Over the last two days, a mailing list of which I am a member had an interesting – and sometimes sharp – exchange (pun intended) about whether or not the mass availability and advanced feature sets of Web-based, corporate-focused mail services, like Google Apps for Your Domain, are a threat to, and possibly the end of, internally managed collaboration products like Microsoft Exchange. This article will provide a short analysis of the arguments in both directions and a framework for analyzing when CaaS, or Collaboration-as-a-Service, makes sense .
Why is Google Apps (or Yahoo, for that matter) so appealing to an IT manager or CFO? Normally, it is portrayed as beneficial for two key reasons, one to suit the users, the other the CFO:
- Everywhere: If you use browser-based email or collaboration, it is available everywhere – from your home, office, laptop, customer site, even Internet cafe in Thailand. While this does not usually allow you to “leave the laptop behind,” the inconvenience, which can lead to lost business, due to being tied to a particular piece of equipment to collaborate is a significant matter for most users.
- Management costs: With a cost of $50/user/year for premium edition and $0 (a.k.a. free) for the basic edition, the financials are extremely appealing to the CFO. In addition to an often lower cost, the ability to turn a large amount of fixed infrastructure costs into variable costs that can increase and decrease precisely linearly with the number of employees is very valuable to any CFO. It is also valuable to any CIO who understands his or her role to be COO for information, rather than chief technology manager and implementor. Unfortunately, such CIOs are all-too-rare.
In direct response to the “everywhere” issue, most internal software providers, of which Exchange is the most well-known, have provided a browser-based interface to their products. In many corporations, Outlook Web Access, or OWA, is actually the primary method many employees use to retrieve their mail. Largely, this neutralizes the anywhere advantage. Thus, the primary argument in favour of CaaS in the form of Google Apps or any other such service is cost: it is cheaper, and it is variable.
Is it cheaper?
The answer, of course, is “it depends.” Let us analyze two extremes: a small 10-person business and a large 20,000-person multinational.
- Our small 10-person business can get Google Apps for $50/person/year, for a total cost of $500/year. By contrast, Microsoft Exchange 2007 Standard Edition is $700, plus $67 per client access license, for a total of $1,370 before hardware. Of course, the business can use Microsoft’s Small Business Server 2008 with 10 client access licenses, for a total of $1,474, around the same amount. Add in hardware for $2,000 (it will actually cost a lot more), for a total of $3,500. Since a reasonable life expectation for this equipment is the standard 3 years, ignoring time value of money, the annual cost is over twice that of a CaaS solution. Add to that the ongoing costs of power, cooling, systems administration, problem-solving, and backups, and the CaaS solution’s appeal is very strong.
- Our large 20,000-person multinational can get Google Apps for $50/person/year, for a total cost of $1MM/year. Unlike a small company, a large firm has to deal with significant issues relating to infrastructure redundancy, cost of routing, etc. Additionally, the bandwidth demands of 20,000 people accessing email over the company’s Internet connections can be quite high. On the other hand, the large company can gain significant economies of scale in utilizing its mail servers. Assume the company has 30 quad-core Exchange servers, with 1,000 mailboxes spread over each of 20 servers on average, 5 additional servers fronting Outlook Web Access, and 5 servers in failover mode for redundancy. Since the rule of thumb often used is 1,000 average users per core, this should be sufficient. 30 Enterprise Exchange 2007 server licenses is $4,000*30 = $120,000. Add in 20,000 client access licenses at $35/license for an additional $700,000, and software licensing totals $820,000. Each quad-core server is approximately $4,000, for a total of $120,000. Assuming each mailbox to be 2GB in size, total storage requirement per server is 2TB, or 40TB total. There are lots of routes to get this storage, but assuming the least efficient direct attached storage, the additional cost will be about $6,000 per server, for a a total cost of $120,000. Thus, the total upfront cost before any corporate discounts is $1,060,000. Since the expected life of the product is 3 years, and ignoring time value of money discount rate, the annual total is just over $350,000, or $17.50 per mailbox, one third of the CaaS cost. The maintenance and staffing costs can significantly increase the total internal cost to as much as triple or more.
