The rapid adoption of cloud services like Microsoft Office 365, Google Docs and Box in the enterprise is a source of concern and some confusion for IT teams, who see the boundary of data governance rapidly extending to the cloud. Data privacy, security, and compliance are just three reasons why data spread across multiple hosted SaaS environments needs to be strictly managed, protected and governed.
A massive and growing trend in the enterprise today is the migration of key services such as email, CRM and file servers to cloud-based applications to take advantage of the benefits of cloud, such as increased agility and flexibility while lowering IT costs. Yet, many organizations fail to understand that the cloud is just an extension of the user’s operating environment. Data in the cloud is susceptible to loss, theft or malicious attack just like data located anywhere else. Enterprises are still responsible for managing data in the cloud and failure to comply with rules and regulations can result in hefty fines and, worse yet, loss of reputation.
Organizations need to think about three new challenges and considerations around data privacy, security, and compliance posture to address data protection and governance gaps brought about by the rise of cloud apps.
A common misconception among IT leaders and end users alike is that SaaS or cloud data does not need to be protected or backed up because the SaaS vendor is already backing up your enterprise data under their SLA. However, what many people aren’t aware of is the fact that the SLA provided by the SaaS vendor only covers data loss due to the SaaS provider’s fault – e.g. a service outage. The SLA typically does not cover data lost due to situations like accidental deletion, migration errors, data corruption or malicious insider attacks. Some SaaS vendors may not be able to help you recover data older than 30 days as they do not keep snapshots or information stored for that long. Even if the SaaS provider is willing to work with you, they may charge you a sizeable fee and recommend that you use a cloud backup solution, as in this example. Not to mention, there are countless hours of productivity lost while trying to get your data back.
When it comes to meeting information governance and legal reviews, cloud data is no different than data that would be located on endpoints or on-premises in email, CRM or file services. Today, businesses can get into hot water if they fail to produce data stored on SaaS platforms. Legal or HR teams within an organization need access to user data to either support an investigative search or an active litigation. In many cases, some or all of this data (which could be key forensic evidence) reside in cloud services like Office 365 or Box which may not have been archived.
Not having timely and easy access to current and historic data for collection and review purposes could cost an organization millions of dollars in legal fees or even the outcome of a lawsuit. Collecting data in cloud applications while preserving and handling it in a way that it can be defensibly presented in court (no data spoliation) is something that every organization and their legal team should be thinking about.
A top concern for any InfoSec team is the risk associated with leakage of sensitive and confidential data, and recent research by Dimensional Research indicates that close to 95% of businesses have some kind of sensitive data in the cloud. The cost of not protecting this data can be staggering, not just in regulatory fines, but also in business reputation and loss of trust.
With privacy laws and regulations changing constantly, the governance environment is set to grow even more convoluted. For example, recent changes to the Safe Harbor legislation between the EU and U.S. are expected to impact many businesses, and this is pressuring corporate leadership to be more accountable on data governance issues. To address the above challenges, a trustworthy data protection approach should also handle data in a way that does not violate the privacy laws of a particular region or country.
A modern and comprehensive data protection solution should address the above challenges for all user data, irrespective of where it is located – on a laptop, mobile device or a cloud service like Office 365, Box or Google Apps. Effectively, a solution needs to ‘follow the user’ to collect enterprise data from these different data sources in a nimble and unified way to enable IT and security organizations to meet their data availability and information governance needs.
Druva inSync is one such solution that offers a single platform to protect end user data no matter where it resides – laptops, mobile devices or cloud applications. In this way, user data from Office 365, Box and Google Apps can be collected or backed up periodically to be restored at a later point in time in the event of data loss due to any unforeseen circumstances. With Druva inSync, administrators can continuously track and monitor data within cloud applications such as OneDrive, in addition to mobile and laptop endpoints, and be alerted to potential data risks associated with Personal Healthcare Information (PHI), Personal Credit Information (PCI), Personally Identifiable Information (PII) and Intellectual Property (IP) to take appropriate action.