What is the SaaS Shared Responsibility Model?
The pandemic undoubtedly accelerated our reliance on Software-as-a-Service (SaaS) applications, due to lockdowns and the subsequent increase in remote and homeworking. In 2020, SaaS providers’ revenue grew on average by 78%, with GitHub alone seeing its number of active developers increase by 22% on 2019.
There are numerous practical benefits for businesses choosing SaaS tools over traditional on-premises software, such as:
- Improved efficiency. Setting up access to cloud applications is quicker than installing and configuring on-premises software
- Ease of use and access. You can access SaaS platforms on almost any device that has an internet connection
- Scalability. SaaS applications can grow as your business expands
- Affordability. Paying a monthly or annual subscription turns a large capital expense into a smaller, more manageable operating expense.
But these advantages come with a significant caveat: by choosing a SaaS product, essentially you’re renting a service rather than buying it. Using the traditional method of installing software on your own hardware and servers means you have control of that infrastructure. Using cloud services means you don’t have control of the infrastructure – and this has consequences for your data.
The Shared Responsibility Model sets out what both the SaaS provider and the user are responsible for. Bearing in mind that the majority of SaaS providers use this model, it’s surprising that 45% of users are unaware of it.
As a SaaS user, you need to know exactly what each application’s terms of service say about your responsibilities in terms of content and data security. It’s the Shared Responsibility Model that informs those terms, and to guarantee the safety of your data, it’s important to understand how it works.
How does the Shared Responsibility Model work?
The two key elements of the Shared Responsibility Model are:
- The SaaS provider is responsible for its own hardware, infrastructure and uptime
- The user is responsible for the content and data they store and manage on the platform
How SaaS providers explain the Shared Responsibility Model
One example of how a SaaS provider explains the Shared Responsibility Model to its users can be found in GitHub’s Terms of Service:
“You understand and agree that we will not be liable to you or any third party for any loss of profits, use, goodwill, or data, or for any incidental, indirect, special, consequential or exemplary damages, however arising, that result from… unauthorized access to or alterations of your transmissions or data”.
Another example can be found in the warranty disclaimer in Trello owner Atlassian’s Terms of Service:
“You understand that use of the cloud products necessarily involves transmission of your data over networks that we do not own, operate or control, and we are not responsible for any of your data lost, altered, intercepted or stored across such networks”.
Accounting software company Xero explicitly advises users to have separate backup for their data in the section of their terms addressing maintenance, downtime and data loss:
“We really try to minimize any downtime, but sometimes it’s necessary so we can keep our services updated and secure. You also may have occasional access issues and may experience data loss, so backing up your data is important”.
Xero goes on to state in even more direct terms that there’s no getting away from the risk of data loss when using its services, and that the company is not liable for any data loss that occurs:
- ”Access issues: You know how the internet works – occasionally you might not be able to access our services and your data. This might happen for any number of reasons, at any time.
- Data loss: Data loss is an unavoidable risk when using any technology. You’re responsible for maintaining copies of your data entered into our services. For information on how to do that, check out how to export data out of Xero on Xero Central.
- No compensation: Whatever the cause of any downtime, access issues or data loss, your only recourse is to discontinue using our services.”
These SaaS providers make it clear: they are not responsible for backing up and protecting your data.
What does the Shared Responsibility Model mean for your data?
In short, the Shared Responsibility Model means that in order to guard against data loss, you need external backup for the files and data you store on any SaaS applications.
Because you can use your SaaS tools from almost anywhere that has an internet connection, it’s easy to assume that your data will always be safe and accessible. But SaaS providers store your content (and therefore your data) along with every other user’s data – essentially it’s all lumped in together. So in the event of a security incident or data breach, even if the SaaS provider was able to retrieve the data, it would be almost impossible to identify which data belonged to which user.
The Shared Responsibility Model therefore makes it clear that in the event of a data breach, the SaaS provider cannot be held liable for the loss or restoration of your data.
The risks to your SaaS data
The most common risk to the data you store on SaaS applications is user error, i.e. the accidental deletion of files and folders. There is also the risk of previous employees who may hold some sort of grudge accessing and deleting data if they still have log-in credentials for business apps. This is rare, but it can happen.
Problems with SaaS platforms themselves can also threaten your data – and some providers will delete files and/or restrict account access if they decide you have violated their terms of use in some way. You need to treat SaaS platforms as you would most other software – that is, you should assume that something could go wrong at any point and have adequate backup in place.
Any third-party apps connected to SaaS services pose another risk to the security of your data. Lots of SaaS apps can connect to each other (Slack and Trello can be linked, to give one example) so it’s up to you to make sure you know exactly who and what has access to your files. If a third-party app connected to a SaaS service is compromised, your data could be exposed.
Finally, cyber attacks like ransomware, malware and phishing can also threaten your SaaS data.
The Shared Responsibility Model offers no protection against these risks, so you need to take action to safeguard your data.
How to protect the data you store on SaaS platforms
Now you are aware of the potential issues and risks, there are a few simple but vital steps you should take to ensure the safety of your data:
- Complete a data audit. Ensure you know exactly what data you have stored on each platform. Check all the user agreements and terms of service and make sure you’re clear on your responsibilities as a user.
- Implement the ‘least-privilege’ approach. When setting up accounts for each SaaS platform, make sure each user only has access to the tools and data they need. Make sure all passwords are unique and that you have multi-factor authentication in place.
- Backup and store your data remotely. The best way to do this is to choose a third-party backup provider who will encrypt your data at the highest-possible level of encryption and store it on remote servers. If the worst happens and your SaaS data is lost or corrupted, having third-party backup will limit the damage and disruption caused to your business.
For help with backing up the data you store on SaaS applications or to arrange a free 7-day trial, contact us today.