Stop giving away the keys to your SaaS backup data

Joel Hans | Last updated on May 30, 2024 | 6 minute read

You’ve diligently designed systems to back up your organization’s data—even your SaaS data—for the peace of mind of knowing that even if disaster strikes, you can quickly get your peers back in action and operating at their best. You’ve thought about end-to-end security, crafting policies that insist upon encryption and administrative best practices, and choosing third-party providers who can work with the least-trust principles you hold dear.

What if the providers you trust with your backups become an entirely new threat?

That’s precisely what some SaaS data backup providers are doing. Under the guise of protecting you from unknown threats, they ask you to scan for the presence of malware, and if you agree, you give them complete access to your backup data. All your hard work around building secure backups is undermined—for all the wrong reasons.

At Rewind, we offer a real-time audit log of every interaction with your backup data—who accessed it, under which privileges, when it happened, and what they did. Can you imagine if that audit log were filled with reads from Rewind itself? Then the calls truly would be coming from inside the house.

A new era of ‘antivirus’ for your backup data

Beginning in the mid-1990s and through the 2000s, companies fought a multi-billion dollar war over antivirus. There were valid reasons for needing antivirus software, especially as a Windows user—one visit to a malware-ridden website, or an .exe downloaded from an unofficial source, meant losing your entire system and all your data. Not to mention all the dangers of grabbing expensive software—Photoshop has always been a popular choice—from one of the many piracy sites and networks, which often came with all sorts of embedded nastiness.

If you were part of that era of computing, you understood that you needed to concede your privacy and security. You could let an antivirus program run in the background, scanning all your files and applications, in exchange for that peace of mind as you went about your day-to-day-work.

The antivirus industry proved far from perfect. In many cases, folks relied on antivirus software to protect their systems and data rather than creating robust backups, quickly discovering that antivirus was actually quite limited in scope—it couldn’t protect them from stolen devices, spilled coffee, or an operating system upgrade gone awry.

Even worse, an entire category of rogue security software emerged to trick victims into installing Trojan horses and other malware, thinking they were getting an antivirus or malware removal tool.

For many reasons, the antivirus fervor just couldn’t last. Some of these brands are still around, like Norton and McAfee, but looking at Google Trends data from 2004 to today, they’re fighting over a much smaller market than they used to. Attackers changed their methodologies, Microsoft built better antivirus directly into Windows via Defender, and folks stopped downloading a lot less pirated software.

Now, roughly 20 years later, we’re seeing the same justifications from some SaaS data backup providers for new background agents sniffing around in your mission-critical data.

In exchange for giving over any semblance of privacy and security of your backup data, you get some semblance of insights into whether or not you’ve already been breached by malware… hours, days, or weeks after it’s already taken root. Even if they can help identify instances of malware, it’s at the cost of an enormous contradiction—providers can’t both claim to fortify your backup data against intruders while simultaneously accessing it themselves.

We believe providers shouldn’t excuse themselves from the security measures you designed in the name of so-called splashy feature launches. We might even call them backups gone rogue.

Why should you be so diligent about the security of your backups?

You might think that if you’re going to run malware checks against your data, you should do so against your “less valuable” backup data rather than live production data.

Your assumption could not be further from the truth:

  • Attackers can quickly learn about the architecture and configuration of your infrastructure, including cloud providers, identity providers, third-party connections, and more—essential information to help them launch targeted phishing campaigns against your employees.
  • Backups often contain personally identifiable information (PII) about your employees and customers, which you have almost certainly made strong promises to encrypt and protect from prying eyes or extraction.
  • Even in backup form, your SaaS data is an invaluable resource for intellectual property (IP) theft, as most strategy, architectural, and early design decisions happen on SaaS-based collaboration or wiki platforms like Confluence.

Data has slow-moving, long-term value to attackers—your organization’s security posture is changing even as you read this.

If you’re worried about the active presence of malware on your live data, you should be reading audit logs for strange user interactions with SaaS data or watching observability dashboards for anomalies, not hoping a malware scan picks it up after the fact. You should be implementing endpoint security and training employees to identify attacks, not giving away the keys to your valuable backup data.

Unfortunately, we all cede control, privacy, and security in exchange for simplicity and less cognitive load. We fully predict malware scans and similar features will expand in the coming years, especially as specialty AI agents become more affordable and attainable to companies that want to fold them into their offerings. Expect to see AIs that help you control backup costs by whittling away your least used data. AIs that promise “smart” backups based on some logic far more complicated (and less effective) than daily incremental snapshots. AIs that read backup data to surface past insights that may have been forgotten due to turnover or plain-old chaos.

No matter what these AI-based features promise, hold two warnings to heart:

  • They are capable of manipulating, deleting, and exposing your SaaS data in all the same ways your human counterparts are, but at the remarkable computational speed of GPU-accelerated data center hardware.
  • They fall dangerously beyond the scope of a backup provider’s job, which is quite simple: autonomous, complete, and completely reliable restorations when your next data disaster strikes.

What’s next: the Rewind way

This hasn’t been a long-winded teaser to announce a new scanning tool or malware-sniffing AI assistant to the Rewind platform. Quite the opposite: think of it as a promise of what we won’t do to the mission-critical SaaS data you back up with us.

We won’t stretch beyond the scope of our job at the expense of your data privacy. We won’t compromise the security you’ve built around your organization and data because we respect your decisions. We won’t make exceptions, especially for ourselves, because we think we’ve come up with a value-add feature that’s essentially a rogue agent lurking in the background of your SaaS.

If there is one area of your infrastructure that should remain risk-free, it’s your backups. What do you need in a provider to get that job done? 

  1. Security practices that honor and amplify the policies and procedures you’ve already built.
  2. Autonomous daily snapshots that ensure you can recover instantly from data loss of any scope on platforms like GitHub, Bitbucket, Jira, Confluence, and more.
  3. Auditing tools that show you exactly who—we mean your employees, not scanners—is interacting with your backup data.

Anything else is creating or chasing today’s edition of the antivirus fervor. It barely belonged on your Windows 98 machine then, and it certainly doesn’t belong on your mission-critical backups now.

Profile picture of Joel Hans
Joel Hans
Joel Hans writes copy and marketing content that energizes startups with the technical and strategic storytelling they need to win developer trust. Learn more about how he helps clients like ngrok, CNCF, Rewind, and others at