Using the Pareto Principle to Help Manage Cloud and SaaS Data Risk

The Pareto Principle is familiar to most people as the 80-20 rule. When it comes to cloud data risk, applying the Pareto Principle can help an organization focus risk management on where common risks originate, and where the risks may be significant.
ParetoPrinciple

First, though, let’s consider how data might be at risk within SaaS applications. Major SaaS providers are generally reliable, use multiple redundant systems to reduce risk, and are secure. SaaS application vendors like Salesforce, Microsoft and Google could not stay in business without ensuring that they are doing everything possible to protect your data.

SaaS providers cannot protect you from you, your users and your administrators.
SaaS applications, by design, make it easy for end users and administrators to update data. Unfortunately, it often is as easy for users and administrators to update SaaS application data in error, or with malicious intent. Here are just some of the “data update oops” situations I’ve learned about from speaking with people at user groups and on research calls:

  • A Google Apps user “cleans up” old client folders containing docs owned by others, “orphaning” the shared docs and putting important data in Trash in error
  • An Office 365 administrator set up their tenants incorrectly, accidentally deleting hundreds of users and their associated email
  • A Salesforce administrator uses a mass data loading tool, and inadvertently overwrites hundreds of thousands of good records with bad data due to incorrect field mapping

When a change to SaaS application data is made, whether through an end user updating a forecast stage on an Opportunity in Salesforce, a Salesforce administrator performing a mass data load, an Office 365 administrator onboarding or deprovisioning users, a Google Apps for Work user purging old client folders – as long as the change is made by someone authorized by the app to do so, it MUST be done. The SaaS application provider has no way of knowing whether that change was done in error or worse, with malicious intent.

Using the Pareto Principle as a real-world “rule of thumb for risk”
So how do you make the Pareto Principle work for you when assessing data loss risk? Let’s look at a few specific use cases that derive from one-to-one interviews I’ve done, and see how we might apply the Pareto Principle.

Use Case: Determine whether admins pose a greater data loss risk to the organization than end users, in order to focus organizational resources correctly.

Apply the Pareto Principle: While an end user might make a mess of what they have a right to access, they won’t have rights to change or update nearly as much as an administrator would. Therefore those with the most impactful access – administrators – will likely cause 80% of data loss in a SaaS application. Based on the Pareto Principle, end users will cause only 20% of SaaS data loss.

Use Case: Determine which administrative workloads pose a greater data loss risk to the organization, in order to allocate preventative resources correctly.

Apply the Pareto Principle: SaaS application administrators perform a variety of tasks with variable potential risk for data loss:

  • Routine administrative tasks (onboarding or deprovisioning users)
  • Management and testing (ensuring that the vendor’s SaaS updates will not break workflows or processes)
  • Helping implement large-scale changes (company restructurings, mass data loads, significant customizations)

Applying the Pareto Principle, 80% of the data loss risk incurred by administrators will occur on those 20% of tasks which are non-routine, and which involve significant changes to workflow, data, or SaaS architectures.

Use Case: Determine which application integrations with a core SaaS application (for example, Microsoft Outlook with Salesforce) pose a greater data loss risk to the organization, in order to allocate preventative resources correctly.

Apply the Pareto Principle: SaaS application integrations can add data loss risk, not just from a change performed in error (such as a salesperson updating their Salesforce instance with the contacts on their phone, accidentally overwriting good data in Salesforce with bad data from their phone), but from sync errors between integrated apps. Applying the Pareto Principle, 80% of the data loss risk incurred due to application integrations will occur on those 20% of situations where there is frequent use of the integrated SaaS apps.

Highest Sources of SaaS Data Loss Risk Based Upon the 80-20 Rule
Based on this fast “rule-of-thumb” application of the Pareto Principle to managing SaaS data loss risk, the riskiest 80-20 scenarios are:

  • SaaS application administrators performing large-scale changes – whether a mass data upload, or an organization restructuring, or workflow customizations.
  • Non-routine workloads or tasks performed by administrators.
  • SaaS application integrations between an “add on app” and the core app, where the “add on app” is frequently used.

As you can see, when it comes to mitigating the risk of SaaS data loss risk, you don’t have to boil the ocean – you can simply apply the Pareto Principle.

Focus on these key areas of SaaS data risk as a solid starting point, and you can identify high-risk people and processes before data loss occurs. You don’t have to just hope the worst doesn’t happen – you can use solutions like Spanning by EMC to make SaaS data loss a non-issue.

About the Author: Lori Witzel