When organizations first started shifting core applications to Software-as-a-Service (SaaS), they took a cavalier approach to data backups. Most simply relied on their SaaS provider’s recycle bins to keep their data safe. Today, views are evolving. Surveys show that SaaS and backup admins believe programs like Microsoft 365 and Salesforce need more robust backups to protect data from cyber threats and accidental deletions.
Still, many continue to follow a “set it and forget it” model. A large percentage of users are relying on more functional tools that SaaS providers have started to embed in their platforms to back data up. Many in that group haven’t necessarily ruled out more robust backups; they’re just proceeding with the assumption that they don’t need more protection.
That group is taking a chance. They haven’t experienced a situation where they urgently need to back up data. Whether it’s a data loss event, user administration failure or automation failure, they’re playing a game of Russian roulette. They’re taking a gamble where they don’t really know the odds. The event may not be catastrophic, but they could be surprised by the ramifications.
SaaS clearly offers many benefits from an efficiency standpoint. The barrier to entry for getting started is low. Organizations can take advantage of OpEx models, allowing them to pay as they go. SaaS applications can also integrate seamlessly with existing mechanisms – such as multi-factor authentication for identity management – and SaaS providers often offer expertise in designing, configuring, optimizing, and/or managing a solution that the data center may not have.
But over-relying on them can have consequences. For one, organizations do not have as much control over the service delivery or the infrastructure it runs upon. While that can be seen as a benefit, it is a drawback in the event that an incident arises, and in fact this speaks overall to the ability to influence the specifics of a service that is delivered in this manner.
The biggest security/data protection misconception that companies have when moving to the cloud is that SaaS providers don’t do everything you want them to do. The best corollary is the shift to Microsoft 365 since many organizations moved from on-premises Exchange to SharePoint. Users of Microsoft 365 rightly assume that any outages involving applications, network controls, operating systems and physical networks will be managed by the SaaS provider.
But the largest number of outages aren’t caused by SaaS providers themselves. It’s other humans causing the problems – either bad actors intent on doing harm or humans just making errors. The biggest issue by far is accidental deletion. If you don’t have robust backup, your data could be gone. It’s like renting a car: SaaS providers make sure the car is gassed up and ready to go, but once you drive it off the road, you’re responsible for what happens.
History has proven that whenever a new model becomes popular, people make wrong assumptions about how certain issues will play out. That’s happening now when it comes to data backup. While IT decision makers understand the benefits of shifting responsibility for deployment, upgrades and shifts in capacity, many don’t realize the actual responsibility for the data usually remains with the tenant. SaaS providers’ shared responsibility models spell it out clearly: The data will remain the responsibility of the customer. It’s the only thing that’s consistent across the cloud.
Formulating backup strategies
Here are several issues organizations should consider as they formulate backup strategies for SaaS:
Focus on preparation – It’s hard to prepare for a problem you don’t know you’re going to have. But if you have the data, you’ll be well suited to handle that type of incident. If you prepare your SaaS application for an incident you don’t know you’ll have, you’ll have control of your data.
Assume the worst – Whether it’s on prem or off, bad things can happen. It likely won’t involve equipment failure; the cloud is good at being resilient from an infrastructure perspective. But with data, mistakes happen.
Keep compliance in mind – While regulatory agencies often require organizations to keep data for several years, SaaS backups often are set up for a maximum of 120 days. If you don’t consider that up front, you tend to find out after the fact. And it’s hard to restore what you haven’t backed up.
Check your responsibilities – Organizations should be very familiar with the shared responsibility models their SaaS providers offer. Know where your data is and be able to facilitate e-discovery situations.
Plan an exit strategy – The best time to negotiate exit strategy costs and methodologies is before you integrate a SaaS backup solution. It could be possible for the provider to hold your data hostage at a price point that they determine at that time.
As organizations turn to SaaS to run mission-critical business functions, they’re paying more attention to the importance of data backups. But many are still underplaying the risks their data faces. Data is their life blood, and relying exclusively on SaaS backups could subject them to a rude awakening.
The author is Vice President of Enterprise Strategy at Veeam.