Organizations increasingly operate in a digital, cloud computing [1] world. Sourcing and procurement professionals have been building software resilience, including SaaS escrow and verification, into their risk mitigation and business continuity plans. As your organization embraces digital transformation, those professionals can ease the migration to the cloud if they adopt a resilience-first approach from the start.
They need to put safeguards in place to protect business-critical applications and data, and to comply with the industry regulations that apply to them. Our research shows that as business models shift to cloud computing, resilience has to keep being built into the processes around them. What follows sets out that perspective in more detail.
Transitioning to SaaS for business-critical applications
When we look at large enterprise clients, we see that approximately half have already transitioned to Software-as-a-Service (SaaS) or are in the process of moving their business-critical applications to the cloud, while the other half is exploring SaaS options and still relying on computing equipment on-premises to host their applications and data.
Industry statistics confirm this. According to Flexera's 2022 State of the Cloud report [2], enterprises run 49 percent of their workloads and store 46 percent of their data in a public cloud, and over the next twelve months they plan to raise those shares by six and seven percentage points, respectively.
Gartner's cloud shift research [3], which focuses on spending, indicates that almost two-thirds (65.9%) of spending on application software will be directed toward cloud technologies in 2025, up from 57.7% in 2022.
We all know the multitude of benefits that SaaS delivers – from flexibility, to ease of use, to a scalable infrastructure and cost model. Yet, migrations to SaaS don’t happen with the flip of a switch. They are complex and require meticulous planning to ensure success. Larger enterprises, especially, have more complexity and often more risk.
This raises the question: how can you use SaaS escrow to mitigate this risk and to comply with regulatory requirements covering third-party vendors?
SaaS escrow has evolved from traditional on-premises escrow but is still a three-party arrangement between the software buyer (for SaaS, the subscriber), the software developer (the SaaS provider), and the escrow agent. It is designed to give the subscriber access to, and use of, the application if the SaaS vendor can no longer support it. Increasingly, industry regulations also address third-party risk, and escrow helps to meet those compliance obligations as well.
With SaaS, escrow protection has to extend beyond the application's source code to the data, because the data now lives in the cloud too. The deposit therefore needs either documented operational knowledge of the production environment (how the application is built, configured and deployed) or an exact, replicated snapshot of the live cloud-hosted environment; source code alone is not enough to bring the service back.
Regulations and compliance – knowing the challenges and resolving the risks
A further, evolving issue is the set of regulations that apply to operational resilience.
All companies work with outside vendors, and often it is new, innovative startups that have developed the SaaS applications that will deliver the biggest benefits for your company. Outsourcing IT, however, introduces challenges and risks. These can be operational, regulatory, or reputational, and they stem from the possible loss of service from the third party, whether that loss results from the vendor being liquidated or acquired, from termination of the outsourcing contract, or from a failure to deliver as expected.
Certain countries have national laws that specifically regulate outsourcing. More commonly, the regulators of specific vertical industries, such as financial services, have put extensive rules or guidelines in place that dictate how regulated firms can work with third-party vendors. Compliance with IT outsourcing and third-party risk management regulations is vital for businesses that rely on third-party software.
For example, the UK's Prudential Regulation Authority (PRA) [4] has published guidance for businesses across the banking and financial services sector on how to mitigate third-party risk and help ensure business continuity if a third-party supplier fails.
Under the PRA's expectations, a firm must have a pre-developed "stressed exit plan" in place: specific, documented methods for maintaining business continuity should an IT failure occur within its supply chain. These plans must also be tested to show that they work, and the results of that testing must be made available to the applicable regulator.
One way businesses can demonstrate compliance is to implement robust onboarding and procurement policies that build software escrow agreements and verification testing into every supplier contract. Software escrow agreements make more sense now than ever, because regulators are now mandating how firms should meet requirements and expectations relating to outsourcing and third-party risk management.
Because regulations of this kind are becoming increasingly common, global and international organizations tend to take a broader view of how they might be affected across the whole business. They are often compelled to adhere to the highest bar within their global network: they identify the most stringent regulatory requirement in any jurisdiction in which they operate and then apply that requirement across all jurisdictions.
Embracing digital transformation with SaaS – using a smart strategy but preparing for the risks
Partnering with SaaS application providers is a smart strategy, yet you need to prepare for the risks – from unexpected supplier failure to your developer being acquired. When you have a SaaS escrow agreement in place, you can take advantage of these partnerships while minimizing the risks.
The regulatory environment is only one aspect of business that is changing – and challenging – how organizations effectively evolve and embrace new technologies.
We cannot overlook how the pandemic accelerated digital transformation, as collaboration tools and cloud migration enabled companies to adapt to remote work. As a result, spending on IT and digital transformation soared, with a growing share of that budget allocated to enterprise software and, more specifically, to the cloud.
Expect key challenges when your applications and data are in the cloud
Most procurement and sourcing professionals and legal counsel are familiar with traditional software escrow (also called source code escrow or technology escrow) and often recommend it as a safeguard when onboarding new business-critical software, especially from a small or unproven vendor. Essentially, the escrow agent securely holds a copy of the software source code as a form of insurance, an arrangement that also protects the vendor's intellectual property, since the code is released only under agreed conditions.
If a problem arises with the vendor in the future, such as bankruptcy, acquisition, lack of support, or another condition specified in your release conditions, the escrow agent releases the source code to the buyer, along with build instructions and other supporting materials, so that you can recreate the application and ensure business continuity.
SaaS escrow is very similar in concept, but there are three major differences. With SaaS applications:
- You don't possess anything - With SaaS, you don't physically hold the software application, your data, the operating systems, or the infrastructure.
- Your data is more exposed - As SaaS adoption grows, so does the amount of business-critical data held only by third parties, and with it the impact of losing access to it. Although a SaaS provider may be able to restore a storage snapshot of your data, that snapshot may be in a format that is not usable by your business without the application that wrote it.
- You have shared responsibility in the cloud - Your cloud service provider (CSP), such as Amazon Web Services (AWS) or Microsoft Azure, is not liable for disruption or loss you suffer from outages. Under the shared responsibility model, the CSP is responsible for the security of the cloud itself, while the customer of the service is responsible for securing what is in the cloud. When your application is SaaS, the vendor is the CSP's customer, not you, so your contract and your recovery path run through the vendor. Hosting critical assets in the cloud does not by itself guarantee resilience.
One of the most common misconceptions when adopting third-party cloud services is the assumption that the SaaS provider is responsible for ensuring application continuity, data availability, application security, and regulatory compliance. Unfortunately, that’s not the case. The truth is each time you onboard a new third-party SaaS vendor, you’re introducing an added element of risk to your organization – and you must have a strategy in place for operational resilience.
So how does SaaS escrow provide operational resilience, and how does it mitigate cloud risk?
A SaaS escrow agreement protects a subscriber's business-critical application and data by storing the source code, critical data, and the other materials needed to support the application long-term, so that you have the means to redeploy and maintain your third-party application and critical data swiftly and accurately.
SaaS escrow lets you support your cloud strategy, wherever you are in the migration process.
At NCC Group, our SaaS escrow offering is called Escrow as a Service, or EaaS. Different EaaS solution options are available, depending on your hosting arrangement, application configuration, and the level of resilience you require. All are designed to provide operational resilience by mitigating vendor risk, minimizing downtime, and safeguarding your reputation by ensuring your SaaS applications, code, and data are always available.
Here is a top-level, step-by-step view of how it works:
- Set up – First, you will need to set the terms of the EaaS agreement which will set out several legal positions, such as release events (intended to trigger the release of the material deposited from escrow) and will impose some standard obligations on the software supplier, such as deposit frequency.
- Verify – It is strongly recommended to strengthen the escrow agreement with EaaS verification. With verification, the source code and related materials held under the agreement are tested to confirm that they are complete and sufficient to rebuild and maintain the SaaS application in the software vendor's absence; an unverified deposit may turn out, at release time, to be missing a dependency, a build step or a configuration that only the vendor knew.
- Deposit – NCC Group’s View portal makes it easy for your software vendor to keep the deposited source code and data up to date. The software vendor will simply connect to their preferred source control repository and automate the deposit of verified materials.
- Secure storage - When the verified materials have been deposited, they will then be placed into a highly secure repository. These materials are monitored 24-7 by our Security Operations Centre and will be released only when the pre-agreed release conditions are met.
- Manage – The View portal also gives on-demand administrative access and 24-7 visibility into your software resilience portfolio. Real-time updates are sent to you on the status of deposits, and important documentation is immediately accessible.
- Release (if required) - If a release condition occurs, NCC Group will promptly release the materials to you in accordance with the terms agreed in the escrow agreement. This gives you access to your data and lets you keep operating a business-critical application, either in-house or through another supplier, where your original SaaS provider can no longer support it.
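The deposit and release steps above only help if what comes out of escrow is what went in. The following is an added example, not NCC Group code and not the mechanism of the View portal: it assumes a deposit is a directory tree plus a manifest of SHA-256 hashes that is stored separately from the tree, and that a usable deposit must carry build and deployment instructions and a data export schema. The file names under `REQUIRED_MATERIALS`, and the sample deposit it builds, are constructed for illustration.

```python
"""Integrity check for an escrow deposit (added example; assumptions noted inline)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Materials a verification would expect alongside the source tree.
# These names are assumptions for the example, not an escrow provider's rule.
REQUIRED_MATERIALS = ("BUILD.md", "DEPLOY.md", "data/export_schema.json")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large deposits do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every regular file under root, keyed by POSIX relative path."""
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            files[path.relative_to(root).as_posix()] = sha256_of(path)
    return {"version": 1, "files": files}


def verify_deposit(root: Path, manifest: dict) -> dict:
    """Compare a copy of the deposit against the manifest taken when it was made.

    Reports files that are missing, altered or unexpected, and any required
    material that is absent, so a release is not accepted on trust.
    """
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    missing = sorted(set(expected) - set(current))
    extra = sorted(set(current) - set(expected))
    modified = sorted(name for name in expected.keys() & current.keys()
                      if expected[name] != current[name])
    missing_required = sorted(name for name in REQUIRED_MATERIALS if name not in current)
    return {
        "ok": not (missing or extra or modified or missing_required),
        "missing": missing,
        "extra": extra,
        "modified": modified,
        "missing_required": missing_required,
    }


def make_sample_deposit() -> Path:
    """Create a constructed sample deposit in a temporary directory (not real vendor material)."""
    root = Path(tempfile.mkdtemp(prefix="escrow_deposit_"))
    sample = {
        "BUILD.md": "# Build\n1. pip install -r requirements.txt\n",
        "DEPLOY.md": "# Deploy\nRun infra/apply.sh against a fresh account.\n",
        "data/export_schema.json": json.dumps({"tables": ["customers", "orders"]}),
        "requirements.txt": "flask==3.0.0\n",
        "src/app.py": "print('hello')\n",
    }
    for relative, content in sample.items():
        target = root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def overwrite_file(root: Path, relative: str, content: str) -> None:
    """Simulate a file in the deposit being altered after the manifest was taken."""
    (root / relative).write_text(content, encoding="utf-8")


def remove_file(root: Path, relative: str) -> None:
    """Simulate a file going missing from the deposit."""
    (root / relative).unlink()


if __name__ == "__main__":
    deposit = make_sample_deposit()
    manifest = build_manifest(deposit)  # taken at deposit time, kept apart from the tree
    print("clean copy ok:", verify_deposit(deposit, manifest)["ok"])
    overwrite_file(deposit, "src/app.py", "print('altered')\n")
    remove_file(deposit, "DEPLOY.md")
    print("after tampering:", json.dumps(verify_deposit(deposit, manifest), indent=2))
```

The manifest must be generated at deposit time and held somewhere the deposit itself cannot overwrite (with the escrow agent, or signed by the vendor and countersigned by the subscriber); otherwise a tampered deposit could ship a matching manifest. A hash check like this confirms the material is intact and complete against the agreed list, but it does not prove the material builds or runs, which is what the verification step in the agreement is for.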
SaaS customers must consider how they would operate if they lost access to a business-critical application due to a third-party vendor failure or lack of support. SaaS escrow enables business continuity and operational resilience if this situation happens.
Because organizations are increasingly operating in a digital, cloud-first world, sourcing and procurement professionals should build software resilience, including SaaS escrow and verification, into risk mitigation and business continuity plans to mitigate the risk of adopting new technology from third-party SaaS providers.
About the Author
Jamie Mackay is the Head of Product Innovation and Solution Architecture at NCC Group. Jamie helps companies understand how software resilience services can be applied to their business-critical applications and the part that they play within business continuity and disaster recovery (BCDR) strategies.
ABOUT NCC GROUP
NCC Group Software Resilience is a global provider of software escrow services that protect customers from unforeseen technology disruption while providing credibility and IPR protection for software providers. Learn more at NCC Group Software Resilience.
- [1] What is cloud computing, Investopedia
- [2] Flexera, 2022 State of the Cloud Report
- [3] Gartner, cloud shift research
- [4] NCC Group Newsroom, article on the UK Prudential Regulation Authority (PRA)