Get your pencils out. I have a pop quiz! First question: What three IT practices did you use to protect and control your on-premises data from your own employees, contractors, and partners?
If you said identity and access management, data loss prevention, and backup and recovery, you are correct! Using a combination of these three, you can manage who has access to data, monitor and control what users are doing with the data, and recover from any mistakes, malicious behavior, misconfigurations or integration problems.
Question 2: How do your responsibilities for these change when you move to a SaaS application like Salesforce, Office 365, or Google Apps?
No, this is not a trick question. If you answered “They don’t change” you are absolutely correct! They don’t.
When you move from an on-premises application to a cloud-based application, you are moving to a shared responsibility model where you are no longer responsible for application availability, intrusion detection, software reliability, disaster recovery, etc. The SaaS provider takes care of that, but you are still responsible for protecting your data from your own people.
As Director of Products for Spanning by EMC, I’ve had the privilege of speaking with hundreds of organizations who are actively moving to the cloud. Some have just started their journey and others, like AMAG Pharmaceuticals, have moved completely to a cloud-first strategy for their IT services. Across these diverse organizations, there are varying levels of risk tolerance, compliance requirements, and security processes. What I’ve been able to observe is that there are 3 key data protection needs that you should consider as you make your move to the cloud: managing user access, monitoring and controlling data usage, and keeping a separate copy of your data so it’s always available and recoverable.
Identity and Access Management (IAM)
Every organization moving to a SaaS application like Office 365, Salesforce, or Google Apps for Work implements basic user management, authentication and authorization. They have to as part of the migration. However, some fall short of implementing the breadth of identity controls necessary to properly protect data over time, especially if the application was adopted by the line of business.
Extend your organization’s IAM solutions to the cloud where you can and look to add single sign-on (SSO), multi-factor authentication, user provisioning processes, and access certification to ensure people have the appropriate levels of access to only the applications and data necessary for their role. Remember, in the cloud, identity is your new security perimeter.
Data Loss Prevention
Most organizations I speak with cite agility and collaboration as key reasons they adopted SaaS applications, but with increased collaboration, users have a lot of control over corporate data. Users can easily create, copy, change, delete and share data with almost anyone. To balance collaboration with control and compliance, you need to understand what types of data you have in cloud applications and then define policies that ensure data is not exposed to the wrong individuals or leaked externally.
By adding a data loss prevention solution, you will understand what data you have and who has access. Then, you can define and enforce policies that will keep your data in the right hands.
Backup and Recovery
Did you back up your application and data before you moved to the cloud? Of course you did! The primary reasons are typically related to application availability, like hardware failure, disaster recovery, and failover. But you also used your backup and recovery systems to recover from data loss caused by people.
When you move to a cloud application, the service provider takes care of application availability. They’re actually very good at it. However, when you lose data because of user error, admin misconfigurations, malicious behavior, or integration failures, what will you do? Vendors promise to do what you tell them to do with your data. Here’s a real-world example. A user moves an entire file folder structure, mistakenly stripping multiple levels of sharing settings and removing access from hundreds of employees, partners or customers. The vendor can’t get it back the way it was for you. The user had proper rights to move the data and the SaaS service did what it was told. There’s no undo button.
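The folder-move scenario above, worked through as an added example (not from the original post and not any vendor's API): given a backup snapshot of sharing settings taken before the move and the current state, it computes who lost access and the smallest set of grants to re-add. The snapshot format, the item IDs and the rule that access is inherited from parent folders are assumptions made for illustration.

```python
# Constructed sample data (not from the original post). Each snapshot maps a
# stable item ID to (parent ID, name, principals granted directly on the item).
BEFORE = {
    "f1": (None, "Projects", {"group:all-staff"}),
    "f2": ("f1", "Apollo", {"group:partners"}),
    "f3": ("f2", "Contracts", {"user:legal@example.com"}),
    "d1": ("f3", "msa.docx", set()),
}
# After the move: "Apollo" now sits under a private folder and its grants are gone.
AFTER = {
    "f1": (None, "Projects", {"group:all-staff"}),
    "f9": (None, "Private", set()),
    "f2": ("f9", "Apollo", set()),
    "f3": ("f2", "Contracts", set()),
    "d1": ("f3", "msa.docx", set()),
}

def effective_access(snapshot, item_id):
    """Grants on the item plus everything inherited from its ancestors."""
    principals = set()
    while item_id is not None:
        parent, _name, grants = snapshot[item_id]
        principals |= grants
        item_id = parent
    return principals

def lost_access(before, after):
    """Principals that could reach an item in the backup but cannot now."""
    lost = {}
    for item_id in before:
        if item_id in after:  # deleted items are a separate recovery case
            gone = effective_access(before, item_id) - effective_access(after, item_id)
            if gone:
                lost[item_id] = gone
    return lost

def restore_plan(before, after):
    """Direct grants to re-add, placed on the highest item that lost each principal."""
    lost = lost_access(before, after)
    plan = {}
    for item_id, gone in lost.items():
        parent = after[item_id][0]
        needed = gone - lost.get(parent, set())  # the parent's fix is inherited
        if needed:
            plan[item_id] = needed
    return plan

if __name__ == "__main__":
    print(restore_plan(BEFORE, AFTER))
```

Without the earlier snapshot there is nothing to diff against, which is the point of keeping a separate copy of both the data and its sharing metadata.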
Another real-world example is a Salesforce developer who writes code that mistakenly changes tens of thousands of records at compute speed. How will you get them back? In this case, Salesforce does provide a weekly export option and a paid data recovery service, but they themselves also recommend you have third-party backup. Can you afford to make do with 7-day-old data or wait weeks and pay thousands to get your data back to the way it was?
Be prepared for when your own SaaS data loss disaster pop quiz strikes. Consider a cloud backup and recovery solution like Spanning Backup to ensure your SaaS critical business data is protected and available. It’ll help your organization stay productive and moving forward.