What happens if the SaaS provider goes pop?

It used to be the case with on-premise packaged software that a copy of the source code of each release was put into “escrow”. If the author’s business went pop, then users could club together and get hold of it to facilitate any changes needed.

Some resellers of on-premise packages also held source code if they were authorised to do modifications, so could step in to help the userbase as a whole.

With SaaS (Software as a Service) applications, there is typically at least two parties in the supply chain, author and hosting company. There can also be resellers and other parties between you and the host. If any one of these businesses goes pop, the service may be lost sooner rather than later

The problem is that the timescale for implementing a replacement system, let alone also selecting one, could be longer than the notice you receive.

For business-critical apps this issue is key. How can this risk be covered?

One suggestion is to run two SaaS systems. Either in different locations, or by otherwise splitting the business in two.  In an accounting practice, one practitioner has suggested using two systems across two sets of clients.

Presumably SaaS code can be out into escrow, but I haven’t seen this happen. But what about your data? Are you taking your own copy regularly in case you can’t get at it suddenly? Is the data conversion process to the second system written and tested?

For business-critical apps in industry and practice, what would you suggest as “best practice” in this area?

Comments

Pages

daveforbes's picture

The key thing is the data

daveforbes | | Permalink

When a vendor goes "pop" - either on premises or cloud, having access to the program code is it really relevant these days ? Realisitcally it is migrating the data that is the requirement.

guyletts's picture

Escrow is over-used

guyletts | | Permalink

Agreed - the data is key. Escrow only really has value if you're procuring bespoke software development for your own use.  It's not just that escrow has no customer benefit for SaaS products, it has no customer benefit for any software product.  If your payroll software vendor goes down, the source code is no use whether it's on-premise or in the cloud.  What you need is the data - and, as Chris indicates, another vendor who can then make use of it.

Escrow is often asked for by default - in my experience by people who don't understand it but somehow feel they ought to have it.  If there's a clear set of circumstances where having the source code will be a tangible benefit or mitigate a specific risk then by all means.  Otherwise the only people who benefit are the lawyers and the escrow providers.

Fifosys's picture

Re-importing data

Fifosys | | Permalink

I would say that not jus the ability to export data but the software should ensure that the data is re-importable in a relatively easy way to a new system. Sure there will be some hassle but minimising that is key.

Our recommendation would always be to ensure a full backup of the data is kept at a different location and for test restores to be done - both onto the current system and, as part of the disaster recovery plan, onto other readily available software.

And finally, and sorry if this sounds obvious, but selecting the right SAAS vendor is important. We're an IT infrastructure company and we tend to recommend clients go with the tried, tested, reliable, safe, large software houses than trying to be too flash with a wizzy, new, bells and whistles provider.

chanpangchi's picture

Hybrid Implementation

chanpangchi | | Permalink

Great question!  

What do we do before cloud?  What was our business continuity plan?  A lot of business had what we called business continuity centre with backup system standby.  So what we should do with cloud?

My suggestion is that we should have a hybrid implementation.  The primary solution is on the cloud but we should have our own copy within our premise.  And as everyone suggest, we backup the data from cloud to our backup within our premise.

Cloud may be new!  But BCP / DRP is nothing new!  We just need to re-examine our existing BCP / DRP and incorporate cloud into our BCP / DRP.

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/

daveforbes's picture

not just cloud

daveforbes | | Permalink

It is not just cloud - in on premises land some software vendors make it difficult if not impossible to migrate data to tie users in.

Perhaps it is time for all vendors (cloud or otherwise) to come out with some statements on the openness of their data.

These statments could then be independently verified.

dahowlett's picture

Duh?

dahowlett | | Permalink

What a silly question. When was the last time a SaaS vendor of business critical data went pop? Old adage: software companies dont die they get acquired.

Castroggi's picture

Business Continuity

Castroggi | | Permalink

On the contrary, as a provider of SaaS I think it's an entirely fair question.

Our business is debt free and privately owned by its directors so very low risk, but even so we encourage clients to backup and download those backups to a safe local location (this in addition to the frequent automated backups we make to a different server centre in a different city).

