Escrow as a service shows cloud is a way forward for software providers

According to Gartner, the cloud computing market will reach $150 billion by 2013, with 50 percent of the world’s applications being held in the cloud by 2015. Cloud adoption is integral to the future of corporate computing, so the potential risks - such as vendor dependency, data possession and data migration - are going to become increasingly significant to organisations.

The perils of the cloud – public cloud in particular – stem from the increased degree of separation between a business and its key applications, data and services. This detachment places full reliance on one or more third parties to preserve and protect your data assets.

For those companies using software as a service (SaaS), business-critical applications are no longer in the hands of the company itself. In this instance, effective business-continuity planning needs to cover the scenario of partial or full supply chain failure. Even if a cloud vendor offers a bomb- and hazard-proof data centre, access to the critical information can never be completely safeguarded. It's vital, therefore, that businesses have a backup strategy specifically addressing the potential failure of each element of the supply chain.

An established practice for business-critical software is to place the software source code in escrow. Under the terms of an escrow agreement, a copy of the source code (and where required, application executables and end user data) is held on behalf of the organisation by a trusted third party with the agreement of the software provider. The information held is updated at regular intervals to ensure that the deposit is up to date and reflects the latest version of the application. Should the worst happen and the software supplier fail or the application become unavailable to the organisation, the escrow provider can legally release the deposit so that the end user can source an alternative supplier and continue operations with minimal disruption to their business.

Escrow is common practice with local desktop software, but can also provide continuity for SaaS – in a provision known as escrow as a service (EaaS).

Nevertheless, there has been much discussion lately of how this would work with cloud computing, and it's been claimed that lack of object code, amongst other factors, renders escrow unsuitable for cloud software.

However, the problem with most arguments against software escrow for the cloud is that they assume a limited escrow service. Using escrow for cloud-based software is very much a viable business continuity strategy – but it must be carried out properly.

For example, many see verification as an optional add-on. Verification involves integrity tests on each deposit to ensure it is accessible, virus free and consists of the correct type of material. However, a watertight escrow agreement would come with verification included, mitigating a substantial amount of risk. Viewing it as an optional extra is not valid for regular software escrow, let alone EaaS.

By the same token, insisting upon regular deposits of code as the supplier updates and maintains the software shouldn't be an added extra – it's a necessity. Again, this is something that should be standard in all escrow agreements.

A further criticism that’s been levelled is that cloud software suppliers won’t want to enter into escrow arrangements with customers who are paying low prices for standardised software. But a standard escrow agreement offered to all customers before they subscribe to the standardised service would reassure customers of the vendor’s stability and commitment to best practice.

An effective cloud escrow service would take a snapshot of the cloud environment – so this would include protection of data deposits and critical data too. This is arguably of greater significance to licensees than the software source code and provides a further layer of security. Updates to the deposit should come as standard too – whether that’s monthly, weekly, nightly or every time data is created or modified – ensuring data is always backed up.

Software escrow does fit with the cloud, and is as important to software as a service (SaaS) as it is to traditional software – the recent criticisms are based on a low standard of escrow. However, escrow providers must ensure the service they deliver is tailored to the cloud's peculiarities and is as foolproof as possible. Verification and updates shouldn’t be optional: there’s too much at risk.

The cloud market is growing at a rapid pace, and businesses need to be aware of the risks as well as the benefits. Escrow is only going to grow in importance for vendors and users, but it’s up to the EaaS providers to ensure their service is as thorough as possible.

Pete Stock is a director at NCC Group. He joined the company after the acquisition of SDLC Solutions in 2010 and is now responsible for the management, development and continued growth of the Group's Escrow division. Pete was the managing director of SDLC from its formation in 2001 through to its successful integration into the Group. Prior to this, Pete’s extensive career in IT has included roles of developer, solutions architect and programme manager.