What Contract Risks are Hiding in the Cloud?
July 21, 2015 webinar
Presented by: Tim Cummins, IACCM & David Strouse, Iron Mountain

© 2015 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated. All other trademarks and registered trademarks are the property of their respective owners.

Today's Presenters
Tim Cummins, CEO, IACCM
Tim works with organizations to support understanding of the role that procurement, contracting and relationship management play in business performance and public policy.
David Strouse, Director, Iron Mountain, Intellectual Property Management
David helps enterprise organizations create and implement appropriate solutions to protect their intellectual property assets.

Agenda
Tim Cummins
- Industry Overview & Trends
David Strouse
- What's happening with SaaS today?
- What are your SaaS headaches?
- How do I assess my risk?
- How do I protect my SaaS investment with software escrow?
- What are Best Practices to safeguard SaaS applications and data?
Q&A
- Please submit questions as you have them. Questions will be answered at the end of the session.
A copy of the slides and a link to the recording will be available to all participants. You will also receive a white paper, templates & other materials from Iron Mountain.

IACCM analyzed Cloud Agreements
Comparative length of agreement:
- 9 pages
- 3 pages
- 13 pages
Number of cross referenced documents:
- 7 documents, plus web links, plus Order Form.
- 3 documents: order form and service levels, and the NDA is a separate document.
- 7 documents incl: SLA, Service Terms, trademark use guidelines, Software License and Service Offerings License as well as web links.
Single or Multiple offering:
- Dual offering: cloud services and associated consultancy services. Multiple orders for cloud services may be used against the same terms.
- Single: cloud service only, but multiple in number of cloud services
- Generic framework agreement
Flesch Test (Flesch Target: 50-60; a high score is good):
- Flesch 26
- Flesch 37.3
- Flesch 46.9

The risks behind the Cloud
What we discovered in many Cloud agreements:
- It is not clear what the supplier is committing
- Extensive responsibilities are placed on the customer
- The supplier has few obligations and limited consequences
- The agreement is poorly structured and complicated to interpret

A Paradigm Shift in Technology Delivery
85% of new software is now being built for the cloud - IBM 2013 Annual Report

SaaS is increasingly becoming Mainstream

The Benefits of SaaS are Clear. Yes, But What-If? Then What?
- Bankruptcy or failure to do business in the ordinary course.
- M&A (non-prevailing products suffer from extinction)
- Contract Breach & Disputes
- Force Majeure - Extended Outage
- Need to Execute an Exit Strategy
- Can't Recover Your Data?

How Are You Assessing Your Risk?

What are the Market Realities We See with Enterprise SaaS Subscribers?
- Accepting traditional source code escrow and not thinking through the "what will I do with it?"
- Not unpacking the DR/BC question. A SaaS provider's disaster recovery plan is there only as long as the Provider is.
72% of organizations find it highly important that a SaaS provider offers a plan to allow continued access to applications in the event that they go out of business. - Softletter Research
- Not talking through the RTO/RPOs for their data and access to it in SLAs
- Deploying the application and dealing with it later
Yet, 79% of SaaS providers do not guarantee their subscribers application continuity. - IDG Custom Research

Possible SaaS Risk Contingencies
- Take the application On-Premises
- Hire Managed Service Provider to host and maintain the application
- Recover your data and migrate to a new solution
- Update Your Resume

Introduction to the Contingency Plan
Ask Questions!
- If my application is unavailable, what is the impact on my company and customers in 1 hour, 1 day, 1 week?
- Where is my data and what are my options to get access to it?
- Is my data usable without the application?
- If necessary, could you take the application on-premises or find a new SaaS provider? How long will that take?
- What events will trigger your contingency plan?
- How will you document the contingency and who will be responsible for execution (internally/externally)?
- Is it possible to perform verification testing to ensure the plan works?
- Do you have a repeatable process for dealing with these situations?

How can Traditional Software Escrow be Adapted for SaaS Applications?
SaaS escrow environment runs independently of the provider

SaaS Escrow Contingency Trigger Process
- Problem Occurs
- Subscriber contacts Provider
- Problem is rectified
- Desired Outcome: Application Continuity Secured
- No response
- Subscriber Contacts Escrow Agent
- Contingency Trigger process is invoked
- Access to the Recovery Environment is provided
- Data Recovered

SaaS Escrow Options

Case Study: Three Approaches to Risk Mitigation
Non-Profit Member Organization
- Source Code and Object Code Access
- Code Verification
- Data Delivered Directly
Financial Services
- Standby Replication
- Failover Capability
- Application & Data Continuity
Enterprise Legal Management
- Source Code Access
- Code Verification
- Contingency Planning for Subscriber
- Full Disaster Recovery and Ongoing support

Key Takeaways
- Application Continuity
- Time to Migrate to a New Solution
- Unencumbered Access to Your Data
- Timely Access to Components Necessary to Make Use of Your Data
- Leverage to Optimize the Vendor Relationship
- Satisfy Governance, Risk & Compliance Policy
- Minimize Risk of Loss
- Avoid Litigation and the Courts

Q&A
Want to learn more? Visit www.ironmountain.com/saas or email david.strouse@ironmountain.com

© 2012 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks and SaaSProtect Escrow Service is a trademark of Iron Mountain Incorporated. All other trademarks and registered trademarks are the property of their respective owners.