The one risk of using SaaS no one talks about
The convenience that SaaS applications have afforded us can never be overstated, especially in a working world that is significantly different than just two years ago. However, there is one specific risk of using SaaS that I was unaware of; even with two decades of working with the cloud.
Even before the pandemic, SaaS was eating the world. Access to the cloud and the technology that supports the cloud is cheaper than ever. The average small business, with just under 100 employees, is likely using over 100 apps. Some are used more than others but there is a good chance they rely on a select few to run daily operations.
For the modern DevOps or IT team, these are challenging but also exciting times. In the early stages of my career, we were handcuffed to giant server rooms. As Director of Technical Operations at Rewind, our team runs a large tech stack with just laptops and a wifi connection. We are constantly learning how to manage all these tools and spend a significant amount of time ensuring this mosaic of online software is running smoothly.
The convenience that SaaS applications have afforded us can never be overstated, especially in a working world that is significantly different than just two years ago. However, there is one specific risk of using SaaS that I was unaware of; even with two decades of working with the cloud. It’s not spoken about in many DevOps or IT circles. And it’s a risk that can have a dramatic impact on how a business operates.
The Shared Responsibility Model for SaaS
It’s important to remember a key distinction between SaaS applications versus the other types of cloud computing services (IaaS and PaaS). The distinction is this: you rent everything, you don’t own it. The operating system, infrastructure, network and especially the servers, are all owned by your go-to online software tool. That is their business model and you are paying for access.
What you do own is all the data you create with these tools. All the data you rely on every day. And it is a lot of data when you consider that the average small business is now using over 100 apps in their day-to-day operations. This is where the Shared Responsibility Model comes into play. It was a term coined by AWS but it applies to all of cloud computing. Essentially you and the cloud provider share the responsibility of protecting everything.
The above chart breaks everything down nicely. You can see depending on the type of cloud service you are using, your level of responsibility changes. And this is the thing DevOps and IT teams don’t talk about when it comes to SaaS.
As more institutions and businesses turn to SaaS, the risks of data loss increase exponentially. IT and data protection professionals have a well-used phrase: There are two types of people in this world – those who have lost data and those who are about to lose data”. Even using SaaS, this is no less true. A recent survey we conducted found that over 40% of SaaS users have suffered from data loss. It’s inevitable that at some point in our personal or professional lives, some kind of data loss will occur.
But surely I can get my data back?
Well, yes and no. SaaS tools may be able to bring back a snapshot of the data, but it could be in a format that isn’t usable for your business. Your data is essentially grouped with all other users of said SaaS application. So it’s not easy for some SaaS applications to find your specific data and restore it completely. And if by chance they can, it will likely be an out-of-date snapshot.
This is always met with skepticism (And I understand, I had the same reaction) but I always point people to the terms and conditions page of any SaaS site. Here is Shopify’s and here is GitHub’s. It’s all there in black and white. Whether you are using Trello, Zendesk, Salesforce, QuickBooks Online or others, some aspect of the Shared Responsibility Model is present. The onus is on you, to understand how your data is at risk and how to protect it.
Strategies for Protecting Your SaaS Data
At the end of the day it comes down to three things:
- Use the least privileged approach when setting user access. You may already be doing this and kudos to you if so. Humans are statistically the main culprit of data loss; whether intentional or not. If you limit people’s ability to use a SaaS tool based on their corresponding skills or responsibilities, then the odds of a person causing data loss drop dramatically. Protip: Always use unique passwords or phrases, two-factor authentication, and work with revenue or marketing operations teams to put these things in place.
- Audit everything connected to your major SaaS tools. Go back and read the terms and conditions for third-party apps. You may be shocked at what you find. Some apps can override or delete data! Look, I understand this is a tedious process, so I recommend doing this once a year. Weight the cost/benefit of each one with various teams and decide if it’s worth keeping or uninstalling.
- Have a backup and restoration strategy. You can do this manually for the most part but it can be tedious and time-consuming. Maybe this involves exporting hundreds of CSV files or running backup scripts. Regardless, you are up against ever-changing data and an endlessly evolving API. It is possible to outsource this to a BaaS (Backup-as-a-Service) provider. This can make it easier to manage data continuity but do your homework. There are more and more players every month and many are not mature in their approach to security and compliance.
That’s it. Follow these three steps for a data protection and continuity strategy and you’ll be further ahead than most businesses who have gone all-in on SaaS. I’m still a big believer in the future of SaaS being the dominant tool but DevOps, SRE, and IT professionals need to understand the risks these tools bring with them. The last conversation you want to have is with a CIO as to why X data is missing. The old adage that “it’s in the cloud” won’t mean much at that point.