Who’s getting SaaS-y with your data?


5 Apr 2024

Image: © Mario Breda/Stock.adobe.com

Onymos CEO Shiva Nathan explains the pitfalls of putting too much trust in your SaaS provider and gives advice to strengthen your data privacy and security posture.

Software-as-a-Service (SaaS) has roots going all the way to the early days of computing. Even though it wasn’t called SaaS back then, delivering software over a network or accessing it remotely was a strategy being leveraged by large corporations such as IBM as well as by government agencies like NASA.

By the late 1990s, SaaS was finally going mainstream, and the premise was simple: enterprises pay money to receive software. Then, over the next three decades, the equation was rewritten. In 2024, enterprises still pay money to receive software, but they also hand over their data.

This change in the SaaS equation has put a major target on the backs of software providers who have amassed so much customer data. They are now honeypots for bad actors everywhere.

At the beginning of 2023, cybercriminals launched a mass hack that breached 130 companies, but they only had to infiltrate one of them – Forta, a cybersecurity and automation software firm. The affected organisations had been using Forta’s compromised file-transfer software, GoAnywhere. In late January, hackers captured an unknown number of shared files, including patient health data and insurance information.

But it gets worse. After the breach was publicised, at least two impacted companies reported that they were told their data was safe. They only found out it wasn’t when the hackers tried to ransom their stolen data back to them.

An organisation’s digital attack surface is sometimes described as the sum of its ‘weak spots’. The modern SaaS model, however, is changing that equation. Today, we’re all connected. One company’s weak spot could be its SaaS provider’s ‘SaaS provider’, and chances are, its cybersecurity isn’t as good as you want it to be.

A recent report by Varonis Systems found that the average company has at least 10pc of its cloud data exposed to every single employee. Although, this doesn’t mean the other 90pc is safe; as the report revealed, more than half of all accounts with the highest levels of data access don’t have multi-factor authentication enabled.

The qualms of a vendor lock-In

The typical enterprise relies on more than 100 different SaaS products, some of which are actually inside its own products. Wherever they are, and however they’re being used, they inevitably ingest a significant amount of an enterprise’s data (including their customer data).

This creates a kind of ‘stickiness’ for SaaS providers called vendor lock-in. If you want to get out, the costs could be prohibitive – if it’s even possible. When Austen Allred, CEO of BloomTech, tried to migrate his online code boot camp out of Slack, he seemed to be given just days to pay a $78,000 fee or have years of accumulated data entered into a deletion queue.

Allred’s issue, though it was later resolved by Slack to his satisfaction, highlights a growing problem: the issue of trusting SaaS companies to be good stewards of your data. Even when an enterprise can successfully move out of unwanted SaaS tool, the long-tail problem of ex-providers holding on to previously shared data still exists.

AI is putting data at even greater risk

Now, many SaaS providers have a whole new use for their customer data (and their customers’ customer data): AI.

SaaS providers are increasingly using machine learning algorithms to extract insights from customer data, leading to more personalised services and enhanced user experiences. This approach is transforming how businesses operate, allowing them to make data-driven decisions and optimise their operations.

At the core of these advancements lies machine learning, a subset of AI that enables systems to learn and improve from experience without being explicitly programmed. These machine learning training systems are training AI with data, and that data has to come from somewhere. SaaS providers have an enormous incentive to use customer data to train their own machine-learning models. They might even share that data with other companies to train the models for them or sell it outright to create new high-value revenue streams.

In February, Reddit made a $60m AI content-licensing deal with Google as part of its IPO plans. The agreement gives Google access to Reddit’s API data for training generative AI models.

And even the Associated Press is getting involved with data licensing – in July of last year, it announced a partnership with OpenAI, the company behind ChatGPT. As part of their arrangement, OpenAI will have access to AP content to train its models.

The potential for SaaS providers to share or sell this data to third parties raises important ethical and privacy concerns. While data sharing can lead to collaborative innovation and the development of new solutions, it also raises questions about data ownership, consent and transparency. This underscores the need for a comprehensive framework that addresses these issues and ensures that data is used responsibly and ethically.

Time for different approach?

Unfortunately, there are no easy solutions to these issues. For all its problems, SaaS is too useful. It’s here to stay but doesn’t have to stay the same. Enterprises, governments, research institutes and individuals all have to come together to create new norms around data.

In the near term, enterprises and organisations must begin to take back control of their data. The first step is to find vendors that enable organisations to self-host or self-manage their software and applications – a reversal of the standard SaaS engagement model that gives you full control. There are also vendors that provide solutions that have no data access – sometimes called no-data architecture.

By taking these steps and choosing the right SaaS vendor, enterprises and organisations can better manage their software and applications as well as strengthen their data privacy and security posture.

By Shiva Nathan

Shiva Nathan is the founder and CEO of Onymos, a Features-as-a-Service platform. He is the former head of Intuit’s Platform and Services organisation, and has also held technical and leadership positions at Oracle and CA. He understands what it takes to build robust, powerful apps that serve a broad customer base – and how to avoid the roadblocks that can get in the way.

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.