Today, we’ll be breaking down the Shared Responsibility Model and what that means for all your SaaS and cloud computing apps. Online software may be eating the world, but the cloud is the fuel feeding the beast. Cloud computing is nothing new; it’s been with us since the mid-1990s. But in recent years, businesses of all sizes have been turning to the cloud.
According to a 2020 survey of 250 IT professionals, more than 80% of respondents had increased their overall cloud usage. IDG’s 2020 Cloud Computing Survey showed 59% of respondents would have the bulk of their digital assets in the cloud within the next 18 months. And now, according to Gartner, global spending on cloud services will rise 18.4% in 2021, with growth continuing well into 2024.
Every type of industry, from health care, construction, accounting, even governments, has begun to embrace the cloud. Their tech stacks and the volume of data they create grow at an accelerated pace.
However, the convenience of the cloud comes at a price; SaaS customers are exposed to an underlying risk few people talk about. This risk stems from a general misunderstanding of how cloud computing works.
How Cloud Computing Works
There’s a commonly held belief that if something is “in the cloud,” it’s always there. It’s probably because we rely on the cloud for everything in our work and personal lives. The cloud is synced to our phones, computers, and wearable devices: nearly every device we use. Box, Dropbox, Microsoft 365, Google Drive: these things are always available, following us everywhere. But here’s the eye-opening truth – storing data in the cloud doesn’t mean it will always be there.
Let’s take a step back for a moment and explain how cloud computing works.
Not too long ago, vital business data used to be stored on-premise, in a giant maze of never-ending server rooms. This onsite infrastructure ran everything a company needed when it came to their networks.
Gigantic server rooms are still common. What’s changed is who owns these servers. Building and maintaining this type of infrastructure is expensive. Handing this off to another company can be easier on the bottom line. As the internet matured and the flow of information got faster, companies began to outsource even more of their IT and software needs. This evolution has led to different options for businesses. These options include Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
In IaaS, the company providing the cloud manages all the physical infrastructure. Customers (or users) then have access to this network, which essentially acts as an extension of their own data center infrastructure. IaaS brings many benefits, such as potentially making workloads (a workload is an application or a service deployed on the cloud) faster, easier, more flexible, and more cost-efficient. Think of Amazon Web Services, Microsoft Azure, Google Cloud, and others. More often than not, IaaS is being used by companies that build their own software.
PaaS essentially involves having third-party companies manage the IT infrastructure while giving developers access to a framework where they can build customized apps. Many companies are both PaaS and IaaS; however, some businesses, such as Heroku, Netlify, and Elastic Beanstalk, are just PaaS.
And finally, there’s SaaS, which is the type of online software most people are familiar with. At last count, there are over 18,000 SaaS companies worldwide today. Most SaaS applications run directly from a web browser without any downloads or installations required, although some require plugins. For decades, businesses ran their software on their own computers, hosted on their desktops or servers. Online software essentially eliminated the need to install and run applications on individual computers.
Think about this for a second. You don’t own the software, you rent it. This includes all the servers. And if businesses no longer own or control the servers which run their software, they also don’t have full control over their data. In other words, you have no physical copy of that data. So unless you have a copy, you can’t restore anything if it gets lost. And neither can the SaaS provider.
This brings us back to the Shared Responsibility Model.
The Shared Responsibility Model: How it Works
It’s an aspect of cloud computing that’s rarely talked about, but something which can have a dramatic impact. Sometimes people call it the AWS Shared Responsibility Model, probably because of how big Amazon is. Yet the shared responsibility model is a function of cloud computing itself. It outlines where a cloud provider’s duty of care ends and the customer’s begins. And regardless of whether you use IaaS, PaaS, or SaaS – the Shared Responsibility Model is part of the mix.
If we map all the solutions out side by side, we can see where the provider’s responsibility ends and where the users’ begins:
For IaaS and PaaS, customers have many more things they are on the hook for. SaaS has the fewest, but notice that data and user access/security are the customer’s responsibility across the board.
So whether you have a giant on-premise server room worth millions of dollars or you’re paying $99 a month for an app, software customers are ALWAYS responsible for ensuring data is protected. This is the crux of the Shared Responsibility Model. You and the SaaS provider share the responsibility for protecting your data.
Why Can’t SaaS Tools Protect Your Data?
It’s a common question. Why don’t Software-as-a-Service companies just add the final layer of protection? Why can’t they just save the data? There’s a distinction we need to make. They do “save” it – but they only save this data in a format that makes sense to them.
Every new piece of data or content you create is hosted on the servers of whichever SaaS tool you are using. This data gets lumped in with that of all the other users of said tool. You see all the customer information, reports, project plans, financial statements, or whatever you use that specific SaaS tool for. On the other side of the mirror, the SaaS provider essentially sees this:
All your data is lumped together with that of all the other customers, regardless of whether the provider has one thousand or one million customers. It’s a never-ending sea of mixed-up computer code. If you did lose data, finding and recovering it would be like looking for a needle in a field of haystacks.
This is why the major SaaS apps add stipulations and limitations around what they can restore in their terms and conditions. Here is what Shopify has in its terms of service:
And here is the language in GitHub’s terms of service:
No matter what tool you use, Trello, QuickBooks Online, Zendesk, Salesforce, and so on, the Shared Responsibility Model is always present. The onus is on you, the user, to understand what data is at risk and how to protect it.
Protect the Data and You Protect the Business
Today’s tech stack is an essential part of a modern workforce. It’s not uncommon to have dozens, even hundreds of different SaaS tools all working together in some capacity. It also doesn’t matter what team you are on. Sales, Development, Finance, Customer Success, or Marketing, it’s a safe bet that you are using online software every day. And with each passing week, you are becoming more reliant and dependent on the data in these tools.
Just take a step back to think about ALL the data and content you have stored in all these tools. Think of all the ways this data helps you run the business. You make decisions on resourcing, investments, and strategic roadmaps. You may use SaaS tools to house all your customer data and/or sales leads. In essence, your data IS the business. What are the chances all this vital information could disappear?
According to a major report by Oracle & the analyst firm ESG, 49% of organizations who participated in the study blamed confusion around the Shared Responsibility Model for data loss. A survey conducted by Rewind found that 40% of SaaS users have lost data.
So essentially, whether you lose data or not comes down to the same odds as a coin flip.
The impact of this data loss varies depending on how reliant you are on these tools. Much of the data we store in SaaS is vital to our day-to-day. Since apps can’t restore this data (remember; it’s a field of haystacks), the onus is on you to put everything back. This can involve hours, days, or even weeks of manual work trying to put everything back. And that’s only if you have copies of the most recent data on hand. So again, depending on how reliant you are, it could be a minor nuisance or an earth-shattering emergency.
How Data Loss Actually Happens in SaaS
There are a number of ways this data can get lost or deleted. Some are major like data breaches or servers going down. However, if you remember how the Shared Responsibility Model works, cloud providers will be on the hook for those. Those are events that affect ALL users. Individual users, on the other hand, face a number of risks. Here’s a quick rundown:
Third-Party App Errors
All the applications we install are really just more SaaS tools. Some are dedicated to the platform in question, some apps just allow more communication between existing tools. When they work – it’s incredibly efficient and powerful – but when they don’t, that is where problems arise. Remember the “terms of service” agreements? Go back and read them. Third-party integrations typically require “read and write” permissions, meaning they can also change, manipulate, or delete your data if connected improperly.
No matter how much training we do or how many times we’ve done the same thing, mistakes happen. It’s simply human nature, especially in a fast-paced environment. It isn’t a matter of if, it’s when. And with more businesses embracing the cloud and SaaS, the opportunities for people to make mistakes will inevitably go up.
There are two kinds; attacks from people you don’t know (cybercriminals) and people you do (contractors or ex-employees). Cyberattacks are the most common here and historically large international corporations have been the targets. That’s changed dramatically, especially at the onset of the global pandemic of 2020. Ransomware, phishing attacks, and malware are still prevalent, and SaaS users are one misstep away from having their data hijacked or wiped out.
It may seem far-fetched, but it does happen, and more often than people may think. In 2020, a study of data breaches by Verizon found nearly 1 in 3 (28%) of victims were SMBs.
A Comma Separated Values file, also known as a CSV file, is a plain text file that contains tabular data and spreadsheets. They are easy to create and can be used to import large volumes of data into a tool. Not all SaaS tools allow for the use of them, but many do. But just like people, it’s easy for these documents to accidentally break things. Here is a first-hand example of an ecommerce business that lost thousands of files after trying to change things in bulk with a CSV file.
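A dry run of a bulk CSV import against a pre-import export, as an added example that is not part of the original article. It assumes the target tool overwrites a field with whatever the CSV cell holds, including an empty cell; the column names, sample rows, and 10% threshold are constructed for illustration.

```python
import csv
import io

# Constructed sample data: an export taken before the import (the backup copy)
# and the edited CSV someone is about to bulk-import.
CURRENT_EXPORT = """id,title,price,image_url
1,Blue Mug,12.00,https://example.com/img/1.png
2,Red Mug,12.00,https://example.com/img/2.png
3,Green Mug,14.00,https://example.com/img/3.png
4,Black Mug,15.00,https://example.com/img/4.png
"""

INCOMING_CSV = """id,title,price,image_url
1,Blue Mug,13.00,
2,Red Mug,13.00,
3,Green Mug,15.00,
5,White Mug,15.00,https://example.com/img/5.png
"""


def load(text, key="id"):
    """Index CSV rows by their key column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def dry_run(current_text, incoming_text, key="id", max_destructive_ratio=0.10):
    """Report what a bulk CSV import would change, without applying it.

    Assumption: an empty cell in the CSV overwrites (blanks) the stored value.
    """
    current, incoming = load(current_text, key), load(incoming_text, key)
    blanked, updated = [], []
    for rid, new in incoming.items():
        old = current.get(rid)
        if old is None:
            continue  # new record, nothing existing to damage
        for col, old_val in old.items():
            old_val, new_val = (old_val or "").strip(), (new.get(col) or "").strip()
            if old_val and not new_val:
                blanked.append((rid, col))   # existing value would be wiped
            elif new_val != old_val:
                updated.append((rid, col))
    rows_losing_data = {rid for rid, _ in blanked}
    return {
        "created": sorted(set(incoming) - set(current)),
        "absent_from_import": sorted(set(current) - set(incoming)),
        "updated": updated,
        "blanked": blanked,
        "safe_to_import": len(rows_losing_data) / max(len(current), 1) <= max_destructive_ratio,
    }
```

On the sample data the price edits are reported as updates, but the empty `image_url` column is flagged as blanking three of four existing records, so the import is refused while the pre-import export remains available as the restore point.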
The likelihood of these things happening is relative, but the odds of SaaS users losing data is much higher than SaaS providers losing data. That brings us back full circle to why their terms of service limit their liability and why understanding the Shared Responsibility Model is critical to your business.
How You Can Protect Your SaaS Data
It really comes down to two things. First, ensure you have strict rigour around user access and permissions. Second, you need a backup strategy. If you go back and look at where Shared Responsibility starts and stops for SaaS users, these are the two areas users have to address. Implement them into your business and the odds of losing vital data will dramatically drop. You’ll spend more time focused on your work, rather than working on solving the stressful challenge of data loss.
Rewind offers automatic, set it and forget it data backup and restoration solutions. Our apps integrate directly with your SaaS platform, allowing you to restore individual items of data or your entire fileset. Learn more about how Rewind protects data.