SaaS Escrow Frequently Asked Questions | NCC Group

What is SaaS Escrow?

We often get asked by our customers, what is SaaS Escrow? And what is Cloud Escrow?

There are several different SaaS escrow services available; the most suitable solution for you will depend on your chosen business continuity plan.

To determine which SaaS escrow service you need, it’s always best to consult with your SaaS escrow agreement provider. It is recommended that all business-critical SaaS applications be protected by a SaaS escrow agreement to ensure resilience.

But before the SaaS Escrow agreement is signed and any applications are deposited into escrow, testing on the application, environment and architecture should be undertaken to validate the accuracy and ensure the usability of the materials held under the agreement.

The technical information produced from the verification acts as a guide to help the SaaS end-user understand, redeploy, and maintain the third-party SaaS application, without additional support from the SaaS vendor.

Is the SaaS Vendor responsible for my application and data?

Not entirely. In fact, there is a shared responsibility model (SRM) that is inherent to the use of cloud services.

As described in a report by Oracle and KPMG, this shared responsibility model conveys how a cloud service provider is responsible for managing the security of the public cloud, while the subscriber of the service is responsible for securing what is in the cloud.

Therefore, data security is always the customer’s responsibility.

To clarify, a cloud service provider, or CSP, is a company that offers components of cloud computing — typically, software as a service (SaaS), infrastructure as a service (IaaS), or platform as a service (PaaS). Cloud services typically are priced using various pay-as-you-go subscription models. The most well-known cloud service platforms are Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

For our purposes, we’ll focus on SaaS. With SaaS products, cloud service providers may either host and deliver their own managed services to users or they can act as a third-party, hosting the application of an independent software vendor (ISV), or SaaS provider.

In the cases where you have a CSP and an independent SaaS provider, the CSP can be holding up their end of the bargain in terms of hosting, but this doesn’t mean you will have access to your application if something happens to your software vendor – the CSP can’t just hand over the software it is hosting to the vendor’s customers.

Often, software subscribers think that if their SaaS vendor is no longer around to support their application, they can contact the CSP and their application and data will be there waiting for them, but this isn’t the case.

That’s where a SaaS escrow agreement comes in. With a SaaS escrow agreement, both your application and your data are protected by the escrow agent in the case of a release event.

Is SaaS Escrow necessary for large SaaS vendors?

Certainly, larger well-established software vendors tend to be more stable and less risky than startup vendors.

That said, SaaS escrow addresses risks across the cloud software supply chain.

That risk goes beyond a SaaS provider going out of business. There are many ways their businesses can shift, from discontinuing support of a product that you rely on to being acquired by another company. In addition, larger vendors will be greater targets for ransomware and hacks.

In any of these situations, a copy of your software source code and data securely stored with an escrow provider is an important safeguard for your business.

If your cloud-based software application is business-critical or hosts critical data, you should consider SaaS escrow.

Do I need SaaS Escrow if we have a Disaster Recovery plan in place?

A disaster recovery plan is important, but it does not replace the need for escrow. Disaster recovery (DR), which is a subset of business continuity (BC) and focuses on the IT systems that enable business functions, is an organization’s ability to respond to and recover from an event that negatively affects business operations.

It is important to note, as outlined in the Bode Law blog, that “disaster recovery does not cover the situation where the SaaS supplier itself becomes insolvent.”

“In these circumstances, a SaaS customer will have no right to access its data and backups at the data centre, as it is not a party to the hosting agreement between the data centre and the SaaS supplier.”

Escrow services with service continuity options can supplement disaster recovery plans and provide the SaaS customer with a solution to mitigate supply chain risk and keep their application up and running.

Now that we’ve debunked some of the key misconceptions around cloud migration, here’s how things really work:

  • Escrow is still relevant for the cloud. Escrow for SaaS applications addresses the short-term risk of no access to cloud-hosted software AND relevant data. A SaaS escrow agreement provides additional protection for the licensee.
  • CSPs and software vendors are not responsible for your application and data. A CSP cannot just hand over the software it is hosting in your vendor’s environment.
  • There are various cloud escrow agreements available. However, all escrow agreements should be supported by verification to validate the accuracy and usability of the materials held under the agreement.
  • No matter how large or small a software vendor is, it is essential to plan for business disruption. To safeguard your business, ensure a copy of your software source code is securely stored with an escrow provider.
  • Disaster recovery does not cover the situation where the SaaS supplier itself becomes insolvent, so supplement your current disaster recovery with software escrow.
