Nima Honarmandan | Jul 8, 2025 11:07:17 PM | 6 min read

Canadian Government Requirements for SaaS Data Backup: Revyz Addresses the Gap

The Canadian government has stringent requirements for data handling, especially when it comes to cloud services and Software as a Service (SaaS). Understanding these requirements and the shared responsibility model is crucial for any organization, particularly those dealing with sensitive government data.

 

Canadian Government Requirements for Data Backup

The Canadian government emphasizes a cautious and comprehensive approach to using SaaS, ensuring that all existing IT-related government policies apply. 

Key considerations for data backup and overall data security in SaaS environments include:

  • Data Stewardship and Privacy: All public servants are responsible for being good data stewards. Any time government data, particularly protected information, is placed in an online service, an approval and assessment process is required, often including a Statement of Sensitivity (SoS).
  • Data Accessibility: Organizational data must remain accessible for searching, analytics, and Access to Information and Privacy (ATIP) requests. This means that data backups must ensure the ability to retrieve and utilize data effectively for these purposes.
  • Security and Auditability:
    • SaaS providers must implement encryption for customer data at rest and in transit.
    • Monitoring and auditing must be implemented for all user accounts, with alerts for misuse or suspicious activities.
    • The government must be able to view audit logs in case of insider threats.
    • There's a strong emphasis on protecting against data breaches and malicious employees, and on ensuring infected files aren't brought back into the organization.
  • Data Residency: While hosting data in Canada is beneficial, it's not enough to fully mitigate all risks. Compliance with all technical, security, procurement, and information requirements is paramount.
  • Third-Party Certifications: While third-party security certifications are beneficial, they don't fully mitigate all risks. A comprehensive approval process is required to ensure vendors meet all government IT application requirements.
  • Cloud Backup Strategy: For IaaS and PaaS, storage service encryption must be enabled for data at rest if required by a security risk assessment. For SaaS, the cloud service provider (CSP) must have implemented encryption. Additionally, the cloud backup strategy needs to be developed and approved by the business owner.
  • No Unnecessary Duplication: The government encourages using existing approved SaaS solutions within its ecosystem to realize economies of scale and prevent data sprawl.
  • Emergency Account Management: Procedures for emergency account management must be developed, with alerts for any use of these accounts and periodic testing.

Essentially, the Canadian government expects organizations to exercise vigilance and ensure that SaaS solutions, including their data backup capabilities, do not contravene government policies related to privacy, legal issues, usability, accessibility, and data residency. 

While the SaaS provider handles certain aspects, the organization remains ultimately responsible for its data.

The Shared Responsibility Model in SaaS

The Shared Responsibility Model is a fundamental concept in cloud computing, delineating the security and operational responsibilities between a cloud service provider (CSP) and its customer. 

In a SaaS model, this division typically looks like this:

SaaS Provider's Responsibilities (‘Security of the Cloud’):

  • Infrastructure Security: The provider is responsible for the physical security of data centers, network infrastructure, servers, virtualization, and the operating systems that run the SaaS application.
  • Application Security: This includes securing the underlying software application itself, patching vulnerabilities, managing updates, and ensuring the platform is secure from threats.
  • System Availability: The provider is responsible for the uptime and availability of the SaaS application and its core services, often outlined in a Service Level Agreement (SLA).

Customer's Responsibilities (‘Security in the Cloud’):

  • Data Protection: This is perhaps the most critical customer responsibility in SaaS. While the provider secures the infrastructure, the customer is responsible for the actual data they upload, manage, and store within the platform. This includes:
    • Data Backup and Recovery: The SaaS provider typically focuses on the availability of its service, not the recovery of individual customer data due to accidental deletion, malicious activity (like ransomware), or configuration errors. Therefore, customers are responsible for backing up their own data from the SaaS application to an independent location.
    • Data Classification and Sensitivity: Understanding the sensitivity of the data being stored and applying appropriate controls.
  • Access Management: Controlling who has access to the SaaS environment, including:
    • User accounts and identities (including privileged accounts).
    • Setting roles and permissions for users.
    • Implementing multi-factor authentication (MFA).
    • Monitoring user activity to prevent unauthorized access.
    • Managing guest user accounts and their privileges.
  • Content Distribution and Sharing: Ensuring data is shared securely and only with intended recipients, and configuring appropriate permissions.
  • Configuration Management: Proper configuration of the SaaS application's settings to ensure security and compliance. Misconfigured settings can expose sensitive information.
  • Endpoint Security: Securing the devices used to access the SaaS application (e.g., employee laptops, mobile phones).
  • Compliance: Ensuring their use of the SaaS platform aligns with their specific industry regulations and internal compliance standards (e.g., GDPR, HIPAA, or Canadian government policies).

