Friday July 19th, 2024 - a date that will be etched in the memories of CIOs and boards worldwide. It’s the date that elevated CrowdStrike to household name status for the wrong reasons, as businesses and organizations including airlines, hospitals, doctors surgeries, broadcasters, rail operators, and others suffered serious disruption to their operations. Starting in Australia and quickly spreading across the world, IT Managers looked on helplessly as Windows servers hosted on-premises running the CrowdStrike’s Falcon agent crashed as an automated update rolled-out. An estimated 8.5 million devices were affected, and while the full cost of the turmoil is yet to be calculated, it will certainly run into billions of dollars.
As IT Pro reports, a deeper examination of the causes of the outage reveals that parts of Microsoft’s Azure cloud infrastructure also played a role in the incident and that to some degree, a random set of coincidences contributed to the mishap. Regardless of the causes, this was a wake-up call for a global society that is almost completely reliant on IT systems for day to day operations. It also raises important questions about the future of Software-as-a-Service (SaaS).
The SaaS evolution
Today, we take SaaS for granted and don’t give it much thought. It's worth taking a moment to consider how it evolved and how it has changed the way we perform system upgrades, for example. Over time, the traditional method of deploying code upgrades and patches has shifted. Traditionally software companies would issue new versions or patches to customers who, at their own discretion, would test and evaluate the changes internally before upgrading their systems. Over the last few years this process has slowly been ceded to software companies as the adoption of SaaS has become more prevalent.
Today, software companies load changes to their products into the cloud-based platforms that on-premises customer systems rely on to operate. This yields a common control plane that provides a number of benefits to the software provider:
- A single point of application management and orchestration vs. each customer being an individual control point
- An easy point of onboarding for application use in the public cloud
- A very effective method of monitoring use and consumption, which enables accurate billing and virtually eliminates the risk of unlicensed software use
The downside to this approach is the lack of individual testing and validation of code changes, effectively shifting the responsibility outside of the company, despite the company retaining the risk and lability for failure. When you combine this with the reality of a global rollout, you get the mass failure event that we witnessed with the CrowdStrike outage.
What this means for the future of SaaS
The eroding of corporate control over the software upgrade and patch process has happened gradually over time, masked by the perception of 'ease of use' as well as the lack of alternative consumption options provided by major software providers. Just stop and think for a moment - when did you last “purchase” a Microsoft Office licence? Today, the only option to access Microsoft tools is via their SaaS platform, M365.
The CrowdStrike incident will now have every CEO and board of directors asking, "how did this happen”? The answer will consistently be that the decision was outside of the control of in-house IT staff. The demand that this change is likely to be swift. The implications for the future of SaaS will be far reaching and will change the trajectory that market segment was on until the CrowdStrike outage.
How MSPs add a level of protection in a SaaS dominated world
As organizations increasingly understand the problems that can result from SaaS software upgrades and consider ways to minimize their risk levels, they can be reassured there is a trustworthy solution. Consuming software via an MSP is a highly reliable way to completely bypass potential problems. MSPs routinely deliver products from the world’s major software brands as-a-service and have robust procedures in place to protect customers, in the event of an incident such as the CrowdStrike one. By standing in between the software provider and the customer, the MSP can ‘sandbox’ any version of a product for the customer’s environment before it goes live, acting as a buffer and providing an opportunity to identify potential issues with code before a problem arises.
Why MSPs like Assured is a safety net to medium sized organizations
In recent years, there’s been a growing trend among medium-sized companies and organizations to consume SaaS through the MSP model. Often this has been because of the cost efficiencies MSPs offer and also the ability to access products and services that are geared more towards large enterprises. As an example, Assured offers Rubrik's leading edge data protection platform as a managed service to organizations including schools, universities and public sector bodies, delivering enterprise-grade data protection at an affordable price. In a similar way, these same organizations can now benefit from the added protection and buffering that an MSP can offer during software upgrade cycles through sandbox procedures, which would normally be utilised by large enterprises.
This or a similar scenario is highly likely to repeat itself at some stage as human fallibility inevitably comes into the equation. If you’re reading this, engaging with an MSP could be the thing that saves you from the next major SaaS outage.
