Security

Cloud providers’ default retention policies are not enough: You better back your SaaS up

Comment

Network cables connected to cloud
Image Credits: Eoneren (opens in a new window) / Getty Images

Brian Spanswick

Contributor
Brian Spanswick is the chief information security officer (CISO) and head of IT at Cohesity.

If there’s one thing that recent earnings reports from Microsoft, Google and Amazon made clear, it’s that their cloud businesses are booming.

While the shift to the cloud is well underway, many companies aren’t paying attention to a critical aspect of this growth: the dramatic increase in data generated by SaaS that is not adequately protected. This exposure can put companies at greater risk for ransomware attacks, breaches, compliance woes and much more.

The growth of enterprise SaaS is rapid and inevitable. Gartner expects end-user spending on SaaS to rise over 18% to $171.9 billion in 2022 from $145.5 billion in 2021 — and it’s easy to see why.

The SaaS model offers significant value to both service providers and customers, ranging from reduced costs to simplified management and maintenance. The benefits of SaaS are many: It eliminates the need to install and configure software; it gives the customer greater financial flexibility by moving from licensing fees to subscriptions; there is no need to purchase and maintain hardware; and new releases and upgrades are automatically deployed.

But despite its rapid growth and countless benefits, there are significant challenges associated with managing and protecting SaaS data. That’s a problem that can only get worse, as for many organizations, SaaS is the fastest-growing segment of their data.

Cloud providers’ default retention policies are not enough

Each cloud service provider (CSP) and SaaS provider has its own data retention policy, and once that policy expires, the customer is responsible for backing up, protecting, and, if needed, restoring the data in the event of a cyber attack.

Not only is the customer responsible, but data retention policies can differ based on the provider and the type of SaaS data. In the current world of rampant ransomware attacks and stringent privacy and compliance regulations, leaving data unmanaged and unprotected is a risk few organizations can take.

Let’s look at Microsoft 365 as an example. Microsoft 365 adoption has been phenomenal, with nearly 300 million users and over 50% subscriber growth over the past two years. It is one of the most popular enterprise SaaS applications, and yet backup options are limited in terms of data stored on Azure.

The default options for the product suite are retention policies with little consideration for recovery SLAs — meaning data management and protection largely becomes the sole responsibility of the customer. Add to these the different data retention policies for Microsoft 365 Exchange Online, OneDrive and Teams, and assuring your Microsoft SaaS data is sufficiently secured and managed becomes even more challenging.

A recent Enterprise Strategy Group survey, “The evolution of data protection cloud strategies” queried found that of the 78% of the IT professional respondents using Microsoft 365, 74% rely on native Microsoft 365 default services for backup. However, 81% reported having to recover their Microsoft 365 data, and only 15% were able to recover all of their data.

These numbers are a red flag signaling that too many organizations are leaving data unprotected and vulnerable to cyber attacks including malware, ransomware and data exfiltration.

In addition, each provider has its own retention policies. This can all quickly become overwhelming and undermine the reason SaaS is so attractive: its simplicity in management and administration.

How to move forward

Relying on providers’ default retention and recovery policies is just not enough. Without the right policies in place, organizations often have little visibility into what SaaS data they actually have; whether that data is in compliance, protected or compromised.

What happens if I’m hit by a ransomware attack? Can I recover my SaaS data quickly so I don’t have to pay the ransom and can continue my operations? What happens if I need to back up that SaaS data beyond 30 days? What happens if ransomware hits more than one site at once? These are all questions you have to be prepared to address when a crisis occurs.

The good news is there are several ways to protect your SaaS data from the impact of cyber attacks, which can disrupt business, solicit ransom payments, expose customer data and damage your brand and reputation.

