Discussion on:

Vetting SaaS vendors may require updated policies

Have your IT policies changed as a result of adopting SaaS, PaaS, or IaaS? How do your policies enable employees to leverage new services and tools, while also maintaining appropriate IT governance?

Google "SaaSProtect"! Sorry for my shameless plug, but we have been working on this problem since the early 2000's. The bottom line for any company entrusting their mission critical data to the cloud is to have a contingency plan that they can execute independently of the SaaS provider. Consider the sudden cessation of business, where everything goes dark and the provider is non-responsive. Do you think their DR plan is going to work? Despite all of the testing, if the provider disappears, even the best laid plans will never be executed. That is why Subscribers need to consider this before they sign up. The plan should include a neutral trusted third party that can enable the contingency plan too. Testing data recovery procedures and application continuity with the neutral third party is really the only sure fire way to know that your contingency plan will work too. Lastly, consider this; such a contingency plan that is underwritten and supported by a neutral third party like Iron Mountain is a good way to overcome the risk objection to doing business. If you want practical, useful information on the subject, please let me know.

Hi Andy,

I totally agree with your comments on how decision makers should not ignore the innovations
of SaaS start-ups. It should be a gradual process of adoption over time.
The SaaS vendors that will win out in the end will not only be the innovative start-ups, but it
will be those who prove that they look after their client data well. Providing that assurance is key to the sustainability of a SaaS solution. Proving that assurance is the key differentiator right now.

Mark
@2SaaS
ISO 27001 & G-Cloud for Humans at http://www.SaaSAssurance.com