What State and Local Governments Need to Know About Risks in G Suite and Office 365

Software as a Service (SaaS) collaborative platform adoption is increasing among state and local government for many good reasons–but along with increased adoption comes added risk. In this blog, you’ll learn more about why SaaS collaboration platforms are becoming more widely used by state and local governments; the new division of responsibility for those adopting these tools; and some risk areas, including the rise of ransomware attacks on local and state agencies. It will also help your organization assess sources of SaaS collaboration data risks, as well as suggested next steps to reduce those risks.

State and local governments are increasing their cloud and SaaS adoption

Government organizations seeking the benefit of cloud-based collaboration have put “cloud first” initiatives front and center (more than 70% of state government CIOs are “cloud first,” and local government continues to grow adoption of SaaS)–and it’s no surprise why.

The reasons for the growing adoption of collaboration tools such as G Suite (formerly Google Apps) and Office 365 by government are similar to the well-known reasons many business adopt these platforms. Yefim V. Natis, VP and Gartner Fellow, wrote, “Rigid organizations cannot produce agile IT solutions. As delivery shifts more to the cloud, most IT organizations will have to reorganize to reflect the business realities of cloud computing: continuous innovation and change, pervasive integration, competing with cloud providers for some initiatives, and crucial prevalence of influence over control in ITs relationship with lines of business.”

  • Agility. SaaS provides multiple supports for agile IT in ways that on-premises management and maintenance cannot, facilitating the ability to adapt to rapid change in organizational needs and constituent-focused requirements.
  • Scalability. SaaS applications provide the ability to rapidly scale up or down as the needs of state and local governments change. For example, post-election budget shifts are easier to accommodate when IT can add or shed subscriptions, rather than being stuck with more (or less) on-premises capacity than is needed..
  • Staffing. SaaS applications reduce the need for on-premises management of application storage, updates, patches, and maintenance, freeing IT to do more even if budgets restrict adding staff.

The risks, however, may not be as familiar. And the biggest risks to government organizations do not generally originate from the SaaS vendor’s infrastructure, but from the new division of responsibilities arising from SaaS architecture.

SaaS applications: A new division of responsibilities between vendor and IT

saas responsibilities vendors and IT

Before the advent of cloud computing and SaaS applications, IT was responsible for managing everything in the technical environment. The adoption of SaaS and cloud technologies does not remove the responsibility for data protection from IT; the shift may, however, obscure areas of risk. SaaS and cloud vendors are secure, and generally protect customer organizations from their own infrastructure failures. They cannot, however, fully protect organizations from human mistakes, programmatic errors, or malicious activity. Changes initiated by your organization, or external threats, are carried out by the SaaS provider, because they appear to be legitimate, intentional actions.

Regardless of which model of service delivery is in place within an organization, IT is responsible for ensuring data management aligns with regulatory requirements, organizational governance, and defined controls. Ultimately IT must also meet the organization’s need for business continuity – including backing up SaaS data in a way that facilitates a fast return to operational readiness (Recover Time Objective, or RTO).

The primary risk to your SaaS data comes from you, not your platform vendors

SaaS data loss is rarely caused by a vendor’s infrastructure issues. It is most commonly caused on the customer’s side, in three scenarios:

  • Human error (misconfiguration of retention policies, improper data loads that overwrite good data with bad at compute speed, end user accidental deletions). Aberdeen Research notes that 64% of all data loss is caused by human error; in our interviews with G Suite and Office 365 sysadmins, we’ve heard stories confirming how common human error is. For example, one government agency we spoke with told us how setup errors led to the loss of more than 200 tenants in Office 365.
  • Programmatic errors (sync errors, integration errors, both of which can overwrite good data with bad, or delete good data). The Register reports, “Sync failures are perhaps the biggest frustration for Office 365 users and those who support them, and when it happens the usual advice is to delete and resync everything, with possible loss of recently changed files.” But it’s not just an issue for Office 365. G Suite sync errors led to the loss of “hundreds of corporate emails,” according to this G Suite Help Forum thread.
  • Malicious activity (disgruntled employees or other authorized users, malware including ransomware). Government sysadmins are familiar with the risks posed by disgruntled employees. They may not be as familiar with the rise in government ransomware attacks. The central issue for those using collaboration apps such as G Suite and Office 365 is the “folder grenade” – when a document or email is shared, and the ransomware encryption spreads from one shared folder or document through every shared folder or document, at compute speed. This may have been why the malware lock-out spread so quickly through recent victims’ systems.


What to do now to mitigate the risks

Your SaaS collaboration providers are likely not a significant source of risk to your SaaS data. Your admins and your end users are. It’s important to train your end users in being “phishing proof” regarding SaaS data. Beyond training and limiting access to admin rights, however, IT needs to plan to ensure SaaS data is safe, backed up, and quickly restorable for business continuity needs. If your organization has adopted, or is considering adopting, a SaaS collaboration platform such as G Suite or Microsoft Office 365, ensure you can protect against the common issues that can lead to SaaS data loss.

Spanning Backup provides enterprise-class backup and restore for G Suite and Office 365 data, developed to meet the fastest Recovery Time Objective (RTO) requirements for business continuity. Spanning backs up your data in SaaS applications automatically, every day.

Spanning also supports customers making additional on-demand backups any time, such as before making major changes as a new administration is onboarded post-election.

Metadata is included in the data that Spanning backs up daily, to enable fast recovery in the event of data loss. Spanning supports the rapid restoration of your SaaS items to their full original state – including point-in-time snapshots of folder structures, categories, labels, sharing settings and more.

What to look for in a SaaS data protection solution for state and local government

Start with this security checklist, as you begin the process of evaluating SaaS data protection solutions to mitigate the risk of SaaS data loss.

SaaS provider security checklist


Don’t wait until a SaaS data disaster occurs within your government agency or organization. Evaluate solutions like Spanning, and trial us for free in your organization today.