Don’t deal with the “what ifs” later … find out now
How can you ensure your applications and data are protected if something happens to your Software-as-a-Service (SaaS) provider? Our author, John Boruvka, uncovers big contract risks hidden in the cloud - and the vital things you need to think about before you sign the deal.
Did you know 85% of new software is being built for the cloud?
There’s been a paradigm shift in technology delivery. In the early days, SaaS was only used for small background applications, while mission-critical applications were still operated “in house” via licensed, on-premises software models.
Now all that has changed, and SaaS is being adopted for more and more mainstream and mission-critical applications. 85% of new software is being built for the cloud[1] - and increasingly customers are expecting their vendors to be SaaS providers.[2]
Cloud-based applications and services continue to give subscribers options for flexibility, streamlining operations, and controlling costs. Yet, although the benefits of SaaS are hard to ignore, there are risks inherent to the cloud. And there are always questions of accessibility and security when dealing with SaaS providers.
79% of SaaS providers don’t guarantee application continuity
Unlike on-premises software, with SaaS both your application and data reside in the cloud. However, 79% of SaaS providers do not guarantee application continuity to their subscribers.[3] With something as essential as your mission-critical applications, you need to be assured that you will have access to your data and applications even if something were to happen to the software or host company.
Unpredicted service disruptions and loss of data are therefore very real concerns that could do serious damage. In the volatile and still-growing market for SaaS applications, you must be prepared for the possibility that your SaaS provider might go out of business, merge with another company, get acquired, or otherwise stop supporting your mission-critical applications.
And you need to keep in mind that the provider’s disaster recovery plans won’t extend to you if they disappear. They are only effective while the provider is still a viable entity and, likewise, disaster recovery services offered by hosting providers such as Amazon Web Services will only keep your application up and running if something happens while your SaaS provider is still around.
Unclear contracts put you in a precarious position
IACCM’s analysis of the cloud agreements of several providers reveals that SaaS contracts often place extensive responsibilities on the customer.[4] Evaluating contract language and complexity, the study finds many cloud agreements limit the suppliers’ obligations and are unclear in terms of what the supplier is committing to. They are also often complicated, poorly structured and hard to interpret.
This certainly puts you in a precarious position as an enterprise subscribing to a cloud service. In a recent survey, 73% of organizations report it is “very important” or “critical” that SaaS providers offer a plan to ensure continued access to applications if the provider goes out of business, and 49% believe risks associated with SaaS are greater than for traditional on-premises software.[5]
Likely your organization is already dealing with the contract risks associated with cloud-based software. But even if the provider you’ve chosen maintains a stellar record of service, you don’t want to be completely dependent on them for your business continuity if an issue arises. So it’s vital to understand the risks of SaaS and have options for mitigating them to protect your organization’s operations.
Don’t just deploy the application and deal with “what ifs” later. Contract negotiations need to address the risks of SaaS - and you are in the best position to put a contingency plan in place before you sign the deal.
Understanding the risks – what’s at stake?
When we talk with our enterprise customers, these are some of the issues they are most worried about:
- Vendor bankruptcy or other business failure;
- A merger or acquisition that may diminish the importance of their critical software application;
- Contract breaches or disputes;
- Force majeure events, for which neither party would be liable and which could result in an extended outage;
- The risk, then, of being unable to recover their data and needing to execute an exit strategy.
To fully evaluate that risk, you must look at operational risks, your investment of time, operational dependencies and associated costs, and conduct a vendor assessment.
Contract negotiations need to address the risks of SaaS
Here are some recommended questions to work through to “unpack” the disaster recovery/business continuity (DR/BC) question:
- If my application is unavailable, what will the impact be on my company and customers – in one hour, one day, or one week?
- Where is my data and what are my options to get access to it?
- Will my data be usable without the application?
- If necessary, could I take the application on-premises or find a new SaaS provider? How long would that take?
- What events will trigger my contingency plan?
- How will I document the contingency and who will be responsible for execution (internally/externally)?
- Is it possible to perform verification testing to ensure the plan works?
- Do I have a repeatable process for dealing with these situations?
When working on contract negotiations with SaaS providers, the following are key issues you need to consider in ensuring application continuity and unencumbered access to your data:
- The time it would take to migrate to a new solution;
- Being able to get timely access to components necessary to make use of your data;
- Minimizing the risk of loss;
- Avoiding litigation and the courts;
- Satisfying governance, risk and compliance policy; and
- Gaining leverage to optimize the vendor relationship.
It’s also important to talk to your SaaS provider about the Recovery Time Objectives and Recovery Point Objectives (RTOs/RPOs) you require, and build these into your Service Level Agreement.
What are best practices to safeguard SaaS applications and data?
With traditional, on-premises software, most enterprises rely on software escrow agreements, where the application source code and a complete set of deposited materials are held with a neutral, trusted third party in case something happens to their software vendor.
So, can this traditional software escrow agreement be adapted for SaaS applications? There are similarities, but a lot of differences as well. For SaaS applications, you should ensure that you can:
- Have access to the application and your data should the SaaS provider cease its business operations;
- Work with a trusted third-party partner to protect your investment in SaaS solutions;
- Satisfy internal governance, risk, and compliance policies before beginning a SaaS relationship; and
- Safeguard your business with a comprehensive contingency solution.
As with traditional software escrow arrangements, you’ll need to identify the trigger issues that will launch the SaaS escrow contingency process. But, in this case, you’ll also need to ensure your data is protected and retrievable. To remain operational, your contingency plan must provide short-term access to the application and data — whether by hosting the application in its own data center or in a private cloud — until you can transition to another SaaS provider.
The SaaS escrow environment you seek should run independently of the provider and offer adaptable levels of protection based on your specific level of risk and the recovery time objectives you’ve identified.
The Software as a Service (SaaS) market continues to grow and gain significance as software delivery shifts from traditional onsite, licensed software to a cloud-based, on-demand SaaS model. It offers many benefits, but you need to be fully aware of the risks before entrusting your mission-critical business applications and data to the cloud. By following these recommendations you can make sure you stay in control of what is yours, no matter what is happening on the provider’s end.
About the author
John Boruvka, vice president for Iron Mountain’s Intellectual Property Management group, has been involved in the technology escrow and intellectual property management field for more than 25 years. He helps companies create solutions for protecting intellectual property assets. He has participated in the development of strategies and review of thousands of technology escrow agreements for software, hardware and other proprietary information that were established to protect against mergers, bankruptcies or other events that affect the ability of vendors to support their technology. A technology escrow agreement could mean the difference between losing mission-critical software that would cripple a company’s operations and maintaining continued business success.
For more information, visit www.ironmountain.com/saas
To download the IDG Research paper referenced, visit www.ironmountain.com/cloud-evaporates
To view a webinar on this topic visit: http://www2.iaccm.com/resources/?id=8708
1. IBM, 2013 Annual Report.
2. Cloud’s Next Big Wave: Mission Critical Applications by Mike Kavis, Forbes, June 27, 2014.
3. Softletter Research, 2013 Softletter SaaS Report (see also article online).
4. IACCM and Iron Mountain webinar, What Contract Risks are hiding in the Cloud?, July 2015.
5. IDG Custom Research on behalf of Iron Mountain, When the Cloud Evaporates, 2015 (see also article titled When the Cloud Evaporates - Iron Mountain) [Free – sign up required].