Thus, the raw costs of the internal route for a company of scale are significantly below those of CaaS, while those of a small business are significantly higher. To answer the first question, “is it cheaper?”, the answer depends on company size. At some point in scale, it becomes cheaper to do it in-house than out of house. My own experience shows that the point at which the two cross is actually quite high, somewhere between the 5,000 and 10,000-person mark. The primary concern is, quite frankly, how efficiently the internal IT team operates. If they keep costs low and are highly automated, then raw hardware and software costs dominate, and internal costs are much lower; if they do not, then labour costs dominate and the internal costs can match or exceed external costs.
Thus, from a costs perspective, CaaS will almost always be cheaper for small business, whereas larger institutions can sometimes save money in-house depending on their internal labour and operating costs and efficiencies. The challenge is that often costs are mixed together. The IT mail maintenance team may also support file-sharing servers; Internet bandwidth costs may be a single line item on the IT infrastructure budget; and storage costs may be subject to odd forms of fixed-cost accounting. Only an unbiased internal analysis that quickly isolates all of the costs correctly, including current and ongoing costs in both scenarios, and fully understands technology usage patterns and benefits, can correctly determine the optimal cost path.
For many enterprises, however, cost is not make or break. Other considerations unique to the business operating or regulatory requirements of a particular organization or industry may have a far greater impact. In this section, we will explore those considerations and how they impact the CaaS vs. internal choice.
Going back to our 20,000-person company, we determined that every three years or so, on average, the firm would need to spend about $1MM in software and hardware refreshes. In most companies, these expenses would (properly, although I am not an accountant) be considered capital expenses, an asset purchase with a three-year lifespan. However, within most businesses, the process of getting OpEx, or operating expenditures, is significantly different from the cost of CapEx, or capital expenditures. Whereas an IT manager can usually get operating expenditures, whether increased or decreased, as part of the normal budget cycle plus some special approvals process at the time of expenditure beyond some threshold, capital expenditures, especially those of $1MM or more, require many more hoops to jump through. For this reason alone, if the CapEx approval and justification process is particularly difficult, there are significant advantages to CaaS, which is essentially a service leasing model. I have one client who, after several years, switched from owning and maintaining their Enterprise Resource Planning (ERP) software and hardware infrastructure to leasing it as a service. The cost financials were largely the same. However, with the lease model, the ERP manager and the CIO have converted CapEx headaches into ongoing operating expenditures. The era of capital investment battles, at least for ERP, are over.
When dealing with technology services, there are essentially three layers of risk: systems, software and network. Each one needs to be managed differently and separately from a technology risk reduction perspective. However, from a business perspective, our concerns are the risk of failure and the impact on the business. Systems and software risk are identical, from the company’s perspective, whether the service is internal or CaaS. Network risk, on the other hand, differs dramatically. In the case of CaaS, loss of or significant degradation in Internet connectivity means complete loss of email service, both employee-to-employee and employee-to-outsider. In the case of internal email service, only employee-to-outsider (and reversed) is affected; employee-to-employee continues to function. The impact of this differential depends on the nature of the organization’s email usage patterns.
In most small businesses, a large proportion of mail is sent between internal employees and external customers, vendors and partners. Thus, the risk with the greatest impact is loss of Internet connectivity. As soon as the Internet connection is no longer available, or performance is degraded beyond effective usage, email essentially ceases to exist, whether the mail service is internal or CaaS. The very nature of the smaller organization size also makes it easier to work around those failures. A 10-person shop can simply use the phone, as inefficient as it may be.
In larger organizations, a larger proportion of email is sent internally between various departments or regions. Thus, loss of Internet connectivity, while painful, is not equivalent to loss of email entirely. Thus, the larger organization will suffer much greater dislocation if connectivity to the CaaS provider is lost, even though internal services continue to function. Further, the sheer size of the organization makes replacing email with phone calls nearly impossible.
Regulatory & Litigation Risk
Many businesses operate in a regulatory environment that requires them to do one or more of the following. Some companies may wish to do these for legal protection reasons.
