Gartner Blog Network


Trusting SaaS With Your Data, eh?

by Erik T. Heidt  |  June 19, 2014  |  2 Comments

Two significant SaaS data loss events in short order…

On May 6th, dedoose.com, a SaaS solution for qualitative research, announced a major data loss event, and today (June 19) codespaces.com announced that they are down, have lost significant amounts of client data, and may be out of business.

What should current or prospective SaaS users learn from this right away?

  1. Take responsibility for having copies of your data! 
  2. Establish regular and routine procedures for backing up your data.
  3. Ensure you can use those backups!
  4. Be prepared to accept the consequences of provider failure.

Both of these services provided mechanisms for their customers to create their own backups – but how many users used them? In the case of codespaces, their primary service was providing svn based code repositories, and svn tools for creating backups are commonly available. Dedoose offers an export to Excel capability.
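The four points above amount to one procedure: pull your own copy of the data on a schedule, keep it somewhere the provider cannot touch, and periodically prove that it restores. The script below is an added example, not code from the original post or from either provider. It assumes you have already downloaded an export (an svn dump, a spreadsheet export, or similar) into a directory; the file names, the timestamp and the 24-hour recovery point objective are constructed for the demonstration. The manifest of hashes is written beside the archive rather than inside it so that a corrupted or substituted archive cannot carry its own matching checksums, and the restore test refuses archive entries that could write outside the scratch directory.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional, Tuple

# Recovery point objective for this demo (constructed): a backup older than
# this is reported as stale.
RPO_SECONDS = 24 * 3600


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(export_dir: Path, dest_dir: Path,
                  taken_at: Optional[float] = None) -> Tuple[Path, Path]:
    """Pack a downloaded export into a tar.gz and write a SHA-256 manifest
    beside it (not inside it), so a corrupted or substituted archive cannot
    carry its own matching checksums."""
    taken_at = time.time() if taken_at is None else taken_at
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = int(taken_at)
    archive = dest_dir / f"export-{stamp}.tar.gz"
    manifest_path = dest_dir / f"export-{stamp}.manifest.json"
    files: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in export_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(export_dir).as_posix()
            files[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    manifest_path.write_text(json.dumps({"taken_at": taken_at, "files": files}, indent=2))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path, now: Optional[float] = None,
                  max_age: int = RPO_SECONDS) -> dict:
    """Restore test: unpack into scratch space, hash every restored file
    against the out-of-band manifest, and flag a backup older than the RPO."""
    now = time.time() if now is None else now
    manifest = json.loads(manifest_path.read_text())
    expected: Dict[str, str] = manifest["files"]
    problems = []
    age = now - manifest["taken_at"]
    if age > max_age:
        problems.append(f"stale: backup is {age / 3600:.1f}h old, RPO is {max_age / 3600:.1f}h")
    restored: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+: reject links, devices, setuid bits
            tar.extraction_filter = tarfile.data_filter
        for member in tar.getmembers():
            # Never let an archive write outside the scratch directory.
            parts = Path(member.name).parts
            if member.name.startswith("/") or ".." in parts or not member.isfile():
                problems.append(f"unsafe or unexpected member: {member.name}")
                continue
            tar.extract(member, scratch)
            restored[member.name] = sha256_file(Path(scratch) / member.name)
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing from archive: {name}")
        elif restored[name] != digest:
            problems.append(f"hash mismatch: {name}")
    for name in restored:
        if name not in expected:
            problems.append(f"not in manifest: {name}")
    return {"ok": not problems, "age_seconds": age,
            "files_checked": len(restored), "problems": problems}


def scenarios() -> dict:
    """Run the check on a constructed export three ways: healthy, stale, and
    with a manifest that no longer matches the archive."""
    taken = 1_403_136_000.0  # constructed timestamp
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export"
        (export / "projects").mkdir(parents=True)
        (export / "projects" / "codes.csv").write_text("id,label\n1,theme-a\n2,theme-b\n")
        (export / "README.txt").write_text("constructed sample export\n")
        archive, manifest = create_backup(export, Path(tmp) / "backups", taken_at=taken)
        out["healthy"] = verify_backup(archive, manifest, now=taken + 3600)
        out["stale"] = verify_backup(archive, manifest, now=taken + 3 * 86400)
        # Simulate silent corruption: the recorded hash no longer matches the archive.
        m = json.loads(manifest.read_text())
        m["files"]["projects/codes.csv"] = "0" * 64
        manifest.write_text(json.dumps(m))
        out["tampered"] = verify_backup(archive, manifest, now=taken + 3600)
    return out


if __name__ == "__main__":
    for name, report in scenarios().items():
        print(name, "OK" if report["ok"] else report["problems"])
```

Run `verify_backup` from a scheduled job against the most recent archive and alert on any report where `ok` is false; a backup that has never been restored is, for planning purposes, the same as no backup at all.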

Many SaaS providers make no commitment about the availability of your data – none. For those providers that do, and that you might have a contract with, you can’t get data (or a settlement) from a company that doesn’t exist anymore.

It’s a simple rule, if you care about that data, make sure you have copies of it.

If a supplier can’t provide you with a means to get copies of the data, then you need to have a contingency plan for when they are no longer able or willing to provide it. The most important component of any supplier relationship is a solid exit strategy.

Note that it doesn’t appear that the root cause of either of these events was an infrastructure failure. It sounds like it was an operations failure for Dedoose and a security failure for codespaces (similar to Wizard Lays Waste to Acme Data Analytics with Chef Spell…).

Thanks,
Erik

@CyberHeidt

P.S. Here is a quote from www.codespaces.com:

“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”

Category: cloud-risk-management  real-world-information-security  risk-management  

Erik Heidt
Research Director
1 year at Gartner
20 years IT Industry

Erik Heidt is a Research Director on the GTP Security and Risk Management Strategies team. His research focus areas include IT risk management, IT GRC, application security and cryptographic controls.


Thoughts on Trusting SaaS With Your Data, eh?


  1. TechYogJosh says:

    Didn’t these SaaS providers have “data recovery” or “backup” sites? Are they saying they were running one instance of the database? That is not possible. How did they lose the data? Some sites might have gone down or database/storage might have become corrupted, but there must be other copies of the data that could be restored. I don’t know how this has happened. And if this has, should there be a regulator for these SaaS companies who inspects their data management strategies? Not many customers would be aware of the data protection mechanism of these SaaS providers.

    • Erik T. Heidt says:

      TechYogJosh –

      In both of these cases I have only the information that is posted by these organizations. At any rate, it appears that in both cases they had flaws in their design of risk and security controls. In the case of CodeSpaces, it appears that, even if they were using multiple regions to store the data, all of the data was administrated from a single powerful administrative account – which they lost control of.

      Again, at this time the only data that I have is the narratives that these organizations have self-reported.

      Thanks, Erik


