The Truth about Data Protection for SaaS

Don’t you hate that feeling when you realize something you always thought was true, wasn’t true? Maybe it is something your parents told you and you have confidently told others about it. Then one day, your friend or co-worker proves you wrong. You are shocked and wonder, what else am I wrong about? Like when you learned that a large terrifying bunny didn’t leave eggs full of candy all over your yard? That happened to a… friend… Anyway, many enterprises got this same feeling when they found out that their favorite SaaS solution doesn’t back up their data by default. Believing that it does is, unfortunately, a common misconception.

Thankfully, many SaaS companies define a shared responsibility model that details responsibilities between them and the end customer. Infrastructure, replication between sites, temporary storage for mistakes, and security of the cloud for physical infrastructure are typically provided by the vendor as the end customer doesn’t have access to the backend cloud resources. But what does catch many enterprises off guard is the lack of backup and long-term retention.

Data replication or even a recycle or trash bin is often thought of as a form of data protection, but it is not backup. Replication ensures the data is available in the event the SaaS provider loses a datacenter. This is high availability to ensure you still have access to your data in the event of a failure. But just like your on-premises data center methodology, replication is not backup. When data is deleted (accidentally or maliciously), it gets deleted in both the primary and secondary data centers. The recycle or trash bin can also be confusing in its functionality. Yes, this can protect you from quick accidental deletions, but the recycle bin only holds data for the short term; it is not meant for long-term retention. That would be like keeping all your family photos in your recycle bin on your laptop. Not a great idea.

Some SaaS providers provide data protection for higher-tier users at additional costs, but it does not come by default in all tiers. The biggest challenge here is having a different data protection methodology for each SaaS solution. This brings a new set of challenges, including consistency and the increased management cost of monitoring each solution to ensure that compliance is maintained and data is protected as things evolve.

Knowing the truth is half the battle. With email being a critical business function, data needs to be protected from both internal and external bad actors, and it must also meet compliance and legal requirements.

  • Accidental Deletions: These happen all the time. Employees accidentally delete an email, files, or database data and forget about it long enough that the recycle or trash bin doesn’t save them. When they need the data restored, they often remember very little information about it, so having the ability to search and restore specific data is very useful.
  • Compliance and Legal Requirements: Since most of the communication and content today is electronic, SaaS data becomes a corporate record which is required to be stored for longer-term compliance and legal requirements such as SOX and HIPAA. Data needs to be available and searchable anytime to pull for legal holds or eDiscovery.
  • External Bad Actors: Ransomware and malware are becoming more and more prevalent and the criminals don’t take breaks or vacations even in a pandemic. COVID-19 is already proving to be a theme that has one of the largest concentrations of cyber attacks that we have ever seen. Data needs to be stored outside the primary account in an air-gapped solution so that the hacker cannot access the protected data if your primary account is compromised.
  • Internal Bad Actors: This happens when someone internal, who has access to accounts, maliciously deletes data to impact the business. This could be a series of emails or an entire mailbox, for example. Having the ability to restore entire mailboxes or specific deleted emails from a solution that is outside your environment is a requirement.

Data protection in an all-cloud world can be complex when it comes to providing consistency and security with predictable costs. Clumio is focused on eliminating this complexity for our customers with a single service that can protect data across private cloud, public clouds and SaaS. Stay tuned for part two of this series where I will focus on specific SaaS solutions.

Until next time, stay SaaSy my friends.


By Chadd Kenney
Vice President and Chief Technologist

 
