SaaS data ownership

Turning privacy and governance into competitive advantage. By Joe Gaska, Founder and CEO of GRAX.

Do we really own our data in third-party SaaS applications? This is one of the most important questions organizations are starting to ask themselves today – and the reason for asking goes well beyond simply “checking the box” on data privacy and governance. With over 97% of organizations using SaaS applications, the data stored and used within these applications has become the lifeblood of every business. Sales, commerce, customer service, marketing, support, finance, human resources and just about every other team use SaaS applications to get their jobs done. With such widespread use of SaaS, the data stored in those applications becomes a leading indicator of changes happening in the organization.

While some may see this SaaS data as a governance liability that they would prefer to sweep under the rug, more and more organizations are embracing it as a strategic weapon. Many are realizing that the data is an asset they can take control of, secure and use to compete and win in their markets.

SaaS Data Ownership: Turning Liability into Compliance

The elephant in the room is that SaaS applications pose enormous data governance and privacy challenges to most organizations, regardless of their size or industry. This can be illustrated by asking a simple question: Who is responsible for the sensitive customer data stored in SaaS applications? The answer always seems to be: “it depends.” But what it depends on is unclear at best. Regional, national and international regulations requiring auditability, access control and historical records of changes in sensitive data require organizations to extend those same measures to everywhere sensitive data resides. The application providers are responsible for the integrity of their systems, while the organization may be responsible for ensuring the data has been stored in a secure format or properly anonymized. This constant back and forth creates a privacy, governance and security nightmare for most organizations. They audit their software vendors, force them to sign BAAs (Business Associate Agreements) and at the end of the day, cross their fingers and hope they have done their best to keep their customer data safe. At the same time, the security, governance and cost profiles of cloud infrastructure providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) have matured to the point where organizations can provision HIPAA-compliant cloud environments with the click of a button. So why are we still playing ‘hot potato’ with sensitive customer data? This is where some organizations are starting to take a different approach by using an old tool – data backup and archiving – in a new way.

There are a myriad of SaaS data backup tools on the market, and some of them allow organizations to capture and archive data out of SaaS applications into the organization’s cloud environment on AWS, Azure or GCP. Still other tools allow organizations to go one step further by keeping that backup and archived data available inside of the SaaS application, even when the data is moved to a customer-owned cloud storage facility. This effectively puts the sensitive SaaS application data into a world-class, secure facility, while giving the organization the ability to keep the SaaS application fully operational and at arm’s length from the data on which it operates (in the case of archived data that remains available in production). It also improves application performance and reduces storage costs to the lowest market price available: organizations no longer have to purchase additional storage on the application – they can purchase cloud storage from commodity public cloud providers.

SaaS Data Ownership Unlocks Strategic Advantage

Taking ownership of SaaS application data also immediately grants organizations unfettered access to the raw data. And since this data is at the forefront of changes happening in the business, it is an incredible signal source for new patterns emerging in the organization: a veritable goldmine of cause and effect patterns. Here we hit another point of cognitive dissonance – this time on the DevOps and DataOps side of the house. On the one hand, organizations may be backing up a cloud application with a traditional SaaS backup tool as an insurance policy. On the other hand, they may be replicating and ingesting the same data out of the same application into their own DataOps or DevOps ecosystem so that they can integrate it into their data warehouse, analyze it and use it to build new applications or as training sets for machine learning algorithms. The inevitable data islands, data copies and associated costs quickly spiral out of control simply because organizations replicate and integrate the data for each separate use case. What’s worse, due to limitations around capturing SaaS application data, organizations are often left putting together a mosaic of point-in-time snapshots of their business across different systems in their data warehouses – and then trying to make accurate predictions based on a broken mosaic of data sources made up of varying levels of data fidelity. It’s no wonder that, according to McKinsey, only 20% of insights deliver business value.

Three Ways to Bring it All Together

While the theoretical answer of “taking ownership of your SaaS data” is the ultimate solution to both the governance and analytical scenarios above, the reality is that there is no one silver bullet, no tool that does it all. The clearest path to success may be SaaS data ownership via cloud data backup, but it is littered with a myriad of tools fragmented across a series of systems. Traditional backup providers still often store data in their own clouds, and lease back limited access to that data to their customers. Specialized SaaS backup tools are fragmented and clustered around each SaaS solution’s third-party ecosystem and have high variance in the types of features they offer. What matters most, then, is the criteria by which organizations make purchase and implementation decisions. Regardless of the tools or processes chosen, organizations should look for three key indicators of long-term success:

o Ownership – does the tool enable ownership of SaaS application data in the organization’s cloud?

o Access – is there unfettered and direct access to the organization’s SaaS data? Does archived or backup data continue to be available in both the application and your cloud infrastructure?

o Capture – can an organization capture up to every single change in SaaS application data over time? This is critical to turning a ‘broken mosaic’ of data into a time-series heatmap of cause and effect patterns of change in business over time.
