
How To Choose A SaaS Escrow Service and Ensure Business Continuity


Not all companies can afford an in-house security team. If you're looking for a SaaS company with whom to entrust your data, keep these trends in mind.


Many of our day-to-day business operations involve using Software-as-a-Service. In essence, your data is stored away from your business premises. You probably access and handle it using software which is not yours but is a SaaS solution. But how can you guarantee that this data is physically safe and that it is available to you at all times, whatever happens? A possible solution is a SaaS escrow service contract. Evaluating and selecting such a service, however, can be tricky.

First of all, we should distinguish between code repository hosts and source code escrow services. The former allows software developers to store programming code, snippets, and patches. In contrast, SaaS escrow services make an offsite copy of the software programming code you use in the cloud and a backup of your business-critical data. You can retrieve it in emergencies like service outages or SaaS provider insolvency.

SaaS Escrow: Protecting Data or Code?


We should also remember the two options for data protection and storage: offsite and onsite. Onsite protection, where data backups are stored on our own hardware and use our own software licenses, can cost too much for many small and medium businesses. In any case, a SaaS escrow vendor provides real-time and offsite protection plans that fit most businesses, from early-stage start-ups to solopreneurs to mid-sized and large corporations. A SaaS escrow company operates by storing data and code on its own premises, using its own hardware and software.

In recent years, SaaS escrow has moved towards protecting business-critical data, not only providing source code storage. The reason is that customers have encountered real problems when all they had was access to the source code of a bankrupt SaaS provider. Enterprises have also found that a code repository is not exactly what they needed: even if the source code were usable (which is sadly far from true), they have often needed to buy additional software and hardware to run it. Plus, you need an escrow vendor that features reliable and available online and offline facilities.

Checking Online and Offline Data Storage

You should seek SaaS escrow providers with no vested interests in your business area or in the service provided by the SaaS developer. You should also look into what software verification options they provide. Reports claim that over two-thirds of source code resting in escrow is mostly unusable without debugging or additional software development.

In short, potential clients ought to probe a SaaS escrow vendor's ability to store data online and offsite. Any SaaS escrow vendor should react fast in case of temporary or longer cloud service outages. A good idea here is to check what (if any) protection SaaS escrow vendors offer against Distributed Denial of Service (DDoS) attacks. In such scenarios, you are unable to access your data.

Digital and Physical Data Vaults

All escrow vendors store clients’ business data physically, whether it be on hard drives, optical disks, or magnetic tape. Whatever the physical medium, after backing up, they should store it in secure data vaults. The same applies to solutions which store data in real time. You must be sure that escrow vendors’ facilities are not only secure but provide the physical environment for safe long-term and emergency data retrieval. In the optimum scenario, your backups would be copied for redundancy and the copies would be stored across a number of locations and data centers. This would cost more, but it would pay off if a massive service outage or closure were to hit you.

Sheer physical security is an important aspect of escrow security systems’ availability and reliability. To offer appropriate storage of business-critical data, data vaults and servers ought to have controlled humidity and temperature and be guarded by fire suppression systems. Air filtration and air conditioning are mandatory. Access to storage areas should be strictly controlled and granted only to authorized personnel. This is a security aspect often forgotten while we focus on hacking and data leak protection – not that these aspects are in any way secondary.

Looking Into SaaS Escrow Vendors’ Backgrounds

Disruptive and innovative market players are welcome in any industry. They stir things up and engender competition. But untested disruptors are not welcome when business-critical data is at stake. Business continuity strategy should involve an escrow vendor with a proven track record. SaaS escrow vendors’ history is very important and telling. It is worth poring over SaaS escrow vendors’ CVs and particularly those of their C-level executives and technical staff. In this context, it pays to remember that not only the largest market players have impeccable backgrounds.


Reputable providers will, for example, let clients control crucial components of their service and guarantee access to their data or stored code, whatever the circumstances. They will have the technical capabilities to offer continuing service even in cases of force majeure. These capabilities include up-to-date software and hardware infrastructures, knowledgeable personnel, fast service and support responses, short reaction times, and rock-solid service contracts which protect clients’ data and their ownership over it.

Scrutinizing SLA Contracts

Service level agreements (SLAs) are of the utmost importance. You should scrutinize details like contracted support and emergency response times, tiers of support and how issues and inquiries are escalated, data availability, and backup frequency. You should also look for assurances that SLAs will be observed unconditionally and at all times. Non-performance should be covered by the strictest of indemnity clauses.

Planning in advance and carefully assessing and documenting all your protection and access requirements is a necessary first step. It is worth spending the time to explore as many potential service providers as practical before shortlisting several. The very process will give you ever-broadening insights into the market. Only after deciding how well particular vendors’ service plans and offerings match your individual case, and after scoring each of them, should you select the best SaaS escrow service for your business.
