
Safeguarding data in a SaaS environment


SaaS is soaring as organisations of all types and sizes adopt the software-as-a-service model for their application needs. Just look at the numbers: Recent research from Okta found that SaaS usage in both large and small businesses climbed sharply between 2017 and 2018. Large organisations used an average of 129 SaaS apps last year, up 68 per cent from 2017. Smaller companies were no slouches, averaging 79 SaaS apps, a 38 per cent increase from the prior year.

Clearly, savvy businesses see the advantages in SaaS. Instead of investing in costly perpetual licences and the hardware needed to run them, you pay easier-to-swallow subscription pricing. Treating software as a service rather than an asset means there’s less for your in-house staff to manage, maintain and update, further reducing costs. You also gain flexibility, with an enhanced ability to respond to changing needs and technologies.

That’s all good, but there’s an important issue to consider. Is the data stored in these applications protected? Surprisingly, some organisations aren’t asking that question. A recent study from 451 Research shows that just under half of organisations — 49 per cent, to be exact — are relying on their SaaS vendor to protect their data. More alarming, another 25 per cent don’t protect their SaaS data at all.

That’s risky business. It’s not that SaaS vendors aren’t doing their part. Most take this charge seriously and invest heavily to protect the data entrusted to them. But they are focused on protecting the service against catastrophic loss, not on recovering individual files that a user deleted. Almost all SaaS licences also require the customer to share the burden of protecting data. Everything from Microsoft Office 365 to Google’s G Suite operates under this shared responsibility model.

Here’s what that means. The provider takes ownership of certain aspects of data protection, and the customer is responsible for the rest. Vendors generally ensure that their environment is secure and that their service, and the data in it, stays available. But the data itself belongs to the customer, and it is ultimately the customer’s responsibility to keep it safe, recoverable and retained for as long as regulation or litigation demands.

What can go wrong

Here’s an example of what can go wrong if data isn’t properly protected. Imagine your sales department inadvertently deletes documents that are needed to create a quarterly report. Say the files land in the trash in January and nobody looks for them until March, when the report is due. They could be in for a shock: the files won’t be there. Office 365 keeps deleted items only for a fixed retention window and then purges them permanently. The window depends on the workload and on your configuration (Exchange Online keeps deleted mailbox items recoverable for 14 days by default and at most 30, while the SharePoint Online and OneDrive recycle bins purge after 93 days), but it is always measured in weeks, not years. A mailbox item trashed in January is already gone by March, and a file in a SharePoint recycle bin has only a few weeks left. That data is gone forever, unless you have taken the precaution of backing it up. Microsoft itself recommends that customers create separate backups of their Office 365 data.

While a botched sales report is bad enough, the repercussions of deleted data can be even more serious. Let’s say an employee involved in some illegal activity deliberately deletes documents, emails or other data that could be used as evidence. If the authorities decide to look into the alleged wrongdoing and issue a subpoena, the files will probably be long gone by the time e-discovery begins, unless a litigation hold was already in place or an independent backup captured them before the purge. That’s a grave problem with potentially serious legal implications for the organisation.

You might find this surprising if you, like many SaaS clients, assume that vendors back up your data. They generally do, but it’s almost always a backup of the whole platform, meant for a major security breach, a fire, a flood or another disaster that destroys the service’s own copy of everything. That infrastructure is architected for service-level recovery and isn’t designed for granular restores of specific items. It won’t get back the one email your CFO trashed or the specific sales record in NetSuite that you need to generate a report.

Those might be extreme examples, but they do happen. And in any case, do you really want to be wholly dependent on the vendor to protect your data? That’s a precarious position to put yourself in. What if your provider abruptly goes out of business? What if you have a major disagreement with your supplier and your data is held hostage? And, worst case, what if the vendor didn’t properly prepare for a catastrophic loss of its own?

If any of these situations develop, you will fervently wish that you had taken the precaution of an outside backup.

Keeping SaaS data secure

When a lot of data is involved, it makes sense to classify and prioritise it before designing a backup plan. Once it’s organised, you can determine what’s most important and check that your retention meets the relevant regulations and legal requirements.

Examples of high-priority data that needs special attention include financial information, protected health information (PHI), personally identifiable information (PII), and any emails or documents that you may need to produce in case of a lawsuit.
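As an added example, not code from the original article or from any vendor, the following Python script sketches the classification step just described and checks the result against the native undelete windows discussed earlier: it tags each exported document with the data classes it contains, looks up how long that class must stay recoverable, and flags every document whose SaaS service would purge it before that requirement is met. The native retention windows and the required retention periods are assumed values for illustration; verify them against your provider’s current documentation and your own retention policy before relying on them. The sample documents are constructed.

```python
import re

# Native "undelete" window of each SaaS service, in days. Assumed values for
# this example; vendors change them, so check current documentation.
NATIVE_RETENTION_DAYS = {
    "sharepoint": 93,   # SharePoint Online / OneDrive recycle bin (assumed)
    "exchange": 14,     # Exchange Online deleted-item recovery, default (assumed)
    "gsuite": 30,       # Google Drive trash (assumed)
}

# How long each data class must stay recoverable, in days. Hypothetical policy
# values standing in for the organisation's regulatory and legal requirements.
REQUIRED_RETENTION_DAYS = {
    "financial": 7 * 365,
    "phi": 6 * 365,
    "pii": 3 * 365,
    "legal": 10 * 365,
    "general": 30,
}

# Constructed sample export: "service:/path" -> document text. Not real data.
SAMPLE_DOCS = {
    "sharepoint:/Finance/Q1-forecast.xlsx":
        "Q1 revenue forecast. Wire account IBAN GB29NWBK60161331926819. Card 4111 1111 1111 1111.",
    "exchange:/inbox/patient-followup.eml":
        "Patient MRN 00481 diagnosis: hypertension. Contact jane.doe@example.org",
    "gsuite:/HR/onboarding.docx":
        "New starter: John Smith, email john.smith@example.com, phone 555-0100.",
    "sharepoint:/Marketing/banner-copy.txt":
        "Summer sale copy draft, 20% off all plans.",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, spaces/dashes allowed
PHI_RE = re.compile(r"\b(patient|diagnosis|MRN|prescription)\b", re.IGNORECASE)
LEGAL_RE = re.compile(r"\b(subpoena|litigation|legal hold)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that not every long digit run is flagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of data classes found in a document ("general" if none)."""
    classes = set()
    if EMAIL_RE.search(text):
        classes.add("pii")
    if IBAN_RE.search(text):
        classes.add("financial")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            classes.add("financial")
            break
    if PHI_RE.search(text):
        classes.add("phi")
    if LEGAL_RE.search(text):
        classes.add("legal")
    return classes or {"general"}


def assess(docs: dict) -> list:
    """For each document, decide whether the service's own undelete window satisfies
    the retention its data class requires. If it does not, an independent backup is
    needed: the vendor will purge the item long before you are allowed to lose it."""
    report = []
    for path, text in docs.items():
        service = path.split(":", 1)[0]
        classes = classify(text)
        required = max(REQUIRED_RETENTION_DAYS[c] for c in classes)
        native = NATIVE_RETENTION_DAYS[service]
        report.append({
            "path": path,
            "service": service,
            "classes": sorted(classes),
            "required_days": required,
            "native_days": native,
            "needs_external_backup": required > native,
        })
    # Largest shortfall between requirement and native window first.
    report.sort(key=lambda r: r["required_days"] - r["native_days"], reverse=True)
    return report


if __name__ == "__main__":
    for row in assess(SAMPLE_DOCS):
        flag = "BACKUP NEEDED" if row["needs_external_backup"] else "covered"
        print(f"{flag:14} {row['path']:40} {row['classes']} "
              f"required={row['required_days']}d native={row['native_days']}d")
```

The ordering puts the biggest exposure first, so the output doubles as the priority list for the backup plan: in the constructed sample the financial spreadsheet, the mailbox item containing PHI and the HR document all need an external copy, while the marketing draft is adequately covered by the recycle bin alone. Pattern matching of this kind is a starting point for classification, not a substitute for a data inventory; tune the regular expressions and the policy table to your own environment.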

After you’ve determined what data you need to back up, the next step is deciding what kind of system you’ll use to protect it. If you’ve committed to using a SaaS model as much as possible, as most companies are doing, it’s logical to consider a SaaS solution for protecting it.

Embracing the SaaS approach doesn’t mean you have to sacrifice data protection. Far from it. With the number and variety of options now available, there’s no reason to leave data at risk. It’s vital to realise that SaaS data deserves the same level of protection you’d give to on-premises data.

Dan Timko, chief strategy officer, J2 Global and OffsiteDataSync