The adoption of the SaaS (Software-as-a-Service) software deployment model – in which the software a company uses to run its business processes is hosted by a vendor or service provider and made available over a network, most often the internet – is boosting the need for tried and tested methods of protecting access to source code as well as data.
This is the opinion of Escrow Europe director, Andrew Stekhoven, who argues that, in today’s risk-averse and corporate governance-driven business environment, companies would be prudent to investigate how an escrow agreement could help them safeguard their mission-critical systems that are dependent on SaaS software.
He explains: “The deployment of software through the SaaS model is becoming an increasingly credible and established option internationally, and within the South African market. This shift is well recognised, with leading industry experts such as Gartner predicting that 25% of all new business software will be delivered as SaaS by 2011.
“However, with the adoption of SaaS, user data is often stored on third party systems, with third party licensors, within their physical walls and managed by their staff. As a result, the user can lose control over his own data should the supplier no longer be able to meet its delivery obligations.
“As a risk management tool, software escrow becomes very relevant in this situation because it can enforce reliable back-up procedures and provide the user with access to his data should the supplier no longer be able to, or want to.”
Software escrow is an obligation on the part of the supplier of the software your company uses to deposit the source code for this software with a neutral and independent trusted third party, the escrow agent. The third party is authorised to release the source code – and stored data in the case of the SaaS model – to you under conditions agreed upon by the supplier and your company.
Stekhoven provides an example of how it could be used in a SaaS environment: “In an ever-changing marketplace, young and small software development companies can abandon their products for myriad reasons – insolvency, the sale of the company to a competitor, etc. This leaves its customers with an unsupported, un-maintainable product.
“Larger companies, too, are not beyond risk within the world of mergers and acquisitions, and 'orphanware' – the name given to abandoned products – can easily be the prodigy of a well-established parent, leaving the customer with sometimes substantial direct and indirect cost and affecting business continuity.
“Take Oracle’s acquisition of Hyperion, for instance. In both international and local user communities there’s a fear that – in order to migrate users to Oracle solutions – the company will turn existing Hyperion installations into orphans either by upping maintenance rates until they are too onerous for even the most-dedicated Hyperion user to continue paying, or by discontinuing the maintenance and support of these systems. There’s even suspicion that Oracle will simply kill the product range.
“So, given the very real incidence of orphanware out there, particularly within the SaaS environment, how do you protect your company against being left holding the baby?
“You can avoid contracting with smaller companies or start-ups, especially for mission-critical functions, and opt for established companies with lengthy track records. But, as the Oracle-Hyperion acquisition alludes, this is not always an option. And, what if the established companies can’t offer you the custom-fit system that you need?
“Certainly, one of the most elegant ways of managing the risk of your business’s absolute dependence on information technology is active software escrow,” he concludes.
The Institute of Directors in South Africa (IoD) has endorsed active software escrow as an operational risk management measure. IoD believes that active software escrow complies with corporate governance imperatives and bridges the source code – object code divide. IoD also notes that currently South African law does not provide for the protection of, and access to, software source code in the event of software supplier insolvency.
Furthermore, the IoD has confirmed that King III will address the role of active software escrow when it comes to managing ICT Operational Risk in its next update because, to date, this ICT operational risk has generally been underestimated, if not ignored.
Currently, King is said to be of the same opinion as Gartner, which regards technology escrow as a smart and effective component of a business continuity strategy that software licensees can use to protect their mission-critical applications in an ever-changing environment.
“It is an insurance policy to make sure you have access to that source code should that vendor no longer maintain that software for your organization, so this gives you an alternative,” notes Jane Disbrow (Research Director, Gartner IT Asset Management and Applied Research Group), emphasising the need for escrow.