It is a common misconception that data in SaaS repositories (such as Office 365) are automatically protected by the SaaS vendor.  If you think that, you may be in for a rude surprise.

Customers with Microsoft Office 365 (or any SaaS vendor for that matter) mistakenly believe that they don’t need to worry about data backups for their assets in the cloud.  The misconception is rampant at many levels.  So, let’s try and break this down systematically and understand why should we consider office 365 backup to protect our valuable assets.

Why are backups necessary in the first place?

Admittedly this part is Backup 101 and applies to all business data (not just data in SaaS applications) – but for the sake of completeness, let’s cover this.

The most obvious cause for a backup solution is data loss.  A user loses a folder, file, or email message and wants it back.  And most times when we think of a backup use case – this is what comes to mind. However, enterprises invest in commercial-grade, 3^rd party backups for several other reasons.  A few important drivers are:

Regulation

Regulations – We’ve all heard of these.  Like SOX, HIPAA, GDPR.  As the world becomes global and companies start doing business overseas – like in the US and the EU, these regulations are hard to ignore.  If you do business in the US, you most likely have to worry about SOX.  If you are in healthcare, you need to care about HIPAA.  If you have even a single customer in the EU, you fall under the ambit of GDPR.  GDPR specifically was all over the news last year as it came into effect in the EU and famously levied penalties on the likes of Google and Facebook.  It is a regulation with the most teeth and clearly defines accountability around data losses.   Several developing countries are also modeling their regulations after GDPR.  The long and short of it is – Regulations are only getting stricter and holding businesses more and more accountable for data losses.

Ransomware

For those of you who may be unfamiliar with it, ransomware is an insidious form of malware that attacks endpoints and ends up encrypting all data on the disks – while demanding a bitcoin ransom in exchange for the encryption key. 

It is very hard to defend against because the attacks come in the form of phishing or spear-phishing emails – so it is more of a social engineering attack, targeting unsuspecting, non-technical users.  All it takes is for an unsuspecting user to click on an attachment – which will then silently drop the deadly payload on their endpoint.  Within a matter of hours, ransomware will have done its damage. 

It has the potential to rapidly spread across LANs to other user endpoints and even servers and databases.  Famous ransomware attacks like WannaCry and Petya made the news a few years ago as they wreaked havoc worldwide.  Many businesses simply have had to shut down because they couldn’t afford the ransom or they simply didn’t get their data back even after paying it.  Ransomware has proved that it can get around the best security defenses.  And in the end, as it is now fairly well accepted, the best defense against ransomware is actually to have a solid backup strategy.

Insider threats

Insider threats – This is damage usually caused by trusted actors – usually inside the company.  Many times, the data losses may be due to accidental actions.  But (sometimes) they could also be due to malicious deletion of data by employees.  Many businesses want to keep a regular backup of all their user data – with or without the users’ knowledge – to hedge against this kind of action.

Ok. Next question.

Can you really lose data in a SaaS application?

Interestingly the answer is yes – and the number of data loss scenarios with SaaS is more than you may think.  Close to a third of enterprises have reported having some type of data loss or another when using SaaS applications.   Here are some statistics:

• A whopping 47% of data losses are due to end-user deletion.
• The next highest statistic is Administrative errors – 17%
• Losses due to external threat actors contribute to 13% of the problem.
• 7% is caused by malicious insiders.
• Another 7% are due to bugs in the SaaS application itself
• 13% of these are because you simply decide to stop using the SaaS application.

The last one blew my mind!  Who knew?  You may end up losing your data in a SaaS application simply because you decided to terminate the contract!

But isn’t the SaaS vendor accountable?

That’s a great question.  Let’s further break it down into 2 sub-questions:

1. Shouldn’t the responsibility or accountability of protecting data also move to the cloud – along with the data itself?
2. The SaaS vendor should backup the data for their own protection anyway – right?

To answer the first question – the accountability for data protection stays with you as the organization.  Most regulators draw a clear distinction between the owners of the data and the hosters of the data.  The latest regulation which made the news last year – GDPR actually calls them data controllers and data processors respectively.  While hosting companies (or data processors) can provide services, the majority of the accountability around data breaches or losses that could occur – stays with the data owners (or controllers).  And this is not likely to change in the near future.

A simple way to state this is that you can’t contract away responsibility.  So, the answer is YES – as an organization you still remain responsible.

Now to answer the second question.  Doesn’t the cloud vendor perform backups?

Well, they do, and they don’t.  SaaS application providers do backup or replicate their data but at a tenant level.  These backups are geared for them to recover the entire platform in case of an outage but are not really designed for granular recovery. There is also no option for an on-demand backup – for instance if you wish to make sure you have a backup right now before you get started on a large-scale internal project – you won’t be able to do that with a SaaS application.

For these reasons, many SaaS application providers admit that although they have data protection measures in place, customers should also perform their own backups in case there is a loss of data due to various factors outside their control.

And Microsoft does the same when it comes to Office 365.   If you read the Office 365 Service agreement text, it clearly states:

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

But wait…. How’s that possible? 

But, how can a SaaS vendor get away with that?  Not taking responsibility for backups?

Because of the model in which SaaS vendors operate under.  It is called a Shared Responsibility Model.  You will find that no matter which SaaS you are using if you read the fine print of the contract closely – almost every one of them will refer to this in one form or another.