SaaS stands for Software as a Service. It is a software delivery model in which software applications are hosted on a cloud infrastructure and provided to customers over the Internet as a service instead of purchasing and installing software on their own servers or computers.
Over the course of the past year and a half, we at Revyz have met with a large number of Atlassian customers and partners within the Marketplace, and one thing that has become apparent is the confusion around who is responsible for mission-critical business data in a SaaS environment.
This article is to help Atlassian administrators displace common myths and gain clarity over the terminology and the roles of the customer/administrator (representing the customer using the SaaS application) and SaaS vendor when it comes to data responsibility.
We hope that by reading this, SaaS administrators will be better informed in making strategic decisions around data management practices.
Software as a Service
SaaS is a popular choice for businesses of all sizes because it offers a number of benefits, including:
- Reduced upfront costs: With SaaS, businesses do not have to purchase the software upfront. They can simply pay a subscription fee to use it.
- Scalability: SaaS is highly scalable, so businesses can easily add or remove users as needed.
- Ease of use: SaaS applications are typically easy to use and do not require any special installation or configuration.
- Up-to-date software: SaaS vendors are responsible for maintaining and updating the software, so businesses can be sure that they are always using the latest version.
Popular SaaS applications
Below is a list of some popular SaaS providers:
- Atlassian - Jira Cloud, Confluence Cloud, etc.
- Google - G Suite (email, calendar, docs, etc.)
- Microsoft - Office 365
- Salesforce
While the SaaS model offers a number of benefits, there are also some trade-offs to consider.
- Vendor lock-in: When you use a SaaS application, you are essentially locked into the vendor that provides the application. If you are not happy with the vendor or their service, it can be difficult to switch to a different vendor.
- Data security: When you use a SaaS application, your data is stored on the vendor's servers. This means that you are entrusting your data to the vendor, so you need to be confident in their security practices.
- Downtime: SaaS applications are hosted in the cloud, so they are susceptible to downtime. If the vendor's servers go down, you may not be able to access your applications.
- Compliance: SaaS vendors must comply with a variety of regulations, such as HIPAA and GDPR. If you use a SaaS application, you need to make sure that the vendor is in compliance with the regulations that apply to you.
It is important to weigh the benefits and trade-offs before deciding if SaaS is the right choice for your business.
The misconception of SaaS
While the SaaS model offers a lot of benefits, there are some very common misconceptions:
- The cloud provider is responsible for everything. This is not true. The cloud provider is responsible for the security of the underlying infrastructure, but the customer is responsible for the security of their data and applications.
- The cloud provider is always up and running. This is not true. The cloud provider can experience outages just like any other IT system. The customer should have a plan in place to deal with outages, such as having a backup plan for their data and applications.
- The cloud provider is always compliant. This is not true. The cloud provider is responsible for complying with regulations, but the customer is also responsible for ensuring that they are compliant. The customer should review the cloud provider's compliance documentation to make sure that they are meeting their needs.
As a consumer of a SaaS service in the enterprise, it is important for you to understand the shared responsibility model in SaaS so that you can make informed decisions about your security posture. By understanding the roles and responsibilities of both parties, you can ensure that your data and applications are secure.
Shared responsibility model
Every SaaS provider publishes a document that establishes the responsibilities relating to the service being provided, detailing the role and responsibility of the provider and that of you, the customer.
The responsibility is shared between the two parties, hence the name. In a shared responsibility model, the SaaS provider and the customer are each responsible for various components that make up the service.
The SaaS provider is responsible for what is under its control, such as the physical, environmental, and compute infrastructure. The customer is responsible for ensuring that user access to the application is governed by the organization's policy and follows the principle of least privilege, and for securing the data that lives in the SaaS offering.
A common question in this context is why SaaS providers do not offer any protection for user data. To put it simply, any data or content created by a customer is hosted on the SaaS servers they are using, along with the data of all the provider's other customers.
Now, let's say a provider has a million users. Everything that each of those million users enters is stored together, effectively creating an immense shared pool of data on the provider's side. When a single customer loses data, recovering those specific files and records from that pool is extremely difficult, like searching for a needle in a haystack.
For this reason, many SaaS applications include provisions in their terms and conditions about what can and cannot be restored in such a case. The bottom line is that the security and protection of your data is entirely up to you!
The Atlassian shared responsibility model
Atlassian has published its Cloud security shared responsibility model for customers using the Cloud offering, which includes Jira, Confluence, and Jira Service Management among others.
In summary, Atlassian handles the security of the applications, the systems they run on, and the environments those systems are hosted within. They ensure the systems and environments used are compliant with relevant standards, including PCI DSS and SOC2, as required.
Key takeaways for the customer:
- Assess the suitability of Atlassian Cloud-based platforms using the information Atlassian provides.
- Protect your endpoints through good security practices.
- Who accesses the Atlassian platform, and what access they have to your data, is your responsibility.
- Create regular backups of your data.
- Assess the suitability of any Marketplace apps you want to use.
- Notify Atlassian of any malicious behavior identified in a Marketplace app.
How to protect your SaaS data
As a customer of SaaS, you are still responsible for who accesses your applications and the data within them. SaaS vendors are not responsible for this, nor for any data loss resulting from customer-initiated destructive changes.
Revyz helps simplify the responsibility of data protection by backing up your Jira Cloud data and making it readily available to you at any time to restore in the case of a data loss scenario.
Want to dig deeper? Here are some references we recommend:
Published: Jun 2, 2023
Updated: Nov 18, 2024