Gigantic server rooms are still common. What’s changed is who owns these servers. Building and maintaining this type of infrastructure is expensive. Handing this off to another company can be easier on the bottom line. As the internet matured and the flow of information got faster, companies began to outsource even more of their IT and software needs. This evolution has led to different options for businesses. These options include Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
In IaaS, the company providing the cloud manages all the physical infrastructure. Customers (or users) then have access to this network, which essentially acts as an extension of their own data center infrastructure. IaaS brings many benefits, such as potentially making workloads (a workload is an application or a service deployed on the cloud) faster, easier, more flexible, and more cost-efficient. Think of Amazon Web Services, Microsoft Azure, Google Cloud, and others. More often than not, IaaS is being used by companies that build their own software.
PaaS essentially involves having third-party companies manage the IT infrastructure while giving developers access to a framework where they can build customized apps. Many companies are both PaaS and IaaS; however, some businesses such as Heroku, Netlify, and Elastic Beanstalk are just PaaS.
And finally, there’s SaaS, which is the type of online software most people are familiar with. At last count, there are over 18,000 SaaS companies worldwide today. Most SaaS applications run directly from a web browser without any downloads or installations required, although some require plugins. For decades, businesses ran their software on their own computers, hosted on their desktops or servers. Online software essentially eliminated the need to install and run applications on individual computers.
Think about this for a second. You don’t own the software, you rent it. This includes all the servers. And if businesses no longer own or control the servers which run their software, they also don’t have full control over their data. In other words, you have no physical copy of that data. So unless you have a copy, you can’t restore anything if it gets lost. And neither can the SaaS provider.
This brings us back to the Shared Responsibility Model.
How the Shared Responsibility Model Works
It’s an aspect of cloud computing that’s rarely talked about, but one that can have a dramatic impact. Sometimes people call it the AWS Shared Responsibility Model, probably because of how big Amazon is. Yet the shared responsibility model is a function of cloud computing itself. It outlines where a cloud provider’s duty of care ends and the customer’s begins. And regardless of whether you use IaaS, PaaS, or SaaS, the Shared Responsibility Model is part of the mix.
If we map all the solutions out side by side, we can see where the provider’s responsibility ends and where the users’ begins:
For IaaS and PaaS, customers are on the hook for many more things. SaaS has the fewest, but notice that data and user access/security sit on the customer’s side across the board.
So whether you have a giant on-premise server room worth millions of dollars or you’re paying $99 a month for an app, software customers are ALWAYS responsible for ensuring data is protected. This is the crux of the Shared Responsibility Model. You and the SaaS provider share the responsibility for protecting your data.
Why Can’t SaaS Tools Protect Your Data?
It’s a common question. Why don’t Software-as-a-Service companies just add the final layer of protection? Why can’t they just save the data? There’s a distinction we need to make. They do “save” it – but they only save this data in a format that makes sense to them.
Every new piece of data or content you create is hosted on the servers of whichever SaaS tool you are using. This data gets lumped in with all the users of said tool. You see all the customer information, reports, project plans, financial statements, or whatever function you use that specific SaaS tool for. On the other side of the mirror, the SaaS provider essentially sees this:
All your data is lumped together with all the other customers’ data, regardless of whether the provider has one thousand or one million customers. It’s a never-ending sea of mixed-up computer code. And if you did lose data, finding and recovering it would be like looking for a needle in a field of haystacks.
This is why the major SaaS apps add stipulations and limitations around what they can restore in their terms and conditions. Here is what Shopify has in its terms of service:
And here is the language in GitHub’s terms of service:
No matter what tool you use, Trello, QuickBooks Online, Zendesk, Salesforce, and so on, the Shared Responsibility Model is always present. The onus is on you, the user, to understand what data is at risk and how to protect it.
Protect the Data and You Protect the Business
Today’s tech stack is an essential part of a modern workforce. It’s not uncommon to have dozens, even hundreds of different SaaS tools all working together in some capacity. It also doesn’t matter what team you are on. Sales, Development, Finance, Customer Success, or Marketing, it’s a safe bet that you are using online software every day. And with each passing week, you are becoming more reliant and dependent on the data in these tools.
Just take a step back to think about ALL the data and content you have stored in all these tools. Think of all the ways this data helps you run the business. You make decisions on resourcing, investments, and strategic roadmaps. You may use SaaS tools to house all your customer data and/or sales leads. In essence, your data IS the business. What are the chances all this vital information could disappear?
According to a major report by Oracle & the analyst firm ESG, 49% of organizations who participated in the study blamed confusion around the Shared Responsibility Model for data loss. A survey conducted by Rewind found that 40% of SaaS users have lost data.
So essentially, whether you lose data or not comes down to the same odds as a coin flip.
The impact of this data loss varies depending on how reliant you are on these tools. Much of the data we store in SaaS is vital to our day-to-day. Since apps can’t restore this data (remember, it’s a field of haystacks), the onus is on you to put everything back. This can involve hours, days, or even weeks of manual work. And that’s only if you have copies of the most recent data on hand. So again, depending on how reliant you are, it could be a minor nuisance or an earth-shattering emergency.
How Data Loss Actually Happens in SaaS
There are a number of ways this data can get lost or deleted. Some are major like data breaches or servers going down. However, if you remember how the Shared Responsibility Model works, cloud providers will be on the hook for those. Those are events that affect ALL users. Individual users, on the other hand, face a number of risks. Here’s a quick rundown:
Third-Party App Errors
All the applications we install are really just more SaaS tools. Some are dedicated to the platform in question, some apps just allow more communication between existing tools. When they work – it’s incredibly efficient and powerful – but when they don’t, that is where problems arise. Remember the “terms of service” agreements? Go back and read them. Third-party integrations typically require “read and write” permissions, meaning they can also change, manipulate, or delete your data if connected improperly.
No matter how much training we do or how many times we’ve done the same thing, mistakes happen. It’s simply human nature, especially in a fast-paced environment. It isn’t a matter of if, it’s when. And with more businesses embracing the cloud and SaaS, the opportunities for people to make mistakes will inevitably go up.
There are two kinds of attacks: those from people you don’t know (cybercriminals) and those from people you do (contractors or ex-employees). Cyberattacks are the most common here, and historically large international corporations have been the targets. That’s changed dramatically, especially at the onset of the global pandemic of 2020. Ransomware, phishing attacks, and malware are still prevalent, and SaaS users are one misstep away from having their data hijacked or wiped out.
It may seem far-fetched, but it does happen, and more often than people may think. In 2020, a study of data breaches by Verizon found nearly 1 in 3 (28%) of victims were SMBs.
A Comma Separated Values file, also known as a CSV file, is a plain text file that contains tabular data, such as a spreadsheet. CSV files are easy to create and can be used to import large volumes of data into a tool. Not all SaaS tools allow for the use of them, but many do. But just like people, it’s easy for these documents to accidentally break things. Here is a first-hand example of an ecommerce business that lost thousands of files after trying to change things in bulk with a CSV file.
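A pre-import check for the bulk-CSV risk described above, as an added example that is not from the original article or from any SaaS vendor: it dry-runs a bulk-edit file against your own latest export and flags every populated cell the import would blank out. The column names, sample rows, and the review_import helper are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data: the latest export (your own copy) and a bulk-edit file.
CURRENT_EXPORT = """id,title,price,image_url
101,Blue Mug,12.00,https://cdn.example.test/mug.jpg
102,Red Mug,12.00,https://cdn.example.test/red.jpg
103,Tea Towel,8.50,https://cdn.example.test/towel.jpg
"""
BULK_EDIT = """id,title,price,image_url
101,Blue Mug,14.00,
102,Red Mug,14.00,
104,Gift Box,30.00,https://cdn.example.test/box.jpg
"""

def load(text, key):
    """Return (column names, rows indexed by the key column)."""
    reader = csv.DictReader(io.StringIO(text))
    rows = {row[key]: row for row in reader}
    return set(reader.fieldnames or []), rows

def norm(value):
    """Treat missing cells and whitespace-only cells as empty."""
    return (value or "").strip()

def review_import(current_text, import_text, key="id", max_blanked=0):
    """Dry-run a bulk CSV import against the latest export; nothing is written."""
    cur_cols, current = load(current_text, key)
    new_cols, incoming = load(import_text, key)
    report = {"changed": [], "blanked": [], "unknown_ids": [],
              "dropped_columns": sorted(cur_cols - new_cols)}
    for rid, new in incoming.items():
        old = current.get(rid)
        if old is None:
            report["unknown_ids"].append(rid)  # would create a record, not update one
            continue
        for col in sorted(cur_cols & new_cols):
            before, after = norm(old.get(col)), norm(new.get(col))
            if before == after:
                continue
            report["changed"].append((rid, col, before, after))
            if before and not after:
                report["blanked"].append((rid, col))  # existing value would be wiped
    # Block the import when it erases more populated cells than allowed.
    report["safe"] = len(report["blanked"]) <= max_blanked
    return report

if __name__ == "__main__":
    print(review_import(CURRENT_EXPORT, BULK_EDIT))
```

The check only works if the export is recent, which is the customer-side copy of the data that the Shared Responsibility Model leaves to you.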