March 21, 2024 | Updated on: April 11, 2024 | Reading time 7 minutes

Expert Insights: SaaS Application Data Protection Fundamentals

SaaS applications appeal to organizations because they make running the application “somebody else’s problem.” However, this is only partially true; in particular, SaaS vendors rarely take responsibility for preventing data loss and rarely offer backup as part of their service.

Although the SaaS vendor may be running the application, the data loss risks are the same as for on-premise applications; the only difference is that you share responsibility for protecting your application and the critical data it stores.

Figure 1 – Data loss risks:

Table 1 – Potential causes of data loss:

The greatest risk to data from cyberattacks applies to services such as Microsoft OneDrive or Google Drive where data is cached locally, edited, and then synced back to the service. In this scenario, the local copy can be encrypted by ransomware and then synced back to the service to overwrite the master copy. Attacks on SaaS applications that don’t store data locally are harder, but it is still possible to use application APIs to read and encrypt the data and then overwrite the original data in the application.
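One way to spot the sync-back pattern described above before it overwrites many master copies, shown as an added example that is not from the original article or from any vendor's product. The event fields (`ts`, `client`, `action`, `path`, `sample`), the thresholds, and the sample events are all constructed assumptions; real sync audit logs will differ.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted content approaches 8.0, plain text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_suspect_clients(events, window_s=60, min_files=3, entropy_min=7.0):
    """Return sync clients that overwrote at least min_files files with
    high-entropy content inside any window_s-second span."""
    hits = defaultdict(list)
    for ev in events:
        if ev["action"] == "overwrite" and shannon_entropy(ev["sample"]) >= entropy_min:
            hits[ev["client"]].append(ev["ts"])
    flagged = set()
    for client, times in hits.items():
        times.sort()
        # Slide over sorted timestamps looking for min_files hits close together.
        for i in range(len(times) - min_files + 1):
            if times[i + min_files - 1] - times[i] <= window_s:
                flagged.add(client)
                break
    return flagged

# Constructed sample data. Field names and thresholds are assumptions.
TEXT = b"Quarterly report draft, revision 3. " * 30
CIPHER_LIKE = bytes(range(256)) * 4  # uniform byte mix standing in for encrypted content

EVENTS = [
    {"ts": 100, "client": "laptop-17", "action": "overwrite", "path": "/fin/q1.xlsx", "sample": CIPHER_LIKE},
    {"ts": 105, "client": "laptop-04", "action": "overwrite", "path": "/hr/notes.txt", "sample": TEXT},
    {"ts": 110, "client": "laptop-17", "action": "overwrite", "path": "/fin/q2.xlsx", "sample": CIPHER_LIKE},
    {"ts": 125, "client": "laptop-17", "action": "overwrite", "path": "/fin/plan.docx", "sample": CIPHER_LIKE},
    {"ts": 500, "client": "laptop-04", "action": "overwrite", "path": "/hr/photos.zip", "sample": CIPHER_LIKE},
]

if __name__ == "__main__":
    for client in sorted(flag_suspect_clients(EVENTS)):
        print(f"ALERT: {client} overwrote several files with high-entropy content; pause its sync")
```

Compressed formats such as archives and images also score near 8 bits per byte, which is why the rule requires a burst from one client rather than alerting on a single high-entropy upload.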

Risks at the provider are harder to assess, as much depends on the provider in areas such as:

  • Security processes: Any breach of the administrator’s security could allow attackers free rein to delete, encrypt, modify, or steal customer data.
  • Testing and deployment processes: Providers can and do make mistakes that let poorly tested updates reach their service, which can lead to data loss for clients.
  • Infrastructure design and implementation: Many SaaS providers build their applications on top of infrastructure provided by vendors such as Microsoft and Amazon. The use of major public cloud providers allows the SaaS provider to benefit from the security blanket provided by the major cloud providers, who can hire the best people to protect their operations. However, some SaaS providers build their own infrastructure, which puts all the responsibility on the SaaS provider, who may or may not have the required expertise.

The key point is that you can’t assume that data stored in a SaaS application is safe; it’s the customer’s responsibility to ensure that the data is protected. Though not widely publicized, SaaS vendors usually include disclaimers to this effect but bury them deep in the small print of the terms of service for the SaaS application.


Former Gartner Analyst, Backup & Recovery

About Author

Recently retired from full-time work, Nik Simpson spent 40 years in the IT industry in a variety of roles with major IT vendors, startups, and IT Research companies. Most recently, Nik was VP of Research covering backup and disaster recovery at Gartner where he worked on signature documents such as the Backup & Recovery Magic Quadrant as well as leading research into Backup-as-a-Service and backup for SaaS applications such as Microsoft 365. In a 15 year stint at Gartner, Nik also covered a variety of topics including server technology, data center design, and storage platforms.
