Sustainable Resilience in SaaS Environments

Software as a Service gives companies the opportunity to grow at scale, but it also introduces risks that need to be managed.

Neil Bellamy, Head of Technology, Media, Telecoms and Services, says: “When we focus on SaaS, we are talking about a specific type of cloud-based software application, generally licensed to a user on a subscription basis, where the data is stored on the SaaS provider’s servers.

“The uninterrupted access to the SaaS service is a key requirement for you, the client organisation, given how important it is to the delivery of your business services and ultimately your reputation and stakeholder value.”


However, SaaS platforms often fail in this respect, according to NCC Group, which has, over the past 10 years, had to provide assistance to its customers once every nine days as a result of the failure of a SaaS platform.

Simon Fieldhouse, Global Managing Director, Software Resilience, at NCC Group, says: “This suggests that while SaaS is a vital resource, it incurs business-critical risks that can be offset by defining an appropriate software resilience strategy.

“An effective software resilience strategy provides the assurance that critical SaaS services will be safe, secure and always available by guaranteeing access to the application environment, the application’s source code, and the knowledge and guidance to rebuild the application from scratch,” explains Simon.

“This access is legally agreed by all parties and maintains the security of the intellectual property of the supplier while ensuring that you, the client, can maintain your operational resilience by gaining access to the application and your data should adverse challenges materialise with the provider.”

NCC Group recommends the following guidelines when building a software resilience strategy, which will enable businesses to minimise the risks associated with SaaS. These are the nine key stages:

1. Identify and assess

You need to understand your risk exposure in four areas: the supplier’s own capabilities and resilience; the SaaS application itself; your own internal technical capabilities; and your internal operations that rely on the SaaS. A comprehensive risk assessment of these four areas should enable you to identify each use of a SaaS application and classify it as high, medium or low risk to your organisation. These risks need to be tracked and managed because, unfortunately, they are not static and will change over time.

2. Manage risks

Having understood the risks, you need to implement the controls, processes and policies that will allow you to manage the risks across all stages of the software journey, from choosing a supplier, through procurement and use, to software end of life and even provider exit plans. In many sectors, there is regulation around this risk management, so it is essential to have an awareness of the legal requirements when managing the development of the resilience strategy because the regulations become more prescriptive over time.

3. Monitor

As your software requirements change and your portfolio of software providers changes with it, you must monitor, test and verify your SaaS applications so that you have the reassurance that, even after changes, patches, environment updates and so on, you are still able to run the application from what is held in escrow. An escrow deposit that has fallen behind the live service will not rebuild it.

4. Stay aware

Delegate an individual or team to be responsible for managing your SaaS risk. You will need to give them the support and resources to deliver the outcomes you need to protect your investment in the SaaS.

5. Review

Assess the potential cost of failure for any business-critical third-party SaaS application and what is needed to get that service back up and running.

6. Document

Collate an inventory of the tested details of all third-party SaaS applications, including the cloud environments, resources and expertise needed to restore each application.

7. Test

Ensure that you have the capabilities to implement your cloud recovery plan, and test it. Only by testing can you be sure the plan actually works, and you are bound to identify room for improvement.

8. Implement

Engage a third-party escrow provider to deliver escrow as a service (EaaS) that provides access to, or a fully replicated version of, your cloud environment and data, to ensure a faster recovery should an incident happen. Because the escrow holding is a complete copy of your environment and data, it is a high-value target in its own right: it should be stored in line with data protection and privacy legislation (such as GDPR) and actively monitored so that it does not become a route for attackers looking to steal or misuse your data.

9. Take ownership

Ensure that there is clear and dedicated ownership of the cloud resilience solution within your organisation. All too often we see that the escrow of SaaS applications is left to a procurement team who are not aware of changes in the importance of the application to your organisation, and who do not understand the cyber and other threats to the application or the risks associated with its potential failure. Ensuring that the concept of resilience, and software resilience in particular, has a place at the top table is key to protecting the organisation from the risks it faces.

NCC Group’s Simon Fieldhouse adds: “SaaS applications will have an increasingly critical role to play in your organisation. The adoption of a comprehensive software resilience strategy, supported by dedicated personnel, and adoption of enhanced business processes, will ensure your critical SaaS applications are appropriately secured to ensure optimum operational resilience and business continuity.”

For more information about software resilience services, visit NCC Group.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
