In a SaaS cloud-based environment, the security, data and infrastructure are all outside the end user’s direct control, but while you’ve outsourced the resource, you can’t outsource the risk associated with it sitting in someone else’s environment.

This means you, as the end user, shoulder the accountability and reputational burdens should a software vendor become insolvent or experience an outage that disrupts your business operations.

One of the most common misconceptions when adopting cloud services is that application continuity and resilience is handled for you by your SaaS vendor. Unfortunately, that’s not the case.

In fact, each time you onboard a new SaaS vendor, you’re introducing added elements of risk. Ignore the risks and your SaaS environment, the application itself and all the vital data you rely on could disappear.

And without access to the application source code or live production environment behind your cloud-based application, it will be impossible to redeploy and maintain that piece of software or restore critical data.

Multi-tenant architecture security: An application hosted on a multi-tenant cloud environment shares it with other tenants. If anybody hacks into one tenant’s database, the privacy and data of any other tenant in that same environment could also be compromised.

Concentration risk: The reliance on some cloud service providers (CSPs) and some sector specialist providers, with a near monopoly in supporting particular sectors, means that there is a potential concentration risk. When assessing providers, consider the potential impact a cyber-attack or outage might have across your particular sector and assess your business resilience.

Third-parties’ responsibilities: Many organisations believe their CSP is responsible for business continuity and protecting data. But CSPs only manage the security of the cloud environment itself, not the data you store in it. This means that you are responsible for backing up and restoring it. Hence the term “shared responsibility model”.

Shadow IT: Since SaaS cloud applications can be easier to adopt, and cheaper, than traditional software installation, parts of the businesses may be able to use the cloud without consulting their IT department. Effective due diligence, security precautions, risk mitigation and resilience measures that should take place when procuring software could be bypassed, leaving the organisation open to regulatory and legal issues.

1. Identify and assess the risks

Start by understanding your business objectives and critical applications, and which applications you use that are supported by third parties. Identify and define the security responsibilities across your organisation, the vendor and the cloud service provider. This will be key to finding and addressing any vulnerabilities in the supply chain.

Also, assess your risk exposure across these key areas:

• which data will be shared with the SaaS application and the level of protection needed
• the SaaS vendor’s own commitment to security, their capabilities and resilience
• the SaaS application itself: how critical is the application to your business?
• your own internal technical capabilities: can you maintain the application in-house?

This knowledge lets you build a comprehensive supplier assurance programme to help determine the effectiveness of your suppliers’ security controls.

2.  Develop a business continuity plan

With SaaS applications, your software is hosted in the cloud by a CSP, which introduces more variables and supply chain dependencies.

Before onboarding new vendors or adding SaaS applications, revisit your procurement procedures and include a software escrow into your licence agreements to ensure you have continuity of service and can restore critical data in a useable format.

As part of your legal agreement with the provider, you should also include the requirement for them to report major cyber-security and IT incidents within a tight time frame so you can take appropriate measures to engage your own incident response plans.

3. Test and validate the business continuity plan

Only by testing and validating the business continuity plan can you be confident that it works. A software escrow verification validates the accuracy and usability of the materials deposited in escrow, such as source code and infrastructure as code, and gives you the knowledge required to execute your continuity plan accordingly.

This article was written in collaboration with NCC Group, the world's largest software escrow provider. Visit their insight blog for actionable resources and information.