Debbie Wilson

A member of the Gartner Blog Network

Deborah R Wilson
Research Vice President
4 years at Gartner
12 years IT industry

Deborah Wilson, a Gartner research vice president, covers procurement strategies and applications. Her areas of interest include procurement transaction automation, e-marketplaces, e-sourcing, spend analysis, accounts payable automation… Read Full Bio

Coverage Areas:

SaaS Business Continuity Risk Mitigation . . and the Supplier Community

by Debbie Wilson  |  July 22, 2009  |  8 Comments

I’m working on some research on the topic of SaaS business continuity risk mitigation. It’s a fascinating subject because without a doubt – some day – a major SaaS vendor will suddenly close its doors and leave its customers high and dry.  When a vendor for an on-premises solution stops supporting a solution, for whatever reason, its customers lose technical support but can still run the application.  With SaaS, however – the customer of the unfortunate vendor may loose access to its data, functionality . . . . and . . . . .ever more, its community!  Just think – all those suppliers – suddenly nowhere to log in to pick up orders, check invoice status, check inventory levels to determine whether to send replenishments.  Clearly buyers and suppliers could just simply go back to the old fashioned fax, email, account exec picking up data . . . .and it would work.  Maybe sortof kindof anyway, especially if buyers and suppliers hire some short-term administrative folks.   

I know my readers are a clever bunch, and I’m wondering if any of you have thought about this and would like to share some other ideas.  I’m all “ears!”  

8 Comments »

Category: Multienterprise Business Process Platform Risk Management Software as a Service     Tags:

8 responses so far ↓

  • 1 Subraya Mallya   July 23, 2009 at 3:40 am

    Debbie
    I had a chance to define some process for some of the prospects of our solution in my last job. Also I have written about the same in my blog (under the SaaS Buyer’s Guide) where I recommend customers have escrow process for their data and application defined as part of the contract. The details in the escrow clause should include getting a dump/slice of your data from a Multi-tenant instance along with the application and configuration documentation.

    Typically, SaaS vendors provide User acceptance/QA instances besides production but I recommend that customers have a similar instance re-created on-premise (or in another cloud) with the data and app their receive under escrow (if possible). This obviously reduce the cost-benefit value proposition but does product risk mitigation in terms of business continuity.

    Personally think something like a Amazon EC2 would work perfectly for such a setup at a fractional cost of an on-premise instance.

    This would still leave void in knowledge around activities like administration, configuration management etc. But better than nothing.

    Subraya Mallya

  • 2 Debbie Wilson   July 23, 2009 at 9:35 am

    Thanks for your comment Subraya – and I see you have an interesting website prudentcloud.com.
    We have looked at escrow and in terms of SaaS I have to say its not looking so attractive – least of which is the idea that most SaaS solutions run in a highly customized operating environment (and this is according to the vendors) and nobody seems to document the set-up /config just in case . . .

  • 3 Kevin Cornish   July 30, 2009 at 1:47 pm

    Hi Debbie-

    Thanks for your post- I think you’ll find some helpful SaaS related information on my new blog http://www.atrisk.net let me know what you think!

    -Kevin

  • 4 Julian Cook   August 13, 2009 at 2:50 pm

    I work for an ISV called RainStor that launched a cloud archive service a few months ago. We’ve focused on delivering application retirement solutions initially that allow companies to preserve historical data from legacy applications in the cloud. However, we’ve also been asked by customers, partners, commentators, analysts etc. etc. how our cloud archive service can be used for “SaaS data escrow”. There seems a real and immediate need!

    In my view, data escrow allows companies to protect and insure the data that resides within their SaaS applications by keeping a copy with a neutral 3rd party. There are many and various reasons for considering SaaS data escrow including concerns about vendor viability, unplanned service outages and potential data loss or corruption. Many businesses are also keen to ensure that they’re complying with their own data governance standards or want improved reporting and business analytics against their SaaS data

    We’re keen to understand in more detail why and how companies might use cloud archive services to keep a copy of the data within their SaaS applications so we’re running a survey. The survey is available at http://tinyurl.com/kl5l86 and the results are available to anyone who particpates.

  • 5 Debbie Wilson   August 13, 2009 at 4:57 pm

    Thanks for your comment Julian. I like the idea of data escrow much better than the idea of code escrow- but from our research we are noticing that one must be really careful in terms of defining what data is to be kept – and that the definition should go well beyond record/transaction data.

  • 6 Lincoln Murphy   August 20, 2009 at 6:00 pm

    @Debbie – I responded to a post on CloudAve by Ben Kepes titled “SaaS Certainty – Escrow is the Answer ” and thought you might be interested in both his original post and my (possibly too-long) response in the comments. Find the post and comments here: http://bit.ly/A42D4

    I thought it was better to just link you to it rather than copy my thoughts here. I’m happy to chat with you on my thoughts regarding this subject as well. Feel free to reach out.

    @Julian – RainStor is interesting… in my comments to Ben, link is above, I note the value of Application Continuity over access to the data. I wonder how you deal with situations where the context of the data is within the application itself. I’ll explore your solution in more detail, and perhaps this isn’t the best venue to play out the pros/cons of RainStor (feel free to ping me on Twitter or any other media) but this is something to consider as well.

    Lots of folks bring up the issue of vendor lock-in around the data… well, if you can take your data, is it still as valuable without the context of the application? I suppose its not completely without value, but the application often provides much of what makes it usable.

    Interesting stuff…

    - Lincoln Murphy (http://twitter.com/lincolnmurphy)
    Sixteen Ventures

  • 7 Ben Kepes   August 20, 2009 at 7:04 pm

    Debbie – great to see someone within trad analysis is thinking about this stuff (hell thinking at all is good ;-) )

    Keen to talk about this stuff – drop me a line

  • 8 Debbie Wilson   August 25, 2009 at 10:12 am

    Thanks for your comment Lincoln – sorry with the longer comment, your post did get snaggled by our comment management filter. I just noticed it today (still getting used to this software – what can I say.)
    Anyway, I agree with you – and in fact the research we published on this topic does warn about the potential limited use of escrowed data without context, your community, and without administrative data such as business rules & access rights. One thing I realized in this process is that “SaaS” apps is a very big bucket ranging from simple Google docs type apps to full ERPs. The risk profile and resulting mitigation must vary based on the situation.