Software as a Service (SaaS) is a software distribution model in which a third-party provider hosts an application and makes it available to customers over the Internet. One obvious benefit of using cloud-native solutions is their low or non-dependence on installed in-house infrastructure. Another benefit is a fixed monthly cost per user. Most SaaS distributors have seen a large upward trend during the Covid-19 outbreak, and this is expected to continue.
Software as a Service (SaaS) applications such as Microsoft Office 365 reached 180 million monthly active users last year and more than 5 million paying businesses are currently using Google G Suite. The volume of SaaS application data has been on the rise for several years. However, only 29% of small and midsize enterprises protect their SaaS data via a third-party backup application.
When it comes to SaaS applications, most organisations operate under a common misconception. They believe that they have backup and recovery with their SaaS provider, but there are significant limitations on what is typically provided.
SaaS providers practice a “shared responsibility” model when it comes to data protection. They will protect their customers from failures of their network, storage, servers, and the application, but the customer is responsible for protecting their data from user and admin failures as well as from cybersecurity attacks.
Here’s the breakdown of responsibilities for Microsoft Office 365:
Customer Responsibility – Microsoft Responsibility
Common causes of SaaS data loss
Administrators or users may inadvertently delete data that should have been kept. With all SaaS applications, once the data has been deleted it’s gone unless there’s a point-in-time backup copy in place that can recover the lost data.
Malware and malicious-insider cyberattack accounted for one-third of the cybercrime costs in 2019. Disgruntled employees can delete data to spite of their employers or for personal gain.
Malware and cyberattacks
According to a 2019 Analysis Report, 51% of breaches were caused by malicious attacks. Of course, a data breach may be different from a data loss involving your SaaS application data. But the statistic illustrates the relative frequency of malicious attacks that could impact your SaaS data.
Let’s take a closer look at Office 365 data retention
When a retention policy is assigned to an Office 365 mailbox or public folder, content can follow one of two paths.
Office 365 Data Retention Policy
- If the item is modified or permanently deleted by the user (either SHIFT+DELETE or deleted from Deleted Items) during the retention period, the item is moved (or copied, in the case of edit) to the Recoverable Items folder. There, a process runs periodically and identifies items whose retention period has expired, and these items are permanently deleted within 14 days of the end of the retention period.
- If the item is not modified or deleted during the retention period, the same process runs periodically on all folders in the mailbox and identifies items whose retention period has expired, and these items are permanently deleted within 14 days of the end of the retention period.
Note, 14 days is the default setting, but it can be configured up to 30 days.
However, Microsoft’s policies are not designed so that the customer has direct access to backed up data with the ability to easily restore it. In fact, the Office 365 service-level agreement addresses availability, not recoverability of your data.
For these reasons, it’s important for businesses to take the responsibility for their SaaS data backups and recovery in order to prevent data loss.
Enhanced protection for SaaS data
Data loss by human error, malicious insider action, or cyberattack can be extremely detrimental to an organisation’s business continuity.
Having a cost-effective backup and recovery solution that enables you to backup & recover your SaaS data should be a critical consideration for all businesses.
If you need to protect your SaaS application data, contact the Asystec data management team to get the right advice for the protection of your business-critical data.