Adoption of cloud SaaS apps continues to grow, with organizations now using an average of 130 apps, according to SaaS management platform BetterCloud’s 2023 ‘State of SaaS Ops’ report. But as SaaS app usage increases, so does the amount of data stored on cloud services – as of 2022, it’s estimated that over 60% of all corporate data is stored in the cloud. This means that cloud services are a goldmine of information, much of it falling into the category of PII: personally identifiable information. It’s no surprise, then, that SaaS app data is increasingly likely to be targeted by hackers and ransomware attackers. And with ongoing confusion as to whose responsibility it is to secure the data stored on SaaS apps, many businesses are unaware they’re sitting on a ticking timebomb of data loss.
In August 2022, Salesforce data security specialists Odaseva published The State of SaaS Ransomware Attack Preparedness, a survey of large enterprises’ approach to securing SaaS apps – and the results were a cause for concern. Odaseva found:
- 48% of organizations surveyed had experienced a ransomware attack in the preceding 12 months
- Of those attacks, SaaS data was the target 51% of the time
- Data lost through attacks on SaaS apps was least likely to be recovered, with 50% of respondents who’d suffered a ransomware attack reporting they were unable to restore all of their data
- In spite of these worrying statistics, Odaseva’s report found that 57% of companies admitted they backed up some but not all of their SaaS data
- SaaS data is not considered a ‘top 2’ risk for 60% of businesses
In short, ransomware is a significant and increasing threat to business data, particularly data stored on cloud SaaS apps, yet businesses simply aren’t doing enough to secure that data. But it’s not just ransomware that threatens SaaS apps – both human error and threat actors are putting SaaS app data at risk. At the end of December 2022, productivity platform Slack had code stolen from its GitHub repository. Also in 2022, Atlassian (the owners of Trello and Jira) executed a maintenance script that resulted in thousands of Jira users being unable to access their data for several weeks. And before that, in February 2020, personal data from Trello boards listed as public was found to be freely available online.
So why aren’t businesses doing more to protect their SaaS data? One reason may be confusion surrounding who is responsible for the data stored on SaaS services. When Oracle and KPMG investigated understanding of the term ‘shared responsibility’ as applied to cloud services, they found that just 8% of respondents fully understood what it meant. When understanding is that low, it’s perhaps no surprise that SaaS data is going unprotected.
Understanding the Shared Responsibility Model
Most cloud SaaS apps employ the Shared Responsibility Model, and what this means in simple terms is that while the provider is obliged to guarantee the uptime and availability of its services, it’s users who must take responsibility for the security of their data. It’s easy to confuse ‘service availability’ with ‘secured data’ – when you can always access your data from any device with an internet connection, you can be lulled into a false sense of security and fall into the trap of assuming your data will always be safe.
It’s vital that users change their mindset and start thinking of ‘the cloud’ as simply ‘someone else’s server’. If businesses are going to have a hope of avoiding potentially catastrophic data loss caused by hacks or breaches, they must take steps to secure their SaaS data as a matter of urgency.
Other threats to your SaaS data: Shadow SaaS and third-party integrations
It’s not just the Shared Responsibility Model that makes backing up your SaaS apps an urgent priority. Thanks to SaaS apps’ ease of use and the availability of free plans, employees often start using new applications without approval from company IT departments, creating the problem of ‘shadow SaaS’. If management teams don’t know which applications their staff are using, they also don’t know where company data is being stored and managed. What’s more, most SaaS apps have integrations with other third-party apps, further increasing the vulnerability of company data. Gaining a clear picture of exactly how much data is stored across cloud apps and which apps are being used is a vital first step in addressing the SaaS data security deficit.
How to protect your SaaS apps
Fortunately, there are a wealth of measures you can take to protect your SaaS app data.
- Conduct an audit. To get an accurate picture of which data is stored on each SaaS app, you’ll need to complete an audit of all the tools in use across your business. This will include shadow SaaS, the services that staff have started using independently without approval. You’ll need to encourage employees to be honest about the tools they’re using and their preferences, as it may be that company-approved apps aren’t actually helping staff to do their jobs.
- Familiarise yourself with your SaaS providers’ service-level agreements. Knowledge is power – take the time to read your SaaS apps’ terms of service. SaaS providers don’t hide the fact that they do not take responsibility for the safety of user data; it’s usually stated clearly. Take accounting software Xero’s terms of use as an example:
- “You also may have occasional access issues and may experience data loss, so backing up your data is important… Data loss is an unavoidable risk when using any technology. You’re responsible for maintaining copies of your data entered into our services.”
- Implement access controls. Tools like multi-factor authentication aren’t immune to hacks but they provide an extra barrier between a malicious actor and your data. You should also implement ‘least privilege’ access, whereby staff can only access the data and administration rights required to complete their work. No one should be able to access data they don’t need, in other words.
- Monitor SaaS usage. Regular reviews and checks on SaaS app usage are crucial – ensuring your data is secure is an ongoing process. Introduce offboarding procedures if you don’t already have them in place, so that departing staff have their access to company apps removed and login credentials are changed.
- Put third-party backup in place for your SaaS apps. Choose a provider that can ensure top-grade encryption both during transfer and at rest, a zero-knowledge policy, and secure datacenters. Third-party backup for SaaS apps is the best way to make sure that you can restore your business-critical data in the event of an incident or breach.
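The audit, least-privilege, monitoring and offboarding items above are, in practice, one recurring access review: export the app’s user list, compare it against who should have access and at what level, and act on the differences. The script below is an added example (not code from the original article or from any SaaS vendor) that runs such a review offline over a constructed user export. The export format, field names (`email`, `role`, `mfa_enabled`, `last_login`), the staff roster and the approved-admin list are all assumptions; a real review would substitute the export the app actually produces.

```python
"""Offline SaaS access review over a constructed user export.

Added example. Assumptions (hypothetical, not any vendor's real schema):
- the SaaS app can export its user list as JSON with the fields
  email, role, mfa_enabled and last_login;
- HR supplies the e-mail addresses of current staff;
- the business keeps a list of accounts approved to hold the admin role.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data).
SAAS_USERS_JSON = """
[
  {"email": "alice@example.com", "role": "admin",  "mfa_enabled": true,  "last_login": "2024-05-01T09:12:00Z"},
  {"email": "bob@example.com",   "role": "member", "mfa_enabled": false, "last_login": "2024-04-28T17:40:00Z"},
  {"email": "carol@example.com", "role": "admin",  "mfa_enabled": true,  "last_login": "2023-11-02T08:00:00Z"},
  {"email": "dave@example.com",  "role": "member", "mfa_enabled": true,  "last_login": "2024-04-30T12:00:00Z"},
  {"email": "svc-backup@example.com", "role": "admin", "mfa_enabled": false, "last_login": "2024-05-02T01:00:00Z"}
]
"""

# Constructed HR roster and approved-admin list (hypothetical).
CURRENT_STAFF = {"alice@example.com", "bob@example.com", "dave@example.com"}
APPROVED_ADMINS = {"alice@example.com"}

# Review parameters: accounts idle longer than this are flagged as stale.
STALE_AFTER = timedelta(days=90)
REVIEW_DATE = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_export(raw):
    """Parse the JSON export and convert last_login to an aware datetime."""
    users = json.loads(raw)
    for user in users:
        user["last_login"] = datetime.strptime(
            user["last_login"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    return users


def review_access(users, staff, approved_admins, now=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return a list of (email, category, detail) findings.

    Categories map to the measures in the article:
      offboarding     - account exists but the person is not on the staff roster
      mfa             - multi-factor authentication is switched off
      least-privilege - admin role held by an account not approved for it
      stale           - no login within stale_after (candidate for removal)
    """
    findings = []
    for user in users:
        email = user["email"]
        if email not in staff:
            findings.append((email, "offboarding", "active account not on current staff roster"))
        if not user["mfa_enabled"]:
            findings.append((email, "mfa", "multi-factor authentication not enabled"))
        if user["role"] == "admin" and email not in approved_admins:
            findings.append((email, "least-privilege", "admin role not on approved admin list"))
        if now - user["last_login"] > stale_after:
            findings.append((email, "stale", f"no login for more than {stale_after.days} days"))
    return findings


def summarise(findings):
    """Count findings per category, so reviews can be compared over time."""
    counts = {}
    for _email, category, _detail in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    users = parse_export(SAAS_USERS_JSON)
    findings = review_access(users, CURRENT_STAFF, APPROVED_ADMINS)
    for email, category, detail in findings:
        print(f"{category:16} {email:28} {detail}")
    print("summary:", summarise(findings))
```

Run on the constructed data, the review flags one account that has simply not enabled MFA, one former staff member whose admin account is still active and idle, and a shared service account with admin rights and no MFA. Repeating the review on a schedule, and keeping the per-category counts, turns the one-off audit into the ongoing monitoring the article calls for.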
If you need protection for your GitHub, Trello or GitLab data, or want to be notified when backup for Jira, Notion or Asana becomes available, get in touch with us today.