The Enterprise Readiness Guide for SaaS Product Managers
This guide is for SaaS product managers who want to better understand the essential features enterprises expect, the right timing for going upmarket, build vs. buy considerations, and pricing and packaging implications.
“Enterprise Readiness” is the ability of a SaaS product to meet the security, compliance, reliability, and support needs of larger customers. These organizations are typically businesses of considerable size (>1000 employees) with multi-layered evaluation, procurement, and decision making processes.
This guide is tailored for SaaS product managers seeking best practices in the following areas:
- Enterprise Timing: When to prioritize enterprise readiness.
- Enterprise Personas: Customer profiles that become important as one moves upmarket.
- Enterprise Features: Important and common features enterprises expect from vendors.
- Resourcing: “Build vs. buy” considerations.
- Pricing: Packaging and commercial implications of enterprise specific features.
Insights below are drawn from interviews with product leaders who have successfully navigated the enterprise journey. Special thanks to: Thomas Schiavone, Former VP of Product, Sift; Patrick Malatack, Former VP of Product, Twilio; Matt Rinehart, Staff Product Manager, Netlify; Meagan Gamache, VP Product, Render; Lawrence Han, Product Management Lead, Asana; Sean Santschi, Enterprise Product, Motive; JB Volta, Former Staff Software Engineer, Slack; and Mark Tran, Engineering Manager, WorkOS.
The decision to move upmarket is typically driven by one of two catalysts: a "pull" motion or a "push" motion. Pull occurs when a user base expands organically, typically through a bottom-up motion into larger customers, and the organization is now drawn into enterprise conversations. A push motion occurs when the organization proactively prioritizes demand creation in enterprise and the likes of Fortune 1000 companies.
In either scenario, demonstrating an early understanding of common enterprise needs often leads to increased credibility and a higher likelihood of success. This is particularly true in competitive markets and emerging product categories, where factors beyond a product's core technology can determine success.
Product leaders shared that organizations that eventually want to move into the enterprise should prioritize a culture of “Day 1” enterprise readiness from the outset rather than trying to establish this retroactively. Moving upmarket is often a company-wide motion that can be riddled with complexities, and early preparation can simplify the process drastically. It’s a process that fundamentally affects every function within an organization but the rewards are significant, often resulting in increased total addressable market, higher average contract values (ACV), decreased churn, and better long-term value for customers.
Personas: Know your customer(s)
Most SaaS product managers understand their product's primary users very well, as these users are central to the core value proposition of the business. However, within larger organizations, the decision-making process includes a wider array of personas, and their distinct needs must be reflected in the product's features. This extended group of stakeholders typically includes:
Security & Compliance Teams
These professionals are tasked with protecting the organization's data and ensuring adherence to industry regulations and standards. They look for robust security controls: encryption of data in transit and at rest, multi-factor authentication, role-based access, and detailed audit logs that record who did what, when, and from where. Compliance with frameworks such as GDPR, HIPAA, or SOC 2 is often non-negotiable, and these teams expect a vendor to back its claims with transparent documentation (for example, a current SOC 2 report) rather than marketing statements.
Procurement & Legal
Procurement specialists are focused on optimizing spend and ensuring that the SaaS solutions their company adopts provide value without redundant functionality. They often scrutinize usage statistics, looking for scalable licensing models and cost-effective integrations with existing systems. On the other hand, legal professionals meticulously review terms of service, privacy policies, and service level agreements (SLA) to safeguard the company against legal and financial risks. They are particularly concerned with indemnities, liability limitations, and data processing agreements, seeking clarity and fairness in all contractual language.
Executive Leadership
C-suite executives and senior leaders evaluate vendors not just on their ability to address immediate problems but also on their capacity for long-term partnership and support for strategic goals. They appreciate a vendor's track record of innovation, customer success stories, and thought leadership in their industry. A well-articulated product roadmap that aligns with future technological trends and the evolving landscape of customer needs can be instrumental in securing their buy-in.
What drives the needs of these new stakeholders are trust and visibility that are critical for a long-term partnership. Patrick Malatack remarked, "As enterprises evaluate different vendors, they look for your ability to grow alongside them as their requirements change. Ideally, they want a vendor that is constantly pushing boundaries and resolving issues before they become apparent." He added, "The vendor-enterprise relationship is always evolving. It's not a one-and-done activity, and enterprise needs are continually changing. Catering to an increasingly diverse group of stakeholders must be an ongoing effort."
Enterprise Features, Unpacked
As the SaaS market has matured, so has the set of essential enterprise capabilities large organizations require from vendors. We’ll now explore the most important and common enterprise features expected from SaaS businesses.
Compliance
Unlike feature-level capabilities such as single sign-on (SSO) or audit logs, compliance refers to adherence to specific standards that ensure data privacy, security, and operational transparency. It is a broader operational discipline guiding how a company manages its tools, data, and processes to mitigate risks, avoid legal liabilities, and earn the trust of customers.
SOC 2 and ISO 27001 are the two frameworks enterprises ask about most often. Strictly speaking, SOC 2 is an attestation report issued by a CPA firm rather than a certification, while ISO 27001 is a certification issued by an accredited body; buyers tend to use the word "certification" for both.
For SOC 2, there are two types:
SOC 2 Type 1: This audit captures a snapshot of an organization's systems and assesses whether their design aligns with the AICPA Trust Services Criteria on a given date. It focuses on control design but does not evaluate operating effectiveness over time.
SOC 2 Type 2: This audit is a more in-depth review spanning an observation period, typically three to twelve months, and examines both the design and the operating effectiveness of controls throughout that period. It shows that controls are not just well designed but also consistently applied and effective.
ISO 27001: This is an international standard for an information security management system (ISMS), guiding how companies manage and protect data. It emphasizes a structured approach to assessing risks and implementing measures to mitigate them. For certification, companies must systematically identify potential threats, evaluate their impact, establish controls to address these risks, and pass an audit by an accredited certification body.
Historically, SOC 2 has been more prevalent in North America, and ISO 27001 has been more prevalent in Europe. For most US-based businesses that deal with customer data to any extent, SOC 2 compliance is seen as an absolute requirement.
Attaining SOC 2 compliance has three distinct benefits:
- Reinforces trust between an organization and customers. In an interview with WorkOS, Daniel Marashlian, Co-Founder and CTO at Drata, mentioned, “The main thing about SOC 2 is establishing trust. As you talk to your upstream vendors, you’ll realize that it’s not so much about the certification or the report but rather, reinforcing the notion that you care about your customers and their users.”
- Enables the customer to also be SOC 2 compliant more easily. As Thomas Schiavone noted, “Customers will also want to remain SOC 2 compliant. As their vendor, if your product is also SOC 2 compliant, it makes things much easier. SOC 2 compliance has a downstream impact that you, even as a series A company, must adhere to nowadays.”
- Offers an easy win that doesn't require many engineering resources. Schiavone added, “The thing about SOC 2 is that it’s a lot of paperwork, not a lot of engineering work. Most of the work can be handled by one engineering manager, making it a cost-effective way to signal enterprise readiness.”
Advanced User Authentication
After meeting compliance requirements, the next thing organizations tend to focus on is broadening their authentication capabilities. Baseline features such as password hashing and storage, input validation, and session management are foundational to every product and relatively straightforward to implement; advanced capabilities such as multi-factor authentication (MFA) and privileged access management (PAM) are more involved, and they are where enterprise buyers look for differentiation.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) significantly bolsters security by requiring users to present several pieces of evidence, or factors, to verify their identity when accessing a system or application. These factors are typically categorized into something the user knows (knowledge), something the user has (possession), and something the user is (inherence). MFA ensures that even if one factor is compromised, unauthorized access to a user's account is still unlikely.
Here are some examples of MFA implementations to consider:
- Authenticator Apps and Hardware Tokens: Hardware tokens (a key fob or a smart-card reader) and authenticator apps such as Google Authenticator generate a short numeric code that the user enters alongside their password. Both are usually implementations of the HOTP (counter-based, RFC 4226) or TOTP (time-based, RFC 6238) algorithms.
- SMS and Email-Based Verification: A code is sent to the user's phone or email, which they must enter to authenticate. Treat these as the weakest option: SMS can be redirected by SIM swapping or intercepted at the carrier, an email inbox is itself usually protected only by a password, and both kinds of code can be phished in real time.
- Time-Based One-Time Password (TOTP): A shared secret is enrolled once (typically via a QR code), and the app derives a fresh code every 30 seconds from that secret and the current time. The server has to tolerate small clock drift, refuse a code it has already accepted, and compare codes in constant time. TOTP resists credential replay but not real-time phishing; where the threat model requires phishing resistance, FIDO2/WebAuthn security keys or passkeys are the stronger choice.
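The TOTP bullet above lists what a server has to get right. The following Python is an added example, not code from the original page or from WorkOS, implementing RFC 4226 HOTP and RFC 6238 TOTP with the standard library, plus a verifier that tolerates one step of clock drift, compares in constant time, and refuses any time step it has already redeemed. The `TotpVerifier` class and its in-memory per-user counter store are assumptions for illustration; `RFC_TEST_SECRET` is the published RFC test-vector key.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a replay-resistant verifier (added example, stdlib only)."""
import base64
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # seconds per time step, the value authenticator apps default to
RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D / RFC 6238 Appendix B key


def decode_base32_secret(encoded: str) -> bytes:
    """otpauth:// provisioning URIs carry the shared secret as (often unpadded) base32."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Accepts codes within +/- `window` steps to absorb clock drift, compares in constant time,
    and remembers the highest step each user has redeemed so a captured code cannot be replayed."""

    def __init__(self, window: int = 1):
        self.window = window
        self._last_counter = {}  # user -> last accepted time step (a DB column in practice)

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = unix_time // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if hmac.compare_digest(hotp(secret, candidate), code):
                if candidate <= self._last_counter.get(user, -1):
                    return False  # this step (or a later one) was already used: replay
                self._last_counter[user] = candidate
                return True
        return False
```

The RFC 6238 Appendix B vectors for SHA-1 can be used to check the implementation: with the test key, T=59 yields 94287082 at eight digits, which truncates to 287082 at six. Note that remembering the last accepted step also rejects a still-valid older code after a newer one has been used, which is the intended behaviour.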
Privileged Access Management (PAM)
Privileged Access Management (PAM) refers to a class of solutions that secure, control, manage, and monitor privileged access to critical assets within an organization. Privileged access can be associated with human users, as well as non-human users like applications and machine identities. The primary goal of PAM is to enforce the principle of least privilege, ensuring users have just enough access to perform their roles and no more. This reduces the attack surface and the risk of a security breach by limiting the potential misuse of elevated permissions.
When implementing PAM, three key considerations to prioritize are:
- Secure Credential Storage and Management: Prioritize establishing a secure vault for storing privileged credentials, with automated password rotation and restricted access to ensure that privileged account details are kept confidential and are not a point of weakness.
- Detailed Auditing and Monitoring: Implement comprehensive auditing and real-time monitoring capabilities for all privileged sessions. This enables the organization to track privileged activities, providing visibility and forensic capabilities to respond to incidents effectively.
- Integration with Identity Verification Systems: Ensure that the PAM solution integrates seamlessly with existing identity verification systems to provide a consistent access control framework. This is vital for enforcing access policies and supporting a unified identity management approach.
Single Sign-On (SSO)
Single sign-on (SSO) is an authentication method that lets users access multiple applications with a single set of credentials held by their organization. It relies on a trust relationship between the service provider (SP), the application the user is trying to reach, and the identity provider (IdP), which authenticates the user. SSO often uses the Security Assertion Markup Language (SAML) protocol. In an SP-initiated SAML flow, the service provider redirects the user to the designated IdP with a SAML AuthnRequest; the IdP authenticates the user and posts back a signed SAML Response containing an assertion that vouches for the user's identity. Before granting access, the SP must verify that signature against the IdP's certificate and check the assertion's issuer, audience, recipient, and validity window; an SP that skips any of these checks can be handed a forged or replayed assertion. The same shape of exchange, with different message formats, carries over to OpenID Connect (OIDC), which is built on OAuth 2.0.
According to Meagan Gamache, who has years of experience building enterprise products at companies like Slack and Figma, “Single sign-on (SSO) is usually the feature that enterprises request after SOC 2 and user management have been established. Because SSO is essentially a more advanced authentication method, this progression of enterprise features is typically true across organizations.”
The benefits of SSO are two-fold: it streamlines the end-user experience by removing repeated login prompts across services, and it centralizes authentication so that password policy, MFA enforcement, and account deactivation are handled once at the IdP rather than separately in every application, shrinking the attack surface that many independently managed passwords create.
SSO can be provisioned with a provider or built in-house. While feasible, building an in-house SSO solution can become incredibly complex, and here are some of the components that would require attention:
- A SAML controller for handling requests and providing responses to the integrated IdPs.
- A SAML service to validate the IdP's X.509 signing certificates, entity IDs, and endpoint URLs, build AuthnRequests, and parse and verify SAML responses (signature, issuer, audience, recipient, and time conditions).
- A strategy to correctly authenticate users in the app based on the attributes that IdPs send back. This process will need to be normalized when supporting multiple customers.
The underpinning challenge of building SSO from scratch is the bespoke customization that is required to build unique SAML flows for each IdP. While SAML is a standard, it, like many standards, can be fragmented and occasionally challenging to navigate.
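To make the second and third components above concrete, here is an added Python example, not code from the page or from WorkOS, of the validation an SP has to perform on a SAML Response once it arrives at the ACS endpoint: signature presence, status, Destination, InResponseTo, a single assertion, Issuer, validity window with clock skew, Audience, Recipient, NameID, and attribute extraction, followed by normalizing the e-mail attribute across IdPs that name it differently. Cryptographic verification of the XML signature is deliberately delegated to a caller-supplied function (in production, xmlsec or python3-saml checking against the certificate in the IdP's metadata); the `SpConfig` fields, the attribute-name list, and the sample response are constructed assumptions.

```python
"""SP-side validation of a SAML 2.0 Response (added example; stdlib only).
Signature verification is delegated: pass a function that checks ds:Signature against the
IdP's X.509 certificate from its metadata (e.g. xmlsec / python3-saml) and returns a bool."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # production: defusedxml.ElementTree to blunt entity-expansion attacks

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# IdPs name the e-mail attribute differently; normalize before matching users (assumed list).
EMAIL_ATTRIBUTE_NAMES = ("email", "mail", "urn:oid:0.9.2342.19200300.100.1.3",
                         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")

@dataclass(frozen=True)
class SpConfig:
    sp_entity_id: str   # what the Audience must equal
    acs_url: str        # our Assertion Consumer Service URL (Destination / Recipient)
    idp_entity_id: str  # expected Issuer, taken from the customer's IdP metadata
    clock_skew: timedelta = timedelta(minutes=2)

def parse_saml_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize_email(attributes: dict) -> str:
    for name in EMAIL_ATTRIBUTE_NAMES:
        if attributes.get(name):
            return attributes[name][0].strip().lower()
    return ""

def validate_response(xml_bytes: bytes, cfg: SpConfig, outstanding_request_ids: set,
                      now: datetime, verify_signature) -> dict:
    root = ET.fromstring(xml_bytes)
    # Signature first: until it checks out, every field below is attacker-controlled input.
    if root.find(".//ds:Signature", NS) is None or not verify_signature(root):
        raise ValueError("missing or invalid signature")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    if root.get("Destination") != cfg.acs_url:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second, unsigned assertion is a classic confusion trick
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != cfg.idp_entity_id:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("Conditions/NotOnOrAfter missing")
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")) - cfg.clock_skew:
        raise ValueError("assertion not yet valid")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + cfg.clock_skew:
        raise ValueError("assertion expired")
    audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.sp_entity_id not in audiences:
        raise ValueError("assertion not issued for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg.acs_url:
        raise ValueError("SubjectConfirmationData Recipient mismatch")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("NameID missing")
    attributes = {attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
                  for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id, "attributes": attributes}

# Constructed sample (not captured from a real IdP); <ds:Signature/> stands in for the real signature.
CFG = SpConfig(sp_entity_id="https://app.example.com/saml/metadata",
               acs_url="https://app.example.com/saml/acs",
               idp_entity_id="https://idp.example.org/metadata")
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" InResponseTo="_req42"
  Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer><ds:Signature/>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jane@customer.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://app.example.com/saml/acs"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>Jane@Customer.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The order of checks matters: nothing in the document is trusted until the signature has been verified, and the response is rejected on the first failing check rather than collecting partial identity data. The `outstanding_request_ids` set is what the SP recorded when it issued the AuthnRequest; an IdP-initiated deployment would relax the `InResponseTo` check and lean harder on the validity window and on the `ID` never having been seen before.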
Automated User Lifecycle Management: Directory Sync & SCIM
Directories, systems, Directory Sync, and System for Cross-Domain Identity Management (SCIM) are four relevant terms to understand when discussing identity management across systems.
- Directories: Directories primarily store and organize user and group information. Common examples include Microsoft Active Directory, LDAP directories (such as OpenLDAP), and Azure Active Directory (now Microsoft Entra ID).
- Systems: Digital platforms or applications that use or manage user identities. This category spans SaaS platforms (e.g., Salesforce, Slack, Dropbox), infrastructure platforms (e.g., AWS, GCP, Azure), and proprietary or custom enterprise applications.
- Directory Sync: The process or concept that ensures consistent user and group attributes, such as profiles, memberships, and passwords, across various directories and systems. It aims to maintain uniformity and accuracy in identity data throughout the IT ecosystem.
- SCIM: A standardized protocol developed to streamline Directory Sync, especially in cloud environments. SCIM sets a defined schema for user and group attributes, ensuring consistent representation across systems. RESTful APIs facilitate the exchange of this structured data among different platforms.
The Significance of SCIM for Enterprise Personas
- Reinforced Security & Compliance: With SCIM, enterprises can streamline user provisioning and deprovisioning. When a new employee is entered into the primary HR system, SCIM can be configured to automatically issue a POST request to every integrated application, creating the user accurately. Similarly, when an employee departs or is terminated, a single change in the primary system, such as marking the employee as "inactive," propagates to all connected systems as a DELETE request or a PATCH that sets active to false, revoking access immediately. A receiving application should treat that signal as a full revocation, including terminating any live sessions, so that the departed employee cannot act in any enterprise system; this reduces the risk of data leaks or unauthorized actions. SCIM traffic runs over HTTPS and every request carries a credential the application issued to the IdP (typically a bearer token), so user data is protected in transit and the application can be confident that a change came from the customer's directory rather than from an arbitrary caller.
- Data Integrity: SCIM employs a specific, extensible schema that defines how user and group resources are represented in exchanges between systems. It also supports bulk operations, synchronizing a large set of users in one request, and PATCH operations that carry only the attributes changed since the last sync, so a small change is communicated without a full re-sync while keeping every system up to date. Lastly, when data is pushed to a system via SCIM, that system validates it against its own constraints. If a user's email does not match the expected format, the receiving system rejects the update with an HTTP 400 and a SCIM error body (scimType invalidValue) rather than storing bad data, and the sending system can surface the failure to an administrator.
- Reduced Overhead: For profile updates, a change in the HR system can trigger a PATCH or PUT request via SCIM, automatically reflecting the change across all integrated systems. Because SCIM is normally deployed alongside SSO, the application does not hold a password at all: resets happen once, at the identity provider, which removes the need for disparate reset procedures. Access requests can also be automated through integrations with Identity Governance and Administration (IGA) tools. Instead of manual provisioning by IT personnel, a SCIM POST request is issued once an access request is approved within the IGA tool, ensuring timely and accurate provisioning.
For IT and security personnel in particular, SCIM is paramount because it offers a streamlined and automated approach to identity management, ensuring that users have the right access at the right time. This not only enhances productivity but significantly elevates the security posture by mitigating potential risks associated with outdated access rights or human errors.
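The SCIM bullets above describe the wire-level operations from the directory's point of view. The Python below is an added example, not code from the page or from WorkOS, of the application side of a SCIM 2.0 `/Users` endpoint: POST creates a user and enforces `userName` uniqueness, PATCH applies `add`/`replace`/`remove` operations to a copy and rejects the whole patch with a SCIM error if the result violates a constraint such as e-mail format, and deprovisioning (PATCH `active=false` or DELETE) also revokes live sessions so a departed employee is locked out immediately rather than at their next login. HTTP transport, bearer-token authentication of the IdP, and sub-attribute paths such as `name.givenName` are left out; the in-memory store, the e-mail regex, and the session model are assumptions for illustration.

```python
"""Application side of a SCIM 2.0 /Users endpoint (added example, stdlib only).
Models what the IdP drives over HTTPS: POST creates, PATCH updates (including active=false
deprovisioning), DELETE removes. Bad data is rejected with a SCIM error instead of being stored."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple constraint (assumed)


def scim_error(status: int, scim_type: str, detail: str) -> tuple:
    """(HTTP status, SCIM Error body) in the shape RFC 7644 section 3.12 describes."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserStore:
    def __init__(self):
        self.users = {}     # id -> SCIM User resource (a table in practice)
        self.sessions = {}  # id -> set of live session tokens, so deprovisioning can revoke them

    def _validate(self, user: dict) -> str:
        """Return a problem description, or "" if the resource satisfies our constraints."""
        if USER_SCHEMA not in user.get("schemas", []):
            return "schemas must include the core User schema"
        if not isinstance(user.get("userName"), str) or not user["userName"]:
            return "userName is required"
        for email in user.get("emails", []):
            if not EMAIL_RE.match(str(email.get("value", ""))):
                return f"invalid email {email.get('value')!r}"
        return ""

    def create(self, payload: dict) -> tuple:  # POST /Users
        problem = self._validate(payload)
        if problem:
            return scim_error(400, "invalidValue", problem)
        if any(u["userName"].lower() == payload["userName"].lower() for u in self.users.values()):
            return scim_error(409, "uniqueness", "userName already exists")
        user = {**payload, "id": str(uuid.uuid4()), "active": bool(payload.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id: str, patch: dict) -> tuple:  # PATCH /Users/{id}
        user = self.users.get(user_id)
        if user is None:
            return scim_error(404, "", "user not found")
        if PATCH_SCHEMA not in patch.get("schemas", []):
            return scim_error(400, "invalidSyntax", "body is not a PatchOp")
        updated = dict(user)  # apply to a copy so a rejected patch leaves stored state untouched
        for op in patch.get("Operations", []):
            kind, path, value = str(op.get("op", "")).lower(), op.get("path"), op.get("value")
            if kind in ("add", "replace") and path:  # top-level attribute paths only (assumed)
                updated[path] = value
            elif kind in ("add", "replace") and isinstance(value, dict):  # no path: value is an attribute map
                updated.update(value)
            elif kind == "remove" and path:
                updated.pop(path, None)
            else:
                return scim_error(400, "invalidSyntax", f"unsupported operation {op!r}")
        problem = self._validate(updated)
        if problem:
            return scim_error(400, "invalidValue", problem)
        self.users[user_id] = updated
        if updated.get("active") is False:
            self.sessions.pop(user_id, None)  # deprovisioning must kill live sessions, not just block new logins
        return 200, updated

    def delete(self, user_id: str) -> tuple:  # DELETE /Users/{id}
        if self.users.pop(user_id, None) is None:
            return scim_error(404, "", "user not found")
        self.sessions.pop(user_id, None)
        return 204, None

    def can_access(self, user_id: str, session_token: str) -> bool:
        """What the application's request middleware would check on every call."""
        user = self.users.get(user_id)
        return bool(user and user.get("active") is True and session_token in self.sessions.get(user_id, set()))
```

The two properties worth copying are that a PATCH is applied to a copy and validated as a whole before anything is persisted, so a malformed update never leaves the store half-changed, and that `active=false` and DELETE both clear the session table, which is what turns a directory change into an immediate loss of access.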
Audit Trail and Log Streaming
An audit trail refers to a chronologically ordered record of events and operations that have taken place within a software application or system. This trail provides evidence of activities and granular details such as who initiated an action, when it was taken, from where, and the exact nature of the change or access. These trails are invaluable for security monitoring, forensic analysis, and regulatory compliance, as they can help detect unauthorized or malicious activity and establish accountability.
Log streaming is a real-time continuous flow of event logs and data from various sources like applications or servers to centralized logging systems or repositories such as Datadog, Splunk, or even an ELK stack (Elasticsearch, Logstash, Kibana). It ensures that logs are immediately relayed, processed, and stored for rapid detection and response to potential security incidents. In essence, while an audit trail provides a historical record of events, log streaming is the mechanism by which these records are efficiently and promptly collected and centralized.
For security analysts and infosec teams tasked with safeguarding the organization's information assets against potential threats, audit trails and log streaming are valuable tools that provide:
- Proactive Security Measures: By maintaining a real-time feed of events across the IT landscape, security teams stay continuously informed and can quickly identify irregularities such as traffic surges, unauthorized access, or unexpected configuration changes. Streamed audit events can be correlated in a SIEM with endpoint and network telemetry and enriched with threat intelligence (for example from vendors such as CrowdStrike and Palo Alto Networks) to identify potential breaches or ongoing attacks more effectively. For this to work, a vendor's audit events need stable field names, a consistent timestamp format (ideally UTC), and an actor, source IP, target, and outcome on every record.
- Prompt Incident Management and Analysis: Forensic analysis leverages chronological logs to precisely trace an attacker's steps, discern the attack vector, and gauge the breach's magnitude. The immediacy of this data is critical for prompt incident management, because it significantly decreases the interval between identifying a threat and executing countermeasures.
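As an added example that is not from the page or from any vendor named in it, the Python below runs two detections over a constructed application audit trail in the who/when/where/what shape described above: a burst of failed logins followed by a success from the same actor and IP, and any activity by an account after the directory deactivated it. The event field names and the `user.deactivated` / `user.activated` action names are assumptions, and the log lines are constructed rather than captured.

```python
"""Two detections over an application audit trail (added example, stdlib only).
Each event carries who (actor), when (ts), from where (ip) and what (action, target, outcome)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not a real log: five failed logins then a success for bob from one IP,
# then carol exporting a report four minutes after the directory deactivated her account.
SAMPLE_LOG = """
{"ts": "2024-05-01T12:00:01Z", "actor": "bob@customer.example", "ip": "203.0.113.7", "action": "auth.login", "outcome": "failure"}
{"ts": "2024-05-01T12:00:03Z", "actor": "bob@customer.example", "ip": "203.0.113.7", "action": "auth.login", "outcome": "failure"}
{"ts": "2024-05-01T12:00:05Z", "actor": "bob@customer.example", "ip": "203.0.113.7", "action": "auth.login", "outcome": "failure"}
{"ts": "2024-05-01T12:00:08Z", "actor": "bob@customer.example", "ip": "203.0.113.7", "action": "auth.login", "outcome": "failure"}
{"ts": "2024-05-01T12:00:11Z", "actor": "bob@customer.example", "ip": "203.0.113.7", "action": "auth.login", "outcome": "failure"}
{"ts": "2024-05-01T12:00:40Z", "actor": "bob@customer.example", "ip": "203.0.113.7", "action": "auth.login", "outcome": "success"}
{"ts": "2024-05-01T12:05:00Z", "actor": "scim@idp.example.org", "ip": "198.51.100.2", "action": "user.deactivated", "target": "carol@customer.example", "outcome": "success"}
{"ts": "2024-05-01T12:09:00Z", "actor": "carol@customer.example", "ip": "192.0.2.55", "action": "report.export", "target": "customers.csv", "outcome": "success"}
{"ts": "2024-05-01T12:10:00Z", "actor": "alice@customer.example", "ip": "198.51.100.9", "action": "auth.login", "outcome": "success"}
"""


def parse_events(jsonl: str) -> list:
    """One JSON object per line; timestamps become aware datetimes and events are ordered by time."""
    events = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_then_success(events: list, threshold: int = 5,
                                   window: timedelta = timedelta(minutes=5)) -> list:
    """>= threshold failed logins for one (actor, ip) inside `window`, then a success."""
    failures = defaultdict(deque)  # (actor, ip) -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["action"] != "auth.login":
            continue
        recent = failures[(e["actor"], e["ip"])]
        while recent and e["ts"] - recent[0] > window:  # slide the window forward
            recent.popleft()
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "actor": e["actor"], "ip": e["ip"],
                           "failures": len(recent), "ts": e["ts"]})
            recent.clear()
    return alerts


def detect_activity_after_deactivation(events: list) -> list:
    """Any action by an account after a successful user.deactivated for it: stale access or bypassed deprovisioning."""
    deactivated = {}  # user -> when the directory deactivated them
    alerts = []
    for e in events:
        if e["action"] == "user.deactivated" and e["outcome"] == "success":
            deactivated[e["target"]] = e["ts"]
        elif e["action"] == "user.activated" and e["outcome"] == "success":
            deactivated.pop(e["target"], None)
        elif e["actor"] in deactivated:
            alerts.append({"rule": "activity_after_deactivation", "actor": e["actor"], "action": e["action"],
                           "deactivated_at": deactivated[e["actor"]], "ts": e["ts"]})
    return alerts


def run_detections(jsonl: str) -> list:
    events = parse_events(jsonl)
    return detect_bruteforce_then_success(events) + detect_activity_after_deactivation(events)
```

Both rules depend on the fields the text calls out: without a reliable actor and source IP on each login event the first rule cannot key its window, and without the deprovisioning itself being logged as an event the second rule has nothing to correlate against. In a streaming deployment the same functions would run over events as they arrive, with the `failures` and `deactivated` state kept in the SIEM or a small store rather than in process memory.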
Uptime SLAs
Uptime SLAs are a bit unique in that they are formal, contractual agreements between a service provider and its customers. Behind an SLA sit service level objectives (SLOs), the internal targets for explicit metrics such as uptime, response time, latency, and throughput; the SLA commits to some of those targets externally, usually at a slightly more conservative number than the team holds itself to. These metrics are not just numbers, since they represent the provider's pledge to maintain a high standard of service. Should the provider fall short, it is typically bound to offer service credits or compensation to the affected customer.
In negotiations with enterprise clients, SLAs are more than contractual obligations; they are a foundation for establishing trust and a benchmark of the provider's reliability and operational excellence. An uptime guarantee, often quantified as 99.9% ("three nines") or even 99.99% ("four nines"), is not just a figure: three nines allows roughly 43 minutes of downtime per month, four nines about 4 minutes, and meeting either consistently requires redundant infrastructure, tested failover, and an incident process that works under pressure. Enterprises seeking dependable service partners read the number as a measure of that commitment.
Build vs. Buy
The build vs. buy debate depends on numerous factors such as engineering bandwidth, committed timelines with customers, long-term product vision, availability of vendors, complexity of implementation, monetization, and more. This topic is also one of the hardest for PMs to navigate, given the number of stakeholders that must be aligned and the potential setback that can seriously derail the trajectory of the business if the wrong decision is made.
After conversing with product leaders that had gone through countless build vs. buy motions, three axes of criteria emerged: the proximity of the feature to the core value prop of the business, amount of resources required to build and maintain the feature, and vendor lock-in.
How close is the feature to the core product capabilities?
Determining whether a feature is part of the product’s core capabilities is a pivotal decision that shapes the build vs. buy decision. Reflecting on her own experiences at Render, Gamache noted that Audit Logs was a feature developed internally because it was closely tied to Render's specialty in infrastructure services, such as cloud hosting, databases, and CI/CD solutions. Had Render not been focused on infrastructure, she noted it was likely that a third-party service like WorkOS would have been chosen instead.
Matt Rinehart, Staff Product Manager at Netlify, echoed similar sentiments, advising that unless a company's primary offering involves SSO services or necessitates direct handling of identity provider relationships, partnering with external vendors is recommended to avoid the extra work that is required. He added that for his team, the choice was about finding a vendor that allowed them to off-load all the operational burden.
How complex is the feature to build and maintain?
Yet, the question arises: What if a feature is integral to the product's core functionality but is incredibly complex to build and maintain? How should product managers approach the situation then? The answer depends, but here are some key considerations to guide that process.
1. Plan more time than you think is necessary.
Patrick Malatack shared that supporting enterprise customers is a never-ending, constantly evolving process. He emphasized, “Yes, it is sometimes necessary to build features in-house, but it is critical to realize that processes will be even more complex and time-consuming than you expect.”
Schiavone voiced similar thoughts, highlighting the need to “adopt a mindset that is okay with the first few iterations simply not working. It’s also super annoying to have to worry about all the edge cases but those are inevitable when building in-house."
To give a more technical example, consider authentication. It looks like a straightforward problem that can be solved quickly with open source libraries, yet it requires far more business logic and edge-case handling than one might expect. Implementing something as rudimentary as email verification requires the product manager to decide at which point in the registration flow verification happens and to ensure the UI communicates clearly that a verification email will be sent and what the user needs to do next.
On the technical side, the team would need to choose an email service or SMTP server, implement a secure method for generating unique, unguessable tokens or links, and confirm that the user database schema can store verification tokens and verification status.
They would then need to work with backend engineers to create API endpoints for sending emails and verifying tokens, with frontend engineers to build a smooth experience for entering email addresses and handling verification inputs, and with the security team to store only hashes of tokens, make each token single-use, and enforce expiration times to prevent abuse.
Email verification represents just a sliver of an entire authentication solution; the product manager would still need to worry about safely linking and merging duplicate accounts, normalizing differences between IdPs to keep user profiles consistent, and provisioning MFA for each environment to further strengthen the app's security posture.
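The email-verification steps above amount to a small protocol with well-known failure modes: guessable tokens, tokens stored in clear, links that never expire or can be redeemed twice. The Python below is an added example, not the page's code, of one issue/redeem implementation that addresses them with 256-bit random tokens from the OS CSPRNG, only a SHA-256 digest stored server-side, a TTL, single use, and superseding any earlier pending link for the same user. The in-memory dictionary stands in for the verification-token table the text mentions, timestamps are unix seconds passed in by the caller, and the class and method names are assumptions.

```python
"""Issue and redeem email-verification tokens (added example, not the page's code).
Random tokens, stored only as a hash, time-limited, single-use, superseded on re-issue."""
import hashlib
import secrets

TOKEN_TTL_SECONDS = 24 * 3600


class EmailVerifier:
    def __init__(self, ttl_seconds: int = TOKEN_TTL_SECONDS):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> {"user_id", "email", "expires_at"}; a DB table in practice
        self.verified = {}  # user_id -> verified e-mail address

    @staticmethod
    def _digest(token: str) -> str:
        # Only the digest is stored: a leaked table cannot be turned into verified accounts, and looking
        # up a 256-bit random value by its hash leaves nothing useful for a timing attack to learn.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, email: str, now: int) -> str:
        """Create a link token for `email`; `now` is unix seconds. Earlier pending links for the user are voided."""
        self._pending = {h: r for h, r in self._pending.items() if r["user_id"] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, safe to put in a URL
        self._pending[self._digest(token)] = {"user_id": user_id, "email": email.strip().lower(),
                                              "expires_at": now + self.ttl}
        return token  # goes into the e-mail only; never logged or persisted in clear

    def redeem(self, token: str, now: int) -> tuple:
        """Returns (ok, detail). Any outcome consumes the token, so a link works at most once."""
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return False, "unknown or already used token"
        if now >= record["expires_at"]:
            return False, "token expired"
        self.verified[record["user_id"]] = record["email"]
        return True, record["email"]

    def is_verified(self, user_id: str, email: str) -> bool:
        return self.verified.get(user_id) == email.strip().lower()
```

A production version would additionally confirm at redemption time that the address in the record is still the one on the account (a user who changes their e-mail between issue and redeem should not end up with the old address marked verified), and would rate-limit both `issue` and `redeem` per account and per source IP.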
2. Finding motivated engineers with expertise in enterprise features is difficult.
Inherently, building enterprise features like SSO and SCIM provisioning requires engineers to work with more traditional technology stacks that may not be at the bleeding edge. Such work may also be perceived as under-appreciated, as the limelight tends to favor those directly contributing to the company's flagship products. Gamache, drawing on her experience at Slack, likened the atmosphere to a perpetually high-stakes setting. The team was akin to a dedicated emergency response unit, always on call to tackle the next critical issue, a work environment as challenging as it is essential to the company's infrastructure.
JB Volta, who spent years working as a Staff Engineer at Slack, reflected on his experience working with a team of 5-7 engineers that were responsible for maintaining the SSO and SCIM functionalities. He emphasized the relentless nature of their work, where the team's effectiveness was evaluated on their ability to quickly resolve a constant influx of security-related tickets against stringent deadlines. This behind-the-scenes diligence was critical to maintaining the integrity and trustworthiness of Slack’s enterprise-grade features, but was only made possible with a team of resilient engineers that could consistently deliver in high-pressure environments.
How many alternative options to a vendor exist?
Potential vendor lock-in was another concern that many product leaders articulated. When assessing the broader market for a specific feature, Schiavone mentioned it’s best to avoid purchasing a solution in a noncompetitive market, which is usually associated with higher possibility of vendor lock-in. He added, “If there are several viable solutions operating in a space, that’s a good enough signal for me.”
Pricing & Packaging Best Practices
It's important to recognize that enterprise features are a critical lever for justifying premium pricing for a product. Marketing, selling, and supporting larger organizations do not show up as a line-item cost the way compute does for a particular product line, but these activities still consume resources and should be priced accordingly. Malatack provided apt advice on focusing on commercialization efforts early, “First, I want to emphasize that a proper enterprise account relationship is an expensive one. An enterprise sales cycle will always consume more resources than you might expect, and that’s because every enterprise customer is complex and unique. Based on this, you should think about monetization as early as possible. Startups can adopt your product in a day, but enterprise can’t. It simply costs more to support them.”
Introducing enterprise-level features should serve as a key milestone in the progression of premium pricing and packaging options for the overall product portfolio. To illustrate this approach, here are examples of three companies and their methods for capitalizing on enterprise capabilities. Each company's approach highlights the integral role these features play in enhancing product offerings and expanding revenue streams.
Postman, one of the leading platforms for building and managing APIs, has created a premium Enterprise Plan that includes some core product differentiation features, e.g. Private API Network and API Builder, with standard enterprise-grade features like SSO, SCIM provisioning, and reporting & analytics.
Notion is one of the fastest growing enterprise SaaS workflow tools, and has created a core enterprise package specifically targeting security, compliance, and procurement personas with features like SCIM, SSO, and Audit Logs.
Slack, famous for revolutionizing workplace communication, has tailored its enterprise offering to provide more robust data residency and compliance as well as granular controls over how sensitive data is used and accessed across devices. The Enterprise Grid plan includes support for data loss prevention, HIPAA compliance, and Enterprise Mobility Management.
Enterprise readiness has become a non-negotiable aspect of a thriving SaaS operation, especially as shifting economic conditions accelerate the upmarket journey for many companies. This readiness, rooted in meeting the advanced security, compliance, and reliability standards of larger companies, can be effectively managed by breaking the process into manageable steps and prioritizing high-impact areas.
Integrating the mindset of enterprise-grade development early on is more crucial than ever, as Sean Santschi noted, "By focusing on building products that address the needs of multiple personas within an organization, your platform becomes a connective tissue that delivers multiple benefits across productivity, profitability, and scalability."
Reinforcing a culture of day one enterprise readiness leads to a larger addressable market, increased contract values, lower churn, and greater long-term customer satisfaction. For organizations navigating this transition, a partnership with WorkOS can be a game-changer, eliminating all the complexities and maintenance costs associated with implementing features like SSO, SCIM, MFA, and user management. By choosing WorkOS, companies can free their engineering teams from the burdens of enterprise feature development, allowing them to focus on building their core product functionalities and maintaining their competitive edge in a fast-paced market.