CISOs have one of the most challenging jobs today. Not only are they tasked with creating policy that keeps their companies safe, but they are also in charge of executing that plan, which often proves to be an even bigger challenge. Why? I’ll admit one reason is the technology component. Today’s identity security market can be quite confusing, especially to a new or unsophisticated buyer. Many companies today are mandating that “new” technology solutions be implemented in the “cloud” or as a “SaaS” solution. I’ve often witnessed how the terms “cloud” and “SaaS” are used interchangeably by vendors and system integrators alike. And I’m here to tell you that they are not one and the same. As the buyer and the ultimate owner of the technology component decision (and resulting outcome), make sure you understand what you are signing up for.
Let’s take single-tenant SaaS for starters: this often means a vendor provides their single-tenant software IP in the ‘cloud.’ Now, it could be entirely possible that your company requirements necessitate a single-tenant environment. Still, as the buyer, you must fully understand what that means for you and your company. First off, you assume ownership of the day-to-day operations, and you will take responsibility for upgrading and updating your solution. In other words, you’ll never get the benefit of true SaaS. You’ll still need manual upgrades and updates every time a new feature is rolled out. So, you can expect a “big announcement” encouraging everyone to update their software every six months to a year. These updates take several weeks and require planned downtime and support tickets, impacting business continuity, which adds to the total cost of ownership of the solution. Meanwhile, customers typically fall several versions behind the current release and are not benefiting from the latest updates. Sound familiar? It should – this is how the on-prem world operates; single-tenant “SaaS” is just a fancy way of saying on-prem hosted in the cloud.
In contrast, a multi-tenant SaaS solution must provide a single code base across all its customers universally. With this approach, each customer has immediate and universal access to the latest features. How? Because these features are built on microservices to enable the delivery of new capabilities, fixes, and enhancements as soon as they are available. As a result, you’ll see rapid and high adoption of new features and automation of manual processes, including the elimination of lengthy upgrades that often force customers to live with outdated software.
Now, naysayers of multi-tenant SaaS will say you have to use it right out of the box, but that isn’t the full story. Configurable SaaS is available through workflows, forms, AI, and notifications. All of these tools allow you to take a multi-tenant SaaS solution and consume it your way, however it fits within your existing business processes. But the constructs of multi-tenant SaaS also provide guardrails that prevent your company from starting the customization dance that often happens with single-tenant SaaS. What do I mean by customization dance? It is where companies quickly lose the value of true SaaS: with every customization, you’re starting from ground zero when a new feature comes out.
On the other hand, companies that look to accelerate innovation are the ones that embrace multi-tenant SaaS; even the largest companies in the world are using it as a catalyst for simplicity and to deliver a best practices approach across their organization. What do I mean by simplicity? Simplifying the deployment and ongoing administration of your identity security program by avoiding customization and instead aligning with industry best practices. This drives enormous time, maintenance, and ownership efficiencies.
If it wasn’t clear by now, SailPoint is a multi-tenant SaaS platform. So, let me provide a real-life example of the benefit of multi-tenant SaaS: In early 2022, we launched a new AI-driven capability called Identity Outliers. Once launched, any and all customers who were already using our Access Insights capability automatically had Identity Outliers. They didn’t have to schedule downtime. They didn’t have to push updates manually. Then, when we launched Identity Scoring only a few months later, customers with Identity Outliers automatically had that new capability as well. Now, just for a second, let’s pretend we were a single-tenant platform. Only a portion of customers would be using the Identity Outliers capability. The customers who did issue an update to get Identity Outliers would, most likely, not be utilizing the following update — Identity Scoring — until their next scheduled update, which could be six months to a year later (and that’s the best-case scenario).
Quick pause. Let’s recap:
| SINGLE TENANT | MULTI-TENANT |
| --- | --- |
| Low adoption of new capabilities | High adoption of new capabilities |
| Hundreds of unique instances running on different versions | All customers are on the same code base/same version |
| Cost of ownership and maintenance is higher | Cost of ownership and maintenance is shared across customers, which makes overall spend lower |
| Requires manual upgrades and patches | Automates upgrades |
| Upgrades require downtime and support tickets | Less time stuck in technical support |
For those of you who may be looking for the “TL;DR” version, my point is this: strategically, multi-tenant SaaS causes you to think differently about the outcomes and problems you are solving. And in this space, identity security is—in many aspects—still early in maturity, especially in how customers today are consuming and evolving their approach to managing identities and access. There is a significant amount of innovation on the way. If you’re using a single-tenant cloud solution, your path to accelerated innovation and new technologies will be seriously stalled.
Multi-tenant SaaS is hands down the better option when presented with a choice. And that’s the key – you deserve options and clarity around what those options look like in the market today. No smoke and mirrors. It’s clear that much of this has gotten lost along the way, and, as the industry leader, it’s on us to educate the market, reduce or eliminate confusion, and add clarity.