‘Clearing the Cloudiness of SaaS: A SaaS Continuity Control Certification Framework’

Published: Wednesday, 02 September 2020 07:31

A Masters thesis by N.P. Xavier from the Utrecht University Faculty of Science looks at the requirement for maintaining the continuity and availability of SaaS applications and proposes a certification framework.


Within the inter-dependent hierarchical structure of the cloud, its foundation, data centers, store data from Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) providers who offer their services as computing utilities. The SaaS business model offers SaaS customers with software solutions along with the required computing infrastructure, all within a quick and easy to install, and supposedly cheap package.

Small and medium SaaS customers are typically not aware or do not have the resources to assess the risks involved when entering into a potential vendor lock-in situation with a SaaS provider. The unseen risks become evident when a SaaS provider's services stop as a result of a disruption event (natural or man-made), or bankruptcy.

Only when a SaaS customer is unable to access their data and services are continuity options for their SaaS services queried. Loss of business-critical data and services can mark the beginning of the end for these businesses. As such, it is beneficial to all parties within the SaaS ecosystem to raise awareness of continuity risks by certifying SaaS providers through an assessment of the risk level associated with their system's continuity controls. Successfully doing so can improve SaaS customers' trust in the services they consume, and improve the overall health of the ecosystem.

To achieve this, a research approach consisting of a multivocal literature review (MLR), expert evaluations, and case studies is applied to create and evaluate a SaaS continuity control framework; and two case studies to create and evaluate a SaaS continuity control framework [are provided]. This framework assesses eight domains within a SaaS system using 125 questions to extract insights used to award a risk assurance certification mark. The promising evaluation of this framework demonstrates the ability of the applied scientific methodology, methods, techniques, and tools in the creation of a security control certification framework.

The SaaS continuity control framework can be downloaded from www.saascontinuityframework.com, allowing practitioners to benefit from its useful insights. 

Read ‘Clearing the Cloudiness of SaaS: A SaaS Continuity Control Certification Framework’ (PDF).