SaaS: Accountability Can Get Lost; Not Liability

Recently, I received a call from a former client about an incident involving an outsourced business-critical application. His experience illustrates both the advantages and hazards of outsourcing a business-critical application. These issues affect all pay-as-you-go providers, whether Software-as-a-Service (SaaS) or Application Service Providers (ASP).

Pay-as-you-go applications have undeniable allure. Pay-as-you-go providers, whether characterized as SaaS or ASP, have had a major impact. They are now often seen as a far more cost-effective means of providing applications than in-house hosting. Taken at face value, the savings seem irresistible. However, there are serious issues of accountability that also bear consideration. It is all too easy for the change to an outside provider to obscure risks and dangers behind an outsourcing veil. It is crucial to verify that cost savings realized by switching to a pay-as-you-go model (e.g., SaaS) are the result of true economies of scale and not accounting illusions realized by shortchanging capabilities or processes. It is all too easy for a vendor to reduce prices by reducing the quality of the goods provided, an implicit bet that problems will not arise.

The temptation to cut corners can be overwhelming. It is simple to realize substantial economies by reducing or eliminating precautions against infrequent situations that seem unlikely. Precautions for these infrequent events are often disproportionately costly. In effect, this is the complement of the Pareto principle that 80% of the cases only require 20% of the effort.

Put another way, it is not a question of event probability, but whether one can afford the forfeit if the event comes to pass. Infrequent events with severe consequences are precisely the problem. This is a version of the argument put forth by Nassim Nicholas Taleb in The Black Swan. The liability to an enterprise of a serious event is often far larger than the liability of the SaaS provider. It is this difference in hazard that is often a source of serious problems.

IT managers need to be as careful with outsourced applications as they are with applications hosted in-house. Accountability requirements and the need to audit data revisions remain unchanged, regardless of how or where the application is hosted. When discrepancies arise, whether from error, accident, or mischief, internal or external, the ability to determine who did what remains important. Without this accountability, a business information system loses reliability, instead becoming nothing more than a vehicle for pranks and fraud. Outsourcing an application is unlikely to relieve an organization of any requirements concerning data integrity, including those covered by Sarbanes-Oxley (often referred to as “SOX”) and HIPAA.

My former client's small business is a local franchisee of a national enterprise. The arrangements for the SaaS application were made by the franchisor. Since neighboring franchisees and the franchisor can coordinate joint meetings, multiple individuals have access to data records. Such a shared application can improve efficiency and coordination. However, when multiple people can add, delete, or otherwise modify records, there is a significant potential for accident, error, and mischief.

Using an SaaS provider seems an ideal way to leverage a professional service establishment far beyond the scale that either the franchisees or the franchisor could afford to establish in-house. However, a professionally managed SaaS installation does not dispose of all the potential problems. While the responsibility for the day-to-day operation of the service is the provider's, legal accountability likely remains with the SaaS user. The operational tasks may be outsourced to the SaaS provider, but the legal responsibility remains with the SaaS user.

This is a clear analogy to insurance: Insurance does not change legal responsibility; it merely liquidates damages. An insurance carrier can defend and pay monetary damages, but cannot assume full responsibility for the actual damages. Pay-as-you-go providers would be foolish to accept unbounded liability for consequential damages. This treatment of liabilities is not without precedent. Outside photographic laboratories routinely processed film with liability limited to an equivalent amount of unprocessed film and processing. The compensation was the same, whether the images on the film were someone's wedding or birth pictures, or a routine picture of a house. The irreplaceable had the same value as the mundane.

With applications potentially involving multiple individuals, the potential for accident and mischief becomes significant. Consider calendaring, an easily outsourced application. What happens when an appointment or commitment is not met? Clearly, the responsibility for the missed appointment or commitment is that of the business (the SaaS user), not the SaaS provider. The SaaS user is ultimately accountable for the commitment. Yet, the SaaS user is ill-positioned and ill-prepared to manage the SaaS implementation. Is there an audit trail as to who created, deleted, or changed an appointment? Does the application maintain audit trails of each operation? Do these audit records log the user account, time, and location (IP address) of the change request?

One expects an SaaS provider to fully understand their environment and application. Yet third-party vendors often have significant economic disincentives against customizing accountability information (e.g., audit trails). It is this accountability gulf and conflict of incentives that presents challenges to all parties: providers, purchasers, and users.

Business trends accentuate these challenges. Pay-as-you-go charging models have dramatically reduced the costs of “enterprise” applications. These applications were previously limited to the Fortune 100 and similar-sized organizations; they now appear to fit within the budgets of small and medium enterprises. However, the applications remain complex. If anything, each successive version is more complex and powerful than its predecessor. SaaS, with its pay-as-you-go charging model, has made these applications appear economically viable on a per-seat basis for the smallest enterprises. This creates a dangerous disconnect between cost and complexity. Previously, complex high-cost applications were limited to large enterprises with extensive internal staff and budget; they are now available to all, from largest to smallest. Now, even the smallest enterprise can be exposed to complex software risk.

The difference lies not in the software, but in how the software is configured, used, supported, and maintained.

This is the difference between an enterprise-class application implemented within a major organization and the same application “securitized” and sold to many small customers on a seat-by-seat basis. One of the major differences is the difference in economic incentives between the provider and the customer.

The “biggest snake is the one nearest you”[1] is an interestingly apropos proverb. To be precise, the importance of a particular feature to an individual customer varies. In the global sense, the feature may be unimportant to the overwhelming majority of customers; to a far smaller population of specific customers, the feature may be a life-or-death question. This is a problem that I have encountered quite a few times in my firm's consulting practice, often in conjunction with litigation.

Keeping a calendar for a single user is one thing. Keeping a collection of calendars is a far more complex environment, particularly so when each of the calendars can be modified by multiple individuals. For some users, audit trails are an unneeded luxury. For others, knowing who was responsible for making a change, and when that change occurred, is a serious question with significant financial and legal consequences. An error of a single day can have severe consequences. Errors of a single day in a legal or regulatory filing can accrue significant liabilities, penalties, and consequences. It is far too easy to create a hypothetical situation where such an error could be laid at the feet of an SaaS provider when the contract immunizes the provider from any responsibility for the consequences.

This is not restricted to calendaring. Every application has a suite of features. Which features are important or unimportant varies from user to user. Similar problems occur in other contexts whenever an application is hosted on a subscription basis by a third-party.

In my client's situation, an appointment disappeared from the calendaring application. The service provider claims that there are no audit trails. In short, it is as if the appointment was never made. This is a significant business danger. The answer is simple: SaaS providers should provide audit trails. Unfortunately, most users of SaaS applications are not sophisticated enough to ask these questions before a situation occurs and the risks have already been incurred.
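To make the audit-trail questions raised earlier (who created, deleted, or changed an appointment; from which account, when, and from which IP address) and the disappearing-appointment incident concrete, here is an added example. It is my illustration, not code from the original article or from any SaaS product it discusses. It models a shared calendar whose every create, update, and delete is appended to an audit log carrying the account, UTC timestamp, source IP address, and before/after images of the record, with each entry SHA-256 chained to its predecessor so that a later alteration of the log itself is detectable. The account names, IP addresses (taken from the documentation ranges), appointment identifiers, and dates are all constructed for the scenario.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first record

@dataclass(frozen=True)
class AuditRecord:
    seq: int
    timestamp: str          # UTC, ISO 8601
    user: str               # authenticated account that issued the request
    source_ip: str          # network origin of the request
    operation: str          # "create", "update" or "delete"
    appointment_id: str
    before: Optional[dict]  # record image before the change (None on create)
    after: Optional[dict]   # record image after the change (None on delete)
    prev_hash: str          # hash of the preceding record, chaining the log
    entry_hash: str         # SHA-256 over every other field of this record

def _hash_record(fields: dict) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class AuditedCalendar:
    """Shared calendar: every mutation is appended to a hash-chained audit log."""

    def __init__(self) -> None:
        self.appointments: dict[str, dict] = {}
        self.log: list[AuditRecord] = []

    def _append(self, user, ip, op, appt_id, before, after, when) -> AuditRecord:
        fields = {
            "seq": len(self.log),
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "user": user, "source_ip": ip, "operation": op,
            "appointment_id": appt_id, "before": before, "after": after,
            "prev_hash": self.log[-1].entry_hash if self.log else GENESIS_HASH,
        }
        record = AuditRecord(entry_hash=_hash_record(fields), **fields)
        self.log.append(record)
        return record

    def create(self, user, ip, appt_id, details, when=None) -> AuditRecord:
        self.appointments[appt_id] = dict(details)
        return self._append(user, ip, "create", appt_id, None, dict(details), when)

    def update(self, user, ip, appt_id, changes, when=None) -> AuditRecord:
        before = dict(self.appointments[appt_id])
        after = {**before, **changes}
        self.appointments[appt_id] = after
        return self._append(user, ip, "update", appt_id, before, dict(after), when)

    def delete(self, user, ip, appt_id, when=None) -> AuditRecord:
        before = self.appointments.pop(appt_id)  # KeyError if it never existed
        return self._append(user, ip, "delete", appt_id, before, None, when)

    def last_delete(self, appt_id) -> Optional[AuditRecord]:
        """Answer 'who removed this appointment, when, and from where?'"""
        hits = [r for r in self.log if r.appointment_id == appt_id and r.operation == "delete"]
        return hits[-1] if hits else None

    def verify_log(self) -> bool:
        """Recompute the chain; an edited, removed or reordered record breaks it."""
        expected_prev = GENESIS_HASH
        for seq, rec in enumerate(self.log):
            fields = asdict(rec)
            stored = fields.pop("entry_hash")
            if rec.seq != seq or rec.prev_hash != expected_prev or _hash_record(fields) != stored:
                return False
            expected_prev = stored
        return True

def investigate_missing_appointment() -> dict:
    """Constructed scenario: a joint meeting is booked, moved, then deleted from another account."""
    cal = AuditedCalendar()
    cal.create("hq.scheduler", "203.0.113.10", "appt-1001",
               {"title": "Regional joint meeting", "date": "2009-06-12"}, when="2009-05-01T14:02:00+00:00")
    cal.update("store-17.manager", "198.51.100.23", "appt-1001",
               {"date": "2009-06-13"}, when="2009-05-03T09:15:00+00:00")
    cal.delete("store-22.manager", "198.51.100.77", "appt-1001", when="2009-05-20T17:48:00+00:00")
    deletion = cal.last_delete("appt-1001")
    return {
        "still_present": "appt-1001" in cal.appointments,
        "deleted_by": deletion.user,
        "deleted_from": deletion.source_ip,
        "deleted_at": deletion.timestamp,
        "recoverable_record": deletion.before,  # the image the delete removed
        "log_intact": cal.verify_log(),
    }

def tampering_is_detected() -> bool:
    """Rewriting a record's user field after the fact invalidates the chain."""
    cal = AuditedCalendar()
    cal.create("alice", "192.0.2.5", "a1", {"title": "x"}, when="2009-01-01T00:00:00+00:00")
    cal.delete("bob", "192.0.2.9", "a1", when="2009-01-02T00:00:00+00:00")
    cal.log[1] = replace(cal.log[1], user="alice")  # attribute the deletion to alice instead
    return not cal.verify_log()
```

With such a log, the question the client could not get answered (who removed the appointment, when, from where, and what it said) is a single lookup, and the pre-deletion image allows the record to be restored. The hash chain matters because the log is only as trustworthy as its protection from the same people who can edit the calendar; in practice the chained entries would be written to storage that application administrators cannot rewrite, and a prospective SaaS customer should ask, before signing, whether records of this kind exist, how long they are retained, and whether they can be exported for an independent review.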

Notes

[1] Edwin Layton, Roger Pineau, John Costello (1985) And I Was There

References

  • Seymour Bosworth, Mich Kabay, Eric Whyne (2009) Computer Security Handbook, 5th Edition, John Wiley & Sons, Inc., New York, New York [Bosworth2009]
  • Caleb Coggins, Diane Levine (2009) Monitoring and Control Systems, Chapter 53 in [Bosworth2009]
  • Mich Kabay, Don Holden, Myles Walsh (2009) Operations Security and Production Controls, Chapter 47 in [Bosworth2009]
  • Edwin Layton, Roger Pineau, John Costello (1985) And I Was There, William Morrow, New York, New York
  • Nassim Nicholas Taleb (2007) The Black Swan: The Impact of the Highly Improbable, Random House, New York, New York
  • Myles Walsh (2009) Applications Controls, Chapter 52 in [Bosworth2009]

Robert Gezelter, CDP
http://www.rlgsc.com