Software as a service: is the cloud as resilient as you think?

Many businesses rely on third parties to supply their cloud-based applications. But outsourcing any type of cloud software as a service does not guarantee the resilience that you might expect, or your regulator might require.

In a SaaS cloud-based environment, the security, data and infrastructure are all outside the end user’s direct control, but while you’ve outsourced the resource, you can’t outsource the risk associated with it sitting in someone else’s environment.

This means you, as the end user, shoulder the accountability and reputational burdens should a software vendor become insolvent or experience an outage that disrupts your business operations.

Are your third-party applications protected in the cloud?

One of the most common misconceptions when adopting cloud services is that application continuity and resilience is handled for you by your SaaS vendor. Unfortunately, that’s not the case.

In fact, each time you onboard a new SaaS vendor, you’re introducing added elements of risk. Ignore the risks and your SaaS environment, the application itself and all the vital data you rely on could disappear.

And without access to the application source code or live production environment behind your cloud-based application, it will be impossible to redeploy and maintain that piece of software or restore critical data.

Risks of using third-party applications in the cloud

Multi-tenant architecture security: An application hosted on a multi-tenant cloud environment shares it with other tenants. If anybody hacks into one tenant’s database, the privacy and data of any other tenant in that same environment could also be compromised.

Concentration risk: The reliance on some cloud service providers (CSPs) and some sector specialist providers, with a near monopoly in supporting particular sectors, means that there is a potential concentration risk. When assessing providers, consider the potential impact a cyber-attack or outage might have across your particular sector and assess your business resilience.

Third-parties’ responsibilities: Many organisations believe their CSP is responsible for business continuity and protecting data. But CSPs only manage the security of the cloud environment itself, not the data you store in it. This means that you are responsible for backing up and restoring it. Hence the term “shared responsibility model”.

Shadow IT: Since SaaS cloud applications can be easier to adopt, and cheaper, than traditional software installation, parts of the businesses may be able to use the cloud without consulting their IT department. Effective due diligence, security precautions, risk mitigation and resilience measures that should take place when procuring software could be bypassed, leaving the organisation open to regulatory and legal issues.

Three steps to improving business resilience in the cloud

1. Identify and assess the risks

Start by understanding your business objectives and critical applications, and which applications you use that are supported by third parties. Identify and define the security responsibilities across your organisation, the vendor and the cloud service provider. This will be key to finding and addressing any vulnerabilities in the supply chain.

Also, assess your risk exposure across these key areas:

  • which data will be shared with the SaaS application and the level of protection needed
  • the SaaS vendor’s own commitment to security, their capabilities and resilience
  • the SaaS application itself: how critical is the application to your business?
  • your own internal technical capabilities: can you maintain the application in-house?

This knowledge lets you build a comprehensive supplier assurance programme to help determine the effectiveness of your suppliers’ security controls.

2.  Develop a business continuity plan

With SaaS applications, your software is hosted in the cloud by a CSP, which introduces more variables and supply chain dependencies.

Before onboarding new vendors or adding SaaS applications, revisit your procurement procedures and include a software escrow into your licence agreements to ensure you have continuity of service and can restore critical data in a useable format.

As part of your legal agreement with the provider, you should also include the requirement for them to report major cyber-security and IT incidents within a tight time frame so you can take appropriate measures to engage your own incident response plans.

3. Test and validate the business continuity plan

Only by testing and validating the business continuity plan can you be confident that it works. A software escrow verification validates the accuracy and usability of the materials deposited in escrow, such as source code and infrastructure as code, and gives you the knowledge required to execute your continuity plan accordingly.


This article was written in collaboration with NCC Group, the world's largest software escrow provider. Visit their insight blog for actionable resources and information.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.

scroll to top