How do you include SaaS in your Resiliency Program? 

Posted March 6, 2025 by Kevin Finch 

Software as a Service (SaaS) applications are a fact of life in business today. By some estimates, between 80% and 99% of businesses use at least one SaaS application, and it’s been estimated that 70% of new applications going into businesses these days are SaaS-based. The bigger the business is, the more SaaS applications it uses — businesses with over 10,000 employees use nearly 450 SaaS applications, on average.

Despite their ease of use and prevalence, SaaS applications are entirely different from traditionally hosted applications from a recoverability point of view. There are many things to consider, so rather than doing a deep dive on each one of them, I figured I would borrow from Generation X popular culture and write up a top ten list of things to absolutely take into consideration when including SaaS in your resiliency program. In no particular order…

  • Identify the critical SaaS applications in your environment – Conduct an inventory of all the SaaS applications used in your organization, and perform some type of Business Impact Analysis (BIA) to determine what your dependencies are.
  • Understand your provider’s Service Level Agreements (SLAs) and their shared responsibility model – You should periodically review your SLAs for uptime, backup, and recovery. Get clarification on what your providers are responsible for versus what your organization needs to handle regarding recovery. If possible, start to develop contingency plans for provider outages.
  • Assess your backup and data retention options – Work with your provider to verify the type of backup and recovery options they have available, and make sure that those options meet the data retention requirements of your business. With some SaaS products the only solutions available for true backup and recovery (or longer data retention) are through third parties, so consider third-party backup solutions if you need additional protection.
  • Ensure availability for authentication and access – Most solutions have the capability to interface with a variety of single sign-on (SSO) and/or multifactor authentication (MFA) systems. Work with your SaaS providers to develop alternative access methods in case there is some problem with system authentication. 
  • Define your recovery objectives for your SaaS application environment – Set Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for your applications (ideally using input from the BIA discussed in the first item above). Make sure that your Recovery Time and Recovery Point goals align with your overall business requirements.
  • Document SaaS-specific recovery procedures – Clearly establish and document steps to be performed when recovering your SaaS data, or using some type of workaround during an outage. Document roles and responsibilities for executing those steps, in the event a recovery is needed.
  • Conduct annual testing and simulations – Like the recovery process for any other application in your environment, your SaaS applications should be included in your annual Disaster Recovery exercises. Test your failover and workaround options alongside your data restoration processes. Test both failover AND failback so you’re sure everything will work like you expect it to when you need it. 
  • Address the issues of data portability and vendor lock-in – Vendor lock-in is a characteristic of many products, and has been for over a century. Make sure that you have the ability to export critical data in the case of some type of provider failure (both that you have the capability to do it, and that you are contractually entitled to do it). Have a migration strategy outlined, just in case you need to switch to another provider.
  • Create communication plans and escalation procedures – Regardless of how developed your Business Resiliency program is, it’s an excellent idea to have these in place. Being able to contact your employees and handle escalations during an outage will help to minimize the impact of any sort of business disruption (SaaS or otherwise).
  • Integrate your SaaS application recovery into your overall resiliency program – Periodically review and update your SaaS application recovery and Resiliency plans right along with your annual reviews of your Business Continuity and Disaster Recovery plans. Regularly update your plans to account for changes in usage, and the needs of the business.  (This is also a good time to check your license counts against your usage data and trim away any overprovisioned licenses.  About 73% of users don’t use their SaaS apps, and about 16% of SaaS apps don’t get used at all.) 

Concerned about recoverability for your SaaS environment?  Have a few more questions than you have answers after reading this list? Sayers is here to help.  Our team has helped dozens of companies protect their SaaS environments to make sure their businesses stay running, and we can help your business too.
