Cyber Resilience Begins with Rethinking Backup in Cloud and SaaS

Cloud computing has enabled organizations to offload infrastructure management and leverage computing resources on demand through cloud computing services. However, a critical misconception persists: that cloud service providers inherently take care of all data protection. In reality, ensuring comprehensive backup and recovery is the responsibility of the user organization, not the cloud provider​. 

That's why a strong backup and recovery plan is important. This is especially true for cloud-based and Software-as-a-Service (SaaS) settings often accessed via a simple web browser.

Together, these practices underpin cyber resilience, support cybersecurity investigations, and safeguard business continuity.

‍

Shared Responsibility for Data Protection in the Cloud

Cloud providers operate on a shared responsibility model, meaning that while the provider secures the underlying infrastructure as a service, the customer is ultimately accountable for protecting their own data storage and configurations. For example, Microsoft’s documentation plainly states: “For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities...and the cloud resources you control.”​ 

‍

In other words, businesses must treat cloud-stored data with the same diligence as on-premises data. This includes maintaining backups to cost-effectively preserve critical information. 

‍

Major cloud and SaaS vendors explicitly remind customers that data management is a customer duty. Microsoft’s service agreement urges customers to “regularly back up the content and data that they store on the services.” Salesforce likewise advises developing a routine data backup strategy as part of security planning.

‍

You can find similar disclaimers and recommendations from many service providers.  Many clouds replicate data across regions for high availability, but this replication is not a backup — it only guards against infrastructure failures, not against accidental or malicious data changes​. If ransomware encrypts your cloud data, highly-available replicas will simply sync the corrupted or encrypted data across sites, leaving you with no clean copy to recover​. 

‍

Cloud Identity and SaaS Services: No Built-in Backups

Even core services like cloud identity providers (IdP) and popular SaaS applications lack comprehensive native backup capabilities. Identity providers in the cloud do not back up user data or configurations on your behalf. They protect the service’s infrastructure and keep it running well. However, you are responsible for the safety and recovery of your tenant’s data storage. 

‍

They protect the service’s infrastructure and keep it running well. However, you are responsible for the safety and recovery of your tenant’s data storage. 

‍

For example, the popular IdP Okta, operates under a shared responsibility model where “Okta, by itself, does not provide a native built-in backup solution for its customer’s data.” Instead, “securing your tenant’s application data, content, and settings falls under your responsibility as a customer.”​ This means that if an administrator accidentally deletes users or misconfigured access policies in an identity service, the vendor does not provide a rollback button, leaving your business operations at risk without sufficient storage space for backups.

‍

The same holds true for many SaaS applications managing enterprise data. SaaS vendors generally do not include full data backup/restore features as part of the service. Organizations often assume data in services like email, CRM, document collaboration, or identity management is “safe” because it’s in the cloud. Yet more than a third of SaaS users have reported losing data in the cloud — through user error, malicious deletion, or other issues​. 

‍

And when such loss occurs, the vendor’s support can offer little help beyond perhaps short-term recycle bins or trash folders. There is typically no provider-maintained archive of your data changes over time. Thus, if a record or setting is changed or purged, without an independent backup you have no historical record or snapshot to restore. 

‍

The Unacceptable Risk of Not Having Backups

Failing to maintain your own backups can lead to disastrous consequences when things go wrong. Without a backup and recovery plan, an organization has no recourse to undo or mitigate the following scenarios:

Cyberattacks

Modern cyber threats target data for encryption, deletion, or exfiltration. If an attacker gets in and destroys or encrypts data in the cloud, and you have no secure-storage space backups, that data is lost. 

User Error & Misconfiguration

Simple mistakes by administrators or users can cause big problems. These mistakes include accidentally deleting important data, misconfigured access controls, or updating the wrong records in bulk. In many cloud services, once a change is replicated across cloud resources, it’s irreversible unless you maintain your backup copy. 

Data Corruption and Software Bugs

No system is infallible; a software bug, sync error, or malicious logic could corrupt your cloud data. If the corruption is propagated across all live copies (as cloud platforms often eagerly sync data), you won’t have a clean version to fall back on without proactive data management.

Malicious Insider or Credential Compromise

An internal user with elevated privileges or an external threat actor who steals credentials could intentionally alter or delete critical data and configurations. Cloud services might not detect this as “abnormal” if done through valid access. By the time you realize the damage — for example, dozens of virtual machines or user accounts wiped out — it’s too late to protect business operations without backups.

Preserving the Digital Crime Scene

Beyond the recovery of operations, backup systems also play a pivotal role in cybersecurity investigations and digital forensics after an incident. When a breach or data-altering event occurs, investigators need to determine what happened — the who, how, what, and when of the incident — to remediate and prevent future occurrences, ensuring regulatory compliance.

‍

Without a backup, if intruders delete data or log files, there may be nothing to investigate. This makes it hard to learn from the attack or take legal action. Conversely, a well-thought-out backup and recovery infrastructure not only restores your business but also provides the data needed to understand and report on the incident (e.g. to regulators, customers, or law enforcement). 

‍

Backup and Recovery Are the Cornerstones of Cyber Resilience

The main point is that no matter how reliable your cloud or SaaS providers are, they focus on keeping their systems running. Your data's safety and storage are still your responsibility. If you do not own and manage your backups, you have no safety net. In a cyberattack, insider threat, configuration error, or data corruption, you cannot roll back your data. 

‍

Conversely, organizations that invest in comprehensive backup and recovery strategies gain confidence in their cyber resilience and business continuity. They can handle attacks by restoring clean data copies. This helps reduce downtime and keeps serving customers.

‍

They can handle attacks by restoring clean data copies. This helps reduce downtime and keeps serving customers. They also help forensic teams with preserved evidence. This strengthens security measures for the future.

‍

When disaster hits and you have to act fast, MightyID helps you failover to a new IdP so you can keep business running. Contact us today to learn more..

‍