12 July 2021

Is Software Escrow still relevant in the cloud?

Given the immediate impact of a SaaS outage or supplier failure, organisations must implement business cloud continuity solutions such as Cloud Escrow solutions to ensure the availability of third-party SaaS services.

Within today’s fast-paced modern business landscape, sophisticated software plays a crucial role in an organisation’s ability to innovate and grow. However, organisations that rely on software to run day-to-day operations leave themselves vulnerable if access to applications should ever be compromised.

Given the importance of software for almost every organisation’s performance, an established practice adopted by IT leaders is to implement a Software Resilience solution. There are different ways businesses can achieve Software Resilience, one of which is through Software Escrow. Software Escrow serves as a hugely effective tool in protecting your business-critical assets regardless of whether they're hosted on-premise or in the Cloud.

What is Software Escrow?

At its simplest, software escrow is the deposit of software source code with a third-party escrow agent, such as NCC Group.

The source code is securely administered by a trusted, neutral third party to protect the developer’s intellectual property while at the same time keeping a copy safe for the licensee in case anything happens, such as the vendor no longer being able to support the software. If that situation does happen, the licensee requests a release of the source code from the escrow account and can keep their business up and running.  

Traditionally, businesses have hosted and managed software within on-premise data centres. In these circumstances, a “traditional” or “on-premise” Software Escrow agreement enables organisations to protect their investment and mitigate the risks associated with software failure by having a physical backup or copy of its data, software or applications held securely by a third party.

However, many organisations are now migrating from on-premise software to delivery of software as a service via the cloud (cloud-hosted applications), which poses the question: is Software Escrow still relevant for the Cloud?

Nevertheless, regardless of where the software is housed, there will always be concerns over the protection and continuity of business-critical applications.

Software Escrow in the cloud

The result of moving to a cloud-hosted application is that the production environment of that software (including its object code) will become controlled and managed by the software supplier.

But what happens if the software supplier suffers a service failure, defaults in its service obligations, pulls the plug, becomes insolvent or is forced to sell the related asset to a third party?

Well, other than the customer losing access to the software (including the production environment, and any data it has stored within it), they would most likely have difficulties deploying and managing the application since they have only ever experienced it as a user.

Whilst traditional software escrow agreements relate to more traditional types of software licensing where the customer already has access to the object code due to the licensed software running on its own servers, where does this leave those organisations currently using cloud-hosted software?

What's the difference between traditional and cloud Software Escrow agreements?

With traditional Software Escrow agreements, the material held is typically the software source code. This is still relevant when protecting cloud-hosted software, but customers will also need to protect cloud subscriptions, cloud resource scripts, data, environment access credentials and resource snapshots to ensure complete cloud resilience in the event of failure.

Other features of Software Escrow agreements that are also present in a cloud software escrow agreement are details on how and when deposits are to be made, what happens if critical information such as build instructions is deficient, and, very importantly, the trigger events allowing the escrow agent to release the solution to the customer (2).

What Software Escrow solutions are available for cloud applications?

The two most common solutions we implement for our customers are:

  • Solutions that aim to provide the customer with continued access to the latest iteration of the software supplier’s cloud-hosted application, and its data, within its current production environment (see Escrow as a Service Access). Although this type of solution isn’t appropriate for multitenant environments, it is perfect for off-the-shelf functionality, low risk, or nonessential cloud-hosted applications and where access to data is the main priority.
  • Solutions which aim to enable the customer to replicate (or re-build) the production environment of the software supplier’s cloud-hosted application, so that it can be hosted at a location of the customer’s choosing, or transferred to another third-party provider, who can host it on the customer’s behalf (see Escrow as a Service Replicate). This is preferred when the customer requires complete control of the production environment which hosts the software, and the data stored within it. This might be the case where the cloud-hosted application is business-critical, or the data being held by it is particularly sensitive or valuable, or where stringent legal or regulatory requirements apply.

To coexist with the basic access and replication solution, Cloud Escrow verification is recommended to ensure the reliability of the deposit in a release event scenario. NCC Group’s EaaS verification services may be most useful in the following scenarios:

  • Where the customer does not have its own technical expertise, or in-house technical function, which it can rely on to interpret and validate the technical information provided by the software supplier.
  • Where a cloud software solution is critical to the operation of a business, and the customer wants additional assurance that the service can be properly restored, and the relevant continuity plan enacted, if there is a failure of the software supplier.

Start your journey to Software Resilience today

NCC Group supports organisations with Software Resilience at all stages of their Cloud journey, whether you are born in the cloud or just starting to migrate critical applications. We’re able to show you which processes and policies should be included to ensure the resilience of business-critical third-party SaaS applications.
