Erik Heidt

A member of the Gartner Blog Network

Research Director
1 year at Gartner
20 years IT Industry

Erik Heidt is a Research Director on the GTP Security and Risk Management Strategies team. His research focus areas include IT risk management, IT GRC, application security and cryptographic controls.


Trusting SaaS With Your Data, eh?

by Erik T. Heidt  |  June 19, 2014  |  2 Comments

Two significant SaaS data loss events in short order…

On May 6th, dedoose.com, a SaaS solution for qualitative research, announced a major data loss event, and today (June 19) codespaces.com announced that it is down, has lost significant amounts of client data, and may be out of business.

What should current or prospective SaaS users learn from this right away?

  1. Take responsibility for having copies of your data! 
  2. Establish regular and routine procedures for backing up your data.
  3. Ensure you can use those backups!
  4. Be prepared to accept the consequences of provider failure.

Both of these services provided mechanisms for their customers to create their own backups, but how many users used them? In the case of Code Spaces, the primary service was svn-based code repositories, and svn tools for creating backups are commonly available. Dedoose offers an export-to-Excel capability.
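The four steps above, applied to an export-style backup like the Dedoose case, as an added example that is not part of the original post and is not either provider's tooling. The routine keeps timestamped copies of an export, records each copy's SHA-256, columns and row count in a manifest, prunes copies beyond a retention count, and then runs a restore drill: re-read the copy, check it against the manifest, load it into a scratch SQLite table and query it. The CSV sample, the file names, the manifest layout and the retention count are constructed assumptions. For a repository host like Code Spaces the equivalent drill is `svnrdump dump` of each repository into a dump file, followed by `svnadmin load` into a freshly created repository and a checkout, on a schedule.

```python
# Added example, not from the original post or from either provider's tooling:
# keep routine copies of a SaaS export and prove they can be restored.
# The CSV sample, file names, manifest layout and retention count are
# assumptions made for this example.
import csv
import datetime
import hashlib
import io
import json
import pathlib
import sqlite3
import tempfile

# Constructed stand-in for a provider's export (e.g. a CSV/Excel download):
# three records, one with an embedded comma and one with an embedded newline.
SAMPLE_EXPORT = (
    "record_id,project,coder,excerpt\n"
    '1,interviews-2014,alice,"Quoted text, with a comma"\n'
    "2,interviews-2014,bob,Plain text\n"
    '3,survey-q2,alice,"Multi\nline"\n'
).encode("utf-8")

MANIFEST = "manifest.json"  # assumed name for the index of stored copies


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_export(data):
    """Parse the export as CSV; return (header, list of data rows)."""
    reader = csv.reader(io.StringIO(data.decode("utf-8")))
    header = next(reader)  # StopIteration here means an empty export
    return header, list(reader)


def store_export(data, backup_dir, keep=30, now=None):
    """Write a timestamped copy, record its hash, columns and row count in the
    manifest, and prune the oldest copies beyond `keep`. Returns the entry."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    name = now.strftime("export-%Y%m%dT%H%M%SZ.csv")
    (backup_dir / name).write_bytes(data)
    header, rows = parse_export(data)
    entry = {"file": name, "sha256": sha256_hex(data), "rows": len(rows), "columns": header}
    manifest_path = backup_dir / MANIFEST
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
    manifest.append(entry)
    while len(manifest) > keep:  # append-only manifest: index 0 is the oldest copy
        old = manifest.pop(0)
        (backup_dir / old["file"]).unlink(missing_ok=True)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return entry


def verify_restore(backup_dir, entry):
    """Restore drill: re-read the copy, check it against the manifest, then load
    it into a scratch SQLite table and query it. Returns (ok, message)."""
    path = backup_dir / entry["file"]
    if not path.exists():
        return False, "missing file " + entry["file"]
    data = path.read_bytes()
    if sha256_hex(data) != entry["sha256"]:
        return False, "sha256 mismatch: stored copy is corrupted or altered"
    try:
        header, rows = parse_export(data)
    except (UnicodeDecodeError, csv.Error, StopIteration) as exc:
        return False, "export does not parse: %r" % (exc,)
    if header != entry["columns"]:
        return False, "columns changed: %r" % (header,)
    # Column names come from the export itself, so quote them as SQL identifiers
    # instead of trusting them inside the CREATE TABLE statement.
    cols = ", ".join('"%s"' % c.replace('"', '""') for c in header)
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE TABLE export (%s)" % cols)
        con.executemany("INSERT INTO export VALUES (%s)" % ", ".join("?" * len(header)), rows)
        (loaded,) = con.execute("SELECT COUNT(*) FROM export").fetchone()
    except sqlite3.Error as exc:
        return False, "rows do not fit the exported schema: %r" % (exc,)
    finally:
        con.close()
    if loaded != entry["rows"]:
        return False, "expected %d rows, loaded %d" % (entry["rows"], loaded)
    return True, "restored %d rows from %s" % (loaded, entry["file"])


def run_drill():
    """Run the routine end to end in a temporary directory and return what each
    step reported: a good restore, a detected corruption, and retention."""
    t0 = datetime.datetime(2014, 6, 19, 12, 0, tzinfo=datetime.timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        d = pathlib.Path(tmp)
        first = store_export(SAMPLE_EXPORT, d, now=t0)
        good = verify_restore(d, first)
        p = d / first["file"]
        p.write_bytes(p.read_bytes()[:-8])  # simulate a truncated copy on disk
        corrupted = verify_restore(d, first)
        second = store_export(SAMPLE_EXPORT, d, keep=1, now=t0 + datetime.timedelta(days=1))
        pruned = verify_restore(d, first)  # first copy was dropped by retention
        latest = verify_restore(d, second)
    return {"rows": first["rows"], "good": good, "corrupted": corrupted,
            "pruned": pruned, "latest": latest}


if __name__ == "__main__":
    for step, result in run_drill().items():
        print(step, result)
```

The drill is the point of the example: `store_export` alone only satisfies steps 1 and 2, while `verify_restore` is step 3, and it fails loudly on a truncated copy, a changed schema, or a copy that retention already removed. Run it from a scheduler with the real export in place of `SAMPLE_EXPORT`, and keep the backup directory (and the credentials that write to it) outside the provider's control.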

Many SaaS providers make no commitment about the availability of your data, none at all. Even for those providers that do, and with whom you have a contract, you can't get data (or a settlement) from a company that no longer exists.

It's a simple rule: if you care about that data, make sure you have copies of it.

If a supplier can’t provide you with a means to get copies of the data, then you need to have a contingency plan for when they are no longer able or willing to provide it. The most important component of any supplier relationship is a solid exit strategy.

Note that it doesn't appear that the root cause of either event was an infrastructure failure. It sounds like an operations failure for Dedoose and a security failure for Code Spaces (similar to Wizard Lays Waste to Acme Data Analytics with Chef Spell…).

Thanks,
Erik

@CyberHeidt

P.S. Here is a quote from www.codespaces.com:

“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”


Category: Cloud Risk Management Real World Information Security Risk Management Uncategorized

2 responses so far

  • 1 TechYogJosh   June 20, 2014 at 7:53 am

    Didn’t these SaaS providers have “data recovery” or “backup” sites? Are they saying they were running one instance of the database? That is not possible. How did they lose the data? Some sites might have gone down or database/storage might have become corrupted, but there must be other copies of the data that could be restored. I don’t know how this has happened. And if this has, should there be a regulator for these SaaS companies who inspects their data management strategies? Not many customers would be aware of the data protection mechanism of these SaaS providers.

  • 2 Erik T. Heidt   June 20, 2014 at 12:12 pm

    TechYogJosh –

    In both of these cases I have only the information that is posted by these organizations. At any rate, it appears that in both cases they had flaws in their design of risk and security controls. In the case of CodeSpaces, it appears that, even if they were using multiple regions to store the data, all of the data was administrated from a single powerful administrative account – which they lost control of.

    Again, at this time the only data that I have is the narratives that these organizations have self-reported.

    Thanks, Erik