You don’t get a pass with SaaS


Software as a Service (SaaS) is increasingly taking the place of traditional, on-premises software. In an analysis of the 2021 SaaS market, Gartner estimated that global end-user spending on public cloud services grew 23.1 percent to $332.3 billion. SaaS alone accounted for $122.6 billion and is projected to top $145 billion in 2022.

The drivers behind the success of SaaS are clear. There’s no on-premises equipment or software to buy or manage, pricing is lower and is more flexible than perpetual licenses. Less cost, less complexity, less aggravation for IT — that’s a pretty convincing proposition.

Unfortunately, these benefits are undermined because many are leaving the data in their SaaS applications dangerously exposed. Take Microsoft 365, which Okta has called the most popular enterprise app. In the 2021 Veeam Data Protection Survey, less than half of companies (45 percent) specifically backed up their Microsoft 365 data, while more (47 percent) were relying on Microsoft 365 to protect it.

There’s a problem with this approach, and it’s a critical one. Microsoft 365 doesn’t protect all the data.

What’s your responsibility?

Most all SaaS vendors work off a shared responsibility model in which they and the customer oversee distinct areas of data protection. The vendor typically handles service infrastructure security, making sure the application is up and running and data is protected should a disaster take place. If there’s a fire in the data center, security incident, natural disaster, the ball is in the vendor’s court.

But ongoing, long-term data protection? That’s the customer’s responsibility, and it’s one that many companies don’t even realize. 

Further, vendor offerings are not designed to recover that email an employee deleted, a corrupted file or specific record in NetSuite. Also, most SaaS applications — including Microsoft 365 — permanently delete all information in the recycle bin after 30 days. Without a backup, that data is gone for good, and a company could face serious retention policy gaps, security risks and compliance issues.

Their service, your problem

Keep in mind that vendor backups are meant for recovery in case of a catastrophic event. A vendor’s data protection is architected at the service level — it’s not designed for granular recovery. So, if someone from human resources (HR) unknowingly deletes a vital research spreadsheet that’s meant for an upcoming c-level briefing, after 30 days, Microsoft will automatically clear it from the recycle bin.

Without backup, that research is gone for good, and your HR team will be in for a rude awakening as they prepare to present to company leaders. But that’s not the only ramification to consider. As an example, if a company insider deletes material to cover up illegal activities, and you can’t produce that evidence, your organization could be liable and subject to severe penalties.

If a vendor does offer backup services, but they’re compromised by a disaster and unprepared to deal with it, you’ll have no fallback option without access to additional backups. And what if you simply have a dispute with your provider and they end up suddenly canceling your service? Again, that’s your problem, and without your own backup, you’ll face serious downtime and loss of revenue.

Covering SaaS in three steps

To ensure your SaaS data is covered, start by reviewing your provider’s shared responsibility model. For Microsoft 365 users, Veeam offers an overview that does a good job at breaking down who is responsible for what. 

Next, review your data to ensure high priority information is secure and meets compliance guidelines. See if the data contains financial, protected health (PHI) and personally identifiable information (PII). Also, while doing so, look for emails that may need to be saved for legal purposes.

Finally, when you have a grasp on what you’ll need for SaaS backup, decide on a solution that will enable you to easily but best protect your data. Many companies have found that when enlisting SaaS for applications, the best approach is to use another SaaS offering. 

Some solutions are designed with particular SaaS offerings in mind, including Microsoft 365. Popular options can allow secure access to backups via multi-factor authentication. You can set retention policies and recover granularly, too. Some even work in hybrid situations and can easily move data between on-premises solutions and SaaS.

Regardless, always keep in mind that you don’t get a pass with SaaS. The data these services contain require the same attention as in-house, on premise solutions. You may have a lot to gain with SaaS, but there’s also a lot to lose if your data is not backed up and sufficiently protected.

Photo Credit: Wright Studio/Shutterstock

Bret Piatt is CEO of OffsiteDataSync, a managed service provider that specializes in backup and DR as a service, including SaaS applications like Microsoft 365 and Salesforce

Author: Martha Meyer