Some best practices include:

  • Take control of your data. Data is an organization’s greatest competitive asset, and it’s best to have your own data backup, protection and recovery service in place.
  • Simplify data management and bring your SaaS data into your core data management system, with one set of policies for all your data.
  • Add SaaS data protection to your existing backup and recovery system if you can. If not, consider a next-gen data management platform that is extensible to address current and future data management needs.
  • Try a proof of concept with a data management as a service (DMaaS) solution that allows you to add SaaS data backup and protection without adding infrastructure, letting you spend more time taking care of other business-critical tasks.
  • Protect your data as you move to the cloud in a way that works for you — on-premises, in the cloud, as a service or a combination of these options — as you navigate and leverage a hybrid, multicloud world.
  • Plan ahead. Given all the SaaS apps you use today and how they will evolve, you need to get ahead of the curve and plan for a data management strategy that will serve your needs for the next five years and beyond.

Whatever path you choose, make sure you back your SaaS up. The amount of information and data generated via SaaS is only going to increase in the coming years, and having a plan to backup and protect all your data should be a critical part of any organization’s data and risk management strategy.

It’s the only way to answer those tough questions when a ransomware attack hits, operations grind to a halt and the board wants to know why you weren’t prepared.

More TechCrunch

Featured Article

In 2024, many Y Combinator startups only want tiny seed rounds — but there’s a catch

When Bowery Capital general partner Loren Straub started talking to a startup from the latest Y Combinator accelerator batch a few months ago, she thought it was strange that the company didn’t have a lead investor for the round it was raising. Even stranger, the founders didn’t seem to be…

1 hour ago
In 2024, many Y Combinator startups only want tiny seed rounds — but there’s a catch

The keynote will be focused on Apple’s software offerings and the developers that power them, including the latest versions of iOS, iPadOS, macOS, tvOS, visionOS and watchOS.

Watch Apple kick off WWDC 2024 right here

Welcome to Startups Weekly — Haje’s weekly recap of everything you can’t miss from the world of startups. Anna will be covering for him this week. Sign up here to…

Startups Weekly: Ups, downs, and silver linings

HSBC and BlackRock estimate that the Indian edtech giant Byju’s, once valued at $22 billion, is now worth nothing.

BlackRock has slashed the value of stake in Byju’s, once worth $22 billion, to zero

Apple is set to board the runaway locomotive that is generative AI at next week’s World Wide Developer Conference. Reports thus far have pointed to a partnership with OpenAI that…

Apple’s generative AI offering might not work with the standard iPhone 15

LinkedIn has confirmed it will no longer allow advertisers to target users based on data gleaned from their participation in LinkedIn Groups. The move comes more than three months after…

LinkedIn to limit targeted ads in EU after complaint over sensitive data use

Founders: Need plans this weekend? What better way to spend your time than applying to this year’s Startup Battlefield 200 at TechCrunch Disrupt. With Monday’s deadline looming, this is a…

Startup Battlefield 200 applications due Monday

The company is in the process of building a gigawatt-scale factory in Kentucky to produce its nickel-hydrogen batteries.

Novel battery manufacturer EnerVenue is raising $515M, per filing

Meta is quietly rolling out a new “Communities” feature on Messenger, the company confirmed to TechCrunch. The feature is designed to help organizations, schools and other private groups communicate in…

Meta quietly rolls out Communities on Messenger

Featured Article

Siri and Google Assistant look to generative AI for a new lease on life

Voice assistants in general are having an existential moment, and generative AI is poised to be the logical successor.

8 hours ago
Siri and Google Assistant look to generative AI for a new lease on life

Education software provider PowerSchool is being taken private by investment firm Bain Capital in a $5.6 billion deal.

Bain to take K-12 education software provider PowerSchool private in $5.6B deal

Shopify has acquired Threads.com, the Sequoia-backed Slack alternative, Threads said on its website. The companies didn’t disclose the terms of the deal but said that the Threads.com team will join…

Shopify acquires Threads (no, not that one)

Featured Article

Bangladeshi police agents accused of selling citizens’ personal information on Telegram

Two senior police officials in Bangladesh are accused of collecting and selling citizens’ personal information to criminals on Telegram.

