Published on December 11, 2019
When it comes to a SaaS relationship, subscribers may not fully understand who is responsible for protecting the data for their SaaS application and why they should be more proactive when it comes to selecting a SaaS provider.
Question: What could be better than working with a vendor who will manage all the processes for your business-critical application… nothing, right?
That’s why SaaS relationships are so compelling for organizations. Someone once defined SaaS to me as “the abdication of responsibility.” The idea of having someone else run your application, store your data, and manage/maintain the hardware and software is just a dream come true for IT departments. Except for one piece of misguided information. Who is responsible for protecting the data? This is a question that most organizations typically assume falls on the lap of the SaaS provider, but in reality, it’s the responsibility of the SaaS user.
In all honesty, I will admit that I was naïve to this fact as well. Like many SaaS users, I just assumed the SaaS provider was prepared to protect the data stored in their environment. The truth is, providers are prepared to protect their systems against malware, malicious internal attacks, downtime, and cyberattacks, but there is also the possibility they might go under or suffer a catastrophic event. In that case, they are not necessarily thinking about your data, and you are at risk.
Ensuring that you have access to backed up data to meet whatever business continuity or compliance requirements you have is most certainly your responsibility. Sure, the SaaS providers have a process for protecting your data against a number of risks, but ultimately, it’s your obligation.
Bottom line: Some responsibilities cannot be outsourced.
The SaaS user must be prepared to answer basic questions before partnering with a SaaS provider:
- What’s the impact on the business if there is data loss?
- Do you have any compliance requirements for your data — if so, what are they?
- Does your provider support data backup options? Consider these options:
  - Built-in data backup in the SaaS application
  - Add-on data backup services provided by the SaaS provider
  - API extensions to existing (in-house) backup applications
  - Backup solutions from a BaaS (Backup as a Service) provider
Did you know there are escrow solutions for SaaS data backup?
One solution is Iron Mountain’s SaaSProtect Backup, a virtual snapshot of the application and data. If the application changes, the agent automatically recognizes the change and takes a new virtual snapshot of the application and/or at the time of the next scheduled data backup, typically daily. If something unforeseen happens to the SaaS provider, such as ceasing business operations or entering into bankruptcy, the subscriber may request a copy of the last data backup stored with Iron Mountain. The subscriber makes a request similar to how release requests are made with traditional source code escrow services. (For more information on the release process see my previous blog post, “Please Release My Escrow.”)
The requirements for the service are fairly simple. A downloadable backup and replication agent is deployed on each server to be protected. The agent can be installed on virtual or physical servers.
Additionally, a secure VPN connection is required for encrypted transfer of data to Iron Mountain and there are no upfront Capex hardware costs to support the service.
Final Thought: For a user to determine the correct data backup solution, it’s important to consider multiple factors. Gartner’s report “Assuming SaaS Applications Don’t Require Backup is Dangerous” recommends focusing on the following areas with your provider:
- Availability: What is the provider’s recovery point objective (RPO) and recovery time objective (RTO) for data loss due to hardware and software failures?
- Security: How does the provider protect their application from external threats to the provider’s system versus threats to the individual subscriber account?
- User Error: Does the provider support any features that prevent user error-related data loss, such as “recycle bins” or “versioning files”?
- Data Archiving: How long does the provider store client data?
- Exit Strategy: Does the user have the ability to extract data from the provider’s system? And, is the data provided in a format that is transferable?
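The availability question above turns on the provider’s RPO, which only means something if the subscriber actually measures it. The following is an added example (not code from Iron Mountain, Gartner, or this post) showing how a subscriber can check a log of SaaS export jobs against an RPO target. The log format and the job names are constructed for illustration; a real provider’s export log will differ.

```python
from datetime import datetime, timedelta

# Constructed sample log of a hypothetical nightly SaaS export job.
# One run on 2019-12-03 failed, which is the kind of gap an RPO check must catch.
BACKUP_LOG = """\
2019-12-01T02:05:00 export completed status=ok
2019-12-02T02:04:00 export completed status=ok
2019-12-03T02:10:00 export failed status=error
2019-12-04T02:03:00 export completed status=ok
2019-12-05T02:02:00 export completed status=ok
"""


def parse_backup_log(text):
    """Return the sorted timestamps of successful backup runs found in the log text."""
    successes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        timestamp = datetime.fromisoformat(parts[0])
        if parts[-1] == "status=ok":
            successes.append(timestamp)
    return sorted(successes)


def rpo_violations(successes, rpo, as_of):
    """Return (start, end, gap) tuples for every interval between consecutive
    successful backups (including the interval from the last backup to `as_of`)
    that is longer than the RPO. Each tuple describes a window in which a
    provider failure would have lost more data than the RPO allows."""
    violations = []
    points = list(successes) + [as_of]
    for prev, nxt in zip(points, points[1:]):
        gap = nxt - prev
        if gap > rpo:
            violations.append((prev, nxt, gap))
    return violations


def current_exposure(successes, as_of):
    """Return how much data would be lost if the provider failed right now:
    the time since the most recent successful backup."""
    if not successes:
        return None  # no usable backup at all: exposure is unbounded
    return as_of - successes[-1]


if __name__ == "__main__":
    rpo = timedelta(hours=24)
    now = datetime.fromisoformat("2019-12-05T12:00:00")
    ok_runs = parse_backup_log(BACKUP_LOG)
    for start, end, gap in rpo_violations(ok_runs, rpo, now):
        print(f"RPO breached: no good backup between {start} and {end} ({gap})")
    print(f"Current exposure: {current_exposure(ok_runs, now)}")
```

The check flags the two-day gap caused by the failed run, which a dashboard that only shows the latest job as green would hide. Running it against the provider’s export log, or against the subscriber’s own copies, is the cheapest way to confirm that the contractual RPO matches reality.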
There’s no denying the value a SaaS application can bring to an organization. But SaaS providers are like snowflakes in the sense that they’re all uniquely different in some way. You cannot assume the level of data protection for one SaaS provider is the same as all other providers because SaaS environments are not designed the same. The systems that make up one SaaS environment are completely different as compared to the next SaaS environment, regardless of the similarity in application functionality. At the end of the day, you must enter into a SaaS relationship knowing that you have responsibilities too — and data protection is one of them.