Written by Mark Molyneux, EMEA CTO at Cohesity

The explosive growth of Software as a Service (SaaS) has changed how we do business for the better. Rather than being tied into long-term and expensive contracts, companies now have the flexibility to scale application services up and down to meet their specific needs. However, IT and business leaders must avoid common pitfalls around how their data is stored, retained and protected in a SaaS world.

The SaaS delivery model, where software is licensed on a subscription basis and is centrally hosted, continues to rise in popularity. Analyst firm Gartner says almost two-thirds (65.9%) of spending on application software will be directed towards subscription based cloud offerings in 2025, up from 57.7% in 2022.

The results of that success are clear – SaaS is ingrained into how businesses run their applications. Yet a side effect of that success is that more data is stored in the cloud too, which could have big implications going forwards. Their data is stored on external infrastructure, but the responsibility to protect it from loss, human error or infections remains with the businesses.

Sign up with a SaaS provider and you get all the benefits of an on-demand service, but that doesn’t mean you can log in and simply forget about how your data is held. Companies that rely on SaaS will have data spread across a host of providers. Any IT or business manager that uses SaaS must focus now on how data is stored, retained and protected in these distributed environments- with different providers involved who are guided by different service level agreements.


Think about the terms and conditions of data storage

Buying SaaS is so straightforward that analyst Gartner says many IT and business managers complete more than 60% of the buying process on their own before even engaging a vendor. And as a result, many IT and business managers buy the service without needing to engage with the vendor.  The big SaaS providers have designed their sites and purchasing mechanisms to make B2B procurement as simple as those a customer might find at a major online retailer.

With SaaS perceived as an easy, lower-risk investment, many decision makers are delegating the buying process to team members. So, while a senior manager might make the final spending decision, someone else covers most of the selection process for a new service. Gartner says decision makers often enter the fray for just the final 5% to 10% of the SaaS buying process.

However, IT and business managers must recognise that signing up with a SaaS specialist doesn’t mean you pass on storage responsibilities to the cloud provider. When it comes to regulatory compliance, it’s up to the end customer to ensure data is backed up safely and securely, not the cloud provider.

So, while your SaaS partner maintains the cloud provision, your business is responsible for everything it puts in the cloud. Senior managers must, therefore, be engaged from the start of the contractual process. They must consider the range of services the business is buying and ask these following pertinent questions:

Does your team pour over every detail of the terms and conditions when it signs up to a new cloud relationship? Or do the people who buy the services simply click ‘accept’ when it comes to the legal agreement, much like a consumer might do when purchasing a new service online? If that situation sounds familiar, then it’s time to act.

Senior managers must think carefully about the implications of the SaaS deals their organisations are signing. Crucially, they must ensure the systems and services they use abide by legal mandates, including the General Data Protection Regulation (GDPR).


Create an approach to data availability  that’s right for your business

Data storage isn’t your only concern when you move to a cloud provider. Another big issue is retention. Once you pay for a SaaS service, you might assume data is retained by the provider for as long as you are signed up with the provider. However, that’s not necessarily the case.

Data retention policies and procedures vary significantly between providers and across product ranges. While some providers offer enterprise-level deals that give longer periods of retention, some services only retain deleted data for 30 days. That might sound like a reasonable timeframe, but what about if someone deletes information unknowingly and your company needs the data months later? What does the deletion of data mean for your obligations for European legislation data such as the GDPR and national-level data protection regulations?

Organisation can’t really afford to take a risk on data storage and retention, but rather they require the mechanisms to help ensure data is stored, retained and secured, even in the worst-case scenario such as a ransomware attack. For managers who want to do more than set and forget SaaS provision, then the answer is to work with a dedicated Data Security SaaS partner.

This provider should simplify your data management processes. Look for a partner who combines three critical security capabilities into one SaaS solution: threat detection, data classification and cyber vaulting / data isolation. Together, these capabilities can help customers protect, detect, and recover data in the event of a cyber attack.

The best backup and cyber vaulting services can help your business reduce data protection costs by 70% or more. This helps ensure your data is protected, resilient, and immutable in a virtual air-gapped vault, so in the event of a ransomware attack, you can quickly and safely recover.

With integrated Data classification you can accurately detect and identify sensitive data or personal identifiable information (PII) more quickly. This helps you to easily understand and assess the impact of an attack and determine if sensitive information was compromised. And you can centrally control the retention of data and stay compliant.

Also, a Data Security SaaS partner who constantly scans data to detect ransomware threats and anomalies can ensure data is protected across tiers, service levels, and environments. And ones with a single platform to manage data across all your providers will help ensure SaaS is a trusted, effective and manageable IT resource.