Guest Blog with Kemp Little Consulting & NCC Group
The cloud is here to stay and according to a recent survey, organisations are going to be investing more in cloud services to support their core business operations.
But have companies properly considered the risks of SaaS supplier failure if the software is supporting their core processes?
The Kemp Little Consulting (KLC) team has been working with NCC Group to identify some of the risks of SaaS supplier failure and to identify the main problems that end user organisations would need to solve to effectively mitigate these risks.
In the on-premises world, the main way of mitigating software supplier failure is Software Escrow, which was designed as a means of gaining access to an application's source code in the event of supplier failure.
If a supplier goes bust, there is no short term problem as the application and the business processes supported by the application continue to work and the corporate data remains within the control of the end user.
However, the end user company still has a problem: it will not be able to maintain the application in the long term. This is the issue that Software Escrow and related services such as verification effectively solve.
In the cloud arena, however, the situation is different. If the supplier fails there is potentially an immediate problem of the SaaS service being switched off almost straightaway because the software supplier no longer has the cash to continue to pay for its hosting service or to pay its key staff.
For the end user, this means that they no longer have access to the application; the business process supported by the application can no longer operate and the end user organisation loses access to their data.
The business impact of this loss will vary depending upon the type of application affected:
- Business Process Critical (e.g. finance, HR, sales and supply chain)
- Data Critical (e.g. analytics or document collaboration)
- Utility (e.g. web filtering, MDM, presentational or derived data)
In our research, we found that neither suppliers of cloud solutions nor end user organisations had properly thought through the implications of these new risks, or the services they would require to mitigate the risk of supplier failure.
The primary concerns that end user customers had were around their business critical data. They were concerned by lack of access to data; loss of data; the risk of compliance breach by losing control of their data and how they might re-build their data into usable form if they could get it back. There was also concern about access to funding to keep the infrastructure running in the SaaS vendor in order to buy time to make alternative arrangements.
They were much less concerned about access to the application or getting access to the source code.
This is understandable as their primary concern would be getting their data back and porting it to another solution to get the business back up and running.
In a separate part of our study, the Kemp Little commercial team looked at the state of the market of the provisions generally found in SaaS contracts to deal with the event of supplier failure. The team found that even if appropriate clauses were negotiated into the contract at the outset, there may be real difficulties in practically enforcing those terms in an insolvency situation.
End user organisations were more concerned than SaaS suppliers about their capability to deal with all of these problems and were amenable to procuring services from third parties to help them mitigate the risks and solve the problems they could not solve purely by contractual means.
End users were also concerned that many SaaS solutions are initially procured by “Shadow-IT” departments as part of rapid business improvement projects and deployed as pilots where the business risks of failure are low.
However, these solutions can often end up being rolled out globally quite quickly and key parts of the business become dependent upon them by stealth.
It is therefore important for companies to develop a deep understanding of their SaaS estate, to regularly review the risks of supplier failure, and to put appropriate risk mitigation measures in place.
KLC recently worked with global information assurance specialist NCC Group to help it enhance the service model for its SaaS Assured service.
This article was originally posted on the Kemp Little Blog.
John Parkinson, Global SaaS Business Leader at NCC Group will be speaking at the Cloud World Forum on 24th June 2015 at 12.45pm.
His talk will take place in Theatre D: Cloud, Data Governance & Cyber Security on ‘Outsourcing to Software as a Service? Don’t Overlook the Critical Commercial Security Risks.’