July 21, 2015 webinar
Presented by: Tim Cummins, IACCM & David Strouse, Iron Mountain
© 2015 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated.
All other trademarks and registered trademarks are the property of their respective owners.
What Contract Risks are Hiding in the Cloud?
Today’s Presenters
Tim Cummins, CEO, IACCM
Tim works with organizations to support understanding of the role that procurement, contracting and relationship management play in business performance and public policy.
David Strouse, Director, Iron Mountain, Intellectual Property Management
David helps enterprise organizations create and implement appropriate solutions to protect their intellectual property assets.
Agenda
Tim Cummins –
- Industry Overview & Trends
David Strouse –
- What’s happening with SaaS today?
- What are your SaaS headaches?
- How do I assess my risk?
- How do I protect my SaaS investment with software escrow?
- What are Best Practices to safeguard SaaS applications and data?
Q&A –
- Please submit questions as you have them. Questions will be answered at the end of the session.
A copy of the slides and a link to the recording will be available to all participants. You will also receive a white paper, templates & other materials from Iron Mountain.
IACCM analyzed Cloud Agreements
Comparative length of agreement
- 9 pages
- 3 pages
- 13 pages
Number of cross referenced documents
- 7 documents, plus web links, plus Order Form.
- 3 documents: order form and service levels, and the NDA is a separate document.
- 7 documents incl: SLA, Service Terms, trademark use guidelines, “Software License” and “Service Offerings License” as well as web links.
Single or Multiple offering
- Dual offering: cloud services and associated consultancy services. Multiple orders for cloud services may be used against the same terms.
- Single: cloud service only, but multiple in number of “cloud services”
- Generic framework agreement
Flesch Test (Flesch Target: 50-60; a high score is good).
- Flesch 26
- Flesch 37.3
- Flesch 46.9
The risks behind the Cloud
What we discovered in many Cloud agreements:
• It is not clear what the supplier is committing
• Extensive responsibilities are placed on the customer
• The supplier has few obligations and limited consequences
• The agreement is poorly structured and complicated to interpret
A Paradigm Shift in Technology Delivery
85% of new software is now being built for the cloud
-IBM 2013 Annual Report
SaaS is increasingly becoming Mainstream
The Benefits of SaaS are Clear. Yes, But What-If? Then What?
• Bankruptcy or failure to do business in the ordinary course.
• M&A (non-prevailing products suffer from extinction)
• Contract Breach & Disputes
• Force Majeure - Extended Outage
• Need to Execute an Exit Strategy
• Can’t Recover Your Data?
How Are You Assessing Your Risk?
72% of organizations find it highly important that a SaaS provider offers a plan to allow continued access to applications in the event that they go out of business.
-Softletter Research
Yet, 79% of SaaS providers do not guarantee their subscribers application continuity.
-IDG Custom Research
What are the Market Realities We See with Enterprise SaaS Subscribers?
• Accepting traditional source code escrow without thinking through “What will I do with it?”
• Not unpacking the DR/BC question. A SaaS provider’s disaster recovery plan is there only as long as the Provider is.
• Not talking through the RTOs/RPOs for their data and access to it in SLAs
• Deploying the application and dealing with it later…
Possible SaaS Risk Contingencies
Take the application On-Premises
Hire Managed Service Provider to host and maintain the application
Recover your data and migrate to a new solution
Update Your Resume
Introduction to the Contingency Plan – Ask Questions!
- If my application is unavailable, what is the impact on my company and customers in 1 hour, 1 day, 1 week?
- Where is my data and what are my options to get access to it?
- Is my data usable without the application?
- If necessary, could you take the application on-premises or find a new SaaS provider? How long will that take?
- What events will trigger your contingency plan?
- How will you document the contingency and who will be responsible for execution (internally/externally)?
- Is it possible to perform verification testing to ensure the plan works?
- Do you have a repeatable process for dealing with these situations?
How can Traditional Software Escrow be Adapted for SaaS Applications?
SaaS escrow environment runs independently of the provider
SaaS Escrow Contingency Trigger Process
[Flowchart; box labels: Problem Occurs; Subscriber contacts Provider; Problem is rectified; No response; Subscriber Contacts Escrow Agent; Contingency Trigger process is invoked; Access to the Recovery Environment is provided; Data Recovered; Application Continuity Secured; Desired Outcome]
SaaS Escrow Options
Case Study: Three Approaches to Risk Mitigation
Non-Profit Member Organization
Financial Services Enterprise Legal Management
Source Code and Object Code Access
Code Verification
Data Delivered Directly
Standby Replication
Failover Capability
Application & Data Continuity
Source Code Access
Code Verification
Contingency Planning for Subscriber
Full Disaster Recovery and Ongoing support
Key Takeaways
• Application Continuity
• Time to Migrate to a New Solution
• Unencumbered Access to Your Data
• Timely Access to Components Necessary to Make Use of Your Data
• Leverage to Optimize the Vendor Relationship
• Satisfy Governance, Risk & Compliance Policy
• Minimize Risk of Loss
• Avoid Litigation and the Courts
Q&A
© 2012 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks and SaaSProtect Escrow Service is a trademark of Iron Mountain Incorporated. All other trademarks and registered trademarks are the property of their respective owners.
Want to learn more?
Visit www.ironmountain.com/saas
or email [email protected]