Two data protection questions 85% of IT pros get wrong

Back when software was a thing you physically bought and installed, it was simpler to understand where precisely the data it generated was stored. You installed the software locally, stored application data on your local computer, and (maybe) backed it up on an external drive.

SaaS has turned this paradigm upside down. Instantaneous, seamless delivery in a browser is now the norm, and both application and client data are stored in the cloud.

Unfortunately, all of the convenience comes at a price; the risk of losing data stored in SaaS platforms.
Even many experienced IT professionals are unfamiliar with the default backup and recovery capabilities of most SaaS applications. When asked, “True or False: SaaS applications include backup & recovery capabilities by default,” just 14.9% of respondents answered with the correct answer, False, according to a recent survey from Rewind.

Question	% of respondents who answered correctly (“True”)	% of respondents who answered incorrectly (“False”)
True or False: SaaS applications include backup & recovery capabilities by default.	85.1%	14.9%
True or False: If data is deleted by mistake or a malicious employee, the SaaS vendor will restore the data on request.	83%	17%

Data from Rewind survey. N=377

Furthermore, when asked, “True or False: If data is deleted by mistake or a malicious employee, the SaaS vendor will restore the data on request,” only 17% of respondents answered with the correct answer (False).

These misconceptions likely stem from a misunderstanding of the Shared Responsibility Model.

SaaS platforms take no responsibility for individual account data

Under the Shared Responsibility Model, users and platforms share the responsibility of protecting the data generated and stored in the SaaS product. SaaS providers cover platform-wide backups that can be used in a disaster recovery scenario. If, say, an asteroid hits the data centers used by your SaaS provider, the platform would be able to recover all application and client data on the platform. But if the issue is more localized, i.e., affecting only the data on your account, SaaS providers typically can’t help you. Their platform-wide backups simply aren’t designed to restore individual account-level data.

That’s why the majority of large SaaS providers explicitly state in their terms and conditions that they are not responsible for any data loss experienced by users on their platform. For example, Atlassian, makers of popular software like Jira, Confluence, and Bitbucket, states, “We are not responsible for any of your data lost, altered, intercepted or stored across such networks.”

Similarly, GitHub’s terms of service tell users that “You understand and agree that we will not be liable to you or any third party for any loss of profits, use, goodwill, or data.”

Same thing with most platforms aimed at ecommerce, accounting, productivity, etc. While they occasionally offer data recovery services (typically within a pricier service offering), the best method to secure account-level data is with a third-party account-level backup.

Not all backups are created equal

While SaaS platforms maintain a disaster recovery plan (including backups) for their entire platform, only third-party, account-level backups protect the data that pertains to your specific instance. Loss or corruption of this data can result in significant delays, downtime, and lost work. Imagine your team has lost access to all of their tickets, documentation, repos, or metadata – how could work continue?

Data loss is not a rare occurrence. Multiple reports from IBM. Oracle/KPMG and others over the past several years indicate that close to half of SaaS users have lost data stored in the cloud, with incidents ranging in severity from trivial to catastrophic. And SaaS adoption is on the rise, meaning that more and more data is moving from on-prem solutions to the cloud, creating a bigger and bigger target for cybercriminals.

The most common risk factor for data loss in a SaaS environment is human error, but there’s no shortage of other threats, including external hackers, disgruntled employees, ransomware, incompatibility with 3rd party apps, and many more.

Today’s IT and security professionals need to understand the shared responsibility model and include SaaS data protection in disaster recovery planning with the same level of reliable backups and recovery processes as they specify for on-premise applications. Relying on misconceptions about what SaaS platforms can and cannot restore could leave you in hot water should disaster strike.

An account-level data backup and recovery service for your SaaS data fills this gap in disaster recovery planning and ensures your team always has reliable access to business-critical data.

James Ciesielski">

James Ciesielski

James is the co-founder and CTO of Rewind, the leading data backup and recovery provider for cloud and SaaS data. After completing a Bachelor of Math, Computer Science/Software Engineering at the University of Waterloo, James has over 20 years of experience building highly scalable software and services in the fields of telecommunications, media, and financial technology in both enterprise and start-up environments. An experienced technical leader, James has successfully overseen the development and launch of a variety of software products, including Rewind’s inaugural backup-as-a-service (BaaS) app, Rewind Backups for Shopify. In 2019, James was honoured as a member of the Ottawa 40 Under 40. When he isn’t in front of his computer, James can typically be found running after his kids, cooking with his wife, and volunteering to be in net for every pick-up hockey game he can find.