SaaS Due Diligence - Part 2 of 2
Transitioning to SaaS
• data migration tool - is there a tool readily available - is there a choice of tools?
• data migration process - do you have the expertise to carry this out in-house, who else can provide this service, at what cost?
• if no proven data migration path, employ 3rd party migration tools / services, at additional cost
• clean start option - dual run both old and new systems, if economically and practically viable
Service and Support and Security
• software trial - how long does it run, how far does it scale, is it representative of final-state performance and usage, and is the transition from trial to operational use seamless or is a fresh data load required?
• service availability, including application and data
• security standards support - e.g. ISO/IEC 27001 certification (with ISO/IEC 27005 for risk management), NIST SP 800-30 / SP 800-53 - and whether the provider's certification scope actually covers the service you are buying
• the need for a cloud security standard
• offline data availability
• availability of support channels - and their fit to how your organization operates
• support desk response times
• redundancy - of power supply, computing resource, data repository availability and internet backbone connection
Internet Service
- compensation for disruption to service
- minimum service upload and download speeds
- scope to renegotiate the contract on more favourable terms as your usage of their services grows
Data
• data portability - how easy is it to retrieve data out of this particular SaaS service?
• accessibility of data - how easy is it to snapshot and download your data for your own use
• data removal - what traces of customer data would be retained on the system should a customer cancel their contract?
• confirm data ownership will continue to rest with you
• is there any need to upload or refresh additional data or metadata?
• data security - hardware and software - intrusion detection, encryption at rest and in transit, how your data is segregated from other tenants in shared databases, and the other security mechanisms used by the SaaS provider
• what level of access would the SaaS provider's staff have to read data and how rigorously is this managed?
• physical security of your data - data center design
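The portability and dual-run items above come down to one practical check: can you pull your data out and prove it matches what you put in? The script below is an added example (not from the original post) that reconciles a downloaded SaaS snapshot against the legacy system's export, record by record, reporting records missing from the SaaS side, records that only exist there, and fields that differ. The two CSV exports, the field names and the `id` primary key are constructed sample data and assumptions; substitute your own exports.

```python
"""Reconcile a SaaS data snapshot against the legacy system's export.

Added example, not the post's or any provider's code. Use it during a
dual run, or before trusting a provider's "download your data" snapshot
as the basis for migration or exit. All sample data below is constructed;
the column names and the `id` key are assumptions.
"""
import csv
import hashlib
import io
from dataclasses import dataclass, field

# Constructed sample: export from the legacy (in-house) system.
LEGACY_CSV = """id,email,plan,balance
1001,alice@example.com,pro,120.50
1002,bob@example.com,basic,0.00
1003,carol@example.com,pro,75.25
1004,dave@example.com,basic,10.00
"""

# Constructed sample: snapshot downloaded from the SaaS provider.
# 1002 differs (balance), 1004 is missing, 1005 exists only in the SaaS.
SAAS_CSV = """id,email,plan,balance
1001,alice@example.com,pro,120.5
1002,bob@example.com,basic,5.00
1003,carol@example.com,pro,75.25
1005,erin@example.com,pro,0.00
"""

KEY = "id"                     # assumed primary key
NUMERIC_FIELDS = {"balance"}   # normalised so 120.5 == 120.50


def normalise(row: dict) -> dict:
    """Canonicalise formatting differences that are not real data differences."""
    out = {}
    for k, v in row.items():
        v = v.strip()
        if k in NUMERIC_FIELDS:
            v = f"{float(v):.2f}"
        out[k] = v.lower() if k == "email" else v
    return out


def load(csv_text: str) -> dict:
    """Parse a CSV export into {key: record}; duplicate keys are a data defect."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = normalise(row)
        key = row.pop(KEY)
        if key in rows:
            raise ValueError(f"duplicate key {key}")
        rows[key] = row
    return rows


def record_hash(row: dict) -> str:
    """Stable per-record digest; store these as a manifest for each snapshot."""
    canonical = "\x1f".join(f"{k}={row[k]}" for k in sorted(row))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Report:
    missing_in_saas: list = field(default_factory=list)
    extra_in_saas: list = field(default_factory=list)
    mismatched: dict = field(default_factory=dict)  # key -> {field: (legacy, saas)}

    @property
    def clean(self) -> bool:
        return not (self.missing_in_saas or self.extra_in_saas or self.mismatched)


def reconcile(legacy_csv: str, saas_csv: str) -> Report:
    """Compare two exports by key, then field by field where the digests differ."""
    legacy, saas = load(legacy_csv), load(saas_csv)
    rep = Report()
    rep.missing_in_saas = sorted(set(legacy) - set(saas))
    rep.extra_in_saas = sorted(set(saas) - set(legacy))
    for key in sorted(set(legacy) & set(saas)):
        if record_hash(legacy[key]) == record_hash(saas[key]):
            continue
        fields = sorted(set(legacy[key]) | set(saas[key]))
        rep.mismatched[key] = {
            f: (legacy[key].get(f), saas[key].get(f))
            for f in fields if legacy[key].get(f) != saas[key].get(f)
        }
    return rep


if __name__ == "__main__":
    r = reconcile(LEGACY_CSV, SAAS_CSV)
    print("missing in SaaS:", r.missing_in_saas)
    print("extra in SaaS:  ", r.extra_in_saas)
    for k, d in r.mismatched.items():
        print(f"mismatch {k}: {d}")
    print("clean" if r.clean else "RECONCILIATION FAILED")
```

Run it against a snapshot taken at the end of the trial and again before cutover; a clean report on both is the evidence that the portability and migration questions above have real answers. Keeping the per-record digests from each snapshot also lets you detect later silent changes to exported data without holding a full copy of every snapshot.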
Contract
• T&Cs
• Data security and portability
• Non-renewal actions
• Licence terms
• Source code ownership - a recent mention of escrow services for SaaS was covered by my respected friend Ben Kepes at CloudAve. Trust you don't mind being considered a friend, Ben...
• Other IP
• Charging model - data throughput