IP, Technology & Data

Last February, I blogged about the fallout from data centre provider 2e2 going into administration. The incident highlighted some of the key risks that can arise out of the use of third party cloud/hosted services, such as infrastructure as a service (SaaS) or software as a service (SaaS).

In short, 2e2’s financial position was so poor that the administrators were unable to keep the business going long enough for customers to access their data (and transition to alternative providers) unless the customers provided sufficient funding. For the 9 day period of service proposed by the administrators, this amounted to a shortfall of just under £1m. The majority of this funding was demanded from the company’s 20 largest customers, with all others receiving a demand for a further £4,000 plus VAT.

If the funding was not provided, the administrators stated that they would need to

cease all Data Centre operations with immediate effect without any managed wind-down of those operations.

Frightening stuff for those relying on infrastructure in 2e2’s data centres to run their business.

cloud services and risk mitigation

In my blog, I suggested a number of steps that users of cloud services could take to ensure that they reduce the risk of this happening to them.

These suggestions include ensuring that organisations

  • carry out appropriate supplier diligence;
  • monitor the financial position of their key suppliers; and
  • take proactive steps to ensure that business interruption through loss of a key system or data is minimised

This last step involves reviewing the business continuity arrangements of both your own organisation and your suppliers, and considering what additional steps can be taken to mitigate the risks.

Source code escrow doesn’t help

As I noted in the blog, traditional software escrow is pretty pointless for cloud as it is simply designed to give licensees access to the underlying source code in order for the customer to maintain software that it has already installed on its own systems.

With cloud/SaaS services, the customer never gets access to the software, never mind the source code. What the customer wants is to be able to quickly (ideally within hours) spin up a new server, on alternative infrastructure, hosting the SAAS application, complete with all the customer’s data. Ongoing maintenance of the underlying code is likely to be the last thing on their mind at that point.

One option is to ask the supplier of your cloud service to provide you with a regular (daily/weekly/real-time synched) copy of a virtualised sever containing the SAAS application and your data. But some cloud vendors are reluctant to do this.

A new type of escrow for cloud?

The good news is that escrow providers are now waking up to customer demand and offering cloud focussed escrow solutions.

For example, the NCC now offers a SaaS Assured service. As the NCC says:

SaaS Assured helps to ‘keep the lights on’ while allowing time for end users to source and transition to an alternative solution that fits their requirements

This won’t be a long term solution to any sudden supplier failure, but may just help a business to get through without being held to ransom by the administrators. For any business that is using the cloud for critical business functions/records storage, that is likely to be an insurance policy worth considering as part of its overall approach to business continuity.

Follow me

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.
Follow me