By Niels Van Ingen, Chief Customer Officer, Keepit
We're all familiar with the saying "better late than never." But when it comes to backing up and recovering your critical, cloud-based business data, there is no "better late than never" option, not if you want to keep your business up and running after a data breach, data loss, or ransomware attack.
So, who is ultimately responsible for safeguarding
cloud-based data? Surprisingly, this simple-sounding question is often
overlooked until it's too late, which is why SaaS customers need to be
proactive when it comes to protecting their own data.
IT professionals may assume that widely deployed SaaS services, such as Microsoft 365, Azure AD, Salesforce, and Google Workspace, offer customers adequate data backup and recovery. After all, most companies rely on these essential SaaS services to run their daily operations, so they should be protected, right?
The truth is that these providers do offer some level of data backup and protection in their service agreements, but if you read the fine print, you'll discover that cloud vendors offer only very limited protection, and when the time comes to rely on them to recover lost data, the process is usually disorganized and prohibitively expensive.
## Taking Shared Responsibility
When it comes to backing up and recovering the data that keeps businesses running, Keepit, as well as other SaaS providers, urges companies to follow a Shared Responsibility model, where customers take control of their own data by assuming the lion's share of responsibility for protecting it. After all, entrusting your email, collaboration tools, financial documents, legal contracts, intellectual property, and proprietary information to SaaS vendors whose focus is something other than backup and recovery represents tremendous exposure.
Look at Microsoft's own documentation, which states, "it's critical to
understand the Shared Responsibility model and which security tasks are handled
by the cloud provider and which tasks are handled by you. For all cloud deployment types, you own your data and
identities. You are responsible for protecting the security of your data and
identities, on-premises resources, and the cloud components you control (which
varies by service type)."
Microsoft goes on to say
that if a customer loses data due to third-party software, malicious deletion,
or human error (the most common cause of data loss, by the way), they will not
provide data backup because they follow the Shared Responsibility model and are
not liable.
As you can see, the stakes are too high to take a hands-off approach. Just look beyond the immediate impact of a ransomware attack. Not only are you facing a catastrophic business interruption, but the long-term consequences can also include damaged customer relationships and difficulty keeping your business in compliance, not to mention the high cost of paying ransom to cyber thieves who are always looking for vulnerable targets.
## The Customer's Role in a Shared Responsibility Model
The days are gone when customers could rely solely on cloud
service providers to offer meaningful backups as part of their service. With
the Shared Responsibility model becoming more prevalent, it's clear that
customers must have their own backup and recovery strategy.
You may be familiar with the 3-2-1 backup rule,
which requires storing multiple copies of backup data on different devices and
in separate locations. Even though the 3-2-1
principle comes from the days of on-premises data storage, it's still commonly
referenced today in the modern, cloud-computing era.
While the 3-2-1 rule isn't 100 percent applicable to cloud data, it can still be useful today to help guide security decision-makers toward hardening their infrastructure against the current onslaught of data risks, with the biggest change being the shift in how data is created and where it is stored.
In today's cloud environment, remote workers who use SaaS applications are creating data in many different locations around the world, and that data is then transferred to and stored in a location different from the company's physical office. Rather than asking where your data is stored (in the cloud), the better questions are whether it is backed up in the cloud at all, and whether that backup is really a backup.
In short, the components of the 3-2-1 rule are:
- 3 Copies of Your Data. This refers to the number of copies of your data: one is the primary dataset in the production environment, and the remaining two are backups. This still applies to modern data protection best practices.
- 2 Administrative Domains. Having two administrative domains ensures that copies are managed independently of one another or are stored within separate logical environments, such as two types of media, which helps create what's known as a logical gap.
- 1 Copy External. Formerly known as the single off-site storage copy, this still applies for the same reasons it did in the past: you don't want to store all of your data in the exact same location, bearing in mind that the cloud is located in physical data centers. This means having a backup copy outside the cloud of the production environment and outside the administrative domain of the other backup.
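The three components above can be turned into a concrete check against a backup inventory. The following Python is an added example, not code from the article or from Keepit: it models each copy of a dataset with the role it plays, the administrative domain that controls its credentials and lifecycle, and its logical medium, then evaluates the inventory against the three rules as the article defines them (three copies; at least two administrative domains; one backup whose domain is outside both the production environment and the other backup). The inventories, tenant and vendor names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DataCopy:
    name: str          # human-readable label for the copy
    role: str          # "production" or "backup"
    admin_domain: str  # who controls credentials and lifecycle of this copy
    medium: str        # logical environment / media type the copy lives in


def evaluate_3_2_1(copies: List[DataCopy]) -> Dict[str, bool]:
    """Evaluate an inventory against the cloud-era 3-2-1 rule.

    three_copies:      one production dataset plus at least two backups.
    two_admin_domains: the copies span at least two administrative domains.
    one_external_copy: some backup sits in a domain that is neither the
                       production domain nor the domain of any other backup,
                       i.e. a copy an attacker (or admin error) in one domain
                       cannot reach along with the rest.
    """
    production = [c for c in copies if c.role == "production"]
    backups = [c for c in copies if c.role == "backup"]

    result = {
        "three_copies": len(production) >= 1 and len(backups) >= 2,
        "two_admin_domains": len({c.admin_domain for c in copies}) >= 2,
        "one_external_copy": False,
    }

    prod_domains = {c.admin_domain for c in production}
    for i, b in enumerate(backups):
        other_domains = {o.admin_domain for j, o in enumerate(backups) if j != i}
        if b.admin_domain not in prod_domains and b.admin_domain not in other_domains:
            result["one_external_copy"] = True
            break

    result["compliant"] = all(
        result[k] for k in ("three_copies", "two_admin_domains", "one_external_copy")
    )
    return result


# Constructed inventory: a SaaS tenant whose only "backups" are features of the
# same tenant, so everything is reachable from one set of admin credentials.
WEAK_INVENTORY = [
    DataCopy("Mailboxes and SharePoint sites", "production", "contoso-saas-tenant", "saas"),
    DataCopy("Tenant recycle bin", "backup", "contoso-saas-tenant", "saas"),
    DataCopy("Tenant retention hold", "backup", "contoso-saas-tenant", "saas"),
]

# Constructed inventory: one in-tenant copy plus a copy held by an independent
# backup service under separate credentials (the "1 copy external").
GOOD_INVENTORY = [
    DataCopy("Mailboxes and SharePoint sites", "production", "contoso-saas-tenant", "saas"),
    DataCopy("Tenant retention hold", "backup", "contoso-saas-tenant", "saas"),
    DataCopy("Third-party backup vault", "backup", "backup-vendor-account", "object-storage"),
]


def report(label: str, copies: List[DataCopy]) -> None:
    """Print a one-line verdict per rule for a given inventory."""
    verdict = evaluate_3_2_1(copies)
    print(f"{label}:")
    for rule, ok in verdict.items():
        print(f"  {rule:18} {'PASS' if ok else 'FAIL'}")


if __name__ == "__main__":
    report("weak inventory", WEAK_INVENTORY)
    report("good inventory", GOOD_INVENTORY)
```

Note that two backups held under the same vendor account would also fail the external-copy check, because neither is outside the administrative domain of the other; that matches the article's point that the logical gap comes from independent administration, not from the number of copies alone.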
Finally, here are a few data points that shine a light on the financial costs associated with data loss and ransomware:
- A successful ransomware attack resulting in disruption to operations for an organization with 5,000 employees for five days would cost more than $5 million (Forrester Research).
- An ESG study found that only 50 percent of organizations were able to recover all their data in a clean and recent state.
- Verizon's annual Data Breach Investigations Report estimates that a large data breach (with 100 million records or more) costs an average of $5 million to $15.6 million and can top out at $200 million.
So, returning to the original question about who's
responsible for protecting your cloud-based data, it's clear the onus is on the
customer for what we believe are obvious reasons.
## ABOUT THE AUTHOR
Niels Van Ingen, Chief Customer Officer and VP of Business Development at Keepit, has a strong 20-year track record in the data protection/data management, eDiscovery, and compliance space, having worked with both the smallest and the largest customers globally.