Cloud-based SaaS applications are undeniably the wave of the future.
Over the past month, multiple ‘undersea events’ impacting fibre-optic cables off the coast of West Africa and the Red Sea disrupted business as usual in South Africa.
These cables connect the country, and continent, to far-away cloud-based servers. The effects of dragging anchors and the resultant latency went on for weeks, with some users unable to access basic cloud-based Microsoft products such as Teams or Outlook, raising serious business risks when it comes to productivity, revenue and profit.
Cloud computing and SaaS (software as a service) are significant drivers of the rapid and wide-ranging digitalisation of commerce worldwide. South African business and government are largely on board with the movement to abandon their old servers in the basement and ascend to the cloud.
While there are local cloud service providers (CSPs), the cloud industry is overwhelmingly dominated by Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). These behemoth names make companies feel safer about migrating to the cloud. However, with SaaS products running business-critical operations, there is an additional added layer of risk with the addition of CSPs in the software supply chain.
“Cloud-based SaaS applications are undeniably the wave of the future,” says Guy Krige, Executive Risk Consultant at ESCROWSURE. Investment in South African data centres is scaling rapidly with AWS establishing its African hosting headquarters in Cape Town and a projected capex of R46-billion by 2029.
“South African banks and insurers, as well as many others, are already deeply dependent on distant CSPs and their third-party SaaS service providers. There are many benefits of the model that can’t be ignored, especially when it comes to on-demand scalability, rapid deployment, automated software updating, systems integration and predictable ongoing costs. What is important though is to burst the bubble that cloud computing reduces risk, so that businesses ensure they have sufficient plans in place, for both business continuity and disaster management, to mitigate the expanded risk environment.”
A particular vulnerability for businesses that adopt SaaS solutions is that their software supplier ‘owns’ the relationship with the CSP. That relationship, how the customer’s cloud is configured, the software source code and even the login credentials to the space in the cloud are remote from the client, and most often part of the SaaS provider’s IP. Therefore, their SaaS provider is their sole link to a mission-critical service which is supported by disconnected service providers they don’t know how to contact in an emergency. What happens if their SaaS provider goes out of business?
Krige says: “It’s simple. If your SaaS provider stops paying the CSP, your lights go out. You don’t have a contact or a relationship with the CSP, or access to the code and build documentation. You’re effectively hamstrung unless you have a SaaS Escrow solution in place.”
Like Software Escrow, SaaS Escrow is an integral part of both overall Business Continuity and IT-specific Disaster Recovery Plans. A trusted third-party safeguards vital organisational and third-party software supplier data such as source code and login credentials. Agreed trigger events, such as the insolvency of a software supplier, ensures that the client can access what they need to maintain operations. In the case of SaaS Escrow, firms such ESCROWSURE also connect directly with CSPs and take over the payment of their client’s tenancy in the cloud for up to three months.
Krige concludes, “We want to make sure that businesses are aware of the elevated risks associated with cloud hosted solutions With the new Joint Standard for IT Governance and Risk Management issued by the Financial Sector Conduct Authority and the Prudential Authority coming into effect on 15 November 2024, South African banks and insurers must have comprehensive business continuity plans in place, and SaaS Escrow is today, a globally recognised business resilience best practice.”