A Guide to SaaS Shared Responsibility Model
Software as a service (or SaaS) is a way of delivering software applications over the Internet—as a service. Instead of installing and maintaining software, you simply access it via the Internet, freeing yourself from complex software and hardware management.
SaaS applications run on a SaaS provider’s servers and other information technology infrastructure. The provider manages access to the application, including security, availability, and performance.
The benefits of SaaS include increased efficiency and cost effectiveness
because of which many many businesses are adopting cloud-based SaaS solutions. In adopting SaaS the IT team does not have to worry about infrastructure, scalability, availability, software updates etc, and
allows for the IT team to remain focused on high-value tasks for the business, executing strategies quickly and more effectively. However, an often-overlooked aspect of utilizing SaaS, is who is responsible when an issue arises.
The Misconception of SaaS
A very common misconception in using SaaS is that the provider is responsible for“everything” let's delve into a couple examples to determine who really is:
The SaaS application is hosted in the provider’s data center and only the provider has access to the data center and the infrastructure (physical and software) within it.
|The application is not functioning as expected||SaaS Provider|
|There has been a new critical vulnerability reported, who is responsible for patching the appropriate systems||SaaS Provider|
|Provisioning access to end users||
Develop and provide security controls that empower customers to manage their users effectively
Ensure the appropriate users have access to the application and corresponding data and follow the policy of least privilege
|Data is accidentally deleted by a user||
Develop and provide mechanisms that empower customers protect their data
Ensure data is being backed-up up, so that they can restore it back in such a scenario
|Data is accidentally deleted during a system upgrade||
It is the responsibility of the SaaS provider to restore the deleted data
In summary the SaaS provider is not responsible for everything but rather it is a shared responsibility between the provider and customer
Shared Responsibility Model
The SaaS provider publishes a document that establishes the responsibilities as it relates to the service being provided detailing the role and responsibility of the provider and that of the customer. The responsibility is shared between the two parties and hence the shared responsibility model. In a shared responsibility model, the SaaS provider and the customer will each be responsible for various components that make up the service. The SaaS provider will be responsible for things under their control, such as physical infrastructure, environmental, and compute infrastructure, and the customer is responsible for ensuring user access to the application is governed by the policy of the organization and follows the principles of least privileges and securing their data that is part of the SaaS offering.
One of the largest SaaS offerings on the market is Microsoft Office 365, and they do a great job of showing what the shared responsibility is (see below).
“Shared responsibility in the cloud - Microsoft Azure.” Microsoft Learn, 25 August 2022,
Other large software vendors have similar models of shared responsibility: click on the links to review their models in detail Amazon Web Services (AWS), Google, Salesforce and Atlassian.
The Atlassian Shared Responsibility Model
Atlassian has published their shared responsibility model for customers using their cloud offerings, which include Jira Software, Confluence, Jira Service Management among others.
In summary, Atlassian handles security of the applications themselves, the systems they run on, and the environments those systems are hosted within, they ensure the systems and environments used are compliant with relevant standards, including PCI DSS and SOC2, as required.
It is the responsibility of the customer to:
- Manage the information within the accounts
- Protect their data by backing up the data regularly
- Manage users and user accounts accessing the data
- Control which Atlassian Marketplace Apps that get installed
Detailed list of responsibilities of each of the parties involved
Policy and compliance
As a customer of SaaS you are still responsible for who accesses your SaaS application and the data within it and to protect the SaaS data that belongs to you. SaaS vendors are not responsible for who accesses your instance of the SaaS application and any data loss associated with customer-initiated destructive changes to the data.
Revyz helps simplify your responsibility of data protection by backing up your Jira Cloud data and making it readily available to you at any time to restore in the case of a data loss scenario.
- Atlassian Shared Responsibility Model
- Atlassian Security Practices
- Microsoft Shared Responsibility
- AWS Shared Responsibility
- Google Shared Responsibility
- Salesforce Shared Responsibility
- Start. a free trial with Revyz
Blogs from Revyz
Atlassian Data Protection - Challenges in the Cloud
7 Reasons Why A Jira Backup & Restore Solution Is A Must Have
Pro’s and Con’s of using Jira Cloud Database Backup & Restore
Mystery of Incorrect Sprint Reports
Jira - Restoring Issue Family Hierarchy
SaaS Backup: An Antidote to Ransomware
Data Backup - A Key Pillar of Insider Risk Management
What’s your Atlassian Cloud Migration & Data Protection Strategy?
A Guide to SaaS Shared Responsibility Model
Why you need a SaaS backup strategy and solution