In extremis the code would also be made available but in any event our application is SQL based rather than a proprietary db, there is a high probability that the data can be read, reconfigured, and represented in a meaningful way.

Regards, Paul

chanpangchi's picture

Would American International Group (AIG) collapse?

chanpangchi | | Permalink

If someone asked me if there was any chance that AIG collapsed before 2008, LOL, NO WAY!

Lesson learnt is that no matter how small the chance is, we have to prepare ourselves.  Otherwise, AIG is a very good example.

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://www.algconsultings.com/

dahowlett's picture

There's a difference

dahowlett | | Permalink

....between doing due diligence and ringing the doom bell of disaster. Of course any business can go under but that ignores the fact there has NEVER been a case of a mission critical business application provider  leaving customers in the lurch. EVER in more than 100 years of computing history.

In any event, good advisers know how to manage software and data so I repeat - it's a silly question. 

And brining in the AIG question is just plain crass. That was a very specific issue under very specific circumstances. 

C'mon people - talk sense not insanity.

daveforbes's picture

@dahowlett

daveforbes | | Permalink

Just tell me of one occasion in the past when my house has burnt down.

guyletts's picture

Might want to move for other reasons

guyletts | | Permalink

There have been at least two high profile cases this year where SaaS vendors (in the U.S. & not accounting) have hiked their prices aggressively.  If I were a customer of theirs I'd want the option of voting with my feet and taking my data with me.

Not so much because of the price increase as the inept way they handled it.  Maybe they had VCs breathing down their necks and it affected their judgement?

'Hope for the best and plan for the worst' is another useful phrase, Mr. H!

(And on a point of terminology, please could we avoid the pejorative references and call new companies 'innovative' rather than 'wizz bang & probably flakey'?  Some of us used to work for the larger corporates but we are embracing the coalition-favoured zeitgeist in a spirit of enterprise & citizenship!)

daveforbes's picture

googlywoogly

daveforbes | | Permalink

I just googled

"customers left in the lurch by business software provider"

(very specific I know)

but I think there must be at least 1 in the last 100 years.

chanpangchi's picture

Australia's Virgin airline suffers check-in system outage

chanpangchi | | Permalink

The problem began at 8 a.m. Australian Eastern Standard Time), and lasted for 21 hours, until 5 a.m. today. The airline said it was caused by a failure on servers hosted by IT supplier Navitaire, that run its reservations and check-in system.

http://www.computerworld.com/s/article/9188146/Australia_s_Virgin_airline_suffers_check_in_system_outage

Just 2 months ago.

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/

dahowlett's picture

Wrong

dahowlett | | Permalink

That analysis is wrong...read better informed people 

dahowlett's picture

Wrong again

dahowlett | | Permalink

With all due respect to Mike who is a close colleague - he's blowing smoke on this one. And he knows it. When you look at the FACTS - server failures in SaaS that lead to catastrophic failure (which is NOT what we're debating) are very few and far between. They are almost ALWAYS caused by poor architecture. As was the case with Clearbooks recently.

dahowlett's picture

Wrong again

dahowlett | | Permalink

This is NOTHING to do with the argument about a company going pop.  

dahowlett's picture

Not on topic but...

dahowlett | | Permalink

 @guy - this is nothing to do with the topic but I will deal with the point. Due diligence and attention to detail ni the pre-sales situation solves these problems...

chanpangchi's picture

Salesforce.com outage - systems can go down

chanpangchi | | Permalink

http://www.networkworld.com/news/2010/031110-salesforce-outage.html

No matter it is within your data center, outsource to IBM's data center or even up in the cloud, system can fail.  Theere can be many reasons, bug, human error, hardware failure, network congestion... whatever the curcumstances, systems can fail.

Sometime, it fails just after month end when everything is done and we don't care.  Sometime, we may not be that lucky and it fails at the most critical moment, the moment that you have been waiting for your whole life!

Is it a sales pitch?  I let you to figure out!

