An increasing number of businesses are using applications developed by third parties and delivered through a hosting partner or ASP using a Software as a Service or ‘SaaS’ model.
Whilst there are well established benefits to be realised through the use of SaaS, there are also significant risks to be aware of and provisions to be considered.
As vendors commonly own the account with the hosting partner, you may well be unaware of a problem until the hosting partner suspends the service, for example for non-payment, by which point it could well be too late to rectify the situation.
If the vendor is no longer operational the service would not be reactivated and you could be left unable to access critical HR, financial or customer data etc.
By including the provision for regular deposits to be made by the vendor to an external party, you can protect your organisation from such an event.
If you are working with an external hosted provider, your data will be held with the vendor and they would usually create backups to help ensure security of your data. However, these may only be server-level snapshots rather than SQL backups. It is ultimately your responsibility to ensure accurate backup of your data.
Additional deposits with an external party of your choice can protect you against over reliance on the vendor.
Securing data in different locations prevents external factors (e.g. environmental, natural disaster etc.) disrupting your data access.
The dynamic nature of this information generally requires a high frequency of deposits/updates to ensure the data is as relevant as possible.
SaaS delivery allows you to move between applications and vendors without having to consider any impact on your infrastructure.
However, if you have invested quite heavily and spent time procuring a certain application that your organisation is heavily dependent on daily or even hourly, you may be reluctant to change if your vendor sells the IP to a new provider. Changing may not be an option for you at all!
Should a new provider come in, it is quite likely they may not offer a comparable service (e.g. they may decide to discontinue the product or even increase the charges).
Legal agreements such as Escrow protect existing licence contracts to ensure the service you have continues as originally intended.
If you are looking to continue with an application in the event of the existing supplier no longer being able to support it (e.g. transfer of IP, liquidation, ceasing to trade etc.), you will need access to the source code. For SaaS platforms the data and associated materials are just as important.
Even organisations who are not seeking to continue with an application may include the provision for source code to be securely deposited on their behalf in order to protect their licence agreements and vendor negotiations.
If the application is important enough, bespoke, or unique, simply transferring to a new provider may not be a viable option – at least in the short term. In this instance, you will need to have arrangements in place to allow you to independently recreate the service.
The problem is that this information is proprietary for vendors and (failing acquisition) they are unlikely to disclose it unless protected under the strict criteria of an Escrow.
Having the most up-to-date source code, data and associated materials (and in most cases virtual images) protected under an Escrow agreement will ensure that you can continue should the unforeseen happen.
In addition to standard Escrow requirements, it is crucial that the full environment, build process and specific product knowledge are documented for this coverage.
The good news is that many Software Providers recognise the importance of this for their clients, and proactively implement Software Escrow on their clients' behalf. I would always say ask the question of any current or future provider of any application you use, whether hosted, on premise or mobile.
© SES Secure Limited and ses-escrow.co.uk, 2017. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.