Platt Perspective on Business and Technology

Code escrow and due diligence in the cloud and in support of value chain participants

Posted in strategy and planning by Timothy Platt on July 4, 2010

My objective in this posting is to look into a due diligence and risk remediation approach that is coming back into increased prominence, and in a new and emerging context.

Source code escrow is a practice whereby software source code is maintained in escrow by a third party. This approach is most commonly used for management of licensed software, and generally at the request of a software licensee to cover against the possibility that the licensing business might go into bankruptcy or otherwise fail to maintain and update their software offerings. The software source code would then be released to the licensee if any of a specific list of triggering events (e.g. bankruptcy filing by the licensing company) were to take place. Terms of release may keep this source code maintained as proprietary, or they may include release of the source code as open source. There are a lot of other potential terms and conditions that can go into setting up this type of agreement as well.

Software as a service (SaaS) data escrow is a variation on this for securing continuity of access to application data developed in and through SaaS applications. Bankruptcy, as cited above, can invoke data release, as can unplanned service outages if they extend long enough to meet triggering criteria. Data loss or corruption can also trigger this type of release from escrow repository sources. Release or no-release decisions would all be specified in a data governance policy that would be agreed to by all concerned parties.

Cloud computing and virtualization create new levels of opportunity for these and similar backup strategies to offer value, and to both licensee and licensor. I bring this up as a posting here both to point out the value of this basic approach as a part of the due diligence considerations of any business or organization, and to propose a third basic context (of many possible) where source code/data escrow approaches would make sense.

• Value chain developed, shared and distributed business intelligence.

When businesses enter into agreements whereby they create and share value through supply chain and other networking systems, much of this takes place through the pooled sharing of data and of explicit knowledge developed from that data. This creates potential vulnerabilities for all businesses connected into these systems: the more value they individually derive from these business arrangements, the more they would stand to lose if there were an interruption in the availability of this information as a reliable resource. The more connected and effective a business is in its business ecosystem, the greater and more far reaching this source of potential vulnerability would be for it. In this, it becomes vitally important that the shared information resources that connect these organizational networks be backed up and duplicated, with effective synchronization and updating, and in reliable, vetted repositories.

I have written several times in this blog about single points of failure, where crucial capabilities and functionalities are invested in systems without backups or alternatives in place. These failure points can be easier to see, prioritize and address within the organization, but when businesses enter into a more and more connected marketplace and business ecosystem, simply carrying out single point of failure due diligence and remediation within the organization cannot be enough. So I write this posting both to highlight the need for internal due diligence on this and for securing the business context as well. Few if any modern businesses, after all, operate in a vacuum and this fact has to be explicitly addressed for its implications.
