If you think using a SaaS application alleviates the need for backup, you're wrong. But you're not alone.
A recent survey of 1,000 IT professionals and business executives conducted by security and backup vendor Barracuda Networks Inc. found that while cloud backup is on the rise, only 16% of companies back up data in their SaaS applications. Specifically, nearly 40% of the respondents who use Microsoft Office 365 said they don't have third-party SaaS backup for that data.
"Because it's a SaaS, there's a false sense of security. People think they have backup and recovery with the service, and they don't," said Christophe Bertrand, senior analyst at Enterprise Strategy Group (ESG). "The data is always your responsibility. The fact that you've given up control to a service does not absolve you from responsibility, from a compliance and stewardship perspective."
'Isn't the cloud provider backing that up for me?'
Wray Smith, vice president of technology services at managed service provider (MSP) Lewan Technology, said few people do SaaS backup because they are confused about who is responsible for that data.
"There's a common misconception, a wishful hope, that by putting anything in the cloud, you get that naive, 'Isn't the cloud provider backing that up for me?'" said Smith, whose MSP sells data protection products from Barracuda, Commvault, Veeam Software and others.
They're not backing it up for you, said Priyank Ghedia, practice manager in cybersecurity and risk management at Lewan Technology. Contracts with SaaS vendors usually provide for availability and reliability of the vendors' services, but they do not take on the responsibility for customers' data.
Wray SmithVice president of technology services, Lewan Technology
"It's a fine point which nobody reads," Ghedia said. "The first time I meet a client, they always have the perception where they're on the cloud, they think they're backed up."
If a customer loses data due to malicious or accidental deletion, it's not up to Salesforce -- or Office 365, Slack or Box -- to restore that data. SaaS providers' responsibility only extends as far as their software and not the data on it, said Vinny Choinski, senior lab analyst at ESG.
"They'll guarantee the uptime of the application itself and the supporting infrastructure, but they can't guarantee the integrity of the data you put in there," Choinski said.
Office 365 keeps deleted email messages live in the Recycle Bin for 93 days before permanently deleting them. Microsoft OneDrive and SharePoint retain deleted files for 14 days, but users must open a support ticket to restore them. Additionally, neither can restore individual files -- the entire instance must be restored.
How vendors provide SaaS backup
Today, many backup vendors offer SaaS protection, often in what is known as cloud-to-cloud backup. That method will protect data in SaaS apps such as Office 365 and Salesforce by creating copies in another public cloud, often AWS. Some vendors will instead store copies of SaaS files on an on-premises disk system.
Customers don't always view their SaaS data as mission-critical. To some, SaaS backup is unnecessary.
Greg Arnette, technology evangelist in data protection at Barracuda, said SaaS providers will guarantee uptime for users, but that is not the same as a granular backup that can restore individual email messages and files that were mistakenly deleted.
"The SaaS vendors make backup copies of the data, but at a system-wide level, so if the vendors themselves have some kind of outage, they can recover back to a consistent state and get their customers up and running," Arnette said. "But what SaaS vendors don't and can't know is when data changed by someone logged into the SaaS service is valid or invalid."
While SaaS protection is integrated in traditional backup apps, there are also products designed specifically for backing up cloud-native data. Spanning, Backupify (now part of Datto) and CloudAlly were among vendors that created cloud-to-cloud backup from the start.
Odaseva tackles 'huge misunderstanding' in market
Odaseva comes at SaaS backup from a slightly different direction, building it into its Salesforce management platform. Odaseva started in 2012 specifically to address Salesforce data management for large enterprise customers. A team of Salesforce veterans developed the Odaseva Data Management Cloud, which includes backup for Salesforce data.
Odaseva COO Vincent Delamarre said his company uncovered a common misconception among Salesforce customers that the SaaS provider is responsible for any data on the platform.
"Whether on SaaS or on-prem, it's the responsibility of the customer" to protect data, Delamarre said. "This is a huge misunderstanding in the market."
Odaseva's software, which is sold as a service, works by the extract, transform and load process. It takes data from Salesforce, manages the data for a particular use case, then pushes it back onto Salesforce. Use cases covered by Odaseva's platform include Salesforce backup, governing API call limits with AI, predictive capacity planning and compliance.
Many backup tools available to customers today still assume a traditional, on-premises environment. ESG's Bertrand said, given Odaseva's Salesforce expertise, its go-to-market strategy makes sense.
"Overall, data protection of SaaS-based environments still has a lot of ways to go," Bertrand said. "Recoverability is nowhere near what you can do on premises today."