Who is responsible for cloud data security? The SaaS vendor or the enterprise?

This is a critical question challenging many enterprises today. Put this question to different roles in an enterprise and I promise you’ll get different answers: Legal, Risk & Compliance, CISO, Business Owner, and so on!

The benefits of functionally rich cloud SaaS applications, such as mobile support, dashboards or lower costs, are clear. Enterprises have to take advantage of these to move forward.

However, the question remains. Don’t confuse the response from all SaaS vendors – “your data is very secure in our data centres” – with the need for the enterprise to examine and understand what its sensitive data is and what its legal and regulatory obligations are for meeting various data compliance requirements, before that sensitive data is placed in the SaaS environment and is out of your control. Or at least not controlled only by you.

SaaS vendors need to understand that this question is not about how, for example, physically secure or available my data is in the cloud. Rather, “Data Security” here is more about protection against unauthorized access. And as your enterprise has a legal or regulatory compliance obligation to protect CID (Client Identifiable Data) or PID (Personal Identifiable Data), “Data Compliance” for business sensitive data will always be the responsibility of the enterprise – and not of the SaaS vendor.

Especially with market-leading SaaS applications such as Office 365, Salesforce, ServiceNow or others, data protection for compliance should play a role in the adoption of cloud SaaS. With some encryption gateways, the enterprise is the only party that controls the encryption keys needed to access its sensitive data, thereby meeting its responsibilities for data compliance.

Ravi Pather
Senior Vice President, Global Sales
ravi.pather@eperi.de