Third-party enterprise software support companies such as Rimini Street promise to cut business customers’ application update and support prices, but buyer beware: It’s important to review the total costs of such software support services.
The differences between the ongoing maintenance provided by the software’s developer (which typically charges from 18% to 22% of the original purchase price per year) and the maintenance provided by a third party are very real. Failure to understand the differences in software support will result in unforeseen costs—and big risks.
As your company evaluates its options, consider these five factors besides up-front price.
1. Can you trust the third-party support provider?
No one understands the details of a software program better than its developer. Third-party maintenance companies don’t have access to the source code, so they don’t have complete knowledge of the software. They also lack visibility into the product’s road map beyond what the software publisher is willing to share publicly or under a non-disclosure agreement. Only the software developer understands the history and future of its product in complete detail.
Companies should also consider the track records and reputations of the different parties. How long has each company been in business? How financially stable is each? Has the third-party maintenance provider been the target of lawsuits?
2. Is the third-party support provider truly securing your company’s applications?
Security represents the highest degree of business risk. Third-party software maintenance companies are unable to write certain software patches because they lack access to the relevant source code. As a workaround, they may offer something that sounds like patching but is not actually patching.
For example, Rimini Street, which provides support services for Microsoft, Oracle, and SAP software, offers “virtual patching,” which is actually firewalling. In fact, Rimini Street CEO Seth Ravin argued in court, in a lawsuit brought and eventually won by Oracle, that security patching is “an outdated model”—guidance that runs counter to the warnings of security experts and the US government.
It’s important to understand the difference between a patch and a firewall. A patch is a fix for a logic defect in code. When an error is discovered, often by independent security researchers, the software developer analyzes the root cause of the error and writes a patch that rectifies the potential vulnerability at the source. The developer then tests the patch to make sure it doesn’t negatively impact the software it’s intended to fix or other applications that rely on it.
The purpose of a firewall is to prevent attackers from breaching a network. However, firewalls may not provide adequate software protection because enterprises open holes in those firewalls to allow legitimate traffic through. Hackers commonly exploit such holes to gain access to corporate networks and applications.
“Unless you have access to the source code, you can’t patch software,” notes Denis Pombriant, managing principal at Beagle Research. “The source code probably isn’t in the customer’s data center [because] it’s fully compiled. You apply a patch to a compiled program to change the characteristics.”
The cost of inadequate cybersecurity—lawsuits, regulatory fines, reputational damage, intellectual property theft—can be exponentially higher than the 18% to 22% annual maintenance fees software developers charge.
3. Will your software remain fully compliant?
Any gaps in software updates can affect your company’s ability to comply with regulations and its own governance policies.
“You use a piece of software to do certain tasks, but the underlying functions are constantly evolving,” notes Albert Pang, president of IT market research firm Apps Run The World. “Microsoft, Oracle, and SAP have a slight advantage because as the original developers of the software, they know what changes someone has to make in order to really ensure 100% compliance.”
4. Will you get access to the latest innovations?
“If you’re paying for maintenance, you’re paying for future enhancements of the application,” Pombriant says. “If you’re not paying for maintenance, you can pay less money for less support, but over time you’re going to have an orphaned application. It’s not like you’re really saving money. You’re saving money at the cost of depreciating your asset.”
5. What happens when you move software to the cloud?
Developers offer maintenance across all of their software products, whether on-premises or cloud. Because cloud subscriptions generally include all maintenance, third-party providers typically can’t provide unified support across a customer’s legacy and modern software.
“We track 3,000 software vendors. Many of them are migrating to the cloud. You have to ask yourself: Can third-party maintenance accommodate those changes?” Pang says. “Right now, we still have a lot of on-premises software, but it’s going to be cloud-enabled in five to 10 years. I’m skeptical that any third-party maintenance company can handle that type of transition.”