MSP Guide to Understanding the Shared Responsibility Model

Unpacking the Shared Responsibility Model

An ESG report commissioned by Asigra reveals that 88% of clients believe a SaaS provider is fully or partially responsible for protecting their data. This common misconception puts businesses at risk of data loss. 

When data is stored in on-premises data centers, the question of who is responsible for data (and data protection) is clear. However, as organizations shift data to the cloud, particularly when adopting SaaS applications, the question of data responsibility becomes muddy. Responsibility is not solely with the provider or the client. Cloud and SaaS services rely on a shared responsibility model, making it crucial for businesses to prioritize understanding this concept.

What is the Shared Responsibility Model?

Anyone who has stayed in a hotel, booked an Airbnb, or driven a rental car understands the concept of shared responsibility. The hotel is responsible for the room and its amenities, but their terms clearly state they're not liable for the guest’s lost or stolen items. It's up to the renter to secure their valuables.

The same concept applies to cloud services and SaaS apps, which operate under a shared responsibility model. This model defines how cloud and SaaS providers handle security threats and maintain the overall infrastructure. Like a hotel, cloud providers are responsible for the infrastructure's operation and protection. However, the business must safeguard its data and assets. The division of responsibilities varies by service type, like how Airbnb guests have more responsibilities than hotel guests. 

The concept of shared responsibility exists because cloud providers couldn't offer profitable services otherwise. If they were fully liable for all client data under any circumstances, a major outage resulting in data loss could bankrupt them. Service providers already invest heavily in maintaining high availability for their infrastructure. Additional efforts and liability insurance would make these business models unfeasible.

So, while it may seem burdensome for customers to be responsible for their own SaaS data, this shared responsibility is essential for the sustainability of the cloud model.

MSPs in the Middle of Shared Responsibility

One complexity of the shared responsibility model is determining accountability when a client hires a managed service provider (MSP) for their IT operations. Using the hotel analogy, it's like a guest hiring an assistant to bring their bags to their room. If something gets lost or stolen, who is responsible? While the hotel's liability remains clear, the responsibility could fall on either the guest or the assistant, depending on the terms and conditions of their agreement.

As the MSP and a trusted advisor, understanding the shared responsibility model means you should proactively take on the responsibility for securing and protecting all business-critical SaaS data, not just the applications you sold and implemented. However, it's crucial to discuss SaaS management expectations with clients, not only to ensure both cloud and business resiliency are prioritized but also to establish proper contracts and SLAs.

MSPs that guide clients through shared responsibility models recommend these best practices:

  1. Maintain Cloud Vendor Relationships: Build and maintain strong relationships with clients' core cloud and SaaS vendors to stay informed about new features, updates, and best practices.
  2. Set Clear SLAs: Work with clients to set clear boundaries regarding cloud responsibilities, data protection, and accountability if something goes wrong.
  3. Stay Aware of Regulatory Compliance: Stay up to date on industry-specific and region-specific regulatory changes that affect cloud data.
  4. Look for Cloud & SaaS Backup Solutions: Don't depend on the cloud provider or SaaS vendor for data backups. Instead, seek MSP-friendly, third-party solutions that automate regular backups and, if possible, automate recovery. Prioritize systems supporting multiple SaaS apps and multitenancy to streamline backup and recovery operations.
  5. Watch for Data Residency Requirements: Compliance regulations may require backed up data to be stored in specific regions, so look for backup solutions that provide storage repository flexibility.
  6. Ensure Data Encryption: Don’t just export data from SaaS apps or cloud services. Exports are often transmitted as unencrypted .csv and .zip files. Look for solutions that have strong in-flight and at-rest encryption, even for exports.

Shared Responsibility Model: The Upside

Although much of the responsibility falls on the business adopting the SaaS application, cloud services with shared responsibility offer significant benefits. 

Enhanced Security

Cloud providers invest heavily in their overall security, making their core systems highly secure despite the vulnerability of individual user account credentials. They allocate significant resources to continuously enhance their security measures, ensuring their systems can withstand a variety of threats. By constantly advancing their security practices and quickly adapting to new challenges, these providers offer robust protection for their customers' data and operations.

Cost Efficiency

The cost of cloud services and SaaS is a fraction of the expense of building and maintaining data centers and applications in-house. This cost efficiency allows businesses of all sizes to allocate resources more effectively, enabling them to develop new digital services rapidly and manage their operations with greater efficiency. Additionally, leveraging cloud services and SaaS solutions reduces the need for extensive IT infrastructure and personnel, further lowering operational costs. This financial flexibility empowers businesses to innovate, scale, and adapt to market changes more swiftly, ultimately enhancing their competitive edge.

Improved Compliance

Regulations can impose a significant "infrastructure tax" on IT teams, burdening them with the costs and complexities of compliance. Managing regulatory requirements such as data protection, privacy laws, and industry-specific standards often demands substantial resources and expertise. 

Cloud providers, however, have a greater capacity to absorb these costs. They can leverage their scale and specialized security and compliance teams to manage regulatory compliance more efficiently. By spreading these expenses across many businesses, cloud providers can offer compliance solutions at a fraction of the cost it would take for individual businesses to achieve the same level of compliance on their own. This enables organizations to stay compliant without diverting excessive resources from their core operations, allowing IT teams to focus on innovation and other strategic initiatives.

Increased Reliability

Achieving five nines (99.999%) reliability is a significant challenge, typical of larger organizations with extensive IT infrastructures. This level of reliability demands substantial investments in redundant systems, failover mechanisms, and continuous monitoring to ensure minimal downtime. It involves sophisticated infrastructure, skilled personnel, and comprehensive disaster recovery plans, all of which require considerable financial and human resources.

Cloud providers can make these substantial investments and distribute the costs across many customers, allowing them to offer high-reliability services at a significantly reduced expense compared to what individual businesses would spend to achieve the same level of reliability on their own. Economies of scale allow cloud providers to affordably implement advanced technologies and maintain the robust infrastructure necessary to deliver exceptional reliability. This means that even small and medium-sized businesses can benefit from enterprise-grade reliability and uptime, enabling them to operate more smoothly and with greater confidence in their IT systems. 

Faster Time-To-Market

A core benefit is simply time-to-market. Setting up a new cloud provider or SaaS service can be accomplished in just a few minutes, compared to the months it takes to purchase, install, and deploy IT infrastructure, or the years required to develop and build applications from scratch. This rapid deployment capability allows businesses to quickly launch new services, respond to market demands, and stay ahead of competitors, ultimately driving innovation and growth more effectively.

Assured Responsibility with SaaSAssure

While shared responsibility can place a burden on clients (and their managed service providers) with respect to data protection, it offers enough benefit to be worth it. Clients need to be more aware of their need to protect their cloud data, specifically SaaS data. With SaaSAssure, clients are offered a seamless, automated, and secure way to back up their data, ensuring they can recover operations in the event of data loss. IT professionals gain peace of mind with SaaSAssure, knowing their critical data is protected, recoverable, and compliant with regulatory requirements. 
