
Are You Aware of the Shared Responsibility Model? The SaaS Data Loss Risk You Might Not Know You’re Taking

Using SaaS platforms is just the way we do business these days. Most organizations, large or small, deploy a bevy of cloud apps and services to take care of everything from core ERP to running their mom-and-pop-shop ecommerce stores.

However, there’s one thing they all have in common: the risk of data loss.

The uncomfortable truth is that just because your data is stored in the cloud, it’s not immune to being stolen, deleted, corrupted, or rendered unavailable.

Let’s consider the rules and mechanics of SaaS-related data preservation and outline the steps you can take to protect your data and your business.

SaaS and your data – the good, the bad, and the ugly

Ongoing technical innovation has catapulted SaaS into a billion-dollar industry. According to Gartner, worldwide end-user spending on public cloud services is forecast to increase to by 2023, and the global SaaS market is expected to reach $720.44 billion by 2028.

Much of this investment is made by small and medium-sized businesses that account for around 44% of the U.S. economy. You don’t have to look far to understand why. SaaS products are easy to use, flexible, accessible from anywhere, and perhaps most importantly, cost-effective, thanks to their pay-per-use pricing plans that eliminate waste associated with unused licensing.

Statista reports that over 60% of all corporate data is stored in the cloud. But with this, the risk of a SaaS data disaster is amplified. The 2022 Thales Cloud Security Study found that 45% of companies have experienced a data breach involving data in the cloud.

Other top reasons for SaaS data loss

1. Malware

Different types of sophisticated malware continue to emerge. According to authorities, the top malware detected in 2021 included remote access and banking trojans, information stealers, and ransomware.

Ransomware attacks doubled between 2020 and 2021, increasing by 92.7% year-on-year. North America and Europe regions were hardest hit, a trend that’s likely to continue. Hackers work at honing their craft 24/7, adapting their strategies and techniques. Every new SaaS platform presents another potentially lucrative opportunity.

But data loss in cloud applications doesn’t only happen when an expert cyber gang targets your business; it can happen for many other reasons.

2. Old-fashioned finger-trouble

The first “undo” button was developed in 1968 at Brown University. (How many times have we all given thanks for its invention?) Sadly, its capabilities don’t yet extend to all SaaS user accounts and interfaces. Employee negligence and human error are responsible for most data loss incidents and breaches in the SaaS world.

Verizon’s 2022 Data Breach Investigations Report revealed that over 80% of breaches involve a human element. According to an Enterprise Strategy Group research report, in the majority of cases, this is accidental (20%), although external and malicious (19%) or internal and malicious (6%) data loss happens too.

3. When good code goes bad

People aren’t the only weak link in the chain. When any authorized user with credentials takes action, SaaS apps will deem the request legitimate and process it, including deleting or modifying data.

The context of the action (accidental, malicious, fraudulent, etc.) doesn’t matter if valid credentials authenticate the command, including programmatic and scripting errors. So, just one rogue buggy app or poorly written script in a third-party tool, and your data could be gone for good.

Shared responsibility: Understanding where it starts and ends

When you sign up as a SaaS customer, you’re not buying the software; you’re simply renting it[1] and the vendor’s servers. You have a limited degree of control over your data. If it were to be lost due to an issue on the vendor’s side, you wouldn’t be able to restore it, and neither would the SaaS provider.

SaaS providers aggregate all their customers’ data and content into the same backup. So, finding and recovering individual account-level data would be like finding the proverbial needle in the haystack. For this reason, SaaS vendors don’t assume that responsibility and are upfront about it in their terms of service. If you read the fine print, they do their best to ensure their applications are up and running at all times. When the worst happens on your end, you’re responsible for the data loss or corruption you (or your tools) created.

Here’s an excerpt from GitHub’s terms of service:

We will not be liable for damages or losses arising from your use or inability to use the service or otherwise arising under this agreement. Please read this section carefully; it limits our obligations to you.

Atlassian is explicit about customers’ responsibilities concerning third parties in its terms of service:

We are not responsible for any access to or use of Your Data by third-party providers or their products or services or for the security or privacy practices of any third-party provider or its products or services. You are solely responsible for your decision to permit any third-party provider or third-party product or service to use Your Data. It is your responsibility to carefully review the agreement between you and the third-party provider, as provided by the applicable third-party provider.

This concept is known as the Shared Responsibility Model. SaaS vendors are responsible for ensuring the security of their cloud environments, but each customer is responsible for securing their data in those clouds.

Unfortunately, too many companies falsely believe that their solution provider protects their data and that a reliable third-party backup solution is an unnecessary investment.

Continuity during SaaS platform unavailability

A backup tool makes business sense to recover lost, deleted, stolen, or corrupted data. It can also be a lifesaver if SaaS vendors experience unplanned hardware or software failures, power outages, cyberattacks, or natural disasters that take their systems offline.

Such incidents don’t happen often, but when they do, a business can grind to a halt.

On May 11, 2021, at around 2100 UTC, a configuration change was applied to Salesforce’s Domain Name System (DNS) servers, resulting in users being unable to access the service reliably for about five hours.

And in April this year, Atlassian suffered an outage that went on for weeks for some customers. The outage impacted a range of services, including Confluence, Jira Software, Jira Work Management, Jira Service Management, Opsgenie Cloud, Statuspage, and Atlassian Access.

Code-sharing service GitHub recently suffered repeated outages that affected millions of users. The company admitted that issues affecting the health of its database were the cause.

A spokesperson commented on the incident: “We sincerely apologize for the negative impacts these disruptions have caused. We understand the impact these types of outages have on customers who rely on us to get their work done every day and are committed to efforts ensuring we can gracefully handle disruption and minimize downtime.”

Say you’re a developer whose code base resides exclusively in GitHub. If disaster struck and GitHub went down, a backup tool would enable you to access a separate copy of your code base in just a few clicks and continue being productive until the outage was resolved.

According to Veeam’s 2022 Data Protection Report, the average cost of downtime is $88,000 per hour or $1,467 per minute. Of course, this figure is skewed by larger enterprises that report higher sums, but even if you’re a small or medium-sized business, we don’t need to tell you that you’ll still be significantly impacted.

Commenting on recent high-profile SaaS platform outages, a Forrester analyst had this to say:

“The resilience of your business is your concern; don’t pass the buck to your vendor. With SaaS, you avoid running and maintaining an application, but in the case of service outages, you incur business losses. You don’t run the infrastructure to put it all back together. Prepare for the risk scenarios your SaaS provider does not cover, and develop a plan of controls and mitigations that your business can take to minimize the impact of SaaS outages on your business.”

Ultimately, an independent third-party backup solution is an essential element of a proactive data protection strategy and a sensible business continuity plan in the event of the worst-case scenario.

Learn more about protecting your cloud assets

The best way to secure assets such as business-critical data on the cloud is an account-level backup and recovery tool. While these can be created using DIY scripts to regularly download data, restoring that data can be significantly harder. Data dependencies and the internal data structures of a SaaS platform often mean that simply uploading JSON or CSV files will result in a data soup. In an emergency, every second counts when restoring data. There’s also the question of maintenance: will you have the engineering resources to ensure your scripts are running properly, API changes have been handled, and backups are being stored securely?
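To make the "data soup" problem concrete, here is an added example (not code from this article or from any vendor) that restores a small export twice: once by re-uploading records as they appear in the file, and once in dependency order with old IDs rewritten to the IDs the platform assigns. The record schema and the `FakeTarget` class are hypothetical stand-ins for a real SaaS API.

```python
from graphlib import TopologicalSorter

# Constructed sample export; record types and fields are hypothetical.
EXPORT = [
    {"type": "comment", "id": "c1", "refs": {"issue": "i1", "author": "u1"}, "body": "Fixed"},
    {"type": "issue", "id": "i1", "refs": {"project": "p1", "assignee": "u1"}, "title": "Bug"},
    {"type": "project", "id": "p1", "refs": {"lead": "u1"}, "name": "Core"},
    {"type": "user", "id": "u1", "refs": {}, "name": "dana"},
    {"type": "issue", "id": "i2", "refs": {"project": "p9"}, "title": "Orphan"},  # p9 not exported
]

class FakeTarget:
    """Stand-in for a SaaS API that assigns its own IDs and rejects dangling references."""
    def __init__(self):
        self.rows, self._n = {}, 1000
    def create(self, rtype, fields, refs):
        if any(t not in self.rows for t in refs.values()):
            raise KeyError("reference to a record that does not exist")
        self._n += 1
        self.rows[f"{rtype}-{self._n}"] = {**fields, "refs": refs}
        return f"{rtype}-{self._n}"

def _fields(rec):
    return {k: v for k, v in rec.items() if k not in ("type", "id", "refs")}

def naive_restore(records, target):
    """Re-upload in file order with the exported IDs; return the IDs that failed."""
    failed = []
    for rec in records:
        try:
            target.create(rec["type"], _fields(rec), rec["refs"])
        except KeyError:
            failed.append(rec["id"])
    return failed

def restore(records, target):
    """Create records dependencies-first, rewriting old IDs to the new ones."""
    ok = {r["id"]: r for r in records}
    while bad := [i for i, r in ok.items() if any(t not in ok for t in r["refs"].values())]:
        for i in bad:  # drop records whose references cannot be satisfied
            del ok[i]
    graph = {i: set(r["refs"].values()) for i, r in ok.items()}
    id_map = {}
    for old in TopologicalSorter(graph).static_order():  # CycleError on circular refs
        refs = {k: id_map[v] for k, v in ok[old]["refs"].items()}
        id_map[old] = target.create(ok[old]["type"], _fields(ok[old]), refs)
    return id_map, sorted(set(r["id"] for r in records) - set(ok))
```

The naive pass lands only the user record, while the ordered pass restores four of the five records and reports the one whose parent was never exported, which is the kind of gap a backup should surface before an emergency rather than during one.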

Many organizations choose managed backup-as-a-service, or BaaS, tools to ensure their data is backed up and easily restorable if need be. BaaS tools take the burden of backup and recovery away from your team, allowing them to focus on what they do best.

Whether it’s through DIY scripts or a software-as-a-service solution, it’s imperative that you take control of your data and protect your hard-earned assets. Nobody thinks it will ever happen to them until it does.