More than ever, companies are working in digital cloud computing1 World. Sourcing and procurement professionals have built software resiliency—including SaaS escrow and verification—into their risk mitigation and business continuity plans. As your organization embraces digital transformation, your sourcing and sourcing professionals can help simplify migration to the cloud if they use a resilient methodology from the start.
You must use diligent security measures to protect business-critical applications and data, while also complying with applicable industry regulations. Our research shows that when you convert your business models to cloud computing, you need to further strengthen the resilience of your processes. The following deepens and clarifies this perspective.
Transition to SaaS for business-critical applications
If we look at large enterprise customers, we see that about half have already transitioned to software-as-a-service (SaaS) or are in the process of moving their mission-critical applications to the cloud, while the other half are exploring SaaS options and exiting still rely on on-premises computing equipment to host their applications and data.
Industry statistics confirm this. According to Flexera’s 2022 State of the Cloud report2 Enterprises run 49 percent of workloads and store 46 percent of data in a public cloud. They also plan to increase that by 6 percent and 7 percent, respectively, over the next 12 months.
gardeners cloudshift research3 — which focuses on spending — says nearly two-thirds (65.9%) of application software spending will go to cloud technologies in 2025 — up from 57.7% in 2022.
We all know the numerous advantages that SaaS offers – from flexibility to ease of use to a scalable infrastructure and cost model. However, migrations to SaaS are not instantaneous. They are complex and require careful planning to ensure success. Larger companies in particular are more complex and often more risky.
This begs the question: how can you use SaaS escrow as a solution to mitigate this risk and meet third-party regulatory requirements?
SaaS escrow has evolved from traditional on-premises escrow, but is still a three-party agreement between the software buyer (or in the case of SaaS, the subscriber), the software developer (or SaaS provider), and the escrow agent. SaaS escrow is intended to enable access and use of the application when the SaaS provider can no longer support it. Increasingly, industry regulations also deal with third-party risks, and Treuhand also helps to meet these compliance obligations.
When using SaaS, your escrow protection goes beyond the application source code and extends to the data as your data now lives in the cloud. That’s why with SaaS applications, you need expert operational knowledge of your production environment, or an exact, replicated one snapshot the live cloud-hosted environment.
Regulations and Compliance – knowing the challenges and solving the risks
An evolving and complex issue to consider is the regulations governing operational resilience.
All companies work with external providers and it is often the new, innovative startups that have developed SaaS applications that will bring great benefits to your company. However, outsourcing IT brings with it challenges and risks. This may be operational, regulatory or reputational risk related to the potential failure of services by the third party, whether that risk results from an event such as the liquidation or acquisition of the business, termination of the outsourcing agreement, or failure to meet delivery expectations.
Certain countries have national laws that specifically regulate outsourcing. More commonly, regulators in certain vertical industries – such as B. Financial Services – have extensive rules or policies in place that dictate how they can work with third-party providers. Compliance with third-party IT outsourcing and risk management regulations is critical for organizations that rely on third-party software.
For example the UK Prudential Regulation Authority (PRA)4 has published guidance for companies in the banking and financial services sector on how to mitigate third party risk and ensure business continuity in the event a third party fails.
This means that the PRA requires a company to have a pre-developed “stress recovery plan” in place – meaning the company has specific ways or methods in place to maintain business continuity should an IT outage occur within its supply chain. These plans must also be tested to ensure they work, and the results of these tests must be submitted to the appropriate regulator.
One way companies can demonstrate compliance is by implementing robust onboarding and procurement policies that ensure software escrow agreements and verification testing are built into all supplier contracts. Software escrow agreements make more sense than ever today as regulators dictate how companies should meet third-party outsourcing and risk management needs and expectations.
As these types of regulations become more prevalent, global and international organizations tend to look at the broader picture and see how they could impact on a larger scale. They are often forced to hold themselves to the highest bar within the global network. They will endeavor to meet the most stringent regulatory requirements for a particular jurisdiction in which they operate and then apply that requirement in their businesses in all jurisdictions.
Embrace Digital transformation with SaaS – with an intelligent strategy, but prepared for the risks
Partnering with SaaS application providers is a smart strategy, but you need to prepare for the risks—from unexpected supplier failure to losing your developer. Having a SaaS escrow agreement allows you to leverage these partnerships while minimizing risk.
The regulatory environment is just one aspect of business that is changing – and challenging – how organizations effectively evolve and embrace new technologies.
We cannot overlook how the impact of the pandemic has further fueled digital transformation as collaboration tools and cloud migration enabled organizations to adapt to the new realities of remote work. As a result, spending on IT and digital transformation has skyrocketed, with a growing portion of that budget going to enterprise software — or more specifically, cloud investments.
Expect important challenges in your applications and Data is in the cloud
Most procurement and sourcing professionals and legal advisors are familiar with traditional software escrow (also called source code escrow or technology escrow) and often recommend it as protection when onboarding new business-critical software solutions – especially from small or untried vendors. Essentially, the trustee keeps a copy of the software source code as a form of “insurance” that also protects the vendor’s intellectual property.
Should a problem ever arise with the vendor in the future – such as bankruptcy, takeover, lack of support, or other conditions specified in your release terms – the trustee will release the software source code to the buyer (along with all building instructions and other materials), so you can rebuild the application and ensure business continuity.
SaaS escrow is very similar in concept, but there are three main differences. For SaaS applications:
- you own nothing – With SaaS, you do not physically own the software applications, your data, the operating systems, or the infrastructure.
- Your data is more vulnerable – With the extreme growth of SaaS adoption, the risks of data loss are increasing exponentially. And while SaaS tools may be able to bring back a storage snapshot of your data, it might be in a format your business can’t use.
- In the cloud, you share responsibility – Your Cloud Service Provider (CSP) – such as Amazon Web Service (AWS) or Microsoft Azure – is not liable for any disruption or loss you may incur as a result of outages. Her Shared Responsibility Model means that the CSP is responsible for managing security from the public cloud, while the subscriber to the service is responsible for securing what is there in the cloud. Just because your critical assets are hosted in the cloud doesn’t mean you’re guaranteed resiliency.
One of the most common misunderstandings When adopting third-party cloud services, it is assumed that the SaaS provider is responsible for ensuring application continuity, data availability, application security and regulatory compliance. Unfortunately, this is not the case. The truth is, every time you onboard a new third-party SaaS provider, you’re introducing an additional element of risk into your business—and you need to have an operational resiliency strategy in place.
So how does SaaS escrow work to ensure operational resiliency? and How do you mitigate cloud risk?
This is where SaaS escrow comes in. A SaaS escrow agreement protects a SaaS subscriber’s business-critical applications and data by storing source code, critical data, and other critical materials needed to support an application over the long term Provided you have the ability to quickly and accurately redeploy and maintain your third-party application and critical data.
With SaaS escrow, you can support your cloud strategy wherever you are in the migration process.
SaaS customers need to consider what they would do if they lost access to a mission-critical application due to a third-party outage or lack of support. SaaS escrow enables business continuity and operational security when this situation arises.
As organizations increasingly operate in a digital, cloud-first world, procurement and procurement professionals should address building software resiliency including SaaS escrow and verification – with risk mitigation and business continuity plans to manage the risk of Introducing new technologies from third-party SaaS providers to mitigate.
Additional Resources:
END NOTES
- What is cloud computing… a Investopedia article
- Flexera 2022 State of the Cloud Report
- Gartner’s “Cloud Shift” research
- NCC Newsroom article on the UK’s Prudential Regulation Authority (PRA)
[View source.]
