The popularity of SaaS options has been growing rapidly. Software as a service is usually easier to implement and typically less expensive than on-premises alternatives or managing your own software in a cloud. However, SaaS data protection is not bulletproof and data can still be vulnerable.
For a long time, there was a general impression that SaaS data created in the cloud was inherently more protected because it was also stored there. "There is a big disconnect when it comes to SaaS backup and recovery," Enterprise Strategy Group analyst Christophe Bertrand said. "A large number of users believe they don't need a backup," as they would for on-premises workloads, or believe that the vendor has tools that suffice for this purpose. The big gap in perception "also creates a high level of noncompliance exposures," he said.
Gartner analyst Nik Simpson called SaaS backup and recovery an unrecognized problem that is often driven by business units selecting SaaS applications. "They don't think about this [recovery issue] -- or at least not until after they've lost data," he said.
SaaS data protection has only recently begun to be recognized as a need-to-have for businesses of every size, though some vendors have offered it for years, said Steven Hill, analyst at 451 Research. However, he said, most licensing agreements specifically state that a SaaS vendor is not responsible for data protection.
Ransomware protection depends on mix of local, cloud infrastructure
When it comes to resilience, most public cloud platforms far exceed the capabilities of any but the largest IT environments. But for SaaS, or any other shared data environment, the most common challenge is protecting against accidental deletion or malicious activity like ransomware.
Ransomware is no joke, and there's little if anything companies can do other than pay if their data protection isn't up to the task, Hill said. And there's no guarantee you'll get data back even if you do pay. These common dangers reinforce the need for the age-old model of "having multiple backup copies of your data and at different locations, whether in the cloud or on premises," he said.
Unfortunately, according to Hill, there haven't been any real innovations from SaaS companies that can address these challenges. "The recent innovation in SaaS backup lies in the fact that it's actually becoming table stakes for data protection vendors," he said. Backup is the oldest model for data protection, and "it's hard to improve on the basic premise of having a second copy of your important business data that's kept at a different location."
The cloud does change the model a bit, he added. That's because in the case of SaaS, the cloud is both a source and a potential destination for backup data. It often becomes a question whether you should use the same cloud for both primary and backup copies of SaaS data.
"The resilience of data is really quite good in the cloud, so it comes down to greater availability or industry-specific compliance policies," Hill said. The real innovation is happening after the fact, where the industry is moving toward simplifying long-term unstructured data lifecycle management and governance and finding ongoing value from backup data through analytics.
Doug Hazelman, vice president of technical marketing at MSP360, a managed backup and recovery provider formerly known as CloudBerry Lab, said vendors now aim to deliver backup and recovery through a mix of local and cloud infrastructure. He said backup vendors are shifting from their own cloud storage platforms to using public cloud storage and offering the ability to recover as cloud virtual instances. "That allows them to lower downtime when the on-premises hardware is not ready or was damaged," he said.
Multi-cloud complexity looks for simplification
Another trend that complicates SaaS data protection is the increase of multi-cloud platforms. Hill said 451 Research's Voice of The Enterprise Q1 2019 survey showed that multi-cloud adoption is far more common than most people suspect, with 72% of the organizations polled indicating they use two or more cloud platforms. "This can complicate things for multi-cloud customers, so it's something that should be a consideration when it comes to choosing a SaaS data protection vendor," he said.
"Multi-cloud is becoming the norm, and the challenge is pretty much the same for SaaS as it is for any other cloud production environment," Hill said.
In other words, not all cloud platforms are the same. Customers should expect their SaaS data protection vendors to help minimize the complexity of data protection that crosses multiple cloud environments. A lot depends on the nature of and need for that data -- for example, unstructured data like documents and media, semi-structured data like email or proprietary data from SaaS environments where the application environment only runs on that vendor's public cloud platform.
According to Hill, most of the SaaS data growth today is unstructured data in the form of media and other file-based content. Hill said he and his colleagues believe the next challenge for the IT industry is to establish a better model for identifying, managing and automating the governance of unstructured data. Along with offering a massively scalable model for data retention, the flexible metadata capabilities offered by object storage provide a model for granular data management. That is something that could better serve the challenges of e-discovery, personally identifiable information-based privacy and future deep learning initiatives, he added.
"From a disaster recovery perspective, a company should first address any industry compliance issues that may dictate data protection," Hill said. Then it comes down to finding a vendor that best covers your mix of SaaS applications and enterprise file synchronization and sharing platforms in the cloud. "From a business continuity standpoint, it's often as much about availability as protection. So having a current backup that exists in more than one place offers both data protection and better odds for continued availability," he said.
In terms of finding the best backup approach, Enterprise Strategy Group's Bertrand said there are competing topologies. These include backup to cloud as an extension of your on-premises infrastructure or backup of data and applications in the cloud, which could be to the same cloud, another cloud or even back on premises. "In the case of SaaS, backup is imperative to another cloud or on premises," he noted.
Best practices when choosing a SaaS vendor
In any event, SaaS data protection best practices should be driven by service levels, typically recovery time objectives and recovery point objectives, Bertrand explained. These choices are also influenced by operational efficiency aspects and costs.
"In some cases, organizations start by extending their on-premises solution to add a cloud destination. In other cases, they will shift to a service approach, with backup-as-a-service or disaster-recovery-as-a-service vendors," he said.
451 Research's Hill advised trying to find a SaaS vendor that can do the following:
- meet industry-based compliance requirements;
- provide comprehensive protection from ransomware and other forms of accidental or malicious data corruption and deletion;
- integrate with existing security and data protection systems, policies and requirements;
- deliver consistent capabilities across multiple on-premises and cloud platforms and access data in the absence of the primary SaaS platform;
- offer self-service data recovery capabilities; and
- support e-discovery, as well as future data identification, governance and lifecycle automation.
Service Organization Control 2, or SOC 2, certification should be table stakes for any SaaS or cloud-based backup platform, noted Doug Barbin, principal and cybersecurity leader of Schellman & Company, a global independent security and privacy compliance assessor. "If a company cannot back up its commitments to security and availability, that is a significant concern," he said. In fact, Barbin added, more comprehensive providers have International Organization for Standardization 27001 certification, Payment Card Industry validation and a documented process for dealing with GDPR and other privacy regulations.
At the end of the day, SaaS data protection is about supporting business-critical applications and processes in a way that fosters compliance and, ideally, enables further data reuse, Enterprise Strategy Group's Bertrand stressed.
Gartner's Simpson advised that companies consider in advance what data they're putting in SaaS applications and what would happen if they lost access to that data. "It's the same question you ask when you put apps in the data center that you control yourself," he said. "If you can't answer satisfactorily, then you shouldn't adopt the SaaS app."