We Need a "TRUSTe for SaaS Apps"

SaaS is exploding and is well on its way to a $19.3 billion market by 2011, according to Gartner. Most of this, Gartner says, will go to new entrants rather than established software vendors.

So what are prospective customers supposed to make of the certain deluge of SaaS providers offering everything from HR applications to CRM, payroll, project management and more?  How will they ensure they are making the right decisions -- not only in terms of the application, its features and compatibility with existing systems but also in terms of security, reliability, customer service, corporate viability and more?

The Internet faced a similar scenario back in the late '90s with the boom in ecommerce sites. The big issue then was user privacy (or lack thereof). Consumers didn't know which sites they could or should trust with their personal information with and it was, many contended, hurting ecommerce adoption. So industry players stepped in to address the problem by creating certification and seal programs like TRUSTe and BBBOnline. Though they hit some early snags on enforcement, these programs proved to be valuable screening criteria for users of a wide array of web sites. Even though they are not as visible today, TRUSTe and BBBOnline are still around, have thousands of customers and are providing a valuable service for web consumers (as well as businesses).

Carnage Up Ahead
As the number of SaaS providers grows along with the market there will no doubt be some carnage along the way. Imagine the small business that wakes up one day and finds their SaaS provider has gone out of business and taken their data with them. Or the sole proprietor who's CRM app is suddenly down for hours on end. Or the mid-sized enterprise that discovers its customer records have been compromised.

While some SaaS apps are what I would call "Commercial Grade" - meaning they meet expected standards in key areas like reliability and security, etc. - many, perhaps most, are not.

It is time for the industry to step in NOW to validate commercial grade SaaS application providers and help minimize the potential damage that businesses will surely experience as the market continues to grow.

We Need a Certification Program for SaaS Applications
TRUSTe was created to "help consumers and businesses identify trustworthy online organizations..." While the focus was on privacy this is just one piece of the puzzle with SaaS. In addition to privacy, commercial grade SaaS certification should focus on the policies and procedures SaaS providers employ for security, reliability, data protection, backup processes, uptime guarantees, and customer service. Look at any survey and these are the biggest obstacles to further SaaS adoption, especially in the enterprise. Greater transparency is a good thing for customers and a certification program for business class SaaS would be a huge step in this direction.

As I mentioned in a previous post, there are SAS 70 audits that verify a service organization has been through “an in-depth audit of their controls and safeguards with respect to hosting or processing data belonging to their customers.” But again, this is a long and expensive process and is an unrealistic standard to hold smaller providers to. Something akin to a “TRUSTe for SaaS Apps” would be great for the industry and for business and would be an invaluable screening tool for customers.

What do think?  What are your experiences with your SaaS vendor?

Alex Glassey