Architecting a SaaS and PaaS for the Neophyte Developer
A new PaaS and SaaS combo is emerging. Why? App development. If app development is really going to thrive, it needs the SaaS platform for the business data and a PaaS to make the app development accessible. But it needs something more. It needs deeper abstractions at the storage layer that give a neophyte developer from the business ranks a way to build apps with minimal risk exposure in case of attack.
At Dreamforce this week, Salesforce1 exemplified how valuable the PaaS has become as a way for the new developer to build apps while still meeting all the business requirements that are simply must-haves. It shows how a loosely coupled system can be assembled quite easily. But it also demonstrates why the assembly has to be done with first-class integration components that get built with data in mind as a way to mitigate risk and exposure.
SaaS has become pretty standard fare in the business world. Like its legacy software predecessors, SaaS comes in many varieties. However, moving application and storage workloads to the cloud has removed many of the dependency and conflict issues which have long plagued IT. In other words, we have solved a lot of problems with SaaS. Now, with apps so important for business, we see the need for the next evolution of SaaS to a more PaaS-like environment that fosters ecosystems built on the core functionality of the service.
Naturally, as IaaS players like Amazon and Microsoft have also made the move to PaaS, and with the rapid growth of pure PaaS like Pivotal CF, the PaaS label describes a cornucopia of differing platforms — some focused on quickly bringing apps to market, some on automation and data analytics, and some tailored to have all the tools necessary to reliably build, test, deploy, and manage new applications. Each flavor has its benefits and use cases, but since this week is Dreamforce, I’m going to focus on the Salesforce1 platform.
Any PaaS rooted in SaaS has the advantage of purpose-built integrated components; libraries with a variety of common framework abstraction layers, identity, and data handling models. When these tools and capabilities are integrated, rather than customer assembled, and allow federation of rules and code structures across all the tiers in an application, they provide higher levels of productivity, agility, and efficiency to customers.
As the line between SaaS and PaaS continues to blur, and as provider ecosystems intersect, we are witnessing a return to “best of breed” integrations reminiscent of the turn of the century ERP era.
As a SaaS-borne PaaS, Salesforce1 provides a coherent layer that addresses many aspects of customer relationship management, including marketing automation, collaboration, and now even analytics. Another such PaaS, Box, addresses many of the governance issues which often surround content in the cloud. Lastly, Adallom is essentially a Risk Management as-a-service-cum-Platform that offers “single pane of glass” risk and threat assessment across multiple cloud service providers.
If we think about putting these three platforms together as an Über-SaaS for enterprise-class secure CRM, why develop a storage layer into Salesforce when a solution with built-in governance and rock solid APIs already exists? Case in point: Yes, Salesforce1 has a storage layer, but information governance controls aren’t a component of the service. For example, how would one go about creating a data loss prevention (DLP) policy for data in Salesforce1? The Salesforce1 platform can be trusted with data retention, but when it comes to managing the files inside of Salesforce, Box’s governance capabilities are a no-brainer plug-in. Box is the platform that solves the storage layer problem, which makes the utility of Box for Salesforce obvious.
Some things fall outside the purview of both trust and governance. For example, what happens when a user is compromised? Adallom plugs into our Über-SaaS as a risk management layer that applies fraud-prevention mechanisms to data across platforms and generates actionable insights and relevant alerts when application settings, user transactions or data interactions fall outside acceptable standard deviations. It mitigates the risk from users who have been phished or are acting in a risky or suspicious manner: a single user logging into Box from California and into Salesforce from China, a user who traditionally shares a few files a day suddenly sharing hundreds of files, or users sharing confidential files with personal email addresses.
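The three behaviours named above (cross-service logins from different regions, a sharing spike against a user's own baseline, and confidential files sent to personal addresses) can be written as simple detections over a merged activity feed. This is an added example, not Adallom's implementation or code from this article; the event schema, thresholds, domain list and sample data are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# All values below are assumptions for illustration, not product settings.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
GEO_WINDOW_S = 3600  # two regions within one hour counts as a mismatch
SIGMA = 3.0          # alert above baseline mean + 3 standard deviations
# Constructed events: (epoch_s, user, service, action, detail)
EVENTS = [
    (1000, "alice", "box", "login", "US-CA"),
    (2200, "alice", "salesforce", "login", "CN"),
    (3000, "bob", "box", "login", "US-CA"),
    (3500, "bob", "salesforce", "login", "US-CA"),
    (4000, "carol", "box", "share", "confidential:dave@gmail.com"),
    (4100, "carol", "box", "share", "public:erin@example.com"),
]
# Constructed baseline: files shared per day over the last week, then today.
SHARE_HISTORY = {"bob": [3, 5, 4, 2, 6, 4, 3], "carol": [2, 3, 2, 4, 3, 2, 3]}
SHARES_TODAY = {"bob": 240, "carol": 4}

def geo_mismatch(events):
    """Users who log into different services from different regions in the window."""
    alerts, seen = set(), defaultdict(list)
    for ts, user, service, action, region in sorted(events):
        if action != "login":
            continue
        for pts, psvc, preg in seen[user]:
            if ts - pts <= GEO_WINDOW_S and psvc != service and preg != region:
                alerts.add(user)
        seen[user].append((ts, service, region))
    return alerts

def share_spike(history, today):
    """Users whose share count today exceeds their own baseline by SIGMA deviations."""
    alerts = set()
    for user, counts in history.items():
        sd = max(pstdev(counts), 1.0)  # floor so a flat baseline does not alert on +1
        if today.get(user, 0) > mean(counts) + SIGMA * sd:
            alerts.add(user)
    return alerts

def personal_share(events):
    """Users who shared a file labelled confidential with a personal email domain."""
    alerts = set()
    for _, user, _, action, detail in events:
        label, _, rcpt = detail.partition(":")
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if action == "share" and label == "confidential" and domain in PERSONAL_DOMAINS:
            alerts.add(user)
    return alerts
```

Each function returns the set of users to alert on, so the three signals can be reviewed separately or combined into a per-user risk score.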
In many ways, SaaS providers’ evolution to PaaS is commensurate with procurement falling back into the IT fold. That’s because the best way to head off “Shadow IT” is to offer competitive cloud services that both satisfy the needs of the business units and the regulatory and security requirements of the entire organization. IT should also heed lessons learned from DevOps and “best of breed” frameworks, and apply them to building out a robust cross-platform SaaS infrastructure.
Tal Klein is Vice President of Marketing for Adallom, a sponsor of The New Stack.