top of page
Search

Rethinking SaaS, Data Protection, and Privacy in AI era

Updated: Aug 3

One of the most predictable features of any technology curve is the obituary phase, with people across the industry declaring a particular paradigm or application “dead”.  VDI has been declared dead several times in past decades, same for local data centers.  In truth, things all persist, even as they evolve.


These proclamations are often (unsurprisingly) made by vendors pushing the disruption. In the current AI moment, there’s a lot of these obituaries being written. But when the CEO of Microsoft says that SaaS is dying, you take notice.

While his words weren’t that dramatic, Satya Nadella did predict how agentic AI might disrupt the SaaS paradigm: "I think the notion that business applications exist, that's probably where they'll all collapse, right, in the agent era. Because if you think about it, they are essentially CRUD (create, read, update, delete) databases with a bunch of business logic.”


Why does that matter?

The Software as a Service (SaaS) model has been a key driver of digital transformation, and the convenient adoption of software and automation has propelled enterprises towards unprecedented efficiency. Household names like Box, DocuSign, Slack, Zoom, and Notion among others have become integral to enterprise operations, streamlining workflows like secure document exchange, e-signatures, large file transfers, data rooms, and messaging.


But, as we proceed into a cloud-native, AI-powered, and privacy-aware era, a critical reassessment of the traditional SaaS model may be prudent. There are old challenges to solve for, including security and privacy. But there’s also a brand-new set of requirements around AI data governance, that are similar but not the same to past infosec challenges.


AI data governance is like traditional data protection but more complicated

That’s why nearly every survey you read about AI implementation lists AI data governance as a top challenge.


A glaring issue with traditional SaaS solutions is exposing and storing (sensitive) enterprise data with third parties (i.e., the SaaS providers themselves), raising significant third-party risks, cybersecurity threats, and compliance issues.

While streamlining operations, these platforms become attractive targets for cyberattacks, with the potential costs of breaches posing significant risks to hundreds if not thousands of businesses and millions of individuals. Also, because each SaaS typically focuses on a small number of workflows, ensuring consistent configurations and security postures may not always be the easiest, especially when their backends are built on different public clouds.

It is also extremely difficult (if not flat-out impossible) to know exactly where enterprise data resides or is copied to (for backup reasons) among others. There are also no technical guarantees (only vague contractual and/or policy languages) that SaaS providers will not utilize customer data in advance of their machine learning and other AI/LLM capabilities, which may inadvertently leak sensitive enterprise information.

Is the efficiency worth the data protection risk?

The purported advantages of SaaS, including ease of use, lower cost and maintenance, continuous software updates, and outsourced security, often do not fully materialize. Instead, organizations face a reality of high costs due to bloated management and inefficient operations of SaaS providers, sensitive data sprawl, compliance challenges, and a locked-in ecosystem, all of which amplify the risk and complexity of the enterprises' data protection and cybersecurity endeavors.

 

A practical path to secure GenAI:  Cryptographically Augmented Private SaaS (CAPS)

 

While the thought leaders argue about whether or not SaaS is dying, dead, or doing just fine, there are alternatives that enable both productivity and solid AI data governance. They’re built for overcoming the standard SaaS challenges. The advent of cloud-native infrastructures, commoditized cloud storage, advancements in cryptography and Privacy Enhancing Technologies (PETs), and the rise of automation and AI pave the way for what we call the "Cryptographically Augmented Private SaaS (CAPS)" model. CAPS envisages a future where data privacy is paramount — no third party, not even the CAPS "SaaS" provider itself, cloud services, or ISPs, can see user data.

In this model, data is encrypted not only at rest or in transit but upon generation or ingestion and also at the content layer, ensuring maximum protection. The CAPS model also promotes ease of setup, cloud-to-cloud migration, and cost efficiency by potentially replacing multiple SaaS solutions with a single CAPS platform, leveraging amortized cloud costs.

 

A new standard in data protection: Building the CAPS model

We advocate the following features when building toward such a future, especially when looking to build wide across on prem and the cloud and deep to accommodate LLMs and other AI use cases.

  • Fine-Grained Cryptographically Enforced Access Control: Ensuring that access to data is tightly controlled and secure and implementing the principle of least privilege (POLP) at the sensitive object level, not only at folder or file levels.

  • Shift-Up Paradigm in Data Protection: By embedding protection directly within the data containers (e.g., documents) per the above requirement, a consistent level of data protection travels with the data wherever it goes and is always on.

  • Split Keys and Threshold Cryptography: Enhancing security by distributing decryption and signing keys and operations using them (ala the secure multiparty computation paradigm), making unauthorized access considerably more difficult in the case of a backend compromise.

  • Post-Quantum Cryptography Ready: Preparing for the quantum computing era by adopting encryption methods that are resistant to quantum attacks. And even beyond that, ensuring cryptographic agility is built in in such platforms from the start.

  • Document View and Use Tracing: Implementing mechanisms for tracking how and by whom (whether machines or humans) documents are accessed and used, even after such documents are downloaded or shared outside the CAPS infrastructure.

  • Automated Deployment and Operation: Utilizing modern advances in AI and machine learning for efficient and self-managing deployment processes is within reach with recent advances of no-code infrastructure and LLM-powered development and DevOps tools.

  • Microservice Native: Ensuring that the CAPS platform is built for the cloud-native era, facilitating scalability, resilience, and ease of integration.


The transition towards CAPS that we advocate for, represents a paradigm shift in how one approaches thinking about enterprise software solutions. By addressing the inherent flaws of traditional SaaS from the ground up through a focus on privacy, security, and efficiency, we argue that CAPS offers a promising roadmap for a more secure and private future.


Sensitive data protection --- “as a service” that you control

As businesses become increasingly aware of increased enforcement around data and cybersecurity, we expect the demand for solutions like CAPS to rise, heralding a new era of secure, efficient, and privacy-aware enterprise operations. This will be especially true as AI opportunities get further explored and operationalized.

 



See what Confidencial can do

We're building for a better kind of data protection through selective encryption. Take a trial and see what we can do.

Comments

bottom of page