Cybersecurity Spotlight: Rethinking Risk Management Strategies to Prioritize SaaS Data Protection

Every year since 2003, October has been recognized as "National Cyber Security Awareness Month (NCSAM)." This effort was brought to life through a collaboration between the U.S. Department of Homeland Security and the National Cyber Security Alliance.

The transition to cloud and the adoption of SaaS-based applications is not a new phenomenon, but the pandemic clearly accelerated the shift. Notably, cloud spending increased 37% to $29 billion during the first quarter of 2020 alone, despite an expected 8% decline in overall IT spending. With hybrid and remote working models now becoming the norm, this reliance on cloud and SaaS will surely continue as organizations look for scalable and cost-effective ways to provide employees with anytime, anywhere access to information.

As SaaS-based applications have become ubiquitous, however, many organizations have traded data ownership for access to these solutions, overlooking the risks that may result if a bad actor infiltrates. That may help explain why in 2020, U.S. companies experienced 1,001 data breaches that resulted in nearly 156 million records being exposed.

As businesses continue to invest in SaaS-based solutions, they must rethink their risk management strategies to prioritize protecting one of their most important assets: SaaS app data.

Why SaaS Data Ownership is Critical

Some organizations don’t realize that they do not truly own their SaaS application data when it resides entirely outside their own infrastructure. And many of those who do understand this don’t realize that app vendors are not responsible for protecting customer data. While the vendor is obligated to protect the SaaS application itself and ensure uptime, it is the customer's responsibility to take measures to safeguard their own data.

Cloud-based applications contain massive amounts of data about crucial business activity. In fact, IT organizations say SaaS makes up one-third of their mission-critical applications, according to ESG. This makes the lack of protection especially dangerous. That’s why some organizations turn to backup vendors to help protect SaaS data, but they then run into complications because that backed-up data typically resides in another vendor’s infrastructure, under that vendor’s control rather than their own.

The Price of Access

Because SaaS app data is valuable to users across the organization, IT departments often devote teams of IT staff to managing the APIs that let employees access and ingest that data directly from the app. This comes at a price of its own: when many people use APIs to access the same SaaS app, the performance of the app itself takes a hit. In addition, organizations pay for specified amounts of API access, and if those limits are reached, access is often restricted unless the organization pays an additional fee.

This not only costs the organization unnecessary time and money, but does so while leaving the organization vulnerable to bad actors and—on a somewhat less scary but just as risky scale—human error.

How to Reduce Risk

Where data is stored is critical to how accessible and vulnerable it is. One way organizations can mitigate risk when it comes to data is by bringing SaaS app data storage in-house.

While most third-party apps offer storage, storing historical data within the application is not required. Instead, businesses should back up and archive historical data within their own cloud storage environment—whether AWS, GCP or Azure—where they can directly stream it into their own data ecosystem. By centralizing their data into an owned data lake, they can then create “watering holes” of data access for employees—instead of gatekeeping information in a vendor-owned repository or providing unfettered access with lax risk management processes.

Other related business benefits are just as compelling. First, storage costs inevitably decrease because vendors charge much more for storage than organizations spend when using their own AWS or Azure implementation. Second, authorized users get easier, more direct and less-risky access to the data. They don’t need to jump through hoops for information or worry that too many of their colleagues are using the app, causing it to slow down or glitch.

Mitigating Data Sprawl

Compliance is a critical aspect of the shift toward data-centric risk management, especially as more countries and U.S. states enact data privacy laws and highly regulated industries continue to tighten the reins. Reducing data sprawl is an essential component of compliance.

Today, to ensure access to the data needed to perform their work, employees often copy data from multiple applications into their own systems. This creates myriad problems, from inaccuracies caused by data being changed in one version of copied data and not others, to the more straightforward issue of not knowing everywhere data is stored—and who is accessing it. The more copies there are, the more potential touch points, the greater the attack surface, and the harder it can be to trace access. These issues can put organizations at risk for breaches and inadvertent data corruption, as well as penalties when auditors come knocking.

By taking a data-centric approach to risk management that prioritizes backing up and storing their data in their own cloud-based infrastructure, organizations can better maintain a digital chain of custody. They’ll be able to minimize touch points, set appropriate controls, enact traceability guidelines to reduce the copies of data circulating and showcase complete audit trails.
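The two practices the article recommends, archiving SaaS app data into storage the organization owns (the "How to Reduce Risk" section) and keeping a digital chain of custody with a complete audit trail (this closing section), can be illustrated with a small script. The following is an added example, not code from the article or from any vendor it mentions. It assumes a constructed in-memory "export" standing in for a SaaS app's API response, and a local directory standing in for a bucket the organization controls (S3, GCS or Azure Blob); the function and field names are hypothetical. Each archived object is hashed with SHA-256 and recorded in an append-only manifest, so a later read can prove the stored copy is exactly what was archived, and any silent change to a copy is detected.

```python
"""Archive a SaaS export into owned storage with a chain-of-custody manifest.

Added example, not the article's own code. SAMPLE_EXPORT is a constructed
sample standing in for a vendor API response; the archive directory stands
in for a bucket the organization owns (S3, GCS or Azure Blob).
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: what a SaaS app's export endpoint might return.
SAMPLE_EXPORT = [
    {"id": 101, "account": "acme", "amount": 1200.0, "closed": "2020-03-31"},
    {"id": 102, "account": "globex", "amount": 450.5, "closed": "2020-03-31"},
]


def sha256_file(path):
    """Hash the archived object so later reads can prove it is unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_export(records, archive_dir, source_app, actor):
    """Write one export as newline-delimited JSON and append a manifest entry.

    Returns the manifest entry so callers can audit what was stored and by whom.
    """
    os.makedirs(archive_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    obj_name = f"{source_app}-{stamp}.ndjson"
    obj_path = os.path.join(archive_dir, obj_name)
    with open(obj_path, "w", encoding="utf-8") as f:
        for r in records:
            # sort_keys makes serialization deterministic, so the hash is stable
            f.write(json.dumps(r, sort_keys=True) + "\n")
    entry = {
        "object": obj_name,
        "source_app": source_app,
        "archived_by": actor,
        "archived_at": stamp,
        "record_count": len(records),
        "sha256": sha256_file(obj_path),
    }
    # Append-only manifest: one line per archived object is the chain of custody
    manifest = os.path.join(archive_dir, "manifest.ndjson")
    with open(manifest, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_archive(archive_dir):
    """Recompute every manifest hash; return the objects that no longer match."""
    bad = []
    manifest = os.path.join(archive_dir, "manifest.ndjson")
    with open(manifest, encoding="utf-8") as m:
        for line in m:
            entry = json.loads(line)
            path = os.path.join(archive_dir, entry["object"])
            if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
                bad.append(entry["object"])
    return bad


def demo():
    """Archive the sample, verify it, then tamper with the copy and verify again."""
    archive_dir = tempfile.mkdtemp(prefix="saas-archive-")
    entry = archive_export(SAMPLE_EXPORT, archive_dir, "crm", "backup-svc")
    clean = verify_archive(archive_dir)          # expected: []
    # Simulate an unauthorized edit of the stored copy (a constructed row)
    with open(os.path.join(archive_dir, entry["object"]), "a", encoding="utf-8") as f:
        f.write('{"id": 999, "account": "x", "amount": 0, "closed": "2020-03-31"}\n')
    tampered = verify_archive(archive_dir)       # expected: [entry["object"]]
    return entry["record_count"], clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would live in a separate, write-once location (an object-lock or immutable bucket) with its own access controls, so that whoever can write archived objects cannot also rewrite the record of what was written; that separation is what turns a hash list into an audit trail an auditor can rely on.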