19 hours ago
Bangladeshi police agents accused of selling citizens’ personal information on Telegram

Carta, a once-high-flying Silicon Valley startup that loudly backed away from one of its businesses earlier this year, is working on a secondary sale that would value the company at…

Carta’s valuation to be cut by $6.5 billion in upcoming secondary sale

Boeing’s Starliner spacecraft has successfully delivered two astronauts to the International Space Station, a key milestone in the aerospace giant’s quest to certify the capsule for regular crewed missions.  Starliner…

Boeing’s Starliner overcomes leaks and engine trouble to dock with ‘the big city in the sky’

Rivian needs to sell its new revamped vehicles at a profit in order to sustain itself long enough to get to the cheaper mass market R2 SUV on the road.

Rivian’s path to survival is now remarkably clear

Featured Article

What to expect from WWDC 2024: iOS 18, macOS 15 and so much AI

Apple is hoping to make WWDC 2024 memorable as it finally spells out its generative AI plans.

1 day ago
What to expect from WWDC 2024: iOS 18, macOS 15 and so much AI

As WWDC 2024 nears, all sorts of rumors and leaks have emerged about what iOS 18 and its AI-powered apps and features have in store.

What to expect from Apple’s AI-powered iOS 18 at WWDC 2024

Apple’s annual list of what it considers the best and most innovative software available on its platform is turning its attention to the little guy.

Apple’s Design Awards highlight indies and startups

Meta launched its Meta Verified program today along with other features, such as the ability to call large businesses and custom messages.

Meta rolls out Meta Verified for WhatsApp Business users in Brazil, India, Indonesia and Colombia

Last year, during the Q3 2023 earnings call, Mark Zuckerberg talked about leveraging AI to have business accounts respond to customers for purchase and support queries. Today, Meta announced AI-powered…

Meta adds AI-powered features to WhatsApp Business app

TikTok is testing streaks that are similar to Snapchat’s in order to boost engagement, including how long people stay on the app.

TikTok is testing Snapchat-like streaks

Welcome back to TechCrunch Mobility — your central hub for news and insights on the future of transportation. Sign up here for free — just click TechCrunch Mobility! Your usual…

Inside Fisker’s collapse and robotaxis come to more US cities

New York-based Revel has made a lot of pivots since initially launching in 2018 as a dockless e-moped sharing service. The BlackRock-backed startup briefly stepped into the e-bike subscription business.…

Revel to lay off 1,000 staff ride-hail drivers, saying they’d rather be contractors anyway

Google says apps offering AI features will have to prevent the generation of restricted content.

Google Play cracks down on AI apps after circulation of apps for making deepfake nudes

The British retailers association also takes aim at Amazon’s “Buy Box,” claiming that Amazon manipulated which retailers were selected for the coveted placement.

Amazon slammed with £1.1B data abuse lawsuit from UK retailers

Featured Article

Rivian overhauled the R1S and R1T to entice new buyers ahead of cheaper R2 launch

Rivian has changed 600 parts on its R1S SUV and R1T pickup truck in a bid to drive down manufacturing costs, while improving performance of its flagship vehicles.  The end goal, which will play out over the coming year, is an existential one. Rivian lost about $38,784 on every vehicle…

1 day ago
Rivian overhauled the R1S and R1T to entice new buyers ahead of cheaper R2 launch

Twitch has come up with a solution for the ongoing copyright issues that DJs encounter on the platform. The company announced Thursday a new program that enables DJs to stream…

Twitch DJs will now have to pay music labels to play songs in livestreams

Google said today it is partnering with RapidSOS, a platform for emergency first responders, to enable users to contact 911 through RCS (Rich Messaging Service).

Google partners with RapidSOS to enable 911 contact through RCS

Long before product-led growth became a buzzword, Atlassian offered free tiers for virtually all of its productivity and developer tools. Today, that mostly means free access for up to 10…

Atlassian now gives startups a year of free access