Recent research reveals that while SaaS adoption is high, there are relevant reasons to worry about its risks — and to have a contingency plan.

Cloud-based applications and services continue to give companies ever more ways to streamline operations and control costs in the digital economy. However, trusting mission-critical applications and data to a third party is not without its risks.

Significantly, one-third of IT leaders who recently participated in an IDG Research Services survey say they have subscribed to mission-critical software as a service (SaaS) applications for which the provider ultimately failed to meet expectations for support.

This white paper shares insights from the survey about the ongoing proliferation of SaaS, the potential risks of relying on cloud applications, and the actions companies are taking to mitigate those risks.

SaaS adoption rates climb

SaaS has more than doubled in the last seven years. IT leaders reported in a similar 2008 survey that on average, 11 percent of their organizations’ applications were deployed in the cloud, while 79 percent were on-premises software. Today, SaaS has risen to 25 percent of the average applications portfolio, while on-premises software has dropped to 67 percent.

What’s more, this trajectory shows no signs of stopping. More than one-third of the respondents to the recent IDG survey plan to adopt more SaaS applications and services over the next 18 months, while six in 10 expect to hold steady on their SaaS deployments. By comparison, fewer than one in 10 intend to cut back on their use of SaaS.

IT leaders acknowledge risks

Despite their eagerness to adopt SaaS, half of the IT leaders in the survey say they consider it more risky than on-premises software when it comes to mission-critical applications. Another 44 percent say SaaS and on-premises software pose an equal level of risk to mission-critical applications. This did not differ significantly by company size.

There was, however, a notable split in the perception of SaaS risk based on job title. Respondents with titles at the VP level and higher are significantly more likely than those at the director or manager level to perceive SaaS as a greater potential threat to critical operations. This may be because executive management is less handson at the technical level or perhaps has a lower appetite for risk. It’s equally possible that being pushed to adopt cloud solutions for greater agility, lower costs, and faster time-to-market has given top executives a broader awareness of risk than lower-level managers, who are not responsible for purchasing decisions.

Concerns about access to critical apps and data

The majority of the IDG survey respondents (73 percent) say it’s “very important” or “critical” that a SaaS provider allow continued access to applications and data, even if the provider goes out of business. Unsurprisingly, this was a more likely response among those who say SaaS is more risky than traditional on-premises deployment; anyone who believes SaaS poses a particular risk would logically be especially concerned about mitigating that risk.

Well over half of respondents also say they’re willing to pay a flat fee for a contingency plan that ensures business continuity for mission-critical SaaS applications. The larger the organization, the higher the fee it’s willing to pay.

Negative experiences with SaaS vendors

Putting IT leaders’ fears about SaaS risks — and the willingness to pay to mitigate them — into context, the survey revealed that one in three organizations have licensed mission-critical SaaS applications from vendors who ultimately did not meet expectations for application support.

In most of these cases, respondents report that their organizations terminated the vendor relationship. Several also sought legal recourse. When asked to elaborate, IT leaders said:

  • “We scrambled to pick up the application, provide ongoing maintenance, and engage an alternate partner.”
  • “We served them notice for breach of contract and obtained relief for migration to a competitor.”
  • “We transferred the workload to another vendor and filed a lawsuit.”

How can contingency plans designed for the subscriber mitigate SaaS risks before it’s too late?

Disaster Recovery is Not Business Continuity

Disaster recovery (DR) strategies are critically important to establish and understand. However, they do not address all the risks that enterprises need to account for if an application is considered mission-critical.

You need something more: a business continuity strategy that works in any situation not addressed by the provider’s DR strategy. This gives you access to your applications and data to “keep the lights on,” even if your SaaS provider can’t.

Man-made disasters — such as hacking, server crashes, and bugs — and natural disasters that impact short-term availability of the SaaS application are more likely to occur than the catastrophic disasters that compromise a provider’s ability to ultimately survive. Does your SaaS provider have a business continuity plan that can get you through any type of crisis and provide continuous business operations?

Another issue to consider: If your provider cannot recover from a disaster, and ultimately goes out of business, any service level agreement or DR strategy you have in place will provide little benefit. If your provider goes permanently dark, it can instantly cut off access to both your data and the use of the application, taking your company down with it.

To remain operational, you need a contingency plan that ensures short-term access to the application and data — whether by hosting the application in its own data center or in a private cloud — until you can transition to another SaaS provider.

Ideally, your contingency plan should rely on an independent third party that can:

  1. Provide independent access to your data, even if your provider ceases to operate;
  2. Name you as beneficiary to your data and enable continued use of the application;
  3. Provide continued use of the SaaS applications for an extended time while you evaluate replacement options.

This is not to say that companies should reverse their migration to cloud-based solutions; the cloud provides undeniable advantages. However, in a volatile and still-growing market, companies must be prepared for the possibility that their SaaS provider might go out of business, merge with another company, get acquired, or otherwise stop supporting your mission-critical applications.

Prudent organizations — even SaaS providers themselves — must understand the risks of SaaS and have options for mitigating these risks to protect their operations.