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/

dahowlett's picture

Wrong yet again

dahowlett | | Permalink

If you're going to point to links then at least have the brains to figure whether what is being said is real.  

garyturner's picture

Sigh

garyturner | | Permalink

Yet another negative debate. Look, I realise that anything north of armageddon comes across as biased shilling, and therefore is verboten under the universal rules of the house, but, really?

Is it a thought crime to actually hold positive thoughts about cloud computing?

daveforbes's picture

It did all start well balanced

daveforbes | | Permalink

It did start all quite balanced .... escrow possibly not relevant any more for cloud or on premisis, getting data out was the critical thing.

Then suddenly it got very polarised.

Maybe there should be a debate on why discussions about cloud get very polarised. I have a few theories.

chanpangchi's picture

Should we only consider it is a disaster if our SaaS provider go

chanpangchi | | Permalink

What if we don't have the services for a month? a week? a day? an hour? 

If a global accounting firm migrate to their email services to SaaS and the sevices go down for 4 hours; is this a disaster? 

I have enjoyed SaaS a lot.  I have used email, web hosting, online storage, collaboration, CRM but I have a backup plan for each one of them.

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/

daveforbes's picture

Hmmmm

daveforbes | | Permalink

I thought it stayed quite balanced and sensible until someone came in and said "duh - what a silly question" and then it all kicked off.

chanpangchi's picture

Great SaaS (Cloud) future

chanpangchi | | Permalink

I think SaaS has great future.  I use it a lot and I encourage all my clients to seriously consider it.  However, it doesn't mean SaaS is perfect and we would NOT have any trouble from SaaS,  We should also consider the risks and find ways to mitigate the risks.

Risks can be disastrous or it may just cause us inconvenience.  We don't know until we evalute them.

I think Chris started a very good question and most of the discussion are very informative.  There is NO silly question!

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/

dahowlett's picture

Idiotic

dahowlett | | Permalink

...don't go there Dave.... it's specious baiting talk as you very well know

daveforbes's picture

sorry for being idiotic and baiting

daveforbes | | Permalink

@dahowlett

I notice that your comment "no business software company in the last 100 years has left its customers in the lurch" has disappeared. Now that comment  I would describe as baiting. The removal of that comment after people have responded it makes later posters seem rather extreme - but in fact they were just reacting to a comment that was left by you. 

 

EDITED: you can call me idiotic after all - your comment is still there. My scrolling skills have not fully woken up yet.

challisc's picture

Some further ideas – other contributions that add to the debate

challisc | | Permalink

Field service management is at the critical end of business critical. If the system is unavailable the engineers are immediately left twiddling their thumbs. I asked the MD of a SaaS company what he had to do to satisfy his corporate customers to cover the risk of provider failure. Two things:

  • His service runs simultaneously with two hosting providers. A third could easily be added if one went pop, given the technology he uses. This approach addresses other continuity risks in addition to financial ones.
  • He also puts source code into escrow in case his company goes pop and fixes/development are required.

The Cloud Industry Forum are just launching a Code of Practice. It suggests hosting companies can and should continue to provide service to end-users if any intermediary goes pop. For how long and on what commercial basis is up to the hosting company.

The Code also highlights the need for end-users to be able to get hold of their data, as mentioned above.

The combination of the ideas above neatly addresses the issue of a cloud provider going pop. Hopefully any additional costs would be relatively modest and acceptable for business critical apps.

It was good to be reminded that software companies and resellers are typically taken over if they go pop. But would you rely on that for a business critical app? Especially given the likely time delay between loss of service and its reinstatement (unless there is some continuity arrangement in place). 

The key to realising the undoubted benefits of the cloud is to do so safely. With the industry in its relative infancy we need to foresee the issues and plan accordingly.

What further ideas are there for how providers or end-users can address the risk of a provider going pop?

Brightpearl's picture

Escrow

Brightpearl | | Permalink

We've looked extensively into escrow for Brightpearl, but there is no easy or cost effective solution for software that can change as often as every 2 weeks. Back in the day, when Brightpearl used to run on one server, a client *may* have been able to get back on their feet with a copy of the source code but now, with the system running across multiple servers in different data centres, multiple code languages and with obviously tight hardware security restrictions in place, I would not expect a client the size that ours are (<50 staff) to be able to run Brightpearl on their own in a month of Sundays.

