The challenges of compliance in an as-a-service world
Software-as-a-service (SaaS) is rapidly replacing applications that were once hosted on-premises. There are compelling reasons for switching to SaaS. Costs are lower, there’s no in-house equipment or software to deal with, and no updates or patches to manage. Organizations are obviously aware of the advantages. Experts at Gartner estimate that SaaS global revenue will exceed $94 billion in 2019, up 18.5 percent over 2018. The outlook for future growth is even more promising, with projections that revenue will soar to $143.7 billion by 2022.
But the as-a-service model raises a critical issue facing organizations: compliance with GDPR, HIPAA, the California Consumer Privacy Act (CCPA), Sarbanes-Oxley and other regulatory schemas that govern company data. Who owns the data and is responsible for compliance? What should customers expect from SaaS vendors?
We spoke with Dan Timko, Chief Strategy Officer, J2 Global, which includes its OffsiteDataSync and KeepItSafe businesses, to get the answers.
BN: Let’s start with one of the most basic questions: In a SaaS situation, who actually owns the data?
DT: The short and simple answer is that you as a client own your own data. It may be stored and processed by an outside party, but it still belongs to your organization.
BN: So does that mean clients are solely responsible for security and compliance?
DT: No, the responsibility is split between provider and client. For example, SaaS services typically operate on a shared-responsibility model when it comes to security, which is a key aspect of compliance. The provider is responsible for securing its own infrastructure and environment, while the customer is responsible for locking down access to the service.
This model also applies to data protection and backups. The provider protects the platform against catastrophic failure or breach, but it’s up to the customer to handle discrete recovery of individual items due to events such as accidental deletion.
While there is joint responsibility, at the end of the day, you are ultimately accountable for ensuring that your data complies with all relevant regulations. If the vendor fails, you could be liable for fines and other penalties plus suffer damage to your brand.
BN: Are end-users doing enough to protect their SaaS data?
DT: A shocking number of businesses are not doing enough to safeguard their own data. According to a recent study from 451 Research, almost three out of four organizations rely completely on the vendor to protect their SaaS data or have no protection at all. That exposes them to serious risks. Say an employee inadvertently deletes a file that’s later required for a legal investigation or a crucial business report. Or what if your SaaS vendor goes belly up or suffers a serious hack or a fire? If your data suddenly vanishes, you could face serious repercussions, especially if it’s sensitive information involving financials, health, or personally identifiable details. Even emails or texts that could be relevant in a court case need to be safeguarded. The key takeaway is that every organization needs to take responsibility for protecting data they have stored in SaaS applications. Fortunately, there are numerous solutions out there, including many that are SaaS-based.
BN: Do you need to double-check that a vendor offers adequate security?
DT: Absolutely. You need to be 100 percent positive that your provider is taking proper precautions to protect their own environment. Don’t just assume that they are. Also make sure they encrypt data stored in their systems. If a vendor lacks attestation or certification, ask them to complete a risk assessment with details about the underlying protections and controls in their system. Also, make sure that they will contact you ASAP if they experience a breach. GDPR requires that organizations notify individuals within 72 hours if their data was part of a breach.
While holding the vendor to high standards, don’t forget that you bear some responsibility for security as well. The provider has to secure their infrastructure, but it’s your job to lock down access for SaaS applications that store sensitive data.
BN: Are there less obvious considerations with SaaS data?
DT: Yes, there are a few. For example, many countries require that data produced or collected inside their borders must be physically stored there. You need to understand what SaaS data falls under these requirements and where your SaaS vendors will store it. Get documentation so you can demonstrate compliance if the need arises.
There’s also the right to be "forgotten." The GDPR requires organizations to delete an individual’s data upon request. When you delete data from your SaaS application, it must also be permanently removed from the provider’s infrastructure. It’s not entirely clear whether organizations must also delete such data from backups, but most experts believe this is not necessary. Even so, when you restore data it’s important that no "forgotten" data is recovered.
Documentation is another must. When dealing with any data that requires special treatment for compliance, get detailed documentation from your SaaS provider about their own compliance with HIPAA, GDPR, Sarbanes-Oxley, PCI DSS 3.0 and any other schemas that may apply. Regulators won’t take your word for anything.
BN: It sounds pretty complicated. Does SaaS make compliance more difficult?
DT: Not at all. In fact, in some ways, it can be much easier than on-premises compliance, because the provider assumes responsibility for many functions. But that’s only true if you choose a strong provider who does the job properly. It’s in your best interest to exercise due diligence before entrusting your data to a third-party provider.