
SaaS vs. Private Cloud IoT Applications

Jim Wert

SaaS and Private Cloud IoT applications

I’m constantly asked about the pros and cons of Software as a service (SaaS) and Private Cloud IoT applications. It is a complex topic that spans business, legal, and technical issues. Below you will find some insights to hopefully help you make the right decision for your business.


Let’s start with some basic definitions:


SaaS IoT Applications

  • Delivered as a managed service.

  • Paid as a monthly or annual fee, typically per-device or per-transaction.

  • Service availability is the responsibility of the service provider.

  • 24x7 monitoring is the responsibility of the service provider.

  • Your data is collected and stored by the service provider.

Private Cloud Applications

  • Delivered as software or containers to be self-hosted.

  • Purchased as a service or as a perpetual software license.

  • Service availability is your responsibility.

  • 24x7 monitoring is your responsibility.

  • Your data is collected and stored within your hosting provider.


Managed Service or Self-Hosting

One of the most important factors in choosing between SaaS and Private Cloud solutions is whether you have the technical capabilities to host the software and manage it yourself.


The old IBM commercials show the server lost in the back of the broom closet covered in dust still working away without anyone noticing… If only life were that easy. The reality is that hosting an application involves a number of on-going tasks:


  • Deploying the servers and software


    Whether you are installing software on a group of virtual machines or deploying a complex Kubernetes application, there is a minimum level of effort required to deploy the IoT application.


  • Keeping up to date on security fixes and updates


    Great, you deployed an IoT application at your hosting provider, but now you need to manage updates coming from the vendor as well as updates to the underlying infrastructure. The IoT market is under constant attack, and it is essential to be ready to continuously and quickly update your application as vulnerabilities are discovered and patched. Keeping up to date is not a small task and must factor into the SaaS vs Private Cloud decision.


    Further, not all of the infrastructure required to host an application will be covered by the software vendor. Vendors supplying software typically don’t provide recommendations for fixes to the underlying virtual machines or networking components that are out of the scope of their offered software. There is peace of mind in using a SaaS service where all of these issues are managed by someone else.


  • Monitoring the health of the solution


    Technically waiting for someone to call and say “hey, the site isn’t working” is a monitoring strategy, but I can’t say that’s the right way to approach the problem. Monitoring means having instrumentation checking the health of the application and sending alerts when problems occur. It also means having people who are watching for those alerts and are prepared to take action should a problem arise. I spent years with my laptop in the trunk of my car whenever I went out “just in case” something happened. Customers expect IoT solutions to be 99.9% available, which means only about 43 minutes of downtime per month is permitted.


    Solutions designed for Private Cloud should provide you the tools to monitor the health of their application; you just have to provide the people to respond when an alert is received.


  • Predictable pricing


    When you use a SaaS service, you have the advantage of a fixed price for the service that includes all of the underlying services bundled into a predictable price that is easy to evaluate. Compute, networking, storage, firewalls, logs, and backups are just some of the cost components that are incurred to host an application, and optimizing and managing these costs can be difficult if it is not part of your core business.


    With Private Cloud deployments, the aforementioned expenses are all managed by you, and simple mistakes can cost the company thousands of dollars per month.


  • SaaS provider experience and capabilities


    Above I mentioned several considerations that you need to evaluate when considering Private Cloud deployments of an IoT application, and it is important that these same questions be asked of any SaaS application provider. I wish the IoT industry consisted of all large mature companies, but the reality is that companies in this space come in all shapes, sizes, and maturities. I have encountered SaaS providers who have no redundancy, no monitoring, and minimal infrastructure, and I couldn’t imagine delivering a production service on their offering. But their software was solid, so self-hosting in my own environment was a path to success.
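The monitoring item above ties alerting to a 99.9% availability target. The following is an added example, not part of the original article or any vendor's tooling: it turns health-probe results into outage windows, alert times, and consumption of the monthly downtime budget. The probe format, the three-failure alert threshold, and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def downtime_budget(slo: float, period: timedelta) -> timedelta:
    """Downtime allowed by an availability target over a period."""
    return period * (1 - slo)

def outages(probes):
    """(start, end) windows, from the first failed probe to the next success."""
    windows, start = [], None
    for ts, ok in probes:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:  # still down when the data ends
        windows.append((start, probes[-1][0]))
    return windows

def alerts(probes, threshold=3):
    """Times an alert fires: on the Nth consecutive failed probe."""
    fired, run = [], 0
    for ts, ok in probes:
        run = 0 if ok else run + 1
        if run == threshold:
            fired.append(ts)
    return fired

def report(probes, slo=0.999, period=timedelta(days=30)):
    """Compare observed downtime with the budget for the period."""
    budget = downtime_budget(slo, period)
    used = sum((end - start for start, end in outages(probes)), timedelta())
    return {"budget": budget, "used": used, "breached": used > budget}

# Constructed sample: one probe per minute for two hours, with a 2-minute
# blip (minutes 10-11) and a 50-minute outage (minutes 40-89).
T0 = datetime(2022, 1, 1)
DOWN = set(range(10, 12)) | set(range(40, 90))
SAMPLE = [(T0 + timedelta(minutes=m), m not in DOWN) for m in range(120)]

if __name__ == "__main__":
    r = report(SAMPLE)
    print("budget:", r["budget"], "used:", r["used"], "breached:", r["breached"])
    print("alerts fired at:", alerts(SAMPLE))
```

The short blip never reaches the alert threshold, while the single long outage alone exceeds the month's budget.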


In summary, if your company has a competent IT group with the ability to deploy, manage, and monitor 3rd party applications, then Private Cloud may be the way to go. Conversely, if your core business does not involve managing applications, then SaaS is the way to go.


Data Access and Ownership

One of the most important drivers in the decision of SaaS vs Private Cloud relates to your requirements around who owns your customer data, and who can access it.


  • GDPR & CCPA


    If you provide services in the European Union or in California then your data will fall under the protections of the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Both of these regulations provide similar protections for consumers that you must ensure are honored by all of your vendors. SaaS vendors will need to provide you with documentation explaining their compliance with these laws and you will need to share this documentation with your customers. This means it is hard to hide who your downstream SaaS providers are (if that is important to you).


    Examples of what type of information you need to share with customers would be as follows:


    - Know what personal data is being collected about them.


    - Know whether their personal data is sold or disclosed and to whom.


    - Ability to opt out of the sale of personal data.


    - Customers can request a copy of all personal data collected about them.


    - Request to be forgotten: you have to be able to delete all information about a customer.


    If your potential SaaS vendor cannot supply you with the required documentation for these regulations, it is a red flag and you should strongly factor this into your decision process. If you host the application in a Private Cloud, then you have control of the data, and you do not need any documentation from your software provider.


  • National data access/hosting restrictions


    It is not uncommon to encounter customers who have requirements that the data be hosted in a particular country or region, and that the only people with access to that data are citizens of the aforementioned geographical area. You will typically find these restrictions if your company serves utility, municipal, or transportation companies. When faced with these requirements, it can be difficult to employ SaaS application providers as they may not be able to guarantee they can abide by the restrictions. If this is a problem for you, then Private Cloud is the solution.


  • Ownership of the data


    I have read SaaS application contracts where the SaaS provider technically owns all data collected and reserves the right to re-sell that data without informing their customers. I find this approach and strategy to be horrifying and something that can pose grave liability risks if you don’t understand how your data can be used by the SaaS provider.


    If you deploy a Private Cloud solution the answer is crystal clear: you own and store the data (or your customers own it and you have no rights).


  • Access to the data


    We have become accustomed to applications like WhatsApp with “end to end” encryption, where the staff at WhatsApp cannot read your messages. In IoT, however, data is typically not encrypted end to end, and the SaaS provider will have access to the sensor data coming from your devices. Also, when using a SaaS service, one of the value propositions is being able to leverage the technical support staff at the vendor to help debug problems with the application. To provide this service, the vendor needs to be able to access your data, but it should only be accessed on your request.


    If you are hosting the application in a Private Cloud, then you have control over who can access the data.


Connecting the device to your application

Another important factor in your decision-making process relates to what kind of devices you deploy, and how those devices will communicate with your application.


  • Cellular connectivity and the Internet


    If your device supports standards-based encryption and is compatible with typical internet NAT policies, then you can use the public network and utilize a wide range of connectivity plans from devices. I highlight the words “standards based” because there are many solutions that either use no encryption, or worse, something they describe as encryption that is really just a simple encoding. These types of solutions have no business being on the internet in 2022 and should utilize private VPNs from connectivity providers.


    If you are using the internet, then it is easy to route your devices to communicate with a SaaS application.


  • Cellular connectivity and Private VPNs


    Different connectivity providers may use different names, but most providers have the ability to establish a VPN between the network core and your network. While setting up these connections can be costly and time consuming, the functionality and flexibility provide many benefits as well, such as static IP addresses and more flexibility for device security.


    If you are using a Private Cloud application, then it is relatively easy to route traffic to your applications. However, if you are using a SaaS application, you must now consider how to securely get data from your devices all the way to the SaaS provider. This can include setting up additional VPN connections from your VPN termination point to the SaaS vendor or paying to terminate a VPN from the carrier directly with the SaaS provider.


  • LoRaWAN connectivity


    If your solution uses LoRaWAN, then you have many options to integrate with either Private Cloud or SaaS vendors. The important decision is to ensure that the software supports your connectivity provider. Most services have the ability to push sensor data via HTTPS, and SaaS vendors have integrations with the LoRa Network Server (LNS) that enable rapid, secure onboarding of data from devices.


  • Sensor as a Service


    An emerging trend is to purchase a “sensor as a service” offering, where you are sold a bundle that includes the device, SIM, and software as a package. This package can be sold with the device cost amortized over the life of the subscription or with an upfront fee for the device and on-going subscription fees for the connectivity and platform access.


    This type of service is highly attractive for you if you want to build your own application to ingest data from IoT devices and don’t want to worry about the device or cellular connectivity details.


    The service provider will typically push data to you through MQTT, HTTP, or through one of the hyperscale IoT gateways like Azure IoT Hub or AWS IoT Core.
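The "Cellular connectivity and the Internet" item above warns about device payloads whose "encryption" is really just a simple encoding. The following is an added example, not code from the original article or from any product: it audits payloads captured from your own devices and flags any whose content can be read without a key. The sample payloads, the transform names, and the 0.95 printable threshold are assumptions constructed for illustration.

```python
import base64
import string

PRINTABLE = set(string.printable.encode("ascii"))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

# Reversible transforms that need no key (names are this example's own).
DECODERS = {
    "hex": lambda p: bytes.fromhex(p.decode("ascii")),
    "base64": lambda p: base64.b64decode(p, validate=True),
}

def classify(payload: bytes) -> str:
    """'readable:<how>' if the content can be read without a key, else 'opaque'."""
    decoded_ok = False
    for name, decode in DECODERS.items():
        try:
            decoded = decode(payload)
        except ValueError:  # also covers binascii.Error and UnicodeDecodeError
            continue
        decoded_ok = True
        if decoded and printable_ratio(decoded) > 0.95:
            return f"readable:{name}"
    # Printable text that is not merely a transport encoding of binary data.
    if not decoded_ok and printable_ratio(payload) > 0.95:
        return "readable:plaintext"
    return "opaque"

# Constructed samples: one JSON reading sent three ways, plus fixed
# random-looking bytes standing in for ciphertext (raw and base64-wrapped).
READING = b'{"device":"pump-7","temp":21.5}'
CIPHERTEXT = bytes.fromhex(
    "8fa3c91e5b7702d4e6b0193cfa4d88217ce5a09b3346d1f80a5e92c7b46f13ad")
SAMPLES = {
    "no encryption": READING,
    "hex 'encryption'": READING.hex().encode(),
    "base64 'encryption'": base64.b64encode(READING),
    "binary ciphertext": CIPHERTEXT,
    "base64-wrapped ciphertext": base64.b64encode(CIPHERTEXT),
}

def audit(samples):
    """Classify every captured payload by label."""
    return {label: classify(p) for label, p in samples.items()}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label:28} {verdict}")
```

An "opaque" verdict only means no keyless decoding exposed the content; it does not prove the device uses standards-based encryption, which still has to be confirmed from the protocol it negotiates.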


Red Flags

Below are some of the most common red flags you should consider when evaluating Private Cloud vs SaaS deployments of IoT Applications:


SaaS


  • When you receive a demo of the SaaS application, were you able to see customer names and/or devices?


    Yes indicates poor information security management.


  • Were you dropped into a live customer’s account and shown their data?


    Yes indicates poor information security management.


  • Were you given a demo account where multiple different customers are co-resident and you can see the other evaluators?


    Yes indicates poor information security management.


  • Were you able to receive a copy of the vendor’s DPA and privacy policy?


    No indicates immaturity at handling common legal requirements as a SaaS provider.


  • Can the vendor articulate the SLA for their service offering and how they achieve their SLA?


    No indicates immaturity in hosting and servicing SaaS applications.


  • Can my devices communicate securely over the internet?


    No indicates you will need to establish additional infrastructure to ensure a secure solution is deployed.


Private Cloud


  • Is the application fault tolerant with no single point of failure?


    If it is not clear how the application handles disaster recovery and can be deployed such that it is fault tolerant, then it most likely lacks the maturity to be deployed in a private cloud.


  • Does the application vendor supply documentation on how to install, upgrade, and generally maintain the application?


    If not, then it should not be deployed in a private cloud.


  • Does the application provide mechanisms for easy backups and other lifecycle tasks?


    If not, then it should not be deployed in a private cloud.


  • Is the application container based or software based?


    Container-based applications are significantly easier to manage than software-based ones. Much of the application integration and security can be managed within the container infrastructure, saving you the headache of maintaining it yourself.


Summary

In summary, there is no one size fits all approach. You need to understand the requirements of your business case, the capabilities of your technical team, and the economics of the solution you are trying to deliver. Both SaaS and Private Cloud based deployments have their place and can be very powerful for delivering IoT solutions.


At Tartabit, we provide both options to customers. Our IoT Bridge can be used as a SaaS offering available in the Azure Marketplace, or it can be deployed as a Kubernetes-native application in your Private Cloud environment. Our preferred partner for hosting is Microsoft Azure, but it can run in any Kubernetes environment.


About Tartabit

Tartabit is a Next Generation IoT enablement company founded by a team of experienced IoT executives and practitioners who share a passion to provide easy to use tools and services capable of accelerating the adoption of IoT globally. Our vision is to radically increase the ability for enterprise and OEM customers to leverage next generation IoT device data by offering the easiest to use, buy, deploy, and manage LPWAN Cloud Gateway Service to bridge next generation IoT device data with industry leading Cloud Services. IoT Services built for IoT Developers by IoT Developers.

 
 
 
