SaaS Backup: How Secure is Your Data in 3rd Party Apps?

Paul Gray
Product Portfolio Manager (Cloud), JT Enterprise

Software as a Service (SaaS) has revolutionised how we deliver and consume applications. Per-seat pricing and no installs make it easy for organisations of all sizes to access the best tools, without the complexity of running these systems in-house.

While SaaS has become ubiquitous in recent years, its true value was shown as many organisations started operating remotely. SaaS has enabled us to continue doing our jobs from any location and collaborate with our colleagues in the process. No wonder there’s been an uptick in adoption over the last year. But there’s an elephant in the room when it comes to SaaS that’s not being widely addressed – backup.

In this blog post, we look at the risk of data loss from within SaaS tools and what the future of backup could look like.

The Shared Responsibility Model

Data stored in the cloud is always available and accessible, creating a false sense of security. Data is backed up as part of a SaaS service, right?

Wrong. SaaS providers typically operate on a Shared Responsibility Model. They manage and maintain the software and supporting infrastructure while your business is responsible for any data stored on the platform. In the event of a catastrophic failure at the provider’s cloud data centre, their job is to get the platform up and running again. The provider will endeavour to restore operations and enable you to access the application. The data that resides within the application is your organisation's responsibility. SaaS providers will get it back to its last known working state but make no guarantees as to whether they can save your data.

Surely Our Data is Backed Up?

Do SaaS providers back up your data? Yes and no. SaaS backups are typically for the provider’s benefit, allowing them to restore operations as described above. Some providers offer only very minimal recovery options as a last resort.

Take Microsoft Office 365 for instance. All data hosted in Exchange 365 or OneDrive is backed up and recoverable, but only for 30 days, almost like a recycle bin. This gives you a very small window to recover lost information before it is deleted forever.

The trouble is that you may not realise an important email or file has been deleted until months after the event – at which point it is lost forever. This is a serious concern when most industries require data to be held for several years: for instance, seven years in healthcare and 25 in construction.

How Seriously Should I Take This Issue?

Any data loss is a serious matter. You may find that you are unable to fulfil a client order or that key project details go missing. You may be unable to defend against a contract dispute – or you could be heavily fined for GDPR breaches if personally identifiable information relating to individuals is permanently lost.

SaaS data loss isn’t just a theoretical event either. Research from Infosecurity Magazine found that 40% of SaaS users had permanently lost data from their hosted service. And 45% had never heard of the Shared Responsibility Model either, suggesting that a chunk of businesses are in danger of experiencing similar losses.

Do SaaS Vendors Offer Backup as an Add-on?

No, none of the major SaaS vendors offers backup as part of their services. The cost and complexity of providing backup at such a scale is just too great to be profitable, which is why providers rely on the Shared Responsibility Model.

The Problem Doesn’t Stop There

Shadow IT doesn't arise out of malicious intent. Users are just keen to get started as quickly as possible, which is another benefit of SaaS. But while IT teams want to perform due diligence and responsible analysis, end-users imagine obstruction and delay. By bypassing the IT department, they get what they want more quickly – while creating serious governance headaches for the business.

Often, it is only once data is lost that the IT department becomes aware of shadow IT applications, by which time it is far too late. The shift towards remote working is already forcing IT departments to increase their agility and responsiveness. Now it is time to make the rest of the business aware that you are here to facilitate and not obstruct, acting in the best interests of all stakeholders.

Building a Plan for the Future

Where possible, it makes sense to encourage users to make the most of tools your organisation already has, but that they may not know about, instead of adding new services.

If your business already subscribes to Microsoft 365 or Google Workspace, for instance, you can steer users towards OneDrive/Google Drive if they suggest using Dropbox. With M365 in particular, there is a whole ecosystem of tools that many users don't know exist. You can then use a specialist service like JT’s Cloud Backup – Microsoft 365 Backup to provide true recovery capabilities equivalent to those you use in your data centre.

Other applications may not be so easy to back up. For example, marketers’ favourite HubSpot does not offer any simple backup method – nor are there any viable third-party solutions at present. Instead, you will need to script a manual data export that downloads data to a local system for backup.

As the risk of SaaS data loss becomes more publicised and cloud offerings continue to mature, we expect to see a move towards APIs for backing up data. For example, Asigra will begin providing backup solutions for third-party applications in the future, so there is movement in the market to solve this challenge.

This will allow SaaS providers to continue with the Shared Responsibility Model while providing subscribers with a viable way to extract and back up data according to their preferences and compliance requirements.
