Selecting a SaaS platform is about more than business requirements

Software as a Service can be an equalizer, giving organizations access to best-of-breed capabilities with lower entry costs than custom-built or self-managed services.  Product evaluation involves business requirements and non-technical and technical Non Functional Requirements.  

The following are part of my list of mandatory NFRs for a modern internet-connected SaaS product. All of these are discussed in more detail in the video.


    Control and Data Plane

    • Platform Control Plane Software management functionality used by the SaaS vendor must be isolated from the Tenant control and data plane. It must not overlap functionality that is delegated to the tenant. This plane should not have access to business API or data. It should be easy to block access from the public internet.
    • Tenant Control Plane Software management functionality is used by the tenant to configure their data organization, application functionality, and application and data security. It should be easy to block access from the public internet.
    • Tenant Data Plane Tenant API and data, the business part of the application.  API and data must be isolated from both the platform and tenant control plane functions.  It should be easy to block any access from the public internet.

    Data and Tenant Protection

    • Revokable Encryption Tenant data must be protected by encryption in transit and at rest using customer-provided secrets. The tenant should be able to terminate the relationship without risking data exposure left on the SaaS platform.
    • Authorization Integration Data access policies must be managed only in the Tenant Control Plane.  The SaaS provider should not be able to grant tenant data permissions and should not be able to accept them from the tenant.  
    • Tenant Isolation Tenants must be isolated from each other in all tiers, interfaces, API, data.  No tenant should be able to manipulate permissions to others. The SaaS provider should provide the policies and test plans and test results at regular intervals


    • Tenant Integration Tenants should have several options for integrating their internal identity management systems with the SaaS tenant control and data planes.  Multiple options are required because tenant capabilities vary widely.  It should be easy to automate tenant staff onboarding and termination in order to protect the control and data planes
    • Provider Integration The SaaS provider needs a high level of integration with their internal identity management.  They need to be able to terminate employee permissions across their platform as part of role changes or termination.  

    Images from the video

    Created 2021 10


    Popular posts from this blog

    Understanding your WSL2 RAM and swap - Changing the default 50%-25%

    Installing the RNDIS driver on Windows 11 to use USB Raspberry Pi as network attached

    DNS for Azure Point to Site (P2S) VPN - getting the internal IPs