Technology · Aug 19, 2025 · 8 min read

The Illusion of SaaS Safety: Why Your Data Isn't Fully Protected


Rubrik Forward highlighted a critical (yet often overlooked) issue: the misconception that Software as a Service (SaaS) providers offer comprehensive data protection. 

This is a dangerous assumption. Your SaaS vendor does not automatically protect your data. Misreading the shared responsibility model is a common cause of data loss, and the impact of that loss shows why organizations are unwittingly putting their most critical data at risk.

The SaaS Data Gap: A Reality Check

Many organizations operate under the false belief that SaaS vendors like Microsoft 365, Salesforce, and Google Workspace automatically protect the data inside those applications. They do not. SaaS applications offer accessibility, scalability, and reduced operational overhead, but they do not promise the comprehensive data protection your organization probably expects.

Every major SaaS provider operates under a shared responsibility model. This means the vendors are responsible for the availability of the service (think 99.9% uptime), but data protection is explicitly your responsibility. This isn't hidden in the fine print; Microsoft's service agreement, for example, clearly states that protecting your content and data is your responsibility. Salesforce recommends implementing third-party backup solutions.

This "protection gap" can be costly. IBM's 2024 Cost of a Data Breach report puts the average cost of a breach at $4.88 million, and organizations that misunderstand the shared responsibility model are exposed to exactly this kind of loss.

Common Data Loss Scenarios Exploiting the Gap

Three common data loss scenarios exploit this protection gap:

  • Insider Threats and External Attacks: Together these are among the leading causes of data loss in SaaS apps. In 2024, a staggering 83% of organizations reported experiencing at least one insider attack in the past year, according to Rubrik Zero Labs. These attacks are particularly dangerous because they operate with legitimate credentials, so they are often not detected until significant damage has already occurred.
     

  • Accidental Deletion and User Error: Accidental deletion and user error account for a large share of SaaS data loss. When a critical SharePoint site gets deleted or an employee purges important emails, native recycle bins only protect you for a limited window, typically between two weeks and 93 days depending on the application and how it is configured. This happened to one of Rubrik's customers, a well-known healthcare organization in California, when a physician accidentally deleted his entire inbox, ten years' worth of email, before leaving for PTO. On his return he found an empty inbox.
     

  • Misconfigurations: Organizations experience data loss due to misconfigurations or improper setup or maintenance of SaaS applications. As SaaS environments become more complex, configuration errors are increasingly common and impactful. Misconfigurations can expose sensitive data, disable critical security features, or inadvertently delete or overwrite important information. 
     

A notable real-world example occurred in early 2024, when a large retail vendor suffered a breach that exposed the data of more than 10,000 employees. The breach was not caused by a direct failure at the company itself but by a misconfiguration at a third-party SaaS vendor. That misconfiguration exposed sensitive information, including employee names, work email addresses, and user IDs, which a threat actor then posted to a hacking forum.

Protecting Popular SaaS Platforms From Data Loss

The financial impact of unrecoverable data extends well beyond the obvious: millions of dollars in lost productivity, large penalties for compliance failures, and hundreds of thousands of dollars in legal discovery costs. Beyond the financial repercussions there is reputational damage, which is harder to quantify and can be more devastating.

So how do you protect yourself in this environment? Here are some tips to consider for each of the main SaaS vendors:

  • Microsoft 365: While Microsoft provides high availability for its services, protecting your content and data within applications like Exchange Online, SharePoint Online, and OneDrive is explicitly your responsibility. Out of the box you are reliant on native recycle bins with limited retention windows (Exchange Online keeps deleted items recoverable for 14 days by default and at most 30; the SharePoint and OneDrive recycle bins hold content for 93 days) for scenarios like accidental deletion of a critical SharePoint site or purging of important emails. The Rubrik Zero Labs report shows that 56.67% of sensitive files in OneDrive and 25.56% in SharePoint are unstructured sensitive data.
     

  • Salesforce: Salesforce, a leading CRM platform, recommends implementing third-party backup solutions to ensure the comprehensive protection of your customer data. This acknowledges that their core offering focuses on application availability and functionality, not exhaustive data recovery from all potential threats.
     

  • Google Workspace: Google's terms of service clearly specify that they are not responsible for data loss. This applies to critical business data stored in applications like Gmail, Google Drive, and Google Docs. Organizations need to understand that while Google ensures the service is operational, the ultimate responsibility for data preservation and recovery rests with the user.
     
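The retention windows above are per-mailbox and per-site settings, so the first practical check is to find out what your own tenant actually does. The following script is an added example for this post, not Rubrik's code or a Microsoft-supplied tool: it uses the Exchange Online PowerShell module to list mailboxes whose deleted-item retention is below a threshold and that are not covered by a litigation or in-place hold. The 30-day threshold, the output file name, and the assumption that you have the ExchangeOnlineManagement module installed and a role that can read recipient settings are all assumptions of the example.

```powershell
# Added example: audit Exchange Online deleted-item retention and holds.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account can read mailbox settings (e.g. View-Only Recipients or higher).
Connect-ExchangeOnline -ShowBanner:$false

# Threshold is an assumption for this example; Exchange Online allows at most 30 days.
$minRetention = New-TimeSpan -Days 30

$report = Get-EXOMailbox -ResultSize Unlimited `
    -Properties RetainDeletedItemsFor, LitigationHoldEnabled, RetentionHoldEnabled, InPlaceHolds |
    ForEach-Object {
        [pscustomobject]@{
            User                 = $_.UserPrincipalName
            DeletedItemRetention = [TimeSpan]$_.RetainDeletedItemsFor
            LitigationHold       = $_.LitigationHoldEnabled
            RetentionHold        = $_.RetentionHoldEnabled
            # Any hold keeps items in Recoverable Items beyond the normal window.
            AnyHold              = ($_.LitigationHoldEnabled -or ($_.InPlaceHolds.Count -gt 0))
        }
    }

# Mailboxes where a deletion becomes unrecoverable sooner than the threshold
# and nothing else (hold or backup) is holding on to the data.
$atRisk = $report | Where-Object { $_.DeletedItemRetention -lt $minRetention -and -not $_.AnyHold }

$atRisk | Sort-Object DeletedItemRetention | Format-Table -AutoSize
$atRisk | Export-Csv -Path .\exo-retention-gap.csv -NoTypeInformation

# Optional remediation (uncomment to apply): raise retention to the 30-day maximum.
# $atRisk | ForEach-Object { Set-Mailbox -Identity $_.User -RetainDeletedItemsFor 30 }

Disconnect-ExchangeOnline -Confirm:$false
```

Raising RetainDeletedItemsFor or placing holds only stretches the native window; it does not give you a copy of the data outside the tenant, and the SharePoint and OneDrive recycle-bin period (93 days) is not configurable at all. Treat the CSV as the list of mailboxes where a backup with its own retention is the only thing standing between an accidental purge and permanent loss.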

Take Responsibility For Your Critical SaaS Data

The key takeaway from Rubrik's Forward event is clear: organizations must proactively protect their SaaS data. This includes understanding where your sensitive data resides, prioritizing its protection, defining and enforcing policies, and leveraging automation for data backup and recovery. For more details on the state of cybersecurity, you are welcome to look at the Rubrik Zero Labs report on rubrik.com.

Rubrik offers a robust SaaS solution that bridges this protection gap, providing comprehensive data protection for your critical SaaS applications. By automating data backup and recovery, Rubrik backs up data consistently and securely, without manual intervention. In the event of a ransomware attack or system failure, these backups are fully immutable and available for instant data recovery, drastically reducing downtime and minimizing data loss. This empowers IT teams to focus on proactive security measures rather than managing complex recovery workflows, ensuring business continuity and a stronger defense against cyber threats.

Watch the Rubrik Forward session on SaaS Data Protection on-demand to learn more about protecting your SaaS data!
