Developing and Evolving SaaS Infrastructures for Enterprises

MMS Founder
MMS Ben Linders

Article originally posted on InfoQ. Visit InfoQ

SaaS companies that are focused on the enterprise market need to evolve their infrastructure to meet the security, reliability, and other IT requirements of their customers. IT admins and large customers are two important sources of requirements to drive development.

Prashant Pandey, head of engineering at Asana, spoke about establishing a SaaS infrastructure that supports and grows with large customers at DevOpsCon London 2022.

The exact needs of IT admins vary depending on the industries the product serves, the capabilities of the product, and the type of data that the product stores or accesses. It’s important to understand the domain and conduct research on the experience of IT admins with your product, as Pandey explained:

Treat IT admins as primary customers, and think about features for IT admins in the same way as you think about other features, with an eye towards usability, flexibility, and efficiency at scale.

Adoption by enterprise customers leads to more requirements around security, reliability, and scalable management. Pandey suggested monitoring the requests coming from your current largest customers. Those are likely to become more prominent as you succeed in getting more customers of that size, he said.

InfoQ interviewed Prashant Pandey about reliability and security in enterprise SaaS solutions.

InfoQ: How do administrators use controls provided by SaaS products to ensure reliability and data security?

Prashant Pandey: An example of using controls is SCIM integration, where an admin can ensure that users’ access to a software product is automatically removed when the account is centrally deprovisioned, removing the risk of ex-employees retaining access to data. Admins also use these features to ensure availability of the right set of SaaS products to individuals and teams that need them. IT admins can use integration controls provided by a SaaS product to ensure that employees only use approved document sharing systems, reducing the risk of data exfiltration.

IT admins can enforce security controls by requiring 2FA or a single sign-on for all software with access to critical data. Features like data export and Security Information and Event Management can be used for forensic analysis, for example to ascertain whether a leaked credential was utilized to access a software product or update data. The ability for admins to send custom messages and announcements in-product also enables admins to share timely updates like scheduled maintenance announcements.

InfoQ: How can a SaaS provider build infrastructure that meets enterprise needs?

Pandey: Sequencing infrastructure work can allow an evolution towards meeting more enterprise needs. Backups should be an early part of your reliability strategy. Regular end-to-end testing of business continuity using backups requires more investment and becomes more important as your system complexity increases. An ability to measure availability and understand reasons for downtime are worth investing in early when building a SaaS product. Those systems can be extended to provide reportable metrics per-customer when customers ask for that visibility.

Security certifications are an important way to decrease friction in the sales process, so any SaaS product team should also invest in understanding which certifications (like SOC 2, SOC 3, ISO 27001, FERPA, HIPAA etc.) are valued by their potential customers, and what development/operational cost is involved in achieving and maintaining it. There should be a roadmap for pursuing the right certifications based on their return on investment. Risks related to data access grow as your team size grows, and as the amount of customer data your product processes and stores grows. To manage these risks, it’s prudent to follow the principle of least privilege, and to invest more in internal controls to keep up with the growth.

InfoQ: What are the benefits that data isolation can bring?

Pandey: An important technique for increasing scalability, performance, and security is to create more isolating customer data and services in “compartments” to reduce noisy neighbor performance effects, blast radius of availability events, and number of customers impacted by certain types of security incidents.

At Asana, we started with isolation largely provided by the app layers. Then we separated customer data into database shards, followed by isolating enterprise customers to individual databases and search clusters. Now, we’re considering separate accounts hosted by our cloud provider for all infrastructure that touches a particular customer’s data. Building in isolation helps us meet key enterprise customer needs – data residency and Enterprise Key management.

About the Author

Subscribe for MMS Newsletter

By signing up, you will receive updates about our latest information.

  • This field is for validation purposes and should be left unchanged.