Backup and Recovery

Prepared for the Worst: Best Practices for SaaS Data Security

Demetrius Malbrough
Director of Technical Evangelism
  • While creating and implementing a data protection strategy for your organization may seem expensive, data loss from an accident or an attack can be far more costly. Having a recent backup saves you time and money in the event of a worst-case security scenario.
  • Diana Kelley knows firsthand the importance of backing up your data. She has helped executive leadership of some of the biggest names in tech improve their data protection strategies. She advises all her SecurityCurve clients to develop backup strategies that cover all of their SaaS applications.
  • By implementing the “3-2-1” rule, understanding your role in the shared responsibility model, and working with a senior security officer, you can help your organization prevent costly data losses.

Hope for the best, plan for the worst. This concept of optimistic pragmatism is common sense in many aspects of life and business, and data protection is no exception. Yet many organizations don’t take the steps they should to protect their business from security risks like ransomware.

Should a cyber attack or data loss occur, disaster recovery and business continuity are your top priorities. Having backups and security practices in place is critical to avoid devastating impacts to your business in an emergency.

With over three decades in the cybersecurity field, Diana Kelley has shared the importance of data protection with executives at some of the biggest companies in tech.

On the inaugural episode of the Beyond Backup podcast, Kelley—who is also the co-founder and CTO of SecurityCurve—shared a few fundamental misunderstandings about data protection, best practices to protect data, and what’s next in data security.

Data protection: A major misunderstanding for many

Even in the digital age, many companies still back up their data inadequately. Diana attributes this to two common excuses: some are concerned that backup efforts are too expensive, and others insist that they’ll get to it later.

But the costs of both time and money if and when accidental data loss occurs—let alone the effects of breaches or cyberattacks—can be astronomical.

Depending on the size of your company, a system outage lasting hours or even minutes is expensive—and for financial institutions, milliseconds can cost millions of dollars. The cost of a breach or attack extends not just to your business but also to your brand. The damage to your reputation can trickle down, leading to losing customers and even investors.

Diana has guided many executives through creating backup and data recovery strategies. In these conversations, she works to understand each company’s recovery time objective (how long it has to restore data after a disaster) and recovery point objective (how much data, measured as time since the last good backup, it can accept losing). Key factors like the organization’s size and industry shape both measurements.

Whatever the cause of disruption, having a recent backup allows you to efficiently recover lost data. “Being able to roll back to a clean, recent version is the difference between spending a lot of time and effort to restore, versus pushing a button and recovering [the data] very quickly,” Diana explains.

The perception that protecting and backing up your data requires massive, costly overhead is simply not true, she says. What’s more, you can’t put a price on the relief you feel when your backup lets you restore lost work.

Best practices for SaaS security

With companies both large and small using software as a service (SaaS) applications, each organization has its own workflow with unique security needs. And they may find that no single person knows all the SaaS applications used company-wide.

Whether your organization uses Microsoft 365, Google Suite, or another cloud-based tool for collaborative productivity, Diana offers one key piece of advice: “Make sure you have a coherent and comprehensive backup strategy that can [cover] all of the different clouds that you're using.”

When multiple SaaS applications are in use, an organization has data in many different clouds. You may know that the three primary cloud providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). But you might not know which cloud each of your SaaS applications runs on.

Find a backup solution that can cover all workflows and instances to protect the critical sales and customer data in your SaaS environments. Particularly if you use a combination of solutions based in multiple clouds, you may need a third party to provide complete coverage of your data.

Diana says that the key is to create a strategy—one that spans all of the core clouds and instances where your critical customer and business data resides.

The ‘3-2-1’ backup strategy

One of the age-old rules for building a strong backup strategy is the “3-2-1 rule.”

You should keep three copies of your data in two formats, one of which is offline or in “cold storage.” Breaking this down a bit further, Diana explains that it’s not enough to have a duplicate copy of something you’re working on in the same folder of your cloud drive. You want your second copy to be in a different cloud backup — or some other format entirely.

Why is a “cold storage” version preferable to backing up data solely in the cloud? “If everything's connected—and you can get from where you are in the cloud to your backup in the cloud—it's possible [for attackers] to use your credentials to log into the backup instances,” Diana explains.

A cold storage strategy means putting your backup in another medium altogether, such as a physical copy locked away in a drawer that’s not susceptible to attackers. This is often called an “air gap”—a security term that migrated into the backup space.

“Air gap” historically referred to a physical separation between networks. But as networks became more connected, physical separation became more and more of a challenge. This reality makes it all the more important to ensure your data is safe and sound using the 3-2-1 rule.
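An added example, not code from the article or from Own, that turns the 3-2-1 rule above and the recovery point objective from earlier in the article into a check you can run over a backup inventory. The inventory model, the sample copies and the 24-hour RPO are all constructed for illustration; the check flags the exact weakness Diana describes, two copies in the same folder of the same cloud drive and no offline copy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory model: one record per backup copy the organization keeps.
@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str        # where the copy lives (a cloud-drive folder, another provider, a tape safe)
    medium: str          # storage format, e.g. "cloud-drive", "cloud-object", "tape"
    offline: bool        # True if the copy is air-gapped: unreachable with production credentials
    last_success: datetime

def check_3_2_1(copies, now, rpo):
    """Return a list of violations of the 3-2-1 rule and the RPO; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, the rule needs 3")
    # Two copies in the same folder of the same cloud drive count as one copy.
    if len({c.location for c in copies}) < len(copies):
        problems.append("two copies share a location; a duplicate in the same folder does not count")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"all copies use one format ({', '.join(sorted(media))}); the rule needs 2")
    if not any(c.offline for c in copies):
        problems.append("no offline / cold-storage copy; stolen cloud credentials could reach every copy")
    stale = sorted(c.name for c in copies if now - c.last_success > rpo)
    if stale:
        problems.append(f"copies older than the RPO of {rpo}: {stale}")
    return problems

NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed "current time"
RPO = timedelta(hours=24)                                  # constructed: at most one day of lost work

# Constructed inventory that looks like three copies but fails the rule.
WEAK = [
    BackupCopy("working file", "cloud-drive:/Sales", "cloud-drive", False, NOW - timedelta(hours=1)),
    BackupCopy("copy in same folder", "cloud-drive:/Sales", "cloud-drive", False, NOW - timedelta(hours=1)),
    BackupCopy("other-cloud snapshot", "cloud-object:backups/sales", "cloud-object", False, NOW - timedelta(days=3)),
]

# Constructed inventory that satisfies 3-2-1 and the RPO.
STRONG = [
    BackupCopy("working file", "cloud-drive:/Sales", "cloud-drive", False, NOW - timedelta(hours=1)),
    BackupCopy("other-cloud snapshot", "cloud-object:backups/sales", "cloud-object", False, NOW - timedelta(hours=6)),
    BackupCopy("tape in the safe", "tape-safe:slot-4", "tape", True, NOW - timedelta(hours=20)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("strong", STRONG)):
        print(label, check_3_2_1(inventory, NOW, RPO) or "compliant")
```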

The shared responsibility model

In an emergency, business continuity is king. When subject to ransomware attacks, for instance, many organizations will pay hackers because they don’t know how else to bring their systems back online as soon as possible.

To prevent this kind of disaster, you need a backup strategy that enables business continuity even in worst-case scenarios. Diana compares this approach to the fact that the US Navy resumed teaching celestial navigation. While GPS technology is far more accurate, officers need to be able to locate themselves if their communications go down. Celestial navigation is their “one level of backup.”

As you build your backup strategy, the shared responsibility model works in your favor. “The beautiful thing about SaaS and the cloud is that your main focus [can be] your corporate data,” Diana says.

Because cloud providers and large SaaS providers care for the infrastructure, you no longer need to worry as much about an electricity or network outage impacting your data. You can dedicate your focus to keeping your data available and planning for how to protect your company in the event of an attack.

This doesn’t mean shared responsibility is simple or easy, though. Just because data is stored in a SaaS application doesn’t mean it’s protected. You’re responsible for your own data in the case of stolen or insecure credentials (or a lack of security awareness among your team members). But below the data level, Diana says, cloud providers provide significant protection.

Staying on the same page with security

Organizations may find it difficult to align the priorities of different teams around security. For instance, the manager of a SaaS application like Microsoft Dynamics, whose focus is on the application itself, may not be as concerned with the platform’s security.

This is where a senior leader like a Chief Security Officer can offer huge value to companies. “That person is responsible for looking across the organization and bringing the business risk into the conversation,” particularly for practical decision-making around backups or multi-factor authentication, she says.

Recently emerging roles like that of the security product officer, who works directly with application development teams, can help ensure security is built in for both the business and the customer. A subject matter expert who understands compliance, business, engineering, the product, and the customer can offer invaluable guidance.

“It’s all about balance: How do we take advantage of the benefits of all this wonderful technology but balance the risks in a way that's acceptable to the organization?” Diana explains.

Looking ahead: What’s next in data protection

With all of her experience, what does Diana see on the horizon for data security? Sophistication, first and foremost. “One of the great changes in backup was when it started to be differential,” she says, referring to backups that capture only the data that has changed rather than copying everything every time.

She sees cloud-based backup continuing to be essential. Many people who used to be resistant to backups appreciate the transparency and ease of backing up their data to the cloud. She also hopes for better compression going forward, particularly because it can lead to significantly lower data storage costs.

The more our data continues to grow, the more critical it will be to back up that data. More than ever before, the approach of planning for the worst with a strong backup strategy can only protect and strengthen your business.

This article is based on an episode of the Beyond Backup podcast, hosted by Own, the #1 SaaS Data Protection Platform.
