Multi-Tenancy, Platforms, and ISVs

Eric Farrar

The thoughts and opinions expressed in this blog post are my own, and do not necessarily represent those of Sybase or SAP.

This past week an article written by my colleague, Eric Lai (Twitter), entitled “Multitenancy & Cloud Computing Platforms: Four Big Problems”, caused quite a bit of controversy. An example of this is the formal rebuttal by independent consultant Frank Scavo (Twitter) in his blog post, “Mischaracterization of Multitenancy in an SAP-sponsored Blog Post”.

As Eric noted in his article, this post was motivated by a discussion that he and I had about multi-tenancy around Sybase’s forthcoming SQL Anywhere OnDemand cloud database. In this post I will respond to Frank’s comments, attempting to frame the discussion in the context that the article was intended. I think we will find it is all a matter of hats. To that end, I invite you to put on my hat for a moment.


My Hat

I am a product manager on the SQL Anywhere team. For those who are new to SQL Anywhere, it is an embedded relational database that has been in development at Sybase for over 20 years. Although you may never have heard of it, there is a good chance you have used it. This is because it is typically so deeply embedded in an ISV’s product that you do not know it is there. An example of an application that embeds SQL Anywhere is Intuit’s QuickBooks.

Over the last two years, we have started to see a shift in the ISV community. ISVs who previously used to deploy an application to their end users (and have it run on-premise) are feeling pressure to have a hosted version. This turns an ISV’s core competency on its head. After all, ISVs have expertise in deploying software, and managing deployed software. While hosting removes those challenges, it puts the challenges of hosting in their place. This is an entirely new world for many ISVs.

To capture this shift (and other shifts within IT), many companies have launched full-stack, public platform-as-a-service products. These are multi-tenant platforms where the resources are shared between hundreds of different applications running on the platform. The promise of the PaaS is that it will take care of the hosting, and it will scale your application automatically.

There is no such thing as a free lunch. The tradeoffs come in four places: flexibility, security, power (or functionality), and cost. Now that we are all wearing my hat (also known as the ISV-looking-for-a-platform-to-host-their-application hat), let’s take a look at the objections raised in Frank’s response.

It’s Inflexible

When choosing a platform, any platform, you have entered a garden. Some of these gardens have quaint white picket fences with lots of gates and a nice breeze. Others have tall, thick, brick walls.

On a PaaS, the ISV will be limited to the physical locations, certifications (HIPAA, PCI-DSS), hardware, technologies, and terms-of-service of the platform provider. This rigidity causes problems if the ISV has current (or future) requirements that cannot be met by the platform provider.

So what does multi-tenancy have to do with this inflexibility? Whether speaking of a platform or an application, it is often the multi-tenancy aspect that limits the amount of flexibility that an application or platform can support. I am not saying that multi-tenancy is bad, just that it is usually inversely correlated with flexibility.

It’s Less Secure

The question of multi-tenancy for an ISV has two facets. There is the question of the multi-tenancy of the platform they are running on, and there is the question of their ability to create a multi-tenant application.

I am not aware of any published security breaches between separate applications running on a multi-tenant platform. Each application running on the platform will likely have its own database, and so the risk of data leakage is mitigated. I believe that the platform providers will have done a lot of work and testing to ensure that separate applications on their platforms are isolated.

But the platforms do not provide any help in isolating the data within an ISV’s own application. When an ISV deploys an application on-premise, each customer gets their own instance of the application (with their own instance of the database). When the ISV pulls all of those customers together to host the application, does it make sense to combine all of the customers’ databases together into a single database?

Most of the PaaS stack’s databases have been designed to scale with the absolute size of a single database. This metric of scaling suggests that it would be best to combine all of the customers’ data into a single database. This creates a potential risk because it is possible that the ISV could introduce a bug that accidentally exposes one customer’s data to another. The most likely cause of this is a coding error (e.g., forgetting to filter the data to just that customer, or a bug that causes confusion of the customer identifier).

Cases like this have happened in the wild (emphasis mine):


  • Microsoft BPOS cloud service hit with data breach


“We recently became aware that, due to a configuration issue, Offline Address Book information for Business Productivity Online Suite (BPOS) Standard customers could be inadvertently downloaded by other customers of the service, in a very specific circumstance,” said Clint Patterson, director of BPOS Communications at Microsoft.



  • users were logged into someone else’s account


“Hulu said shortly after launching its Facebook Connect feature Friday that it noticed a small number of users were seeing someone else’s account information upon logging in to the site.”


“We’re still drilling down on the precise nature of the issue, but we know that it was a coding and configuration error on Hulu’s side, and not the result of hacking, or other third party actions”

(Official Blog)

Both of these are large companies who I expect have the resources to design and test their multi-tenant solutions, and yet both had (thankfully, limited) data breaches.

The concern of many smaller ISVs who are brand new to hosting is that they will not do it correctly. I would expect that data breaches of this nature are more common, but it is just that many smaller ISVs do not have the profile to have their breach featured in ComputerWorld or VentureBeat.

One solution for the ISV is to keep total isolation of the data between all of their tenants. One tenant, one database. The application layer may be multi-tenant, but the database is single-tenant. While some of the platforms will allow you to maintain multiple databases, it is not cost-effective, and they do not have any tools to help manage thousands of separate databases.

This is exactly the use-case for which SQL Anywhere OnDemand was designed: a multi-tenant application layer, backed by a single-tenant database layer.

I want to make it clear I am not suggesting a multi-tenant application is inherently insecure. (After all, we are enabling our ISVs to create multi-tenant applications!) Instead I am suggesting any developer should only include multi-tenancy up to the level they are confident that they can make secure. For many ISVs who do not have experience in multi-tenancy and hosting (and whose apps are already written as single-tenant applications), it may be prudent to keep the databases single-tenant.
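The coding error described above (forgetting to filter the data to just that customer) and the one-tenant-one-database alternative, as an added example that is not from the original post or from SQL Anywhere OnDemand. It uses Python's built-in sqlite3 as a stand-in database; the table, tenant names and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants of a hypothetical hosted invoicing app.
SAMPLE_INVOICES = [
    ("acme", 1, "ACME payroll run", 12000),
    ("acme", 2, "ACME office lease", 4500),
    ("globex", 1, "Globex legal retainer", 30000),
]


def build_shared_db():
    """Shared model: every tenant's rows sit in one table, split only by tenant_id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices "
               "(tenant_id TEXT, invoice_no INTEGER, memo TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SAMPLE_INVOICES)
    return db


def build_per_tenant_dbs():
    """One tenant, one database: the schema has no tenant_id column at all."""
    dbs = {}
    for tenant, no, memo, amount in SAMPLE_INVOICES:
        if tenant not in dbs:
            dbs[tenant] = sqlite3.connect(":memory:")
            dbs[tenant].execute("CREATE TABLE invoices "
                                "(invoice_no INTEGER, memo TEXT, amount INTEGER)")
        dbs[tenant].execute("INSERT INTO invoices VALUES (?, ?, ?)",
                            (no, memo, amount))
    return dbs


def _memos(conn, sql, params):
    return [row[0] for row in conn.execute(sql, params)]


def shared_lookup_buggy(db, tenant_id, invoice_no):
    """Deliberately buggy: the developer forgot the tenant filter.

    tenant_id is accepted but never used, so invoice numbers that repeat
    across tenants return every tenant's row.
    """
    return _memos(db, "SELECT memo FROM invoices "
                      "WHERE invoice_no = ? ORDER BY memo", (invoice_no,))


def shared_lookup_fixed(db, tenant_id, invoice_no):
    """Correct shared-table query: every statement must carry the tenant filter."""
    return _memos(db, "SELECT memo FROM invoices "
                      "WHERE tenant_id = ? AND invoice_no = ? ORDER BY memo",
                  (tenant_id, invoice_no))


def isolated_lookup(dbs, tenant_id, invoice_no):
    """Same unfiltered query as the buggy one, run against the tenant's own database.

    Other tenants' rows are not in this database, so the missing filter
    cannot expose them. The remaining trust point is choosing the
    connection: tenant_id must come from the authenticated session, and an
    unknown tenant fails closed.
    """
    conn = dbs.get(tenant_id)
    if conn is None:
        raise PermissionError("no database for tenant %r" % tenant_id)
    return _memos(conn, "SELECT memo FROM invoices "
                        "WHERE invoice_no = ? ORDER BY memo", (invoice_no,))


if __name__ == "__main__":
    shared, per_tenant = build_shared_db(), build_per_tenant_dbs()
    print("shared, buggy   :", shared_lookup_buggy(shared, "acme", 1))
    print("shared, fixed   :", shared_lookup_fixed(shared, "acme", 1))
    print("isolated, buggy :", isolated_lookup(per_tenant, "acme", 1))
```

In the shared model the fix has to be repeated in every query the application ever issues; in the per-tenant model the check happens once, when the connection is selected.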

It’s Less Powerful

As Frank points out, the platforms allow for huge improvement in productivity. I have no argument here. However, here as well, there is no free lunch. The productivity gain is inversely correlated with power and functionality.

When I have to write a quick script, my language of choice is Python. I love Python. Our SQL Anywhere database is written in C/C++, with some performance critical routines written in assembly. Would it be a wise choice to rewrite SQL Anywhere in Python? No, it is not the right tool for the job.

Many of the ISVs using SQL Anywhere have very database-intensive applications. They move large amounts of their code into stored procedures in order to reach their performance goals. Moving the logic out of the database, and going through an abstraction layer (e.g., object-relational mappers), may not be an option for them.

This really comes down to the same conclusion as the flexibility argument. If the restrictions in functionality (which allow the boost in productivity) are acceptable to you, great. If they are not acceptable, that platform is not an option.

It May Be More Costly

As Frank asserts, this is speaking of the cost to the ISV, not the end customer. The reason for this is that many ISVs are smaller shops who do not have the bandwidth to fully re-architect their application to fit the constraints of a platform. They need their application hosted, and they needed it done yesterday.

Many of the ISVs that I have talked to plan to accomplish this by doing it in stages. The first stage is to move the existing application and database up to a hosting provider, and use remote desktop technologies to remote the application’s GUI to the end user.

I can almost hear an audible groan of disdain from cloud purists:

“You can’t do that! The application must be totally re-architected in order to take advantage of the cloud.”

That is true, but pragmatism is holding the trump card. Don’t let the perfect be the enemy of the good!

For many of these ISVs, the end goal will be to re-write as a “cloudy” application (and thus reap all of the cost savings to both them, and their customers), but the direct path may not be the most cost effective.


Switching Hats

Now let’s take off my hat, and put on the Enterprise-end-user hat. To understand the reaction wearing this hat, I invite you to read Frank’s blog post.

As Frank points out, when the original post is read as an enterprise end-user (or even an enterprise developer), a lot of the arguments do not make any sense. This is because enterprises and ISVs are different beasts.

It’s Inflexible

An enterprise knows its requirements. It knows what local data centers it will need, and it controls all of its end-users.

An enterprise does not have to consider what would happen if a new customer appeared in a country that had strict data laws, and there was no data center for your platform located there.

An enterprise does not have to consider that they might suddenly find out their enterprise application needs to be HIPAA compliant because they were able to score a new customer in the health care space. (I am not saying they would not ever have to be HIPAA compliant, but they would be better able to plan for it).

It’s Less Secure

The question of multi-tenancy within the application is meaningless here. All the data in that application is for that enterprise. There is no risk of having your enterprise’s data accidentally exposed to another enterprise due to your programming or configuration error.

It’s Less Powerful

An enterprise is in control of all of its users, and is able to limit functionality by mandate. An example of this is IT departments that often mandate “This is our list of supported browsers”, or “This is our list of supported devices”.

Most ISVs are not in a position to make mandates to their users. If they cannot support a certain feature, they lose customers. That customer will not care if the excuse is, “My underlying platform does not support that.”

It May Be More Costly

From time to time, enterprises need to do overhauls of their applications. While these are disruptive, there is nothing you can do except grit your teeth and wait for the disruption to pass.

It is much harder for an ISV to tell their customers:

“We have to do a major internal rewrite. This means our next release will contain almost no new features, and will probably be late.”

(In reality, ISVs still actually have to do this, but they try to mitigate it by doing it in smaller chunks.)


Taking the Hats Off

Several months back, there was a blog post at the SAP Community Network from Richard Hirsch entitled “What is the relationship between Sybase’s ‘SQL Anywhere OnDemand Edition’ and SAP’s other OnDemand offerings?” After delving into the question, he concluded:

  1. There were other use cases in the market beyond those that were being met by SAP OnDemand offerings on which I usually concentrate (OnDemand Core, OnDemand Edge, SAP NetWeaver OnDemand, etc.)
  2. The SaaS market is varied / more complicated than many assume.


I think this hits the nail on the head. The original post was targeted at the group outlined in his first point.

The second point is a good reminder for me. I spend so much of my day wearing my own hat (after all, it is comfortable), and I failed to anticipate how these ideas would be interpreted if read wearing a different hat. I apologize for the confusion it has caused.



