Evaluating a Student Information System – Part 1

SaaS vs On-premise: What are the Risks?

Determining the best Student Information System (SIS) built to adequately meet the needs of your organization can be a daunting task. There are many factors to consider and choosing the right software solution is only the beginning. How the software should be delivered and the adequate infrastructure required to support it can be just as critical a decision. Knowing the risks and costs associated with these considerations can save you a lot of time and headaches in the long-run.

In this series, Evaluating a Student Information System, I’ll outline in detail the major factors in determining a SaaS vs on-premise solution. This series is broken into many parts, this post (the first) pertains to the risks, the next post will be focused on the costs, and also stay tuned for more timely posts to follow.

Defining Cloud and SaaS

Part of the problem in assessing cost and risk associated with SaaS vs an on-premise solution is defining just what the terms mean. Without a high level of IT expertise, it is a challenge. Clear definitions are key to avoiding hidden costs and risks.

The a�?clouda�?, we hear that term alot. It’s essentially a remote network of servers (the utility of which is to provide/purchase only the necessary computing resources to meet the business requirement). SaaS is typically defined as a software delivery model that uses a cloud remotely hosted from the client. The other major characteristic of a SaaS-based approach is the software is provided on a subscription basis (monthly, quarterly or annually). There are many combinations of cloud-based storage and SaaS delivery models that make it difficult to assess total cost of ownership (TCO) and risk over time. For example, a provider might deliver a software product where the service and the data are stored at a specific location (colocation or colo), while another might deliver the same type of service where the data is stored in an undefined location.

Main Components in a Student Information System

Hardware

Consists primarily of servers and ancillary equipment that the software runs on.

The Network

The network includes all the services and hardware components that allow the server to communicate with other computers. This includes services like internet access, bandwidth, throughput and physical layers such as cabling, fiber, power, security, switches and routers.

Operating System and Upgrades

The student information system isn’t the only software that will be running on the hardware environment. The server will require an operating system which involves various functions in maintenance and upkeep which includes: installations, configurations, change control, updates and patches, anti-virus protection, and security.

Licensed software and upgrades

Licensed software includes many third party applications that work with the student information system including: server licensing, SQL Licensing, Reporting Tools, Office software (email, communications, etc.). Other recommended services like anti-virus, backups and storage for your SIS system require licenses.

Security

Security encompasses many different aspects of the operation in both the physical and virtual world. A complete information security policy includes, but is not limited to, protection from external and internal threats, data integrity, information assurance (the availability of the business information when you need it), disaster recovery and business continuity.

Personnel

A student information system is a complex piece of software that generally requires many levels of human resource support. The most common of which are network administrators, database administrators, help desk and software support staff, data analysts, institutional research and/or report development staff.

Risk Considerations: On-premise vs SaaS

Software Availability

With an on-premise solution, software availability might seem to be a lesser risk compared to SaaS, assuming you have a stable installation running locally. However, many organizations that select on-premise overlook the creation of an adequate disaster recovery and reimplementation plan in the event of a local outage. The other main risk involves keeping up to date with upgrades and the resource cost to maintain them. In any case, your institution should have a plan for business continuity regardless of where the solution is hosted.

Data Loss

Backups and offsite storage of data is critical to any disaster recovery or business continuity plan. On-premise backups are essential for quick recovery due to many factors. The most common are user error, hardware failure, and power loss. For short-term business continuity, battery backups should be employed and local backups to storage area networks are another critical consideration that needs to be factored into the equation. If your policies are properly planned and executed there should almost never be a time where data is completely lost. With a SaaS implementation, the general assumption is that the vendor is completely responsible for the data. This would be a mistake. The type of storage used, its availability, and backup/recovery strategies of the vendor should be made clear. Where the data resides, who owns it, and the level of accessibility to the data, should also be well documented. Critical data should exist in three locations 1.) the primary data storage 2.) another data storage facility housing a regular back-up, and 3.) locally within the organization. This ensures that if the software service or computing capability becomes unavailable for any reason, the data that is owned by the organization is under its control.

