Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. In this feature, Odaseva’s VP of Solutions Engineering Dave Horton offers some considerations for ensuring SaaS ransomware protection.
When enterprises deploy new applications, it’s rare that they do so in their own data center. More often than not, they’re leveraging a software-as-a-service (SaaS) application, and, increasingly, they’re also moving their legacy applications off-premises in favor of SaaS. Critical applications such as office productivity suites, CRM and ERP are all now commonly delivered as a service.
Unfortunately, although many of these applications are critical to day-today business operations, the data stored in them is not protected to the same degree as on-premises data — likely because there is still some confusion in IT about who is responsible for protecting their data.
SaaS providers, like cloud providers, almost always operate on a shared responsibility model. Under this model, providers secure their infrastructure, but the customer is ultimately responsible for the data that belongs to them. If the data is accidentally or maliciously deleted, corrupted or encrypted by ransomware, customers will be unable to recover their data unless they have a separate backup of their own.
Ransomware, in particular, is a real threat, and it may surprise many in IT how prevalent and successful these attacks are. A recent global survey of enterprise data decision makers found that just over half (51 percent) of companies surveyed who had experienced a ransomware attack had their SaaS data targeted, and, again, just over half (52 percent) of those attacks were successful. In fact, ransomware attacks were more successful against SaaS data than they were against on-premises, endpoint or cloud data.
Only 28 percent were very confident that they could recover SaaS data in a ransomware attack, so it’s not surprising that only half of the organizations whose SaaS data was successfully encrypted in a ransomware attack were able to restore all their data. That’s well below the 81 percent rate of recovery for on-premises data encrypted in a ransomware attack, demonstrating the large gap in protection between SaaS and on-premises.
Protecting Data Against a SaaS Ransomware Attack
The first step to protecting against ransomware attacks on SaaS data is to ensure that access to that data is secured. Providers invest heavily in security, because their business depends on customers trusting them to keep the infrastructure safe for them to use. As a result, cybercriminals are extremely unlikely to successfully attack SaaS data through a direct assault on the providers’ infrastructure. Attacks are far more likely to take advantage of stolen or compromised credentials, API leaks or malware on the customer side. Protect access through multi-factor authentication so that passwords and usernames don’t become a single point of failure.
The next step is to have backups of all SaaS data, but protecting it bears little resemblance to traditional processes, in no small part because IT has no control over the infrastructure that stores and manages their data. Enterprises are completely dependent on the SaaS providers’ APIs to access their data, and these APIs are far from a limitless resource. To ensure that all customers have fair access to API resources, providers set hard caps on the API calls each can make daily. Customers have many APIs with different advantages, disadvantages, and capabilities.
Finally, these APIs aren’t just used for backup. They’re also used to connect the SaaS application to other apps and resources. So, as IT considers its SaaS backup strategy, it’ll need to make careful use of these APIs to ensure they can recover quickly enough from a ransomware attack or other disaster while also ensuring there are plenty of resources available for all the other critical functions that depend on these same APIs.
There are three basic strategies for protecting SaaS data. The first is to build a solution in-house. For some niche SaaS applications, this may be the only strategy, and there are some advantages, as it provides maximum flexibility and control. But given the complexity of the task, few enterprises will possess the expertise needed to build a SaaS backup solution that meets their RPOs and RTOs while also being reliable and secure. Additionally, if a market solution exists, it’s going to be difficult to justify the time and expense required. These resources would likely be better applied to other projects.
The second option is to go with a free market solution if one is available. You can’t beat the price, of course, but these are usually created for low-volume, simple data structures. Support will be limited, at best. This option is not a good fit for an enterprise that needs to protect data in a mission-critical SaaS application.
Likely, the best option is a market SaaS backup solution designed specifically for the application you need to protect. A good vendor will have the expertise and focus to build a solution that reliably backs up and recovers data quickly, efficiently managing APIs.
Ransomware poses a significant threat to SaaS data, and organizations must make protecting against it a high priority. With so many mission-critical functions now residing in SaaS, insufficiently protecting SaaS data poses a serious risk to the ability of a business to function.