The Microsoft 365 / Atlassian Misconception: A common misunderstanding, particularly with widely used SaaS platforms like Microsoft 365 or Atlassian, is that the provider handles all data protection. However, Microsoft and Atlassian's own service agreements recommend third-party backup apps like Revyz for customer data. 

Issues like accidental deletion, ransomware, security threats, application failures, or retention policy gaps are generally the customer's responsibility.

How Revyz Can Address the Gap

Revyz specializes in data management and protection for Atlassian Cloud products, such as Jira and Confluence, which are widely used by organizations, including government entities. 

Revyz helps bridge the gap in the shared responsibility model by focusing on the customer's side of data protection for these critical SaaS applications.

Here's how Revyz can help organizations meet their data backup requirements, particularly in the context of Canadian government regulations:

  • Comprehensive Data Backup for SaaS: Revyz provides automated and comprehensive backups of all Jira and Confluence data objects, including tickets, projects, configurations, attachments, and assets. This goes beyond the basic replication or limited retention offered by SaaS providers, ensuring that organizations have a complete copy of their operational data.
  • Granular Restore Capabilities: A key feature of Revyz is its ability to perform granular restores. This means users can recover specific data points (e.g., a single deleted Jira issue or a specific version of a Confluence page) without needing to roll back the entire system, minimizing disruption and data loss. This addresses potential human error or targeted malicious attacks.
  • Offsite and Isolated Backups: Revyz stores backups offsite and isolated from the primary Atlassian Cloud environment, typically in secure and compliant AWS data centers. This separation is crucial for disaster recovery, protecting against widespread outages or security incidents affecting the primary SaaS provider. For Canadian government requirements, Revyz's flexible deployment with multiple data residency options across AWS data centers could be leveraged to meet data sovereignty needs.
  • Compliance Ready: Revyz is designed with compliance in mind, being SOC 2 Type 2 certified. This helps organizations meet regulatory requirements for data protection, auditing, and retention, which are essential for government entities subject to strict compliance mandates (e.g., GDPR, ISO, or specific Canadian federal policies). It also extends audit history beyond the typical 180-day limitation of some SaaS providers.
  • Ransomware and Insider Threat Protection: By providing secure, independent backups, Revyz offers a robust defense against ransomware attacks and insider threats, allowing organizations to recover quickly and mitigate data loss.
  • Configuration Management and Optimization: Beyond data backup, Revyz offers tools for managing and optimizing Jira and Confluence environments. This includes comparing, cloning, and migrating project configurations, which can be crucial for maintaining consistency and recovering from configuration errors.
  • Enhanced Security and Control: Revyz operates with dedicated cloud compute per customer (no shared resources) and supports "Bring-Your-Own-Storage" for AWS/Azure, giving customers more control over their backup data's storage location and security. It also integrates natively with Atlassian's authentication and authorization controls and encrypts data at rest and in transit.

In summary, while Canadian government requirements for SaaS data are extensive and demanding, Revyz helps organizations using Atlassian Cloud services to fulfill their ‘security in the cloud’ responsibilities by providing a dedicated, robust, and compliant backup and recovery solution. 

This addresses a critical gap in the shared responsibility model, empowering government agencies and their partners to protect their vital data effectively.

Nima Honarmandan
A business-centric, passionate human who desires to see others succeed and to help businesses thrive. This care and attention has culminated in a successful two-decade-long career in business development and client-facing trust and guidance, most recently supporting clients with their Atlassian Suite.
