What could possibly go wrong? Strategies to Lessen your Risk in the Cloud

By John Boruvka

“CEOs and CFOs have a fiduciary responsibility to the organization. If your executive team and IT organization haven’t recently discussed and implemented SaaS data recovery plans, now is the time to do so,” according to Security Boulevard.

Software-as-a-Service applications are certainly growing, and the benefits are numerous. However, if you believe that “as-a-Service” means you don’t have to worry about software risk because it’s in the cloud, you’re making a mistake. This article will focus on how to ensure you are systematically reviewing the potential risk factors with SaaS and putting a plan in place to protect your applications and data.

IT Asset Management professionals today must get a seat at the table alongside your peers in the Privacy, Security, and IT functions to gain a voice in critical issues such as SaaS risk mitigation.

SaaS: Everybody’s Doing It

Software-as-a-Service has enormous benefits in terms of budgeting, lower up-front costs, quick deployment, easy upgrades, scalability, and accessibility for users. According to IDC, cloud computing spending has grown at 4.5 times the rate of IT spending since 2009 and is expected to grow at better than 6 times the rate of IT spending from 2015 through 2020.

So, what does that mean for the average organization and how they use SaaS?

The State of the SaaS-Powered Workforce report from BetterCloud surveyed over 1,800 IT professionals on how SaaS is being used in their companies. Each year, the average number of SaaS applications used per organization jumped – from eight in 2015, to 12 in 2016, to 16 in 2017 – doubling in just two years. The trend continues, with 73% of organizations reporting they believe that nearly all their apps (80+%) will be SaaS by 2020.

SaaS is no longer flying under the radar as part of shadow IT. Large enterprises are embracing SaaS, and IT has realized it needs more control. Cost, security, and ease of use are the top three criteria that IT professionals care about when they purchase SaaS. But, interestingly, only 12% of these IT pros were concerned with a disaster recovery plan.

The Risks: What Could Go Wrong?

Nearly half of organizations view SaaS as a greater risk than on-premises software. Individuals with higher title levels, such as those in the C-suite, perceive a greater risk.

Today’s software vendors are either building new SaaS products or acquiring SaaS companies, which leads to market consolidation and could put your existing solutions at risk. Cloud-based applications present unique risks to their customers in the event of bankruptcy or lack of support. Failure to protect your SaaS investments and the associated data can lead to:

  • Revenue risks
  • Application downtime
  • Productivity losses
  • Penalties & fines for noncompliance
  • Reputational cost
  • Potential brand damage
  • Labor cost
  • Recovery cost
  • Legal cost for noncompliance

As you think about SaaS risks, we recommend starting at the end. What if your SaaS provider fails or disappears? What risks are you trying to address?

  • Application continuity
  • A window to migrate to a new solution
  • Unencumbered access to data
  • Timely access to complete materials for long-term support

Look at the ideal state for risk mitigation along with your minimal acceptable state. This allows you to balance what is desired with what is achievable. Once you define your outcome, you can start to build your foundation with both software escrow and a disaster recovery/business continuity (DR/BC) strategy.

Is Software Escrow the Answer?

Many SaaS customers who are familiar with software escrow assume that standard escrow protections for the SaaS application’s source code will offer sufficient protections. Meanwhile, other customers assume that there are no practical solutions to mitigate the risks of the cloud. Both sets of customers are wrong.

Most companies today rely on SaaS solutions for at least some of their critical business applications. You may think that means software escrow is no longer needed. (It’s in the cloud, right?) Actually, with SaaS, you need to think about both your software application and your data, which adds a level of complexity. It’s also important to know that your SaaS provider’s business continuity/disaster recovery plan does not extend to your application and data.

Numerous strategies are available to address the risks associated with SaaS applications and the protection of data in the cloud. Factors to consider for the appropriate solution include Recovery Point Objectives (RPOs), Recovery Time Objectives (RTOs), retention periods, cost, single/multi-tenancy, AWS environments, and existing disaster recovery (DR) provisions in place for the cloud service provider.

Practical Solutions for a SaaS Risk Mitigation Strategy

It’s important to remember that Disaster Recovery is not the same as Business Continuity. Disaster recovery (DR) strategies are critically important to establish and understand. However, they do not address all the risks that enterprises need to account for if an application is considered mission-critical.

You need something more: a business continuity strategy that works in any situation not addressed by the provider’s DR strategy. This gives you access to your applications and data to “keep the lights on,” even if your SaaS provider can’t.

Man-made disasters — such as hacking, server crashes, and bugs — and natural disasters that impact the short-term availability of the SaaS application are more likely to occur than the catastrophic disasters that compromise a provider’s ability to ultimately survive. Does your SaaS provider have a business continuity plan that can get you through any type of crisis and provide continuous business operations?

Another issue to consider: If your provider cannot recover from a disaster, and ultimately goes out of business, any service level agreement or DR strategy you have in place will provide little benefit. If your provider goes permanently dark, it can instantly cut off access to both your data and the use of the application, taking your company down with it.

To remain operational, you need a contingency plan that ensures short-term access to the application and data — whether by hosting the application in its own data center or in a private cloud — until you can transition to another SaaS provider.

Ideally, your contingency plan should rely on an independent third party that can:

  1. Provide independent access to your data, even if your provider ceases to operate;
  2. Name you as the beneficiary to your data and enable continued use of the application;
  3. Provide continued use of the SaaS applications for an extended time while you evaluate replacement options.

There are different levels of practical solutions that you can explore. As with most things in life, there are tradeoffs. With low-risk applications and lots of time, you can use strategies like negotiation and litigation. As your applications become more important, you’ll want solutions that ensure access to your intellectual property and credentials or environments. For business-critical applications where recovery time is of the essence, you should look into solutions that give you access to your data and provide recovery-as-a-service.

The cloud provides undeniable advantages. However, in a volatile and still-growing market, companies must be prepared for the possibility that their SaaS provider might go out of business, merge with another company, get acquired, or otherwise stop supporting your business-critical applications.

Prudent organizations must understand the risks of SaaS and have options for mitigating these risks to protect their operations.

About the Author

John Boruvka, vice president for Iron Mountain’s Intellectual Property Management group, has been involved in the technology escrow and intellectual property management field for more than 23 years. His focus is helping companies create solutions relating to protecting intellectual property assets. John is considered an authority in the field of technology escrow and issues surrounding the role of a neutral third party in protecting intellectual property. He has participated in the development of strategies and review of thousands of technology escrow agreements for software, hardware and other proprietary information that were established to protect against mergers, bankruptcies or other events that affect the ability of vendors to support their technology. A technology escrow agreement could mean the difference between losing mission-critical software that would cripple a company’s operations and maintaining continued business success. Additionally, escrow accounts can serve to protect software from patent, copyright or trade secret infringement. Courts have ruled that source code kept with a neutral third party helps meet the burden of proof for conception of an idea and serves as documentation of how a technology was developed. Mr. Boruvka has also written many articles on this topic and presented extensively at associations, industry meetings and prestigious law firms across the United States, Canada, South America and Europe, including presentations for:

  • American Chamber of Commerce – Argentina
  • International Association of IT Asset Managers (IAITAM)
  • Caucus Software Licensing Course
  • Caucus Technology Procurement Conference
  • Independent Computer Consultants Association
  • International Association of Contract and Commercial Managers (IACCM)
  • ITechLaw Association
  • Licensing Executive Society (LES)
  • MIT Enterprise Forum Computing SIG (special interest group)
  • Software & Information Industry Association (SIIA) Software Division
  • Softletter’s SaaS University