How data compliance challenges emerge in an as-a-service world
Organizations increasingly rely on software as a service (SaaS), replacing applications they previously hosted on-premises.
In April, for example, Gartner predicted SaaS global revenue would grow 18.5 percent over 2018 to more than $94 billion this year and that, by 2022, it would reach $143.7 billion. The SaaS approach has real benefits (lower costs, no on-premises equipment or software to operate, no updates or patches to manage), but it raises significant questions about compliance with GDPR, HIPAA, Sarbanes-Oxley and the other regulatory regimes that govern company data.
So, who owns the data? Who has responsibility for compliance? And what questions should customers ask a potential SaaS vendor to determine whether their data will be compliant in their service?
Let's address data ownership first. When it comes to security (and security is an important part of compliance), SaaS services typically operate on a shared responsibility model. The provider is responsible for securing its own infrastructure, platform and application, while the customer is responsible for what it puts into the service and who can reach it: user identities, access controls, tenant configuration and the data itself.
This model extends to data protection and backups. The provider protects the platform against catastrophic failure or breach, but discrete recovery of individual items, such as a mailbox or a record that a user accidentally deleted, is up to the customer.
So, from a practical point of view, the short and simple answer is: you own the data. In GDPR terms you are usually the data controller and the vendor is a processor acting on your instructions. The vendor may store and process the data for you, but you remain responsible for ensuring it is handled in compliance with all relevant regulations. If the vendor fails, you could be on the hook for fines, other penalties and damage to the organization's brand.
Compliance is an enormous topic, so we’ll just hit the highlights of the measures you should take when it comes to SaaS data.
A recent study from 451 Research shows that nearly three-quarters of organizations either depend on the vendor to protect their SaaS data or have no protection for it at all. That's a terrible position to be in: if someone accidentally deletes data, or the SaaS vendor suffers a catastrophic hack or natural disaster, your data could be gone forever. You need to take responsibility for protecting it, especially sensitive data such as financials, health or personally identifiable information, and even emails or chat messages that could be relevant in a court case. Thankfully, there are solutions that back up data held in SaaS applications, and many are themselves SaaS-based.
Many countries require that data produced or collected inside their borders be physically stored there (data residency or data localization rules). It's important to understand which of your SaaS data falls under these requirements and in which regions each SaaS vendor will store and replicate it. Get this in writing, in the contract or the vendor's documentation, so you can demonstrate compliance if you are asked to.
Be certain that your provider is taking proper security precautions to protect its own environment. A SOC 2 attestation or ISO 27001 certification is a good indicator, but at minimum ensure that the provider encrypts your data both at rest and in transit, and ask who holds the encryption keys. In the absence of an attestation or certification, have the vendor complete a vendor risk assessment that gives you details of the underlying protections and controls in its system.
Also, make sure the provider is contractually obliged to notify you promptly of a breach on its side. Under GDPR, a processor must notify the controller without undue delay after becoming aware of a personal data breach, and the controller in turn must notify the supervisory authority within 72 hours and, where the breach is likely to result in a high risk to individuals, notify those individuals without undue delay. That clock starts for you when the vendor tells you, so a vendor that sits on the news for days puts your compliance at risk. From your side, ensure that you've locked down access to SaaS applications that store sensitive data: enforce single sign-on and multi-factor authentication, review who has which role, and remove accounts that are no longer needed. Your provider is responsible for securing its infrastructure, but it's on you, the customer, to control access.
The right to be forgotten
This requirement from GDPR (the right to erasure, Article 17) famously requires organizations to delete an individual's data when they request it. So make sure that when you delete data from your SaaS application it is also permanently deleted from the provider's infrastructure, including replicas, caches, search indexes and exports, rather than merely hidden or soft-deleted.
There is some ambiguity about whether organizations are required to purge data from backups, and the prevailing view is that retaining it in backups for their normal retention period is acceptable provided it is put beyond use. That said, when you restore from a backup, it's important to make sure that no data is brought back into live systems that should have been "forgotten." Keep a record of fulfilled erasure requests and apply it to every restore.
If you're storing data that requires special treatment for compliance, obtain detailed documentation from your SaaS provider of its own compliance with HIPAA, GDPR, Sarbanes-Oxley, the current version of PCI DSS and any other regimes that may apply.
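The restore-time check described above, as an added example that is not from the original article or any particular backup product: the script keeps an erasure ledger (a record of fulfilled right-to-erasure requests) and applies it to a backup snapshot before anything is written back into the live system. The snapshot records, the ledger entries and the `subject_id` field that links them are constructed for the example; in practice the snapshot comes from your SaaS backup tool's export and the ledger from your own request-handling system. The one edge case it handles deliberately is a subject who was erased and later came back: only records created before the erasure are suppressed, so the returning subject's new history is restored normally.

```python
"""Filter a backup snapshot against an erasure ledger before restoring.

Added example, not code from the original article. All data below is
constructed; the record and ledger formats are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class ErasureRequest:
    subject_id: str       # the data subject whose data was erased
    erased_at: datetime   # when the erasure was fulfilled in the live system


@dataclass(frozen=True)
class Record:
    record_id: int
    subject_id: str
    created_at: datetime
    payload: str


# Constructed backup snapshot, taken before some erasure requests were handled.
SNAPSHOT = [
    Record(1, "u-100", datetime(2019, 3, 1, tzinfo=UTC), "alice@example.com"),
    Record(2, "u-200", datetime(2019, 3, 5, tzinfo=UTC), "bob@example.com"),
    # Bob was erased on 2019-06-10 and signed up again on 2019-07-01:
    # this record postdates the erasure and must survive the restore.
    Record(3, "u-200", datetime(2019, 7, 1, tzinfo=UTC), "bob.new@example.com"),
    Record(4, "u-300", datetime(2019, 4, 1, tzinfo=UTC), "carol@example.com"),
]

# Constructed append-only ledger of fulfilled erasure requests.
ERASURE_LEDGER = [
    ErasureRequest("u-200", datetime(2019, 6, 10, tzinfo=UTC)),
    ErasureRequest("u-900", datetime(2019, 5, 1, tzinfo=UTC)),  # no records in snapshot
]


def restorable(snapshot, ledger):
    """Split a snapshot into (keep, suppress).

    A record is suppressed when its subject has a fulfilled erasure request
    that postdates the record's creation; such a record would have been
    deleted by that request and restoring it would resurrect forgotten data.
    Records created after the subject's most recent erasure are kept.
    """
    latest_erasure = {}
    for req in ledger:
        prev = latest_erasure.get(req.subject_id)
        if prev is None or req.erased_at > prev:
            latest_erasure[req.subject_id] = req.erased_at

    keep, suppress = [], []
    for rec in snapshot:
        cutoff = latest_erasure.get(rec.subject_id)
        if cutoff is not None and rec.created_at < cutoff:
            suppress.append(rec)
        else:
            keep.append(rec)
    return keep, suppress


def restore_report(snapshot, ledger):
    """Produce the evidence you would file with the restore: what was
    written back, what was withheld and why. Only record ids and subject
    ids are logged so the report itself does not re-create forgotten data."""
    keep, suppress = restorable(snapshot, ledger)
    return {
        "restored_record_ids": [r.record_id for r in keep],
        "suppressed_record_ids": [r.record_id for r in suppress],
        "suppressed_subjects": sorted({r.subject_id for r in suppress}),
    }


if __name__ == "__main__":
    report = restore_report(SNAPSHOT, ERASURE_LEDGER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the filter as a gate in front of whatever writes the restore back into the SaaS tenant, and keep the report alongside the restore ticket; it is the documentation that shows the erasure request was honoured even though the backup predated it.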
Compliance in an as-a-service world doesn’t have to be any scarier than on-premises compliance. In fact, in some ways, it can be much easier, with the provider taking responsibility for many functions. But it’s critical to do a lot of vetting up front to ensure you’re working with a strong provider. After all, ultimately, the buck stops with your organization.
If you entrust sensitive data to a SaaS provider that doesn’t live up to their responsibilities, regulators aren’t going to cut you any slack.