However, we get asked the question "what happens if you go pop?" very regularly. It's a challenge for any business critical SaaS startup. Salesforce, Netsuite, Twinfield - these guys are large enough to not warrant the question so often I guess. 

So what do we do to answer the question? We give users excellent access to download all their business critical data as often as they like. You can produce reports of all critical data in Brightpearl and download to Excel. If you're smart enough you could even put this data back into Sage with a little trickery.

We've also got solid investors behind us and a great growth curve to give buyers confidence.

Of course this isn't a new issue just for Saas players - look at the recent withdrawal of MYOB from the UK market. Although less critical for businesses owners in that their system doesn't just disappear overnight, they are left with a legacy product that has no continued support. Extracting data and migrating systems is the same headache for them too.

-- Web based Accounting and CRM in one place : www.brightpearl.co.uk

Hosted Desktop UK's picture

Security ideas

Hosted Desktop UK | | Permalink

Chris posed this question above: “What further ideas are there for how providers or end-users can address the risk of a provider going pop?”

 One of the ways we at Hosted Desktop UK Limited (hosted desktop / on line cloud server providers to the accountancy profession) provide re-assurance to our clients is to provide a real time backup of all client data back to their site.That way, client data is held on our servers, on our reserve servers at a physically different location, and then the data is held back in the clients own premises.See our website www.hosteddesktopuk.co.uk for more information.

guyletts's picture

Transparency would help too

guyletts | | Permalink

One big difference is that the default position with SaaS is that you cede control over your data to the supplier and currently that’s on technical and commercial terms that are often vague, absent, or buried deep in terms and conditions.  Ultimately it’s always your responsibility to safeguard your data.  Now it may well be that delegating that with SaaS means your data is far better protected than if you were doing it yourself.  But that’s not certain.  The lack of clarity is a problem and in the absence of some sorely needed industry standards I think the two most helpful things a vendor can do are:

-          Be specific about baselines.  What is the worst case loss of data in the event of a failure: a second, a minute, a day?  Then the customer can incorporate that into their plans.

-          Continue to educate and inform the customer of their need to make DR plans to minimise business disruption, such as the procedures to be invoked for some kind of fall-back operation.  This should also incorporate preparation for other disruptions such as internet outages.

Brightpearl

Mikerichards | | Permalink

I was very interested to read Brightpearl's response but it is untrue. As a user I have written 2 letters to the MD asking if we can have access to download all our data on a regular basis -I have had no reply from either letter.

It is true you can export pre existing standard reports to csv files but to cover enough ground to give you a genuine history of everything in the event of the business collapsing would take half the week - then you would have to start again!

What we need is a method of downloading in one hit everything so that someone with the relevant skills could read it using a tool like Crystal reports or similar - Unfortunately if you are not an IT geek the responses from the likes of the support team are unintelligible.

We are feeling very precarious at present

chanpangchi's picture

Windows Azure

chanpangchi | | Permalink

Did anyone try Windows Azure?

http://www.microsoft.com/windowsazure/windowsazure/

Windows Azure provides business with on-demand compute and storage to host, scale, and manage web applications on the internet through Microsoft datacenters.   We virtually rent a server that is hosted by Microsoft and we deploy whatever applications we use.

Together with Open Source, it may give us a better control on our critical business applications.  We have the source code (i.e. this is why it is called Open Source).  We deploy the application to the cloud (Microsoft Azure is only an example, there are many similar services providers) and we can run a backup on a desktop within our premise or we can find a second service provider.  We sync our data at whatever interval we choose.

 

So if Microsoft Azure pops, then we just deploy our applications to another service provider.

