Data breaches are the most common threat to cloud databases. Despite this, there are still many misconceptions, particularly among SMEs, about security and data backup in the cloud versus on-premise.
While most cloud providers typically offer a basic level of protection, many businesses don’t realise that data protection is ultimately their responsibility. Unfortunately, it’s this level of cloud complacency that can lead to a lack of cyber-hygiene and ultimately data breaches caused by simple errors.
The recent NSW driver’s license data breach is a good example of this type of cloud complacency. Back in September, it was revealed that a cloud storage folder hosted on Amazon Web Services with over 100,000 images was mistakenly left open by an unidentified commercial entity.
It is therefore critical for businesses to be aware of their data responsibilities and ensure they have the right infrastructure and processes in place.
Exploring cloud versus on-premise security
A recent study by Datto, State of the MSP 2020, shows that managed service providers (MSPs) are rapidly migrating their SME customers to the cloud, mainly to Microsoft 365 applications. Cloud migration proved to be an important focus for 2020, and the COVID-19 pandemic has significantly increased the demand for SaaS applications. In fact, 60 per cent of MSP customers currently use SaaS solutions. But as SMEs quickly accumulate more and more cloud applications and services, it is important that they are aware of the security considerations.
Data stored in software-as-a-service (SaaS) applications such as Microsoft 365 and Google G Suite is just as vulnerable to ransomware, data loss or other security issues as data stored in on-premise applications. The user agreements of SaaS applications clearly state that data protection, data security and long-term data preservation are ultimately the end user’s responsibility. This is also why Microsoft, for example, recommends backup by another party.
It is a common misconception among businesses that data stored in SaaS is automatically protected. The end user is partly responsible for protecting it. Of course, SaaS providers themselves are also partly responsible for their users’ data. For example, they have to ensure application uptime, data availability, basic storage and security at the infrastructure level.
Analysing the shared responsibility model
The shared responsibility model defines that the SaaS party (cloud provider, platform or infrastructure) is responsible for the IT infrastructure and services, that is, the security of the cloud. But privacy, backup and security lie with the end user, who should take care of what’s in the cloud. However, the model still lacks the all-important MSP.
More and more often, we see organisations, mainly SMEs, looking to MSPs as partners in data protection and storage. This makes the MSP a third party in the shared responsibility model, with its own responsibilities and obligations. As an intermediary between the SaaS provider and end customer, the MSP has the knowledge of this shared responsibility and is responsible for informing customers about it.
Although the shared responsibility model has existed for a long time, knowledge among businesses of their cloud responsibilities remains low. This is where the role of the MSP as an educator is critical to ensure that businesses are aware of their data obligations. The cloud has given organisations the power to quickly scale services to meet real-time business needs, but it’s important to remember that with great power comes great responsibility.
James Bergl, Regional Vice President – APAC, Datto