S 6.137 Trusted storage (escrow)
Initiation responsibility: IT Security Officer, Emergency Officer
Implementation responsibility: Persons responsible for individual applications
The more business-critical a process is, the more important it is to protect this process against failure. Many products that support the business processes (software, equipment, automatic machines etc.) are delivered to the purchaser without all of the components required to maintain the product. Maintenance in this case is often provided by the supplier. If the manufacturer or supplier goes out of business, then under some circumstances it may no longer be possible to maintain the product. It should be examined whether this risk can be reduced by placing the missing components in trusted storage (escrow).
Escrow is the holding, by a "trusted" third party (escrow agency), of material that is not supplied with the product but is needed to maintain and care for it. This material can include software (in the form of executable code or as source code), manuals, construction plans, configuration states, consumption data, keys, passwords or other components.
Depending on the type of product, this instrument can be used by companies or government agencies to protect against the following risks, for example:
- stoppages of service by a contractor in terms of the manufacturing, maintenance or continued development of a product
- failure of suppliers of components and assemblies
- in the case of software in particular: loss of the source and/or object code in the event of large-scale damage to the IT area
- inability to verify which version level was in use at what time, for example in terms of copyrights, liability or bankruptcy
Method of operation
Using escrow, the user of a product ensures the continuity of one or more business-critical processes. To accomplish this, the user is granted the right to access the stored material under defined conditions and use it to maintain the product, for example in the event that the supplier cannot deliver the services specified in the contract to the users. On the other hand, the supplier is able to protect its competitive advantage and trade secrets as long as it is able to fulfil its obligations. The escrow agency checks and stores the material for both parties.
Users and suppliers conclude a contract with the escrow agency that defines the following aspects at a minimum:
- assurance of the rights to hand out the stored material and the conditions under which it is handed out
- verification of the material
- proper storage of the material and adequate protection
- updating the material
The conditions for escrow, and in particular the duties of the escrow agency in terms of verification and issuance, must be precisely described in the escrow contract. The design of any given contract depends on the estimation of the risks against which the escrow client wants to protect itself as well as on the legal framework.
The following information should be taken into account when formulating and concluding the escrow contract:
- Discrepancies between the license agreement and the escrow contract must be avoided.
- It helps to conclude the license agreement and the escrow contract at the same time. A delay between them could result in disadvantages for the users.
- Depending on the legal framework, an escrow contract can be at risk if it is signed too late, e.g. shortly before the supplier declares bankruptcy.
- How the material will be issued should be clearly defined. The escrow contract should contain a precise description of the procedure for initiating the release of the material and for how it will be issued.
- The escrow agency must be considered trustworthy by both parties and offer secure and suitable storage capabilities for the material to be stored.
- The technical aspects of the storage must be specified. The escrow agency should possess the technical competency required to check the usability of the material and to ensure that all updates are deposited.
- The usability of the material after it has been issued must be suitably tested as soon as it is delivered. The depth of testing depends on the estimation of the risks and the technology used. Examples of such tests include compiling software from the stored source code or assembling a product by following the assembly instructions.
- The material must be kept up-to-date by specifying suitable update cycles. The update cycles required depend primarily on the estimation of the risks and on the production processes of the user.
Review questions:
- Was it examined if escrow could be used to reduce the security risks?
- Are all conditions relating to escrow, updating and issuance as well as the rights and duties of the parties involved specified precisely in the escrow contract?
- Has it been ensured that the escrow contract is compatible with the corresponding license agreement?
- Does the escrow agency have the necessary qualifications?
- Does the escrow agency check if it will be possible to use the material stored when it is issued some time later?