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://www.algconsultings.com/

chanpangchi's picture

Exporting Data from SQL Azure: Import/Export Wizard

chanpangchi | | Permalink

It is an article from Microsoft and it illustrated how to export data from cloud or reverse.

http://blogs.msdn.com/b/sqlazure/archive/2010/05/19/10014014.aspx

With cloud database, e.g. SQL Azure, we have much better control on our data.

Again, SQL Azure is only an example that I am more familiar.  So if you do some googling, you should be able to find the providers you want.

If you need more insights on Azure, you are welcome to email your questions to me.

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://www.algconsultings.com/

daveforbes's picture

What happens when accountancy practice goes pop ?

daveforbes | | Permalink

Perhaps SaaS could adopt some of the established ideas.

Richard Messik's picture

Data availability is the key

Richard Messik | | Permalink

 I dont understand why you guys are always going for the negatives. Obviously in the unlikely event of something going wrong with a provider it is important at the outset to establish how easy it is to get hold of the data. Some of the more established providers have arrangements with their hosting companies that data would be available for a period of time after a business closure. Likewise if the SaaS application is a good one it will be easy to download data on a regular basis if this is something that is a concern. As with so many of these arguments it is very much a non point.

daveforbes's picture

@Richard Messik - getting out the data

daveforbes | | Permalink

Perhaps somebody could survey the providers produce one of those big grids with with lots of columns

There was a list of SaaS providers listed on some other thread which could compromise the first column.

Questions could include .....

1. Is it possible to export 100% of the data stored for a particular client in a single operation.

2. If not 100%, what data is not included.

3. In what format is the data exportable.

4. For an accountant dealing with multiple clients is it possible to do this in a single operation for multiple clients.

5. Is it possible to automate this as an scheduled, say one a week, process.

6. Can you supply a URL to the step by step instructions for users to do this.

 

daveforbes's picture

and ...

daveforbes | | Permalink

Just read your post

 

7. Please provide details of arrangements with your service provider to allow access to data in the unlikely event of business closure.

Bob Harper's picture

Am I missing something?

Bob Harper | | Permalink

How about a TB is run at the end of each month after the bank has been reconciled then if a system is unavailable it is just a case of loading opening balances and a journal.

Worst case is that the system is unavailable on the last day of the month so the last month books need top be re-entered but that would be good training on the new system.

Bob Harper

Portfolio Marketing 

david_terrar's picture

Unhelpful debate on a real issue

david_terrar | | Permalink

I'm with @dahowlett, @garyturner and @Richard on this.  Why does this debate have to be couched in such loaded and negative terms?  I would ask anyone who's been in the software business for any length of time just how hepful ESCROW is, but that's another story/argument.  You need to do due dilligence on your provider and understand the terms of service covering this aspect.  All of the 3 major cloud vendor groups in the UK (Intellect SaaS Group, EuroCloud UK ad BASDA Cloud SIG) endorse the best practice defined by the Cloud Industry Forum.  The CIF board has a mix of vendors, customers, consultants and industry representatives and so looks at this from all sides. 

http://www.cloudindustryforum.org/

David Terrar

www.d2c.org.uk and www.twinfield.co.uk

challisc's picture

Why discuss this subject?

challisc | | Permalink

Richard asks "why you guys are always going for the negatives" and suggests this question is a non-point.

  1. The benefits of SaaS are clear. What isn't yet clear to many people is what the risks are and how to manage them, to reap those benefits on an ongoing basis. This forum is a good way to exchange views and information, if contributions (including disagreement) are made in positive spirit
  2. SaaS providers vary, and nothing can be taken for granted. As has been indicated, getting data is not always easy. In this and other areas, many providers need to improve when providing business-critical apps.
  3. We're not just talking about software for accounting firms, but apps in business that can take many weeks or months for a replacement system to be implemented. Depending on choice of SaaS apps, that can mean going back to on-premise with all the delay and expense that entails, and which is therefore best avoided

The industry itself has acknowledged through the formation of the Cloud Industry Forum (CIF) that there are issues such as this that are slowing down adoption of cloud. As an existing user, Mike has said "We are feeling very precarious at present". So how can issues like these be tackled, for the benefit of existing SaaS users and the providers who want to sell more?

