With quick startup times, transparent updates and pay-as-you-go pricing, Software-as-a-Service (SaaS) has a lot to like. But SaaS also carries risks that are unique to its hosted business model. Choosing a SaaS provider and negotiating contracts requires thinking about what could go wrong – and how to avoid becoming the victim of somebody else’s mistakes.
The nightmare scenario for any customer of course, is to have a SaaS provider shut down. While that’s not a likelihood if you’re using one of the major SaaS providers, such as Salesforce.com, Microsoft or Google, it’s a possibility to consider when using one of the many small service providers that host traditional on-premises applications in the cloud. Bankruptcy isn’t the only risk. Troubled companies may be acquired by other firms that then decide to de-emphasize parts of the business or even sell them off. There are well-documented cases of cloud companies ceasing operations with as little as two weeks’ notice to their customers. If the provider is hosting a lot of data, there may be barely enough time to fetch information off the server, much less move to an alternative provider.
The best defense against letting a SaaS provider’s troubles hurt your business is to have a subscriber based contingency plan and backups in place. Take a moment to ask yourself some crucial questions like – how long can I be without this application? How old can my data backup be? How much am I willing to invest (time and effort) to have a plan B? Once you have a high-level understanding then you can decide what is possible and best, given the scenario.
It comes down to basically three choices; you find another provider (and have an interim plan); you bring it in house (if you have the technical ability); or you take it to a third party to run it for you. If the application is especially critical to your business, you may even consider running a mirrored version of the software in a hosted environment you can control if something happens to the SaaS provider
Know Where Your Data Is
Another intrinsic vulnerability of SaaS services is that the customer doesn’t physically hold the data. It lives on the SaaS provider’s servers, which may be down the street or halfway around the world. SaaS companies like to say that their security is world-class, but most are vague about precisely what that means for fear of tipping off attackers. That’s a valid concern, but customers need to know where their data is and how it’s protected, particularly if their industry regulates the physical location of data.
Be sure your contract specifies how quickly you can get access to data in machine-readable form and what formats that will be supported. If applicable, require the SaaS companies notify you if your data is moved outside of a designated area.
You should also ask basic questions about how your data is protected. How often are backups performed and retained? How quickly can data be restored from backup? Does the cloud provider maintain mirrored equipment to prevent against data loss? Is data stored in encrypted format? Who within the SaaS company has access to your data and what access controls are in place to prevent abuse? It’s perfectly okay to ask that the answers to these questions be specified in writing.
One of the best features of SaaS applications is that they can be accessed from anywhere, but that can create unintended security headaches as well. Employees working from home don’t necessarily meet enterprise standards of security and data protection. When accessing SaaS applications over the open internet, they may be vulnerable to malicious software that steals keystrokes or holds their data hostage. New policies and software updates may not be pushed to their PCs, and there may be no way even to monitor the status of their devices since they are invisible to the corporate network. If employees are going to use mission-critical SaaS applications at home or on the road, be sure they connect through a VPN so that they appear as fully managed clients on the corporate network.
SaaS applications are really no different from the software you’ve probably run on premises for years. It’s just that someone else hosts them. Read terms and conditions carefully, get service-level commitments in writing and consider worst-case scenarios. Then enjoy your new-found flexibility.