Unpacking the Shared Responsibility Model
An ESG report commissioned by Asigra reveals that 88% of clients believe a SaaS provider is fully or partially responsible for protecting their data. This common misconception puts businesses at risk of data loss.
When data is stored in on-premises data centers, the question of who is responsible for data (and data protection) is clear. However, as organizations shift data to the cloud, particularly when adopting SaaS applications, the question of data responsibility becomes muddy. Responsibility is not solely with the provider or the client. Cloud and SaaS services rely on a shared responsibility model, making it crucial for businesses to prioritize understanding this concept.
What is the Shared Responsibility Model?
Anyone who has stayed in a hotel, booked an Airbnb, or driven a rental car understands the concept of shared responsibility. The hotel is responsible for the room and its amenities, but its terms clearly state that it is not liable for a guest's lost or stolen items. It's up to the guest to secure their valuables.
The same concept applies to cloud services and SaaS apps, which operate under a shared responsibility model. This model defines how cloud and SaaS providers handle security threats and maintain the overall infrastructure. Like a hotel, cloud providers are responsible for the operation and protection of the infrastructure. However, the business must safeguard its own data and assets. The division of responsibilities varies by service type, just as Airbnb guests have more responsibilities than hotel guests.
The concept of shared responsibility exists because cloud providers couldn't offer profitable services otherwise. If they were fully liable for all client data under any circumstances, a major outage resulting in data loss could bankrupt them. Service providers already invest heavily in maintaining high availability for their infrastructure. Additional efforts and liability insurance would make these business models unfeasible.
So, while it may seem burdensome for customers to be responsible for their own SaaS data, this shared responsibility is essential for the sustainability of the cloud model.
MSPs in the Middle of Shared Responsibility
A complexity that arises with the shared responsibility model is determining accountability when a client hires a managed service provider (MSP) for its IT operations. Using the hotel analogy, it's like a guest hiring an assistant to bring their bags to the room. If something gets lost or stolen, who is responsible? While the hotel's liability remains clear, the responsibility could fall on either the guest or the assistant, depending on the terms and conditions of their agreement.
As a trusted advisor, an MSP that understands the shared responsibility model should proactively take on the responsibility for securing and protecting all of a client's business-critical SaaS data, not just the applications the MSP sold and implemented. It is also crucial to discuss SaaS management expectations with clients, both to ensure that cloud and business resiliency are prioritized and to establish proper contracts and SLAs.
MSPs guiding clients through shared responsibility models should consider these best practices:
- Maintain Cloud Vendor Relationships: Build and maintain strong relationships with clients' core cloud and SaaS vendors to stay informed about new features, updates, and best practices.
- Set Clear SLAs: Work with clients to set clear boundaries regarding cloud responsibilities, data protection, and accountability if something goes wrong.
- Stay Aware of Regulatory Compliance: Stay up to date on industry-specific and region-specific regulatory changes that affect cloud data.
- Look for Cloud & SaaS Backup Solutions: Don't depend on the cloud provider or SaaS vendor for data backups. Instead, seek MSP-friendly, third-party solutions that automate regular backups and, if possible, automate recovery. Prioritize systems supporting multiple SaaS apps and multitenancy to streamline backup and recovery operations.
- Watch for Data Residency Requirements: Compliance regulations may require backed-up data to be stored in specific regions, so look for backup solutions that provide storage repository flexibility.
- Ensure Data Encryption: Don't just export data from SaaS apps or cloud services. Exports are often transmitted as unencrypted .csv and .zip files. Look for solutions that provide strong in-flight and at-rest encryption, even for exports.
Assured Responsibility with SaaSAssure
While shared responsibility places a data protection burden on clients (and their managed service providers), it offers enough benefit to be worth it. Clients need to be aware that protecting their cloud data, and specifically their SaaS data, is their responsibility. With SaaSAssure, clients get a seamless, automated, and secure way to back up their data, ensuring they can recover operations in the event of data loss. IT professionals gain peace of mind with SaaSAssure, knowing their critical data is protected, recoverable, and compliant with regulatory requirements.