Companies have become increasingly comfortable with public clouds. The battle for productivity is over and its unlikely that anyone investing in new workplace productivity suites with mail, word processing and spreadsheets is going to opt for an on premise solution.
Microsoft O365 leads the way, with G Suite also popular especially with startup companies.
Our trust in these services has steadily increased over the years, but as it has done so, have we become too trusting on just how much they protect our valuable data?
When you look into “who is responsible for what” between you and your cloud provider, you will come across the term “Shared Responsibility”. By this it means that your cloud or SaaS provider does not take on all aspects of responsibility for the service you purchase.
When you delve in deeper, you will find that when it comes to protecting your data, most of the real responsibility falls on you and NOT the provider.
If we look at O365, this does not mean that Microsoft don’t have measures in place to protect your data. They do. However, there are two really important things you need to consider.
The first is the data protection service level- what is it exactly that your SaaS provider is contractually obligated to do to protect your data. The answer is usually quite surprising. The following is taken directly from the most current Microsoft services agreement:
“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
To paraphrase – we will try our best to protect your data, but if we lose it, it’s on you!
The second important thing to understand is, even though your SaaS provider may have no substantive legal obligation to protect your data, many of them do still put data protection functionality in place. It is critical that you understand exactly whether the built-in protection meets the level of backups and recoverability your business needs.
Looking at O365, the time to recovery data can be lengthy and you have almost no ability to affect the speed of recovery. The policies are changed without proactive notification, rolling back to specific points in time is not possible, the list goes on.
If you understand what the basic built-in data protection includes, then you can decide whether that meets your needs. In most cases however, companies realise they need to take ownership of protecting their SaaS environments. It is your data, even if it sits in your SaaS provider’s cloud. You have to take responsibility for protecting it.
Druva is a “born in the cloud” data protection specialist with leading solutions for protecting and recovering SaaS services like O365, G suite and even salesforce.com – you can find out more about their offerings by clicking here.