Up-time

In today’s rapid business cycles, loss of access to your information can have a major impact on your success. The system availability is dependent on the working effectiveness of all components listed prior (hardware, network, virtualization, operating system etc.) and will be adversely affected by oversight in any one of the supporting layers. Since today’s internal networks are dependent on the external network for day-to-day operations (email etc.), the risk of moving to a SaaS is relatively small when compared with staying on-premise. One risk to consider with SaaS is that while the vendor guarantees 99+ percent uptime, you do not have control over when the scheduled downtime occurs. While vendors usually perform scheduled downtime tasks in off-hours, this might be an issue if you are in a different time zone, or have global operations.

Response time

Response time is affected by many variables including physical computer hardware (disks and memory, internal bandwidth, switches, and external bandwidth). It is often assumed that moving to SaaS will increase bandwidth. While your organization can eliminate many of the internal response time issues with SaaS, maintaining adequate upload and download speeds is still the organization’s responsibility.

Issue Resolution

Irrespective of SaaS or on-premise, how quickly an issue is resolved will vary based on many factors including: internal staffing levels, partnership agreements, vendor availability, vendor access to 3rd party systems, the timing of an issue (i.e. business hours, weekends, evening) and the availability of the proper information (access to trained staff, documentation etc…). Service level agreements should have a clear indication of expected call back time when an issue is reported and how these variables will affect issue reporting and resolution.

IT Core Competency

One of the greatest risks with an on-premise solution is ensuring all IT staff members are continuously trained to effectively manage all of the technical components of an student information system. If information technology is an organizational core competency then this is a minor concern. If not, then the advantage of going with SaaS is paying for resources that will stay on-top of the changing technology landscape while maintaining and sustaining the software infrastructure with a high level of proficiency.

Security

SaaS security has the advantage of ensuring adequate bandwidth to systems servers, firewalls, intrusion detection systems and other security appliances. Managed Access Control, encryption, physical security of the state-of-art data center are all components of the SaaS solution. On-premise is dependent on the competency of the human resources and the physical infrastructure of the organization. There are also certainly security risks with a SaaS solution that must be weighed including breaches outside of the control of the SaaS vendor.

Conclusion

Many organizations (especially smaller ones) have been moving to SaaS over the years as technology advances have helped alleviate the fear of trusting a third party with such critical business operations. Of all the risk factors, IT core competency and staying current with technology are probably the two driving forces that make SaaS an attractive option. These factors must be weighed against risks associated with moving your data and software to the cloud. For some, a SaaS solution isn’t viable or a hybrid approach is the best option. In each case it’s important to find a trustworthy vendor that will evaluate your particular business process and needs and then work with you to find the best solution for your organization.

Finding a good vendor can be challenging so please subscribe for helpful tips and industry trends so you’re able to manage your vendor relationship with confidence.

Check out Part 2: Evaluating a Student Information System: What are the Costs?

Any questions? Contact Us

Sign up for a Free Online Demonstration of Campus Café

About the Author

Joe Stefaniak has been a leading expert for almost 30 years in the development and implementation of software solutions for higher education. His expertise is in helping colleges and schools streamline operations and manage information for better decision making through analysis and application of best practice software. He founded SCAN Business Systems in 1986. Its flagship product, Campus Café, has grown into a leading provider of educational student information systems. He holds a degree in Business Administration from Northeastern University.

Why is good information so hard to find in an educational institution?

I have been involved in developing student information software, customization, consulting, training and mentoring in small to medium sized schools and colleges for over 30 years. Here are some basic observations on information gathering and dissemination based on my experiences.

The Problem

The technology in educational institutions is generally quite good, but the information available through the student information systems (ERP) is not always on par with the technological capabilities. There are many reasons for this information gap.

