What’s your “Plan B” if your Software Vendor Disappears?

A Changing Market Landscape

There’s a paradigm shift taking place in technology delivery today, with the model changing from licensed software that resides on-premises to a Software-as-a-Service (SaaS) model that is subscription-based and resides in the cloud.

In the early days of SaaS, smaller and less important applications were the initial drivers, while mission-critical applications were still operated via traditional, on-premises software models. However, today SaaS is being adopted for more and more mainstream and mission-critical applications. “The cloud is now being considered a viable target for deploying mission-critical applications,” states a Forbes article on the topic. “…customers are expecting their vendors to be SaaS providers.”

The benefits of SaaS are clear. Cloud-based applications and services continue to give subscribers options for flexibility, streamlining operations, and controlling costs. That’s why 85% of new software developed is being built for the cloud.

Yet, although the benefits of SaaS are hard to ignore, there are risks inherent in the cloud.

There are always questions of accessibility and security when dealing with SaaS providers. With something as essential as your mission-critical applications, you need to be assured that you will have access to your data and the application itself even if something were to happen to the software or the company hosting it. You need a way to make sure that you stay in control of what is yours, no matter what is happening on the provider’s end. Failure to protect SaaS investments can lead to:

• Lost revenue
• Potential brand damage
• Productivity impact
• Application downtime
• Data loss

It is likely that your organization is already dealing with these new risks. For example, one major difference with SaaS is that both your application and your data reside in the cloud. How can you ensure that your applications and data are protected if something happens to your SaaS provider?

What Are the New Risks of SaaS and how are they Being Addressed?

When we talk with our enterprise customers about their SaaS headaches, some of their areas of concern include:

• Concern over vendor bankruptcy or failure to do business in the ordinary course;
• A merger or acquisition that may diminish the importance of their critical software application;
• Contract breaches or dispute issues;
• Force majeure – a chance occurrence or unavoidable accident – which frees both parties from liability , and could result in an extended outage;
• The need to execute an exit strategy; and
• The inability to recover their data.

So, how do you assess your risk, and then do something about it?

A recent survey conducted by IDG Research on behalf of Iron Mountain shows that 49% of respondents believed that risks associated with SaaS are greater than those of traditional on-premises software. To fully evaluate the risk, you must look at operational risks, your investment of time, a vendor assessment, and the associated costs.

The IDG survey also reported that 73% of organizations say it is “very important” or “critical” that their SaaS provider offers a plan to allow continued access to applications in case their provider goes out of business. Yet, 79% of SaaS providers do not guarantee that type of application continuity to their subscribers, according to Softletter Research. Professionals in Software Asset Management need to realize that this is a strategic issue, and one that needs to be proactively addressed.

Practical Strategies to Mitigate SaaS Risk

To deal with these risks, it is important to “unpack” the disaster recovery / business continuity (DR/BC) question. Remember, a SaaS provider’s disaster recovery plan is only effective if the provider is still a viable entity. Likewise, disaster recovery services offered by hosting providers such as Amazon Web Services will only keep your application up and running if something happens when your SaaS provider is still around.

It’s also important to talk to your SaaS provider about the Recovery Time Objectives and Recovery Point Objectives (RTO/RPO’s) you require, and build this into your Service Level Agreement (SLAs).

Security breaches can be additional risk factor with SaaS. To address this risk, you need to put all the precautions in place as you normally would do with an on-premises solution as dictated by the type of application, and then additionally review data breach vulnerabilities as part of your technical assessment/evaluation of the SaaS provider. Remember that by placing your data in the cloud via a SaaS solution is not an abdication of your responsibilities for that data.

As a final word of caution, don’t just deploy the application and deal with “what ifs” later; you are in the best position to put a contingency plan in place before you sign the deal.

Challenges for Software Asset Managers, Contracting and Legal Professionals

With traditional, on-premises software, most enterprises rely on software escrow agreements where the application source code and a complete set of deposited materials are held with a neutral, trusted third party in case something happens to their software vendor.

