Running applications in software-as-a-service clouds has become the norm over the last several years. Cost has been the primary driver behind this transition, with organizations finding it often less expensive to subscribe to a SaaS cloud than run applications on premises.
Application vendors, meanwhile, are increasingly switching to a cloud-only delivery model where they maintain the application -- and ensure it is properly configured -- and the hardware it runs on. While there is no denying the benefits to using SaaS applications, the very nature of cloud-based applications can sometimes give IT pros a false sense of security that the application provider will handle SaaS data protection and address any problems that may occur.
There is a bit of truth behind this perception. If a SaaS application experiences stability issues, or the underlying infrastructure fails, it is the provider's responsibility to fix the problem. However, it usually will not take responsibility for any associated data. This policy has existed for as long as the IT industry itself, gaining acceptance long before the invention of cloud services.
Imagine for a moment that an organization doesn't subscribe to a SaaS cloud and runs all software on premises. Now suppose it suffers a storage-array failure, losing a number of critical document files. Are the software vendors responsible for the data loss? Of course not. Presumably, the applications are still functional, and only the data created by those applications has been affected. While application vendors are responsible for ensuring their software works as advertised, they do not bear any responsibility for an organization's data. The IT department is responsible for protecting that data by creating regular backups.
Running applications in the cloud doesn't mitigate the need for SaaS data protection. Enterprises are responsible for protecting their own data, just as they were in the days of running applications on premises. When choosing to run an application in a SaaS cloud, businesses are essentially leasing hardware in the cloud provider's data center and outsourcing hardware, OS and application maintenance as it relates to that application. Even though the software runs on a remote server and is maintained by someone else, subscribers are still responsible for protecting data they create.
Unfortunately, SaaS data protection has historically been a challenge. When running an application locally, the data generated usually resides in the organization's own data center, where it can be easily backed up. In the case of a SaaS application, however, data often resides in the provider's data center, not the subscriber's.
At first glance, the idea of storing data in a SaaS provider's cloud may seem like a nonissue. After all, cloud storage is a mainstream and reliable technology. There's a difference between SaaS storage and IaaS storage such as Amazon's S3, however. The most significant difference is that SaaS providers usually do not give subscribers volume-level access to their data. This renders typical backup applications completely ineffective when it comes to SaaS data protection, unless the backup application has been designed to work with the specific SaaS cloud.
Those who subscribe to SaaS applications must therefore consider two very important questions: What are the odds of losing your SaaS data? What is the best option for protecting that data?
The odds of suffering SaaS data loss
SaaS providers go to great lengths to prevent data loss as a result of infrastructure failure or malicious activity. Even so, it has long been known that data loss within a SaaS cloud can and sometimes does occur.
A 2013 study by the Aberdeen Group (see figure below) found 32% of SaaS cloud subscribers suffered data loss. Accidental deletion by users and users accidentally overwriting data presumably with incorrect data were among the factors cited. Somewhat surprisingly, SaaS applications themselves caused a portion of the data loss by overwriting something they shouldn't.
Of course, it is nearly impossible to discuss data loss without also addressing factors such as ransomware, hackers and malicious activity. The Aberdeen Group study found approximately 20% of all SaaS data loss could be attributed a combination of hackers and general malicious activity. Others attributed data loss to ending a SaaS subscription, which may have been a result of canceling a subscription or accidentally allowing a subscription to lapse.
A slightly more recent report by IDG Communications Inc. painted a far bleaker picture of SaaS data loss, finding an astounding 58% of businesses using SaaS applications suffered SaaS-related data loss during the previous year. Interestingly, the reasons cited for this data loss largely line up with the Aberdeen Group's earlier findings. The figure below provides a breakdown of IDG's findings.
A survey commissioned by cloud backup provider Spanning Cloud Apps LLC a couple of years later (see figure below) offered even grimmer findings. Close to 80% of respondents reported SaaS data loss of some kind over a 12-month period.
These studies illustrate a problem that has progressively worsened. Even though the three studies didn't examine the same exact types of data loss, individual data loss can be consolidated into more general categories. This makes it possible to examine the findings side by side. In doing so, it becomes clear SaaS data loss follows some consistent trends, with accidental deletion and administrative errors accounting for the bulk of the data loss, as shown below.
Cloud-to-cloud backup services to protect SaaS data
With SaaS data loss such a prevalent problem, it is necessary to consider how best to protect your SaaS data. In recent years, a number of vendors have begun to offer cloud-to-cloud (C2C) backup services that protect SaaS data against loss. Some of the more popular C2C backup services include the following:
- Axcient CloudFinder
- Barracuda Cloud-to-Cloud Backup for Office 365
- Cloud Daddy
- Datto SaaS Protection
- Veeam Backup for Microsoft Office 365
All C2C backup services are not created equally, so it is extremely important to select a service that meets your needs. When it comes to SaaS data protection, the first thing to consider is the applications a service is able to protect. Some C2C backup services may only focus on a single SaaS service, such as Office 365, while others support a variety of applications.
Even the SaaS protection provided by these services isn't uniform. You may find, for example, that some backup services can protect most or all of your Office 365 data, while others protect Exchange Online, but provide almost no coverage for other Office 365 apps such as SharePoint Online or Yammer.
When selecting a C2C backup service, it is always a good idea to sign up for a trial subscription so you can evaluate the service for yourself. In doing so, pay particular attention to recovery granularity and the speed with which data can be recovered. You should also make note of whether the backup provider has any data retention limits. Nobody wants to find themselves in a situation in which the data they need to restore is gone because the provider deemed it to be too old to be useful.
Who owns your SaaS data?
Although not one of the largest reasons identified by the three surveys, two of them identified subscription-related issues as a source of data loss. IDG attributed this data loss to departing employees or to the deactivation of a user account, while Aberdeen listed this type of data loss as "ended SaaS and lost data." Regardless, both studies pointed to the idea that organizations can suffer data loss as a result of canceling a SaaS subscription, delicensing a user or, perhaps, accidentally allowing a SaaS subscription to lapse.
Because this type of data loss occurs, organizations should question the issue of data ownership. If SaaS providers store your data within their own cloud -- without providing a way of accessing the data from outside of the application -- then the SaaS provider essentially owns your data. One reason why cloud-to-cloud backups are so important is because they give you a way to extract your data from the SaaS application. You can then store that data on premises or in a cloud of your choosing, where you can maintain ownership of that data. That way, you won't lose all of your data if you choose to cancel your SaaS subscription.
You should verify whether there are any limits on the types of data a provider will include in its backups. It isn't as much of a problem today, but some first-generation C2C backup providers would omit videos and other types of large files from their backups in an effort to save bandwidth.
Finally, go online and see what people are saying about the backup providers. Have people generally had good experiences with them? Or has the service let them down when they needed it most?
- The Gorilla Guide to Cloud-First Backup –Solarwinds MSP
- Quadrupling Backup Speed and Blocking Ransomware with Cloud Backup –Acronis
- Simplify Backup and DR with Hybrid Cloud Storage –ClearSky Data
- Moving from Capex-Reliant Data Backup and Management to Cloud-native Backup –Druva Software