with expense reports. We also need to help ensure intellectual property protection; for example, we do not want to store sensitive documents in the cloud for potential access by controlled countries. We have to comply with local and national financial reporting regulations. We explicitly defined jurisdiction of data in contracts, including liability in the event of legal action.

     Use-Case Model

     As part of our SaaS architecture, we defined a use-case model that shows how the system behaves from a user-centered design perspective. Our model, shown in Figure 2, focuses primarily on IT-approved solutions for commoditized functions used by many Intel employees, though there is enough flexibility in the model to include some cases in which an Intel department or end-user sources their own solution.

     [Figure 2: use-case diagram with the actors SaaS Specialist, IT Administrator, End User, and SaaS Provider.]

     Figure 2. Software as a service (SaaS) architecture use-case model.

     There are three types of primary SaaS user roles within Intel.

     • IT users. Primary IT user roles are applications administrators and SaaS specialists. The administrator is responsible for the decision to use
  6. 6. SaaS for a particular application and for any integration work needed to deliver the service within Intel. The SaaS specialist is the technical resource who delivers any personalization, programming, and customization for Intel.
     • End users. Primary end users are individual workers at Intel who use SaaS applications for job-related activities. Workers are located within the enterprise or connected to Intel while traveling or working from home.
     • SaaS provider. This is the external provider that delivers a software service over the Internet to Intel.

     The model describes a typical SaaS solution in which back-end integration is required. It encompasses the entire service life cycle and includes use cases to define SaaS selection, initial setup at Intel and the SaaS provider, user consumption of the service, ongoing data exchange and administration, and service end of life.

     Conceptual Architecture

     The conceptual architecture is intended to represent a three- to five-year vision of SaaS architecture, free of implementation technology details, and to establish common capability definitions. The conceptual architecture depicts all the key capabilities required in a complete SaaS offering, the logical separation of capabilities into tiers, and the logical grouping of capabilities. We do not expect that individual SaaS applications will necessarily include every capability described in the conceptual architecture.

     KEY FEATURES

     A well-designed SaaS application has several key architectural features. It should be:

     • Multi-tenant efficient. The design should support multiple tenants using a single instance of the application. The data must be segregated for each tenant.
     • Configurable. The application can be configured to meet the needs of each tenant, using metadata and a metadata execution engine—also known as a business rules engine. Routine configuration changes should be possible without the need to coordinate downtime with other tenants.
     • Scalable. Multi-tenant usage can result in millions of users. Applications should be designed from the ground up to scale up and scale out—and to be able to do this dynamically, on demand.

     SAAS CAPABILITIES

     Many capabilities make up the SaaS conceptual architecture. We group these into presentation, security, application, operations, and infrastructure categories, as shown in Figure 3. The following sections describe the most important capabilities.

     Presentation

     This includes all capabilities exposed to the user, such as:

     • Menu and navigation. These provide access to the features and functionality within an application, organized in an intuitive way so that the user can select the desired function.
     • Reporting. Application-specific predefined or ad-hoc reports.

     Security

     Security is one of the most important categories of SaaS capabilities, given that Intel’s data and user accounts are typically hosted by the SaaS provider. We considered the following capabilities:

     • Identity and federation. Identity uniquely identifies a user or another entity such as an Intel application or system. An example is a user name. Federation describes the function of enabling users in one domain to securely and seamlessly access data within another domain.
     • Authentication and single sign-on (SSO). The process of identifying an individual, usually based on a user name and password. In the context of SaaS, this includes the ability to achieve SSO across multiple cloud applications and services.
     • Authorization and role-based access control. After an identity has been confirmed, authorization is the process of giving individuals access to system objects based on their identities. Identities are usually assigned to roles for ease of managing access.
     • Entitlement. The process of granting access to a specific resource. Tenants are usually responsible for maintaining their own user accounts using delegated administration.
     • Encryption. Data may need to be encrypted in transit (between applications or between the layers within an application) and at rest (while stored).
     • Regulatory controls. Tracking and reporting who accessed what, when, and why. It includes tracking access to application features and data, the security rating of the data, and the implementation of a data retention policy. It also includes identifying whether individuals are located in controlled countries.
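
The multi-tenant and authorization capabilities described above (a single shared instance with data segregated for each tenant, roles for managing access, and tracking of who accessed what and when) can be sketched as follows. This is an added example, not code from the Intel paper; the table names, role names, and the `TenantSession` class are assumptions, and SQLite stands in for a provider's shared database.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed role model (assumption): role name -> operations it may perform.
ROLE_OPERATIONS = {
    "end_user": {"read"},
    "it_administrator": {"read", "write"},
}

# One shared database for all tenants; every business row carries tenant_id.
SCHEMA = """
CREATE TABLE expense_reports (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    owner     TEXT NOT NULL,
    amount    REAL NOT NULL
);
CREATE INDEX idx_reports_tenant ON expense_reports (tenant_id);
CREATE TABLE access_log (
    logged_at TEXT NOT NULL,
    tenant_id TEXT NOT NULL,
    user_name TEXT NOT NULL,
    operation TEXT NOT NULL,
    record_id INTEGER,
    allowed   INTEGER NOT NULL
);
"""


def open_shared_db():
    """Create the shared (multi-tenant) database in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


class TenantSession:
    """Data access for one authenticated user, pinned to one tenant.

    The tenant is fixed when the session is created and is never taken
    from request parameters, so a caller cannot name another tenant.
    """

    def __init__(self, db, tenant_id, user_name, role):
        if role not in ROLE_OPERATIONS:
            raise ValueError(f"unknown role: {role}")
        self.db = db
        self.tenant_id = tenant_id
        self.user_name = user_name
        self.role = role

    def _authorize(self, operation, record_id=None):
        """Role check; every attempt, allowed or denied, is logged."""
        allowed = operation in ROLE_OPERATIONS[self.role]
        self.db.execute(
            "INSERT INTO access_log VALUES (?, ?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), self.tenant_id,
             self.user_name, operation, record_id, int(allowed)),
        )
        if not allowed:
            raise PermissionError(f"{self.role} may not {operation}")

    def add_report(self, owner, amount):
        self._authorize("write")
        cur = self.db.execute(
            "INSERT INTO expense_reports (tenant_id, owner, amount) "
            "VALUES (?, ?, ?)",
            (self.tenant_id, owner, amount),
        )
        return cur.lastrowid

    def get_report(self, record_id):
        """Return (id, owner, amount), or None if the id is not this tenant's."""
        self._authorize("read", record_id)
        return self.db.execute(
            "SELECT id, owner, amount FROM expense_reports "
            "WHERE id = ? AND tenant_id = ?",
            (record_id, self.tenant_id),
        ).fetchone()

    def list_reports(self):
        self._authorize("read")
        return self.db.execute(
            "SELECT id, owner, amount FROM expense_reports "
            "WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()


def access_log_for(db, tenant_id):
    """Who did what for one tenant, oldest first (timestamps omitted)."""
    return db.execute(
        "SELECT user_name, operation, record_id, allowed FROM access_log "
        "WHERE tenant_id = ? ORDER BY rowid",
        (tenant_id,),
    ).fetchall()


if __name__ == "__main__":
    shared = open_shared_db()
    a = TenantSession(shared, "tenant-a", "alice", "it_administrator")
    b = TenantSession(shared, "tenant-b", "bob", "it_administrator")
    b_id = b.add_report("bob", 75.0)
    print("tenant-a reading tenant-b's row:", a.get_report(b_id))
    print("tenant-a access log:", access_log_for(shared, "tenant-a"))
```

A valid record id from another tenant returns nothing rather than an error, so the response does not reveal whether the id exists elsewhere in the shared table.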
  7. 7. [Figure 3: capability diagram with five categories.
     Presentation: Menu and Navigation, User Controls, Display and Rendering, Reporting.
     Security: Identity and Federation, Authentication and Single Sign-on, Authorization and Role-based Access Control, Entitlement, Encryption, Regulatory Controls.
     Application: User Profile, Workflow, Notification and Subscription, Exception Handling, Metadata Execution Engine, Orchestration, Metadata Services, Data Synchronization, Messaging.
     Operations: Monitoring and Alerting, Backup and Restore, Provisioning, Configuration and Customization, Performance and Availability, Metering and Indicators.
     Infrastructure: Networking and Communications, Database, Storage, Compute.]

     Figure 3. Intel IT’s conceptual architecture for software as a service (SaaS) includes capabilities in five categories.

     Application

     These represent the typical business layer or middle tier of a SaaS application:

     • User profile. The attributes and information that describe a user, such as name, e-mail address, and role.
     • Metadata execution engine. Statements that define or constrain some aspect of the business. They are intended to assert business structure or to control or influence the behavior of the business.
     • Metadata services. Information about which data is contained and exposed within an application and about how content is organized.
     • Workflow. The defined series of user-based tasks within a process to produce a final outcome. An example is creating a purchase order.
     • Exception handling. The process of raising and managing exceptions within an application. This includes how application errors are exposed to the user and how error messages are logged.
     • Orchestration. The series of technical tasks performed within a process to produce a final outcome. An example is an extract, transform, and load sequence to move data between business applications.
     • Data synchronization. The capabilities for synchronizing data held within the application with external data.

     Operations

     These are the capabilities needed to efficiently keep the SaaS application running:

     • Monitoring and alerting. Polling application components, services, and infrastructure to detect failures. On detection, an alert is sent to the appropriate support group.
     • Performance and availability. Performance describes how the application performs under load, both in terms of the number of users and the transaction volume. In the context of SaaS, this should allow applications to dynamically scale based on runtime usage and demand. Availability is a measure of how much of the time the application is available to users and is represented as a percentage.
  8. 8. • Metering and indicators. Tracking and reporting items specifically related to the service-level agreement, such as usage, availability, number of failures, and mean time to respond to and fix problems.

     Infrastructure

     The underlying technical capabilities required for storing data and moving it around the network:

     • Database. In a multi-tenant data architecture, there could be one database per tenant or one database shared by multiple tenants with the data indexed by a specific tenant identification.
     • Compute. The physical clients, servers, or virtual machines that execute code.

     Reference Architecture

     The purpose of the reference architecture is to provide a proven template solution that project teams can immediately apply to specific application domains. Accordingly, it includes only a subset of the capabilities described in the conceptual architecture and is more near-term in nature—one to two years. The reference architecture also provides a common vocabulary for discussing implementations; one goal is to increase the commonality between them.

     Figure 4, on the next page, shows the high-level reference architecture for a typical SaaS offering at Intel. It includes summary views of data interchange, manageability, and security capabilities. We also developed more detailed architecture designs for each of these areas; key aspects of these are summarized in the following sections.

     DATA INTERCHANGE

     Intel SaaS project teams cite data interchange—moving employee data and other information between internal Intel systems and data stores hosted by the SaaS provider—as their biggest challenge. It’s important to keep this data synchronized between internal and external systems, so data transfer may need to occur frequently, often on a scheduled basis.

     The key challenge is locating the right version of the data, since data can be stored within the enterprise, in the cloud, or at both locations. Considerations include finding the master copy of data, searching for data, and governance.

     Through our environmental scan, we discovered that various tools and designs are used to exchange SaaS data today, with no common architecture across all the implementations. This highlights the need to standardize on a single data interchange reference architecture.

     We’ve identified two types of data interchange: asynchronous and synchronous. An asynchronous, or batch, interchange is typically used for back-end data exchange. For example, a SaaS expense report application needs to know about the management structure to enable management approval of travel expenses. This requires employee data to be periodically copied from the enterprise to the expense report application.

     In contrast, synchronous, or real-time, interchange involves data that is dynamically retrieved in real time directly from its source. Today, there is limited use of real-time exchange for enterprise data, but we anticipate increased use in the future.

     SECURITY

     SaaS providers must comply with a number of security policies. We have done a good job of assessing providers in advance of implementation to help ensure they meet our requirements, but we will continue to move cautiously.

     Additional work is required to qualify an externally hosted SaaS solution, so it is important to identify whether SaaS is an option early in the life cycle of an application implementation project; the additional security review and requirements may affect the overall agility and viability of the project.

     Intel’s security controls tend to be more mature than those of SaaS suppliers, and we must consider complex legal and regulatory requirements. Providers must be able to explain how jurisdiction of data is maintained. Together with the provider, we must be prepared to respond to e-Discovery and legal notices. We must also address privacy concerns, comply with export restrictions that cover access from controlled countries, be prepared to satisfy audit requirements, and understand how the supplier verifies that old data is destroyed.

     From our environmental scan of existing deployments, we identified several other key elements needed for a successful project:

     • Classification of the data by an IP attorney.
     • Rigorous due diligence to help ensure the required controls are included in the contract.
     • Completion of an information security risk assessment.
     • Protection of data in transit and at rest.
     • Making sure that suppliers provide satisfactory disaster recovery and business continuity plans.

     For our users, it would be ideal to be able to achieve SSO or reduced sign-on to avoid continually re-authenticating for each application. In the future, we’d like to see this implemented with a federated identity approach using tokens that the SaaS provider can decrypt and read. This would enable users to log on to the Intel network and immediately have access to all their
  9. 9. applications, without having to maintain individual profiles for each SaaS provider.

     MANAGEABILITY

     To date, automated manageability has not been a priority for us because we have had relatively few applications and they have generally not been business-critical. Intel relies largely on user feedback and SaaS provider data to help ensure the providers are meeting contractual obligations and addressing inadequacies.

     Today, Intel users who are experiencing problems typically call their local Intel service desk. It is then the support agent’s responsibility to escalate the issue to the SaaS provider’s service desk.

     As we prepare for wider deployment of more-critical applications, the ability to automatically acquire reliable and complete manageability data will become increasingly important.

     We plan to work with standards bodies to develop verifiable manageability standards and certifications for use by service providers. This will provide organizations consuming SaaS applications with a common set of metrics, which will eliminate many of the initial validation steps currently required.

     How much manageability data we will require from SaaS providers is still an open question. Our goal is to minimize introspection into incidents, focusing more on application performance, reliability, and common tracking of requirements.

     [Figure 4: diagram with three summary views (Data Interchange, Security, Manageability) spanning the external cloud, the Internet, a demilitarized zone (DMZ), and the Intel intranet.]

     Figure 4. Intel IT’s summary view of software as a service (SaaS) reference architecture.
  10. 10. CONCLUSION

      The success of SaaS applications at Intel to date, together with our industry analysis, suggests that adoption will continue to grow. Our goal is that our SaaS architecture enables Intel’s use of SaaS to progress from organic growth to prescriptive deployment, with the architecture helping to drive consistent designs, quickly, for new SaaS projects.

      We are continuing to add to our architecture capabilities for exchanging information, managing solutions, and increasing security.

      The architecture provides a critical level of consistency; building and deploying solutions that are similar in design enables Intel to reuse capabilities and reduce the amount of effort and time required for each project.

      For the future, we are targeting governance and auditing as two areas for additional design consideration. Using our SaaS reference architecture as a guide, we will continue to work with our suppliers to standardize on capabilities that will enable faster and more cost-effective deployment of business solutions that are easier to integrate, more manageable, and highly secure.

      CONTRIBUTORS

      William Giard
      Thiru Thangarathinam
      Jay Hahn-Steichen
      Stacy Purcell
      All members of the Intel IT SaaS team

      ACRONYMS

      CRM   customer relationship management
      IaaS  infrastructure as a service
      PaaS  platform as a service
      SSO   single sign-on
      SaaS  software as a service

      For more straight talk on current topics from Intel’s IT leaders, visit

      This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.

      Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries.

      * Other names and brands may be claimed as the property of others.

      Copyright © 2009 Intel Corporation. All rights reserved. Printed in USA. 1009/KC/KC/PDF 322460-001US