In my last post on the DVCon 2009 panel on Software As A Service, or "SaaS" as it applies to EDA, recall that the main issues that came up were:
* EDA applications that can clearly benefit from SaaS
* Bandwidth needs
* Configuration control
* Dealing with and/or migrating legacy flows & data
Of these issues, the panelists uniformly reported that security is *always* the first thing that prospects ask about SaaS. Reinforcing the primacy of this issue was the fact that nearly all the initial questions from the audience were about security as well. Unfortunately I missed out on some of this discussion because I was multi-tasking with my laptop to check on the status of my mortgage refinancing, and seeing how badly my stock portfolio was beaten down that day ....
I'm KIDDING!!! The panel was way too engaging to be tempted by such distractions, and my point is that even 5 years ago many consumers were still fearful of doing any kind of financial transaction over the internet, vs. today where hardly anyone gives it a second thought. While I don't mean to trivialize security concerns, I assert that with the proper stewardship, SaaS security risks can be managed to the same extent they are today on existing platforms.
For starters, at Cadence we have a well thought out, easy-to-use set of procedures to manage sensitive data (the "Label, Log, Secure" program, complete with annual refresher training and enhancements based on real world feedback) that's similar to procedures used in my past life in aerospace. Of course any vendor that needs to manage access to sensitive data -- which is to say all vendors in EDA -- have similar procedures I'm sure, for the same reasons all our customers do as well. In short, there is no lack of experience or ongoing motivation in the EDA industry as a whole to extend the same security programs used on current platforms to SaaS solutions.
In fact, one could argue that the bulk of EDA work is already being done with "internal SaaS" today. Specifically, I'd say 95% of the customers I visit enable their engineers to do EDA work from their homes, or while traveling, via their company's VPN. (Recall this video showing how you can securely control EDA tools with a smart phone via a VPN). In effect, many EDA customers are already doing their own flavor of secure cloud computing, where the end users working "outside the plant" are largely ignorant of where exactly the CPUs they are using are physically located. Furthermore, by hosting most of their sensitive data in physically secure locations, customers and EDA vendors alike are already guarding against the danger of an employee's laptop being stolen and other common physical security risks.
Add up all of the above, and you have to imagine that it's only a matter of time before the folks in the Customers' Finance & Purchasing departments start to wonder where exactly the "make vs. buy" line lies for their IT infrastructure (that burns obscene amounts of electricity and HVAC resources, not to mention obsoletes itself every 18 months) vs. outsourcing all of that. This is not to say that SaaS is or will be automatically cheaper than traditional, "home-based" solutions. In fact, some of the comments from the panel and audience noted that SaaS offerings today can be visibly more expensive in the longer term than home-based solutions, but I digress ...
Assuming security risks for SaaS can be managed to the same or greater standards as existing platforms, this brings us to the next big issue, and subject of a future blog post, "what EDA applications can clearly benefit from SaaS"? Stay tuned ...
The last 4 frames of this set are photos from the DVCon 2009 SaaS panel: http://www.flickr.com/photos/24605532@N08/sets/72157614375923457/
What Cadence offers in the SaaS space today (in short, pretty much our whole line of products and services):
Panel moderator Harry "The ASIC Guy" Gries' site/blog: