Defensively Architecting a SaaS Implementation
If you’re a SaaSBlogs regular, you’re probably a big fan of the SaaS delivery model. One thing you also probably know is that one of the downfalls of the delivery model stems from the fact that it increases overall cost of failure and cost of downtime since it moves usage from a decentralized (aka on-premise) delivery mechanism to a centralized one. Although this is a downfall, it’s not a good enough reason to avoid the model; SaaS’ pros significantly outweigh its cons. The value afforded by SaaS outweighs centralization issues. That doesn’t mean, however, that an ISV should ignore problems posed by centralization. After all, if architected poorly, downtime may affect all of your customers, which would in turn clog your support lines and negatively impact your growth rate. So what can an ISV do to alleviate the pitfalls of centralization? Focus on defensive architectures.
As a discipline, SaaS architecture can take lessons from ship building. Normally, small vessels (let’s say one that carries 8 passengers) have a single compartment hull; that is, the hull is a single volume of air designed to keep the vessel afloat. One strategy to move 4,000 people from port A to port B is to put them on 500 such small vessels. If a vessel were to hit an iceberg, it would most definitely sink since a hull breach would open that single compartment up to water logging. However, the problem would be localized and isolated, with a high degree of probability that the other 399 vessels will make it to port B without a problem. Consider this to be representative of the on-premise model.
Much like the on-premise model, however, this mechanism for moving people is grossly inefficient at best since it requires separate crew and supplies for each vessel. A more efficient way to move 4,000 people would be on one massive vessel, exploiting obvious economies. Despite any achieved economies, an ugly facet rears its head: a poorly engineered mega-vessel could lead to the deaths of all 4,000 aboard in one fell swoop! What happens if it hits an iceberg? Consider this to be representative of the SaaS model.
So back to the iceberg question: fortunately, engineers architect mega-vessels defensively; rather than a single compartment, single volume hull, mega vessels are divided into multiple airtight compartments (for example, the Titanic had 16). A hull breach may cause any single compartment to flood, but the system as a whole remains resilient. Any load borne by the breached compartment is implicitly offloaded to the remaining compartments of the hull, keeping all 4,000 passengers alive despite a massive system failure! This sort of defensive model is absolutely necessary in ship design, and is something that SaaS architects and engineersÂ should adopt in their design approach. Your software now becomes a single, centralized heap that is “carrying” thousands of customers. Focus on compartmentalizing resources and supporting system failure, but try to keep any one compartment from being dedicated to some subset of your customers (i.e. when a compartment on a multi-compartment vessel is breached, some subset of the 4,000 passengers did not sink as a result!). Of course we all know how things turned out for the Titanic which confirms that if the breach is big enough it can still take down the entire system but the idea is to minimize the risk and realize all you can do is reduce the probability that an unforeseeable event will have significant negative impact.