Cloud Security: What does Shared Responsibility mean for SaaS customers?
About This Article
Over the course of the past year and half, we from Revyz have met with a large number of Atlassian customers and partners within the marketplace and one thing that has become apparent to me is that there is so much confusion about who is responsible for mission critical business data in a SaaS environment.
I’ve written this article to help Atlassian administrators to displace some common myths, gain clarity on both the terminology and the roles of the customer / administrator (representing the customer using the SaaS application) and SaaS vendor when it comes to data responsibility.
I hope that by reading this, SaaS administrators can be better informed in making strategic decisions around your data management practices.
Software as a Service (SaaS)
SaaS stands for Software as a Service. It is a software delivery model in which software applications are hosted on a cloud infrastructure and provided to customers over the internet as a service. Instead of purchasing and installing software on their own servers or computers. SaaS is a popular choice for businesses of all sizes because it offers a number of benefits, including:
- Reduced upfront costs: With SaaS, businesses do not have to purchase the software upfront. They can simply pay a subscription fee to use the software.
- Scalability: SaaS is highly scalable, so businesses can easily add or remove users as needed.
- Ease of use: SaaS applications are typically easy to use and do not require any special installation or configuration.
- Up-to-date software: SaaS vendors are responsible for maintaining and updating the software, so businesses can be sure that they are always using the latest version.
Some popular examples of SaaS applications include:
- Atlassian - Jira Cloud, Confluence Cloud
- Google - G Suite (email, calendar, docs, etc.)
- Microsoft - Office 365
While the SaaS model offers a number of benefits, there are also some tradeoffs to consider.
- Vendor lock-in: When you use a SaaS application, you are essentially locked into the vendor that provides the application. If you are not happy with the vendor or their service, it can be difficult to switch to a different vendor.
- Data security: When you use a SaaS application, your data is stored on the vendor's servers. This means that you are entrusting your data to the vendor, and you need to be confident in their security practices.
- Downtime: SaaS applications are hosted in the cloud, so they are susceptible to downtime. If the vendor's servers go down, you may not be able to access your applications.
- Compliance: SaaS vendors must comply with a variety of regulations, such as HIPAA and GDPR. If you use a SaaS application, you need to make sure that the vendor is in compliance with the regulations that apply to you.
Overall, SaaS offers a number of benefits, but there are also some tradeoffs to consider. It is important to weigh the benefits and tradeoffs before deciding if SaaS is the right choice for your business.
The Misconception of SaaS
While the SaaS Model offers a lot of benefits, there are some very common misconceptions:
- The cloud provider is responsible for everything. This is not true. The cloud provider is responsible for the security of the underlying infrastructure, but the customer is responsible for the security of their data and applications.
- The cloud provider is always up and running. This is not true. The cloud provider can experience outages just like any other IT system. The customer should have a plan in place to deal with outages, such as having a backup plan for their data and applications.
- The cloud provider is always compliant. This is not true. The cloud provider is responsible for complying with regulations, but the customer is also responsible for ensuring that they are in compliance. The customer should review the cloud provider's compliance documentation to make sure that they are meeting their needs.
This is where you as a consumer of a SaaS service in the enterprise it is important for you to understand the shared responsibility model in SaaS so that you can make informed decisions about your security posture. By understanding the roles and responsibilities of both the cloud provider and you the customer, you can help to ensure that your data and applications are secure.
Shared Responsibility Model
Every SaaS provider publishes a document that establishes the responsibilities as it relates to the service being provided detailing the role and responsibility of the provider and that of you the customer. The responsibility is shared between the two parties and hence the shared responsibility model. In a shared responsibility model, the SaaS provider and the customer will each be responsible for various components that make up the service. The SaaS provider will be responsible for things under their control, such as physical infrastructure, environmental, and compute infrastructure, and the customer is responsible for ensuring user access to the application is governed by the policy of the organization and follows the principles of least privileges and securing their data that is part of the SaaS offering.
A common question in this context is why SaaS providers do not offer any protection for user data. To put it simply, any data or content created by a customer is hosted on the SaaS servers they are using, along with the data of all the provider's other customers. Now let's say a provider has a million users. Everything that each of those million users enters is lumped together – effectively creating an immense pool of mixed-up computer code on the part of the provider. When data loss occurs, it's extremely difficult to recover lost files and information since it’s like searching for a needle in a field of haystack. For this reason, many SaaS applications include provisions in their terms and conditions about what can and cannot be restored in such a case. The bottom line is that the security and protection of your data is entirely up to you.
The Atlassian Shared Responsibility Model
Atlassian has published their Cloud Security Shared Responsibility Model for customers using their cloud offerings, which include Jira Software, Confluence, Jira Service Management among others.
In summary, Atlassian handles security of the applications themselves, the systems they run on, and the environments those systems are hosted within, they ensure the systems and environments used are compliant with relevant standards, including PCI DSS and SOC2, as required.
Key takeaways for the customer:
- Assess the suitability of Atlassian Cloud-based platforms based on the information Atlassian provides.
- Protect your endpoints through good security practices.
- Who accesses the Atlassian platform and what access they have to your data is your responsibility.
- Create regular backups of your data.
- Assess the suitability of any Marketplace Apps you want to use.
- Notify Atlassian of any malicious behavior identified in a Marketplace App.
What this means and how you can protect your SaaS data
As a customer of SaaS you are still responsible for who accesses your SaaS application and the data within it and to protect the SaaS data that belongs to you. SaaS vendors are not responsible for who accesses your instance of the SaaS application and any data loss associated with customer-initiated destructive changes to the data.
Revyz helps simplify your responsibility of data protection by backing up your Jira Cloud data and making it readily available to you at any time to restore in the case of a data loss scenario.
Do you want to dig deeper? Here are some references we recommend: