As the COVID-19 pandemic spreads around the globe, there has been a swift and significant shift to telecommuting. Around 56 percent of American jobs are compatible with working online; a steep increase from 3.6 percent of the workforce that worked remotely before the pandemic. This shift to remote work and cloud technology won’t simply return to the status quo after stay-at-home restrictions are lifted either. Experts predict that a quarter of the American workforce may work at home at least part of the time. With this massive uptick in remote workers, there has been an equivalent increase in the dependence on cloud technology and Cloud Service Providers (CSPs). This is because cloud solutions provide an apt platform for collaboration with seamless scalability – perfect for enabling remote work. However, organizations need to keep in mind that migrating their business workflows to SaaS solutions does not absolve them of data protection. The onus of adhering to compliance checks and data protection regulations lies with your organization. Here, we’ll talk about the audit and compliance requirements for SaaS backup solutions. Pointers you should keep in mind when contracting with CSPs and in particular with your SaaS backup providers.
This article contains information about:
- Shared Responsibility for Your Data With Your CSP
- Demonstrable Recovery a Must for Compliance
- Audit and Compliance Requirements for SaaS Backup Solutions
- How CloudAlly Can Help
Shared Responsibility for Your Data with Your CSP
Many companies mistakenly believe that their CSPs are fully responsible for the security of their data. While SaaS solutions such as Office 365, G Suite, Salesforce are stringently secure, they cannot assure data security at your end. Hence the phrase – “shared responsibility” used in compliance laws like GDPR, HIPAA, and SOX, among others. What does “shared responsibility” mean? It means that both the “data controller” (you) and the “data processors” (your CSPs) share duties with regard to customers and supervisory authorities about data security. Typically, the CSPs’ responsibility encompasses everything “of” the cloud – securing the facilities, hardware, and software that run cloud services. Your organization is responsible for the security “in” the cloud such as customer data, access management, network security, client-side data encryption.
AWS’ Shared Responsibility Model
If you aren’t clear about your data security responsibilities, it can lead to unfortunate (and preventable) security failures. To make sure that you don’t run into issues, consult your CSP to discuss the exact parameters of your cloud service agreement, so you can ensure you fulfill your data protection responsibilities.
Demonstrable Recovery a Must for Compliance
A misconception about cloud service providers is that you’re immune from data breaches. Unfortunately, the most secure CSPs cannot protect you from data loss at your end due to hackers, malware, malicious intent, synchronization errors, or primarily, human error.
Audits require that you guarantee the “demonstrable recovery” of customer data. While CSPs are certainly useful in keeping employees connected during this time, recovery of lost data via native solutions like the Recycle Bin are tedious and time-bound. For efficient disaster recovery and seamless business continuity, you need a third-party backup solution to recover quickly from data loss.
Data regulatory laws world over – GDPR, HIPAA, SOX, Stop Hacks and Improve Electronic Data Security Act (SHIELD), California Consumer Privacy Act (CCPA) – mandate data encryption, shared responsibility, and demonstrable recovery. Article 3 of the GDPR states that organizations should “have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
However, regulatory compliance is also demanded of your SaaS backup solution.
Audit and Compliance Requirements for SaaS Backup Solutions
Data regulatory laws and audits also inspect other aspects of your SaaS backup solution that have to do with data protection such as the extent of encryption, security credentials, and location of the data centers. Here are some of the audit and compliance requirements for SaaS backup:
For optimal compliance, data should be encrypted at-rest and in-transit. Here are some recommendations by the Cloud Security Alliance on the encryption of cloud data. If your CSP doesn’t encrypt your data both while storing it and during data transfer, your data may be more likely to be breached.
If your CSP doesn’t support Multi-Factor Authentication (MFA), then your data is prone to attack. Compromised credentials are the major cause of data breaches. Even strong passwords can be hacked easily through phishing, keystroke logging, and phishing malware attacks. By reducing dependence on passwords itself, MFA has been proven to block 99.9% of breaches. Best-in-class cloud platforms like Microsoft themselves mandate that those part of their CSP network secure authentication with MFA/2FA.
Location of Data Centers
Since we’re discussing CSPs here, you might think that the physical location does not matter. Rather, location is a critical audit requirement – one to do with data sovereignty. This refers to the fact that data is under the jurisdiction of the country in which it is collected or processed and must remain within its borders. Hence most laws require local storage and highly regulate how the data can be moved out of the country and for what reason. For example, GDPR requires that all data collected on citizens must be either stored in the EU, so it is subject to European privacy laws, or within a country that has similar levels of protection.
Connectivity, Data Access, and Security
The location also makes a difference regarding connectivity and security. Specifically, if you choose a data center location that isn’t effectively situated, you can face latency issues. The number of network links can also make a difference in the speed and reliability of your connection. A data center in a country or region that can be affected by natural disasters or political unrest is also not a wise choice in a CSP.
Additionally, CSPs in the European Union must provide users the functionality of accessing or deleting their data. So check on the ease of data access, particularly the ability to selectively delete data with your CSP.
CloudAlly Meets ALL the Audit and Compliance Requirements for SaaS Backup
CloudAlly is a top-rated third-party cloud solution that provides secure automated backup and easy restore options for SaaS platforms like Office 365, G Suite, Salesforce, SharePoint, and OneDrive, Dropbox, and Box. Thus ensuring that you not only have “demonstrable recovery” in the event of data loss but can also recover data quickly with a few clicks.
Moreover, CloudAlly ticks all the audit and compliance requirements for SaaS backup:
- We provide AES 256 bit encryption via Amazon Web Services, the leading cloud services platform, for your data in-transit and at-rest.
- You have the choice of multiple data center locations in the EU, Australia, the US, and Canada. We recently added new data centers in Germany and the U.K.
- We support MFA and OAuth. We even offer the option to make it mandatory for access.
- Our solutions are stringently secure and compliant – ISO 27001 certified, GDPR, and HIPAA compliant, with 99.9% Uptime / Availability SLA.
- We offer granular and point-in-time recovery which coupled with unlimited data retention and unlimited storage, means you have demonstrable recovery of any/all of your data from any point-in-time.
MSPs can differentiate themselves from their competitors by offering backup for the very real threat of data loss with common SaaS platforms. This will enable their customers to securely work on the cloud while growing their business.
As many organizations are undergoing large-scale changes to facilitate remote work, CloudAlly doesn’t add to the workload with its effortless out-of-the-box integration with your SaaS platform. CloudAlly pioneered SaaS backup, and thus our solutions are robust and proven. In a time of wide-scale change in the way we work, and the resultant implications on audit and compliance, and data security, you need the assurance of data backup that’s secure and compliant. CloudAlly can be the stability you’ve been seeking.