The premise of SaaS is that the provider keeps data secure and removes the need for boring things like backup. But the reality is that data in SaaS applications can be lost or stolen, so backup is vital.
Backup is not a black art: you make copies of primary data in case something happens to it, keep the copies safe and make sure you can restore the data in case of emergency.
But as more data moves to the cloud, or is created there and never leaves the cloud, well-known precepts of backup start to blur. It becomes less obvious who is responsible for protecting data and the kind of damage that must be guarded against.
Consider, for example, how you might restore an Office 365 mailbox. Or how you would protect data in software-as-a-service applications like Salesforce? Or whose job it is to back up cloud storage services like Google Drive or Dropbox?
Many customers assume that data protection is handled by SaaS providers and cloud serivces, bevcuase they make such a a fuss about their investments in resilient infrastructure.
That assumption is partially sound. SaaS providers, like any good IT shop, will have backups that protect their systems from damage, but the motivation of the SaaS provider is not quite the same as that of customers. The SaaS provider’s main motivation is to protect their service as a whole, not to protect individual customer data inside the system.
“The biggest challenge is the assumption that ‘It’s in the cloud’ means data protection is addressed,” says Curtis Preston, chief technologist at cloud backup vendor Druva.
“Even if the SaaS app offers built-in basic protections against some things, like accidental deletion, these features do not protect against things like ransomware or malicious users.”
That means that SaaS providers can be blind to incidents like a disgruntled employee who deletes records. Such a worker looks like a logged-in user doing something they’re authorised to do. So does a worker who accidentally deletes data. In both cases, the SaaS provider happily deletes the data, even though it is a critical business asset, while still keeping the remaining data safe with its resilience tools.
Using SaaS therefore changes the nature of data protection requirements, rather than eliminating them. This presents an opportunity for resellers to educate customers about the change in requirements, rather than letting unfounded assumptions place their data at risk. This is particularly important for customers attracted to cloud because it reduces the infrastructure they need to manage.
“Moving data and applications to the cloud does not eliminate the need for a data protection policy,” Preston says. While you may no longer need backup servers in a datacentre, the data still needs to be protected.
So what are the options for backing up data in the cloud?
“Organisations need to understand their systems and requirements first, and then select what cloud solution is best for them,” advises Scott Gosling, national practice manager of cloud
This is where resellers play a crucial role, helping customers to understand the difference
between traditional backups and SaaS backups.
One substantial challenge is that because SaaS applications are hosted and provided via website or API, the backup mechanisms available vary by SaaS application, resulting in complexity. Backing up accounting data from Xero is a different process to backing up data from Salesforce.
SaaS providers will often provide some kind of data export function—particularly with the advent of the UK’s General Data Protection Regulation (GDPR), which makes data export mandatory—but this is often a manual process. For automated data protection, the appropriate solution will depend heavily on the set of SaaS applications a customer is using.
Druva supports backing up of data from Salesforce, for example, but not from Xero (at time of writing).
Traditional backup providers are also adding SaaS support to their products. Veritas has a product for backing up from Salesforce, Office365, and G Suite, as does Commvault. The challenge for customers comes when they choose less mainstream SaaS offerings. Office365 and Gmail are well supported by various tools, but what if you decide to go with local-to-Australia provider Fastmail instead?
This can affect customers’ future choices of SaaS offerings. Their current backup tool may not support the SaaS option that would best suit their business, so do they compromise on a less-than-suitable SaaS solution that is supported by their backup tool, or add another backup tool? This is another area where a trusted channel partner can add a lot of value by helping customers to make a decision they’ll be happy with now and well into the future.
Combining SaaS with a good backup strategy can provide a lot of advantages. So, despite the complexity, it’s worth encouraging customers to use SaaS services when it makes sense for to do so.
“If a staff member deletes something, either by mistake or maliciously, the great thing about SaaS is that the data can be recovered quickly, meaning there is no loss of sensitive information or company IP,” says Data#3’s Gosling.
Many backup options can also provide a bridge from more traditional methods of backup to more cloudy, SaaS-enabled ways of working.
Gosling advises a hybrid approach that includes some tape for maximum safety. “Leveraging physical tapes for backup is still a valid part of the backup strategy for any organisation. The use of cloud can speed up the time for recovery, while having piece of mind that your data is safe and secure,” he says.
Things to watch
Designing the right data protection strategy for SaaS applications requires just as much care as any traditional backup regime.
Druva’s Preston advises keeping an eye on how SaaS vendors charge for getting access to your data. “There are a few components to this but the primary ones are egress costs (getting your data back), which many vendors charge additional fees for, and storage costs,” he says.
“If the system doesn’t scale well, or offers inefficient data deduplication capabilities, costs can skyrocket and then nobody is happy.”
Data#3’s Gosling also advises customers to keep an eye on costs. “Balance your costs versus requirements and ensure you are partnering with an experienced provider,” he says. The world of SaaS backup is complex at the moment, so inexperienced vendors can overlook important details.
Testing is one detail that is often overlooking with data protection, both traditional and with SaaS. “You should ask if they have tested their restore and where they restored to,” says Owen Hollands, an enterprise architect and former data management consultant.
“If the cloud provider loses your data, or they go down, or out of business, can you restore the data somewhere else if you needed to?” Hollands asks. “And if you can’t, is that an acceptable risk?”
With so many workloads moving into the cloud, customers need data protection options to keep their data safe. Traditional, on-site-only backup solutions aren’t suitable, so resellers will need to add new options to their portfolio.
Happily, most vendors are adding cloud-compatible features to their products, so if you have a favourite backup vendor, make sure you ask them about their SaaS capabilities.
1If you’re not wedded to a particular vendor, now is a good time to look for SaaS backup options, so you have something to offer customers who will inevitably ask about it.
It’s also a great time to ask your customers how they’re protecting their cloud-based data.
SaaS apps provide a massive opportunity for savvy channel partners who can help customers reduce IT overhead while keeping data safe.