- Retain and/or review all emails over some period of time.
- Keep copies of emails for some period of time.
- Remove all copies of emails after some period of time.
Essentially, regulators of various stripes insist the company exercise different types of control over email. For example, some European countries forbid companies from ever looking at employee email, under privacy laws, while others require companies to review email for inappropriate, illegal or offensive behaviour, such as harassment or insider trading. This author is perfectly aware that these requirements may be conflicting. I once worked with a large multinational bank that operated in Switzerland, Germany and the United States, among others. German regulators forbade the bank from reviewing email; American regulators required regulators to review the emails. It was literally impossible to comply with both simultaneously. The solution required re-routing email based on source and destination in ways that they would never become part of two conflicting jurisdictions simultaneously, an absurd and expensive situation but one required by the circumstances.
Some CaaS providers can meet some of the requirements; almost none can meet all. Additionally, lack of knowledge of location of the CaaS servers and storage can open a regulatory morass, a veritable Pandora’s Box. Thus, in circumstances where conflicting and changing regulatory and litigation regimes require fine-tuned control over email behaviour and routing, both during viewing and for a time period thereafter, CaaS is unlikely to provide a viable solution for a while yet, until some CaaS provider focused primarily on these issues arises.
Privacy is an issue for many entities. Organizations are concerned that the CaaS providers, primarily Google, but also Yahoo and Microsoft, have too much knowledge of their personal and employee behaviour. Many are reluctant to place every email they send, inbound and outbound, through servers managed and controlled by these companies. Although these concerns are legitimate, it is important to note that they are not as severe as normally raised. This is not because the companies are unlikely to mine or use email content; quite the opposite, they are highly likely to do so. Rather, it is because email that goes outside the organization, unless encrypted, is already largely public. There are no “sealed envelopes” like in normal “snail mail”, and regulations in many countries do not equate email theft with mail theft. Further, many organizations already use SaaS mail filtering services for spam and viruses, like MessageLabs (owned by Symantec) or Postini (owned by Google). The excellent consumer and small business security company Webroot also provides enterprise services, and is a flexible alternative without being bound to Symantec’s sales procedures or Google’s mining.
Is It a Threat?
As we have shown, internally managed email and collaboration services will exist for a very long time. CaaS is definitely a threat to Exchange at small organizations, where the cost far outweighs the benefits. However, many organizations, especially large ones with complex technology, legal, privacy, budgeting and cost requirements will perform this analysis and decide they need internal email infrastructure. Exchange and its competitors will continue to be a critical product for organizations with requirements that lead to internal deployment and management. An interest proof that even Web companies are of the same mind is Zimbra. Zimbra makes a fully open-source, Web-based Exchange competitor. On October 4, 2007, Yahoo acquired Zimbra for $303MM in mostly cash and some equity. Clearly, even Yahoo, a Web pure-play business, saw the need to continue to have a presence in the internally installed and managed email and collaboration software industry.
Making the Decision
In sum, to decide between CaaS and internal email, one needs to analyze the following major factors:
- Software and hardware costs, including timing of outlays and discount rates
- Ongoing maintenance costs, including power, cooling, administration and support
- CapEx budgeting, including relative difficulty of releasing CapEx funds versus OpEx funds, and the preferred accounting treatments of assets on balance sheet
- Operating risk tolerance for network failures, as driven by email usage patterns and available alternatives
- Regulatory and litigation risk, including requirements for multi-facted and often conflicting retention, review and privacy rules
- Privacy preferences, and concern for passing all mail, internal and external, through a third-party provider
An single analyst or consultant should be able to determine these requirements for a company of any size in no more than eight weeks at the outside. If your organization does not have the staff with the mix of technology, finance, operations, legal and political skills, consider an outsider, but make absolutely sure that (a) they have all the skills and (b) they can execute quickly.
Insource vs. outsource, CaaS vs. internal, is a major decision with significant ramifications. Doing it correctly can have a significant impact on the business; doing it wrong can cost millions. Make sure to do it right.