So, how can the traditional software escrow agreement be adapted for SaaS applications? There are similarities, but there are a lot of differences as well.

Unpredicted service disruptions and loss of data are very real concerns that could do serious damage. Even if the provider you’ve chosen maintains a stellar record of service, you don’t want to be completely dependent on them for your business continuity when an issue arises. As stated earlier, you need to keep in mind that the provider’s disaster recovery plans don’t extend to you if they disappear.

With SaaS applications, you should ensure that you can:

• Have access to the application and your data should the SaaS provider cease business operations;
• Work with a third-party partner that you trust to protect your investment in SaaS solutions;
• Satisfy internal governance, risk, and compliance policies before beginning a SaaS relationship; and
• Safeguard your business with a comprehensive contingency solution

Similar to a traditional software escrow arrangement, you’ll need to identify the trigger issues that will launch the SaaS escrow contingency process. But, in this case, you’ll also need to ensure your data is protected and retrievable. To remain operational, your contingency plan must provide short-term access to the application and data — whether by hosting the application in its own data center or in a private cloud — until you can transition to another SaaS provider.

When evaluating escrow solutions for SaaS, seek an escrow environment that runs independently of your SaaS provider and offers adaptable levels of protection based on the specific level of risk and the recovery time objectives you’ve identified.

Key Issues to Consider

In conclusion, here are some of the key issues you should consider as you implement new SaaS solutions:

• Application continuity;
• Time to migrate to a new solution;
• Unencumbered access to your data;
• Timely access to components necessary to make use of your data;
• Gaining leverage to optimize the vendor relationship;
• Satisfying Governance, Risk & Compliance policy;
• Minimizing risk of loss; and
• Avoiding litigation and the courts.

In the volatile and still-growing market for SaaS applications, you must be prepared for the possibility that your SaaS provider might go out of business, merge with another company, get acquired, or otherwise stop supporting your mission-critical applications. By proactively implementing an escrow solution that deals with the unique risks of SaaS, you will have a solid “Plan B” if something happens to your SaaS provider.

Sources:

[i] Cloud’s Next Big Wave: Mission Critical Applications,” by Mike Kavis, Forbes, June 27, 2014.
[ii] IBM, 2013 Annual Report.
[iii] IDG Custom Research, “When the Cloud Evaporates,” 2015.
[iv] IDG Custom Research, “When the Cloud Evaporates,” 2015.
[v] Softletter Research, “2013 Softletter SaaS Report.”

About John Boruvka

John Boruvka, vice president for Iron Mountain’s Intellectual Property Management group, has been involved in the technology escrow and intellectual property management field for more than 23 years. His focus is helping companies create solutions relating to protecting intellectual property assets. John is considered an authority in the field of technology escrow and issues surrounding the role of a neutral third party in protecting intellectual property. He has participated in the development of strategies and review of thousands of technology escrow agreements for software, hardware and other proprietary information that established to protect against mergers, bankruptcies or other events that affect the ability of vendors to support their technology. A technology escrow agreement could mean the difference between losing mission-critical software that would cripple a company’s operations and maintaining continued business success. Additionally, escrow accounts can serve to protect software from patent, copyright or trade secret infringement. Courts have ruled that source code kept with a neutral third party helps meet the burden of proof for conception of an idea and serves as documentation of how a technology was developed. Mr. Boruvka has also written many articles on this topic and presented extensively at associations, industry meetings and prestigious law firms across the United States, Canada, South America and Europe, including presentations for: • American Chamber of Commerce – Argentina • International Association of IT Asset Managers (IAITAM) • Caucus Software Licensing Course • Caucus Technology Procurement Conference • Independent Computer Consultants Association • International Association of Contract and Commercial Managers (IACCM) • ITechLaw Association • Licensing Executive Society (LES) • MIT Enterprise Forum Computing SIG (special interest group) • Software & Information Industry Association (SIIA) Software Division • Softletter's SaaS University