
A Guide to SaaS Shared Responsibility Model

Written by Sanket Parlikar | Oct 3, 2022 5:15:30 PM

Introduction

Software as a service (or SaaS) is a way of delivering software applications over the Internet—as a service. Instead of installing and maintaining software, you simply access it via the Internet, freeing yourself from complex software and hardware management.
SaaS applications run on a SaaS provider’s servers and other information technology infrastructure. The provider manages access to the application, including security, availability, and performance.

The benefits of SaaS include increased efficiency and cost effectiveness, which is why many businesses are adopting cloud-based SaaS solutions. With SaaS, the IT team does not have to worry about infrastructure, scalability, availability, software updates and so on, and can remain focused on high-value tasks for the business, executing strategies quickly and more effectively. However, an often-overlooked aspect of using SaaS is who is responsible when an issue arises.

The Misconception of SaaS

A very common misconception about SaaS is that the provider is responsible for “everything”. Let's look at a few examples to determine who really is responsible. In each scenario the SaaS application is hosted in the provider’s data center, and only the provider has access to the data center and the infrastructure (physical and software) within it.

Scenario: The application is not functioning as expected
Responsibility: SaaS Provider

Scenario: A new critical vulnerability has been reported; who is responsible for patching the affected systems?
Responsibility: SaaS Provider

Scenario: Provisioning access to end users
Responsibility: Shared
  • SaaS Provider: Develop and provide security controls that empower customers to manage their users effectively
  • Customer: Ensure that only the appropriate users have access to the application and its data, following the policy of least privilege

Scenario: Data is accidentally deleted by a user
Responsibility: Shared
  • SaaS Provider: Develop and provide mechanisms that empower customers to protect their data
  • Customer: Ensure data is being backed up so that it can be restored in such a scenario

Scenario: Data is accidentally deleted during a system upgrade
Responsibility: SaaS Provider
  • It is the responsibility of the SaaS provider to restore the deleted data

In summary, the SaaS provider is not responsible for everything; responsibility is shared between the provider and the customer.

Shared Responsibility Model

The SaaS provider publishes a document that establishes the responsibilities relating to the service being provided, detailing the role and responsibilities of the provider and those of the customer. Because responsibility is shared between the two parties, this is called the shared responsibility model. Under it, the provider and the customer are each responsible for different components that make up the service. The provider is responsible for what is under its control, such as the physical, environmental and compute infrastructure. The customer is responsible for ensuring that user access to the application is governed by the organization's policy and follows the principle of least privilege, and for securing its own data held in the SaaS offering.

One of the largest SaaS offerings on the market is Microsoft Office 365, and Microsoft does a great job of showing how responsibility is shared (see the reference below).

“Shared responsibility in the cloud - Microsoft Azure.” Microsoft Learn, 25 August 2022, https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

Other large software vendors, including Amazon Web Services (AWS), Google, Salesforce and Atlassian, publish similar shared responsibility models.

The Atlassian Shared Responsibility Model

Atlassian has published a shared responsibility model for customers using its cloud offerings, which include Jira Software, Confluence and Jira Service Management, among others.

In summary, Atlassian handles the security of the applications themselves, of the systems they run on, and of the environments those systems are hosted in, and ensures that those systems and environments comply with relevant standards, including PCI DSS and SOC 2, as required.

It is the responsibility of the customer to:

  • Manage the information within their accounts
  • Protect their data by backing it up regularly
  • Manage the users and user accounts that access the data
  • Control which Atlassian Marketplace Apps get installed


Detailed list of the responsibilities of each party, as set out in Atlassian's model:

Policy and compliance

Atlassian Responsibility
  • Consider the risk profile of our customers when assessing the need for security controls
  • Have a comprehensive security risk management program in place and effectively implement the controls detailed in our CSA STAR response
  • Be clear about our compliance state and what we can’t yet support (e.g., HIPAA)
  • Make available the information you need to make your decisions about our platforms
  • Help you to respond to cyber security incidents
  • Ensure our system has failover and redundancy built in
  • Receive and manage vulnerability reports related to our products
  • Operate within the law of the various jurisdictions we operate in

Customer Responsibility
  • Understand your risk profile and the sensitivity of your data
  • Assess the suitability of our cloud-based platforms based on the information we provide
  • Ensure the platform is sufficient to meet your compliance needs
  • Meet your data breach disclosure and notification requirements when relevant
  • Protect your endpoints through good security practices
  • Only host permitted data on our platforms (e.g., not HIPAA-related or personally identifiable information)
  • Operate within the law of the jurisdictions in which you operate

Users

Atlassian Responsibility
  • Develop and roll out security controls that empower you to manage your users effectively (e.g., https://www.atlassian.com/enterprise/cloud/identity-manager)
  • Monitor our platforms for bad or malicious use

Customer Responsibility
  • Verify your domain (https://confluence.atlassian.com/cloud/domain-verification-873871234.html) if you want to centrally manage your accounts
  • Approve user access to your data
  • Periodically review the list of users with access to your data and remove access from anyone who shouldn’t have it
  • If you have a verified domain:
      • Implement strong user access management controls such as federated identity management (SAML), two-step verification and password policies as needed based on your risk (https://www.atlassian.com/enterprise/cloud/identity-manager)
      • Monitor your organization’s user accounts for bad or malicious use
      • Force password changes when needed
      • Notify Atlassian of any unauthorized use of your organization’s accounts
  • If you don’t have a verified domain, or if you grant access to users outside your domain:
      • Communicate the importance of good password management to all users with access to your data
      • Notify Atlassian of any unauthorized use of your account
      • Be aware of the risks of Social Login (see the “Credential re-use” section of Atlassian’s model)

Information

Atlassian Responsibility
  • Access your data only if there is a specific support need to do so
  • Notify you of any breach we become aware of that affects your data
  • Maintain system-level back-ups (which include your information)

Customer Responsibility
  • Set up your Atlassian products to reflect the information accessibility you want (e.g., anonymous access, public/private repositories)
  • Create backups of your data

Marketplace Apps

Atlassian Responsibility
  • Verify the developers of Marketplace Apps
  • Receive and manage vulnerability reports related to Marketplace Apps

Customer Responsibility
  • Assess the suitability of any Marketplace Apps you want to use based on the information they provide
  • Notify Atlassian of any malicious behavior identified in a Marketplace App
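The customer-side user responsibilities above (periodic access review, verified domain, two-step verification, awareness of social login risk) can be turned into a repeatable check. The following Python helper is an added example, not Atlassian's or Revyz's code; the user export format, the verified domain example.com and the 90-day inactivity threshold are assumptions.

```python
from datetime import date

# Constructed sample export (assumption: not a real Atlassian export format).
# One record per account that can reach the site, as an admin might pull from
# the site's user list or an identity tool.
SAMPLE_USERS = [
    {"email": "alice@example.com", "last_active": "2022-09-28", "two_step": True,  "login": "saml"},
    {"email": "bob@example.com",   "last_active": "2022-05-01", "two_step": False, "login": "password"},
    {"email": "carol@partner.io",  "last_active": "2022-09-30", "two_step": False, "login": "social"},
    {"email": "dave@example.com",  "last_active": "2021-12-15", "two_step": True,  "login": "password"},
]

# Assumption: the domains the organization has verified for central management.
VERIFIED_DOMAINS = {"example.com"}


def review_access(users, verified_domains, today, max_idle_days=90):
    """Return {email: [findings]} for accounts that need an access decision.

    Only accounts with at least one finding are returned, so an empty dict
    means every account passed the review.
    """
    findings = {}
    for u in users:
        reasons = []
        domain = u["email"].rsplit("@", 1)[-1].lower()
        idle_days = (today - date.fromisoformat(u["last_active"])).days
        if domain not in verified_domains:
            # Outside users are not covered by domain-level controls; each one needs explicit approval.
            reasons.append("outside verified domain: confirm access is still approved")
        if u["login"] == "social":
            reasons.append("social login: credential re-use risk, prefer SAML or enforce two-step")
        if not u["two_step"] and u["login"] != "saml":
            # SAML users inherit the identity provider's MFA; everyone else needs two-step here.
            reasons.append("no two-step verification")
        if idle_days > max_idle_days:
            reasons.append(f"inactive {idle_days} days: remove or re-approve")
        if reasons:
            findings[u["email"]] = reasons
    return findings


if __name__ == "__main__":
    for email, reasons in review_access(SAMPLE_USERS, VERIFIED_DOMAINS, date(2022, 10, 3)).items():
        print(email)
        for r in reasons:
            print("  -", r)
```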


Summary

As a SaaS customer, you are still responsible for who accesses your SaaS application and the data within it, and for protecting the SaaS data that belongs to you. SaaS vendors are not responsible for who accesses your instance of the application, nor for data loss resulting from customer-initiated destructive changes to the data.

Revyz helps simplify your responsibility of data protection by backing up your Jira Cloud data and making it readily available to you at any time to restore in the case of a data loss scenario.
