Within today’s fast-paced modern business landscape, sophisticated software plays a crucial role in an organisation’s ability to innovate and grow. However, organisations that rely on software to run day-to-day operations leave themselves vulnerable if access to applications should ever be compromised.
Given the importance of software for almost every organisation’s performance, an established practice adopted by IT leaders is to implement a Software Resilience solution. There are different ways businesses can achieve Software Resilience, one of which is through Software Escrow. Software Escrow serves as a hugely effective tool in protecting your business-critical assets regardless of whether they're hosted on-premise or in the Cloud.
At its simplest, software escrow is the deposit of software source code with a third-party escrow agent, such as NCC Group.
The source code is securely administered by a trusted, neutral third party to protect the developer’s intellectual property while at the same time keeping a copy safe for the licensee in case anything happens, such as the vendor no longer being able to support the software. If that situation does happen, the licensee requests a release of the source code from the escrow account and can keep their business up and running.
Traditionally, businesses have hosted and managed software within on-premise data centres. In these circumstances, a “traditional” or “on-premise” Software Escrow agreement enables organisations to protect their investment and mitigate the risks associated with software failure by having a physical backup or copy of its data, software or applications held securely by a third party.
However, many organisations are now migrating from on-premise software to software delivered as a service via the cloud (cloud-hosted applications), which poses the question: is Software Escrow still relevant for the Cloud?
Nevertheless, regardless of where the software is housed, there will always be concerns over the protection and continuity of business-critical applications.
The result of moving to a cloud-hosted application is that the production environment of that software (including its object code) will become controlled and managed by the software supplier.
But what happens if the software supplier suffers a service failure, defaults in its service obligations, pulls the plug, becomes insolvent or is forced to sell the related asset to a third party?
Well, other than the customer losing access to the software (including the production environment, and any data it has stored within it), they would most likely have difficulties deploying and managing the application since they have only ever experienced it as a user.
Whilst traditional software escrow agreements relate to more traditional types of software licensing where the customer already has access to the object code due to the licensed software running on its own servers, where does this leave those organisations currently using cloud-hosted software?
With traditional Software Escrow agreements, the material held is typically the software source code. This is still relevant when protecting cloud-hosted software but customers will also need to protect cloud subscriptions, cloud resource scripts, data, environment access credentials and resource snapshots to ensure complete cloud resilience in the event of failure.
Other features of Software Escrow agreements that are also present in a cloud software escrow agreement are details on how and when deposits are to be made, what happens if critical information such as build instructions is deficient, and, very importantly, the trigger events allowing the escrow agent to release the solution to the customer (2).
The two most common solutions we implement for our customers are:
To coexist with the basic access and replication solution, Cloud Escrow verification is recommended to ensure the reliability of the deposit in a release event scenario. NCC Group’s EaaS verification services may be most useful in the following scenarios:
NCC Group supports organisations with Software Resilience at all stages of their Cloud journey, whether you are born in the cloud or just starting to migrate critical applications. We’re able to show you which processes and policies should be included to ensure the resilience of business-critical third-party SaaS applications.
Our experts are here to help you.