How financial organisations can ensure their data is protected in a SaaS world 

Mark Molyneux, EMEA CTO at Cohesity


The rapid expansion of Software as a Service (SaaS) has changed how we do business for the better. Rather than being tied into long-term and expensive contracts, financial organisations now have the flexibility to scale application services up and down to meet their specific needs. However, IT and business leaders must be wary of common pitfalls around how their data is stored, retained and protected in a SaaS world.

The popularity of the SaaS delivery model, where software is licensed on a subscription basis and is centrally hosted, is on an upward trajectory. Analyst firm Gartner says almost two-thirds (65.9%) of spending on application software will be directed towards subscription-based cloud offerings in 2025, up from 57.7% in 2022.

It’s clear to see the results of that success – SaaS is ingrained into how organisations run their applications. Yet a side effect of that success is that more data is stored in the cloud too, which could have big implications going forwards. Whilst that data is stored on external infrastructure, it is the responsibility of the organisation to protect it from loss, human error or infections. 

You will get all the benefits of an on-demand service when signing up with a SaaS provider, but that doesn’t mean you can log in and simply forget about how your data is held. Financial companies that rely on SaaS will have data spread across a host of providers. Any IT or business manager that uses SaaS must focus now on how data is stored, retained and protected in these distributed environments – with different providers involved who are guided by different service level agreements.

The importance of reading the terms and conditions of data storage

The process for buying SaaS is so straightforward that analyst Gartner says many IT and business managers complete more than 60% of the buying process on their own before even engaging a vendor. As a result, many IT and business managers buy the service without needing to engage with the vendor. The large SaaS providers have designed their sites and purchasing mechanisms to make B2B procurement as simple as a purchase a customer might make with a major online retailer.

A number of decision makers are delegating the buying process to team members as SaaS is seen to be an easy, low-risk investment. So, while a senior manager may make the final spending decision, someone else covers most of the selection process for a new service. According to Gartner, decision makers often enter the fray for just the final 5% to 10% of the SaaS buying process.

However, IT and business managers at financial organisations must recognise that signing up with a SaaS specialist doesn’t mean you pass on storage responsibilities to the cloud provider. When it comes to regulatory compliance, it’s up to the end customer to ensure data is backed up safely and securely, not the cloud provider. 

So, while your SaaS partner maintains the cloud provision, your business is responsible for everything it puts in the cloud. Senior managers must therefore be engaged from the start of the contractual process, consider the range of services the business is buying and ask the following pertinent questions:

Does the team at your organisation pore over every detail of the terms and conditions when it signs up to a new cloud relationship? Or do they simply click ‘accept’ when it comes to the legal agreement, much like a consumer might do when purchasing a new service online? If that situation sounds familiar, then it’s time to act.

Senior IT managers at financial organisations must think carefully about the implications of the SaaS deals their organisations are signing. Crucially, they must ensure the systems and services they use abide by legal mandates, including the General Data Protection Regulation (GDPR).

Simplify data management processes for your business

Data storage isn’t your only concern when you move to a cloud provider. Another key issue is retention. Once you pay for a SaaS service, you might assume data is retained by the provider for as long as you are signed up with the provider. However, that’s not necessarily the case.

Policies and procedures for data retention vary significantly between providers and across product ranges. While some providers offer enterprise-level deals that give longer periods of retention, some services only retain deleted data for 30 days. That might sound like a reasonable timeframe, but what about if someone deletes information unknowingly and your company needs the data months later? 

Financial organisations can’t afford to take a risk on data storage and retention. They require mechanisms to help ensure data is stored, retained and secured, even in a worst-case scenario such as a ransomware attack. The answer is to work with a dedicated Data Security SaaS partner.

This provider should simplify your data management processes. Look for a partner who combines three critical security capabilities into one SaaS solution: threat detection, data classification and cyber vaulting / data isolation. Together, these capabilities can help customers protect, detect, and recover data in the event of a cyber attack.