We often hear from presidents and high-level executives that they cannot obtain meaningful or consistent information. Our company has received a number of RFI or RFPs where the central theme is a variety of information islands with minimal communication between them. This is typically despite the fact that the data has been appropriately captured on their software systems. There can be a presumption that once expensive technology and ERP systems have been installed, cohesive and meaningful data will automatically follow. As business requirements are fluid, information gathering needs to be closely monitored to ensure that it reflects changes due to shifts in organizational practices and changing regulatory requirements.

As there are many levels of data, it is important for requests to be quite specific. For example, you might ask the question a�?how many students were enrolled for fall 2013a�?. You would get a different answer if withdrawals were included or not. It might seem obvious not to include withdrawals, but they are generally included when analyzing data for financial aid and other purposes. So it is very important to ask the question in away that will not create the possibility of multiple a�?correcta�? answers; otherwise a tolerance for reasonable variations must be expected.

The Reasons

Yearly ongoing ERP budgets should average a minimum of at least 1.5% ‘ 2% of the annual operating budget of the institution. A school with a 50m annual budget would thus ideally have a budget of about 750k-1M strictly for ERP support and no other IT related items. This would include internal salaries, vendor software upgrades, support and training. The initial capital outlay for the ERP software would be a separate budget item.

Technology infrastructure at a school is typically a strategic top down approach.

  • Networking
  • Security
  • Wiring/Wireless
  • Hardware
  • Operating Systems
  • Software
  • Access for students, faculty, administrators for email, texting, LMS.

This is in direct contrast to information creation which is typically a bottom up approach. Often a strategic plan is not in place for providing information, but rather data is analyzed after the fact and attempts are made to correct the process for gathering the information. An executive might say a�?I need a report that gives me a breakdown of students by criteria A, B, and Ca�?. In some cases, the information for the report criteria is not in the system or is only available in a way that is difficult to collate.

In essence, the reporting requirement was an afterthought, rather than a requirement that was clearly outlined when the system was configured. It would be analogous to asking for an old building to be networked for fiber optic capability after it had already been trenched and wired for telephones. It can be done, but requires a lot of redundant and unnecessary labor.

While information is critical to the mission of an institution, the reality is that it is not considered part of the mission itself. Persons responsible for the information typically report to a technology person. This can be inappropriate for a variety of reasons including:

  • The technology director’s expertise is in managing technology, not information. They are not the same!
  • Technology is a tool for gathering and providing information.
  • Information itself is an entirely different entity.
  • Having the information personnel report to a technology person without the right skill set is somewhat analogous to the CFO reporting to the facilities department because they use office space. Stated another way, an IT and an IS professional are as different as a CFO and a Human Resources Director.

The Solution

Organizational changes may be needed so that the information systems director is aligned with the mission of the organization. If information is a paramount concern, then the information director might report directly to the president rather than the CFO or IT director. Times have changed, and a case can easily be made that while information itself is not part of the mission, the institution can falter due to inaccurate or unavailable information. This is especially true with new regulations that surround financial aid availability and is even more significant in the for-profit sector.

The skill set of an information person should include:

  • Advocacy for process, software utilization, and resolution.
  • Consensus building so that data decisions are made cohesively for the entire institution.
  • Superior interpersonal skills that help to promote departmental confidence with the system.
  • Excellent verbal and communications skills.
  • Analytical skills.
  • Management skills that include minimizing the emotional reaction to change and encouraging cross department cooperation.
  • Executive authority that allows the ability to challenge managers to create new processes.

This person will not come cheaply and an appropriate budget must be maintained for this position. It can be risky to hire someone with a skill set involving phones, wires, computers, or networks. They can easily be drawn into the demands of students, faculty, and administrators for improved networking, email capability, and bandwidth. Although that role is also important, the informational role should definitely be separate and well defined.

Finally, the institution must look at the organizational chart and place the information person on at least the same level as the technology person if the desire is to have information on par with the technological capabilities. With the increased demand and complexity of data, the smooth flow of information throughout the institution can empower management, increase departmental efficiency and identify opportunities that contribute to the success of the school.

Any questions? Contact Us

Sign up for a Free Online Demonstration of Campus Café