CIF's Code of Practice encourages providers to be clear in publicity and sales proposals how they address this and other issues, but from necessity are leaving it to providers to say how they are doing it.

So discussing this issue is part of determining what users should be looking for when selecting a SaaS system, or discussing with existing providers.

carnmores's picture

of course its a reasonable debate

carnmores | | Permalink

and it is characterised by those with clear vested interests shouting the loudest .... how unusual....

challisc's picture

By coincidence...

challisc | | Permalink

.. I have just received a newsletter from a SaaS provider, which still provides on-premise software. The document starts by talking about "numerous benefits" of the cloud and then asks "But what about the potential risks?"

They then say "With proper planning and the right tools, companies can take advantage of the benefits of a cloud environment and mitigate potential risks." That's exactly where I'm coming from.

The paper isn't comprehensive, and is focused on the larger organisations this company serves. Nonetheless it's a good intro for businesses of all sizes.

The company is obvious from the link address:

http://www.sap.com/community/flash/10_2010_Security.pdf

 

 

daveforbes's picture

negativity is inherent in the subject matter

daveforbes | | Permalink

@david terrar

It does sound not any more cheerfull in points A2.4 and A2.5 in you cloud industry code of practice !

Reading the code of practice it all sounds eminently sensible. The only thing I would possibly change, is to move A2.4 and A2.5 from under the blanket introduction saying "these would normally be under non-disclosure" into a "shout it out loud" section.

 

 

petersaxton's picture

Yes

petersaxton | | Permalink

 “Am I missing something?

How about a TB is run at the end of each month after the bank has been reconciled then if a system is unavailable it is just a case of loading opening balances and a journal.”

Yes, you are.

There would be no details available of who owed what or who was owed money.

There would be no history of sales.

Proper accounting records would not have been kept. I admit it may not result in any penalties but I would prefer to have the option of retaining all accounting records.

John Stokdyk's picture

Can we have a grown-up discussion please?

John Stokdyk | | Permalink

I'm sorry this thread kicked off into unseemly squabbling over the weekend, from what appears to be deliberate trolling from Dennis Howlett. Please note AccountingWEB's terms and conditions about refraining from abuse and abide by them.

I'm entirely with Chris on this - it's a perfectly fair question to ask, and one that any sensible accountant would do as part of their due diligence. Calling people idiotic and ill informed is out of order and the way you are behaving does a disservice to the industry sector you're purporting to represent. When you slag off David Forbes, for example, Dennis, you fail to have taken note that he is now working on Cloud applications.

I'm equally disappointed that Gary Turner and David Terrar have adopted the "why is everyone on AccountingWEB against the Cloud?" stance. That too is a misrepresentation. This is a group for people who are interested in the technology and it's perfectly fair for them to talk around the positives AND the negatives.

In this forum, Gary, you can be as positive as you like about the Cloud and your products as it is relevant to the points being discussed. It would also be a breath of fresh air compared to some of the posts that have been made. I would also refer to you the pro-Cloud threads on Total Cost of Ownership comparisons and Flexibility and business continuity advantages. At least you've commented there Gary, but it still surprises me that people are drawn to squabbles like this one rather than discussing the issues that should matter to AccountingWEB.co.uk members.

 

Bob Harper's picture

Add to the list

Bob Harper | | Permalink

@Peter - add to the list:

  • Monthly debtor and creditor reports
  • Sales ledger
  • VAT account/summary for each quarter.

Would that make a non-issue of the potential problem?

Bob Harper

Portfolio Marketing

 

chanpangchi's picture

How about in the middle of M&A?

chanpangchi | | Permalink

Or you are trying to get money from an angel fund and your critical business apllications fail.  That would be a very good impression!

Do any of you buy insurance?  I have insurance and I hope I would NEVER need to claim any of them.  I want to prepare the worst for my family.  Do you want to prepare the worst for your business?

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://www.algconsultings.com/

Pages

Add comment
Log in or register to post comments
Group: Cloud Computing for Accountants discussion group
A place for accountants to share their thoughts about web-based systems