Keeping your property in the clouds

When the earthquake hit Sumatra, what was your first thought? Probably not, will my online data service still be available?

But perhaps it should have been. With the move towards Software as a Service, multiple dependencies are being created with entirely new points of failure. Most SaaS vendors do not maintain their own in-house IT infrastructure. Instead they largely rely on outsourced service providers to provide the ultimate server farm on which their applications – and your data – reside.

One of the leading cloud computing data centres is based in San Francisco. And according to geologists, the big tectonic shocks in the South Pacific are likely to have weakened the San Andreas fault.

With “the Big One” moving a step closer, you need to start looking into where an hosted solution is physically based. It is also worth asking the question, what happens if the lights go out at my SaaS operation? While it appears that ASPs have ridden out the recession well, applying business continuity approaches to hosted solutions increasingly makes sense.

“People who enter a relationship with a third party have to bear in mind the worst case scenario, yet that is not mormally considered at the start. You need to think about the dependencies and what would happen if there was a problem,” says Jon Leigh, operations director, escrow, UK and Europe for NCC Group.

His company specialises in the arrangements necessary for rescuing clients in such a situation. Escrow involves a service provider giving a deposit of its programme to a trusted third party like NCC who can then unpick the “end of life” relationships. “You have probably got a service level agreement that spells out what the service provider has to do in a given time scale. What that may hide is your underlying assumptions as to who owns what,” says Leigh.

The most overt risk is from a service falling over and leaving your own systems unable to function. For example, if an online data service is embedded in data verification as part of transaction processing, its absence may stop you being able to take any more orders.

But there is also a risk of losing more than just availability. “How is your data backed up and who has access to it? Most good outsourcers have back-up in place, but where is your access point?” asks Leigh. Even escrow deposits can turn out to be less useful than might be imagined – often multiple terabytes are handed over which do not provide a roadmap as to what is application data or operational data.

As a SaaS client, you are also dependent on what SLAs and escrow arrangements your vendor has made with their own outsourcers. While you may have UK-based account management for your hosted service, it could be a US operation with American cloud computing behind it. In a worst case scenario, your data may have been backed up or deposited in escrow, but those files could be in a bunker in a US state.

Many of the online data services are plugins to larger web operations, such as data validation. Their absence may be awkward, but there are multiple rivals who could step in if the failure is final. Apart from a short-term loss of trade, the downside risk is relatively limited. That is less true of more marketingfocused hosted services. Some of the bestknown solutions are all-in-one customer, prospect and campaign management applications. Marketing departments use them as productivity tools, including building segmentation or predictive models within these online environments.

In this scenario, the potential loss could be more significant. “There are two sides. The first is the basic one of extracting your data and just getting it back. That is a practical issue of escrow and is down to your confidence in the contract,” says Ilya Kazi, partner at Mathys and Squire, a lawfirm specialising in patent applications.

“The second is how you have been making use of your data. You may not just be running a database, you may have put code on top of it for modelling. That is not just a database right, it may be your sole intellectual property,” he says.

Facebook provides a prime example of how it is wrong to assume that an hosted service just lays claim to its own application data. “They’re providing the service for free and in return it says that they own any data you put into it. That may be reasonable for a social network, but if you are paying somebody to host your database, it is less so,” says Kazi.

While the focus may be primarily on ensuring privacy and the security of personal information in the SaaS environment, the potential value of intellectual property being built up should not be overlooked. A key element of many hosted services is to provide analytical tools for clients to build their own routines. Stumble on an incredible new algorithm for predicting response and you might not actually own it.

“You own the database right and copyright in your data. But what if you want to file a patent on something you have built?” asks Kazi. That is when the small print in the contract may emerge as a barrier to cashing in. To avoid just this sort of situation arising, Coremetrics takes the approach that, if it can’t do it for you, you probably don’t want to do it. “We also provide a solution to clients’ requirements from within our main product, not by customising for every single client. As a SaaS provider, that is a logistical nightmare when you do a new product release,” says Craig Whiston, client services manager for EMEA.

Contracts explicitly state that, while the client owns the data, Coremetrics owns the application. “The most important piece of information we collect is on website visitors, not anonymous people. Hopefully, clients are able to add identifiable pieces of infromation to that, such as an email address. If they couldn’t take that data out, they would lose the value of all the information they had been collecting,” he says.

Many clients do extract data to use in other tools, such as business intelligence applications, so there is a constrant stream of data extractions. Wehkamp in the Netherlands takes its data into a SAS platform for analysis and follow-up, for example. But Coremetrics also offers a suite of other tools, such as reporting and analytics to support clients within its hosted environment, without having to leave it for other applications.

As the fee payer, it is all too easy to assume that you hold the whip hand. Yet most standard terms and conditions strongly favour the service provider. It is perfectly legitimate to cross out any conditions you do not agree with or ask for changes, yet most sales people working for SaaS organisations are not empowered to make them.

If you have worked in the data industry for a decade, you will probably know the story of the High Street bank which signed on for three years with one of the first major hosted marketing applications. After year one, it was so dissatisfied, it wanted to break the contract, only to find that the contract was watertight and would have made it too expensive to do so.

Stumble on an incredible new algorithm for predicting response and you might not actually own it.”

Steven Day, director of UK Changes, says his company has not encountered any such challenges. “We make it clear that intellectual property in the data is the clients, IP in the way the database is built and presented belongs to us,” he says.

Day argues that clients should not get too hung up on legal finery. “Before you start going through the detail of what the agreement is, you have to understand what you are trying to achieve. If you have got a topline heads of agreement, everybody understands in normal language what is being described,” he says.

Even so, clients have become more sensitive around issues such a licencing and also disclosure, with multiple non-disclosure agreements limiting what the service provider is allowed to say. Data security has also risen up clients’ agendas, with business continuity getting more attention, too.

“We have got a disaster recovery plan in place. How many other data bureaux do?” he wonders. A secure facility holds back up copies on behalf of UK Changes and is regularly visited by Day and other directors. At Postcode Anywhere, co-founder and IT director Jamie Turner says: “Because we don’t store data, we give access to data, the issue doesn’t come up very often.” Ironically, as an online business, his company realised five years ago that it could migrate its service into a commoditised data centre, only to have it go offline within days.

The cause was almost certainly impossible to foresee – burglars targeting a neighbouring business cut through all the telephony cables serving the industrial estate where the outsourced data centre was based. That exposed its own dependency on a single point of entry for multiple access lines.

“We realised we couldn’t have all our eggs in on basket by using a single data centre. One of the expectations of an online service is that it is always there and available. Even in the middle of the night, we’re doing doing lots of interactions as people place orders online,” says Turner.

Now his business uses multiple commercial data centres in the US and Europe and is planning to introduce one in Asia Pacific to support its Australian client base. But Turner says he is wary of going into a cloud environment for the simple reason that the ultimate data centre is not visible and could be in an exposed area like California.

What that reveals is the extent to which the Internet has internationalised all aspects of business, and also that critical dependencies could lie at the end of an unexpected path.

You might think of your online data service as being as solid as your office building. But the servers it relies on could be hosted on less substantial ground.