Building-In Assurances When Contracting for Software as a Service
• Frank Bruno, Director
• Iron Mountain Intellectual Property Management
• Break out session #1101
• 11:00AM – 12:00PM
Licensing Models
On Premise
• Software developer delivers executable on media to the user
• User accesses software on local system
• End user has a copy of the object code (executable) & their data
SaaS
• Application and data hosted by SaaS provider
• User accesses software via the internet (SaaS)
• End user does not have a copy of the object code (executable) & their data
Risk with On-Premise Licensing
On Premise
• Software developer delivers executable on media to the user
• User accesses software on local system
• End user has a copy of the object code (executable) & their data
NO ACCESS TO SOURCE CODE
• Customer is not able to recreate the application development environment should the developer be unwilling or unable to continue supporting the software
Risk with SaaS Licensing Model
SaaS
• Application and data hosted by SaaS provider
• User accesses software via the internet (SaaS)
• End user does not have a copy of the object code (executable) & their data
NO ACCESS TO SOURCE CODE
Plus
• No copy of the executable code readily available to reload and run in a live production environment
• Generally no access to data
• Often hosted through a third party, introducing additional risks
What if…
• you experience a significant outage?
• your provider can’t failover?
• your SaaS provider shuts down and their disaster recovery relationship fails?
• you can’t recreate the live production environment?
• you can’t have access to your data?
What would this mean to your business?
Expert Opinions: Protect SaaS Applications
• “If you were smart, you made sure from the get-go that your SAAS vendor offered a code-escrow deal so you would have the option of running the application internally if the service were to be shut down.” —Jim Rapoza, eWeek, August 2006
• “Setting up an escrow account becomes critical when using SaaS, since loss of support by the SaaS provider means not only the loss of the application functionality but access to all of the proprietary data along with it.” —Marcia Gulesian, CIO Update, December 2006
Be Prepared…
• Escrow source code, data and object code
• Verify all deposits for usability
• Prepare contingency to provider’s DR Plan
• Test the plan!
What is Technology Escrow?
• An “insurance policy” for a software licensee’s mission critical technology investments
• Provides controlled access to a licensor’s proprietary code under specific release conditions with limited use rights
• Compromise by which the licensors address the clients’ reasonable concerns
• Engenders trust between two parties partnering in business!
What is a SaaS Escrow?
[Diagram: Source Code, Data, Object Code; Verification Testing]
• Protects the SaaS Provider and the Subscriber
• Ensures access to all technology assets to provide business continuity
• Verifies escrow deposits for usability
Two Escrow Deposits
• Source Code is governed by traditional release conditions (bankruptcy, failure to support, M&A activity)
• Object Code and Data are governed by “Demand Release” (Provider does not issue contrary instructions)
Both are verified for usability, usually before the relationship is consummated.
Typical DR Scenario
[Flowchart]
• Problem occurs → Subscriber contacts Provider
• Desired outcome: Problem is rectified → Subscriber is satisfied
• No response: Subscriber contacts Escrow Agent → Demand release of Object Code → Data restored to specified target site via LiveVault → Live Production Environment restored
Benefits of a SaaS Escrow Service
Customer Benefit
Beneficiary
• Escrow best practice
• Leverage (better support, response time, quality service, etc.)
• Quick application recovery (Disaster Recovery/Business Continuance)
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)
Depositor
• Assurances to prospective clients that they are protected in the event of a significant outage
• Shortens the sales cycle
• Marketing value: Competitive differentiation, which is communicated via website advertisement or press release (i.e. Fidelity Information Solutions)
• Cost can be passed along to beneficiaries as a premium value added service
Actionable Guidance
• Review the DR plan and ask what are the contingencies?
• Identify a failover back-up host to restore application
• If necessary, insist on assuming rights of SaaS provider if they default on their obligations to the DR supplier
• Mandate a SaaSProtect escrow to ensure long-term viability of the relationship
• Specify the deposit materials (source code, object code, data & everything else needed to restore services)
• Verify that the deposit materials work!
  • Compile the source code, validate build instructions
  • DR test on the object code, restore data & validate procedures
• Establish a repeatable process to ensure consistency
Iron Mountain SaaSProtect Escrow Service™
INDUSTRY FIRST!
Combines escrow protection with award-winning LiveVault® automated backup and recovery services to protect access to critical SaaS applications and your data.
SaaSProtect Escrow Service
• Source code is securely deposited so you can recreate the production environment if provider ceases support
• Object code and compile instructions are securely deposited so you can continue running the application in the event of an outage
Award-Winning Data Protection: LiveVault®
• Fully managed online solution service provides automatic, secure and reliable server data protection and recovery
• Protects data on distributed and remote servers
• Eliminates the risks and failures inherent in tape backup for disaster recovery purposes
SaaSProtect is a Critical Component of a Solid DR Plan
• Demand Release Conditions minimize downtime by defining when you may access application object code and proprietary data
• Deposit verification and DR testing validate code and compile instructions to ensure you can meet RTO and RPO