Compliance in the Cloud: Why Backup for SaaS Applications Is Critical
Compliance is nothing new; as someone once joked, you could say that the first compliance violation happened when Adam ate the forbidden fruit. But when you think of compliance today, you’re likely thinking about the current period of stepped-up regulatory activity kicked off by the Sarbanes-Oxley Act of 2002.
Since Sarbanes-Oxley, we’ve seen an abundance of new laws regulating businesses and how they manage information. If you operate any kind of business today, chances are good that you’re required to comply with at least one of them, and probably far more than one if the business is publicly traded.
Chances are also good that the regulations with which you must comply have to do specifically with information security, particularly as it concerns the confidentiality, integrity, and availability of information.
And that brings us to why data backup is so important to compliance, especially for SaaS applications like Google Apps, Salesforce.com, and other cloud-based solutions where you’re likely storing business-critical data.
Backup keeps businesses compliant
The most obvious reason to back up data is, of course, to be able to restore information that’s been deleted or compromised in some way. But the other, equally important reason is to keep businesses in compliance with the growing number of laws regulating how they ensure the availability of information.
Not all regulations specifically require that you back up data. Often, a regulation will say more generally that you must keep information available and then leave it to you to determine what that means. Sarbanes-Oxley, for example, requires in Section 802 that audit and review work papers be retained for five years (the SEC’s implementing rule extended that period to seven). If you’re going to ensure that records are kept intact and available for that long, it stands to reason that you need an effective backup solution in case something happens to them: one whose own retention period at least matches the regulatory one, and whose restores you have actually tested rather than assumed.
Compliance frameworks provide guidance
So how do you determine exactly how to comply with regulations that don’t always spell out the actions you need to take? A number of compliance frameworks have emerged that include specific standards and controls to enable compliance. Meeting these standards and implementing these controls puts businesses on a path to meeting the broader requirements of regulations.
In this context, you could say there are two kinds of compliance that businesses should be concerned about: compliance with the laws and regulations that apply to them, and compliance with the standards in a compliance framework. It’s the latter that gives you a concrete, auditable way to achieve the former.
Which frameworks track with your compliance goals?
There are a number of compliance frameworks out there, each of which has a different focus and purpose. For example, COBIT – short for Control Objectives for Information and related Technology – originally gained favor among companies as a set of guidelines for complying with information-related requirements of Sarbanes-Oxley. Today, it’s a widely adopted framework that includes hundreds of control objectives to address regulatory mandates in a number of areas, including information availability. (Next time, we’ll take a closer look at the specific guidance it provides for backup and recovery activities.)
Determining which frameworks are relevant to your business depends on what compliance requirements you need to meet. For backup and recovery, COBIT is certainly relevant. So is NIST Special Publication 800-53 from the National Institute of Standards and Technology, whose Contingency Planning family includes controls specifically for system backup (CP-9) and recovery (CP-10). In cloud-based environments, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a controls framework that addresses, among other things, backup and recovery in the cloud.
Make sure your SaaS application data is compliant
Compliance is an issue for your business whether the information affected by regulations lives in on-premises systems or in the cloud, and data backup is an issue wherever the data resides. Your cloud application provider should be taking steps to protect your data, and companies like Google and Salesforce have a number of security controls in place to protect the data in their applications. But those controls are built to keep the provider’s platform running, not to undo what happens inside your own tenant: an administrator who deletes the wrong records, a departing employee who purges a mailbox, or a third-party integration that overwrites a field. Once the provider’s built-in recovery window has passed, that data is gone. That’s why an independent backup solution is so critical.
When it comes to compliance, you need backup that enables you to meet the standards or roll out the controls recommended in the compliance framework or frameworks that are specifically relevant to your business. And in the cloud, you also need backup that enables you to conform to the direction provided by the CSA CCM. Next time, we’ll take a closer look at what that means for you.
What to do next
With the growing number of regulations that govern how companies manage information, compliance is an issue for just about anyone who runs any kind of business today. And if you use SaaS applications in the cloud, reducing the risk of losing your Google Apps data is imperative to reducing your compliance risk. That’s why having a reliable backup solution for SaaS applications is so important.
Learn more about compliance and backup next time, when we explore how different compliance frameworks tackle backup. Meanwhile, you can dig a little deeper into the subject by checking out the Forrester report “Back Up Your Critical Cloud Data Before It’s Too Late” and Spanning’s webinar “How to Prevent Data Loss and Ensure Compliance for Your SaaS Applications.”