Murrstock -

Businesses still lax about SaaS backup

An ESG survey finds customers can't reliably recover Office 365 and Salesforce data, despite the criticality of these SaaS applications and the availability of third-party tools.

Backing up SaaS application data isn't a new practice, but a recent study found businesses are still struggling with the concept.

In May, Enterprise Strategy Group (ESG), a division of TechTarget, released a research report titled "The Evolution of Data Protection Cloud Strategies." ESG conducted a similar study about SaaS backup in 2019, and the new report found little improvement since then.

In this year's survey, 35% of respondents said they rely solely on the SaaS vendor to protect their data, despite inherent limitations. Microsoft's Office 365, for example, can only restore data up to 30 days old, and Salesforce actively promotes the use of third-party SaaS backup products to protect its platform.

The report was based on a survey taken in January and consisted of 381 IT professionals who were responsible for data protection technology decisions for their organization. All participants had to be using the cloud in some way, either by consuming cloud-based data protection services or by protecting applications, infrastructure or data hosted in a public cloud.

Office 365 is one of the most widely used SaaS applications today, providing communication and collaboration tools for businesses across all sectors. Some 81% of the respondents in the ESG study said they've had to recover Office 365 data. Among those, 15% said they were able to recover 100% of that data, down from 21% in 2019. Meanwhile, 43% of respondents in this year's study reported recovery ranges between 76% and 99%.

Given the number of important documents, records and communications in Office 365, there should be no tolerance for data loss, said Christophe Bertrand, a senior analyst at ESG who worked on the survey. The same should be true for Salesforce, Google Workspace and other SaaS applications -- all data that's mission-critical to a business should be backed up and 100% recoverable, he added.

There's still a big disconnect, and it's not going away. Businesses have to learn: It's your data, it's your problem.
Christophe BertrandSenior analyst, Enterprise Strategy Group

When one-third of IT decision-makers are relying on their SaaS vendors, thereby choosing a method that doesn't provide 100% recovery, it's a sign the market needs more education on SaaS backup, Bertrand said. Too many businesses are conflating the availability of the service and the availability of their data within that service, not realizing the SaaS provider isn't responsible for the latter.

"There's still a big disconnect, and it's not going away. Businesses have to learn: It's your data, it's your problem," Bertrand said.

The perception of protection

Age appears to have an impact on a company's third-party SaaS backup adoption, Bertrand said. Respondents reported the top cause of SaaS application data loss is deletion, either accidental (20%), external and malicious (19%), or internal and malicious (6%). Older, established organizations with experienced IT teams have probably already been solving for these problems with on-premises backup and are more likely to understand the importance of translating those practices to the cloud.

By contrast, organizations that have existed for 10 years or fewer, which made up 17% of respondents, tended to believe the cloud "can do no wrong" and that their data is always safe there, Bertrand said.

Krista Macomber, senior analyst at Evaluator Group, found similar results from her research. IT administrators who "grew up" in the on-premises data center tend to acknowledge the importance of SaaS applications and believe they require the same level of protection.

But it's not simply a matter of organization age or experience level of its IT staff, Macomber added. SaaS application adoption is sometimes driven by lines of business and then implemented without any IT oversight. The people managing the SaaS applications for their organization may assume all their data is protected by the application provider.

"There is still a perception that, since SaaS apps are built to be resilient, and since they have built-in capabilities like a recycle bin function, maybe third-party data protection isn't needed," Macomber said.

This is the group that's more likely to be confused about the shared responsibility model, and these are the people vendors need to reach, Macomber added.

The right people aren't getting the message

There is no shortage of SaaS backup tools on the market. Vendors such as OwnBackup and Odaseva focus primarily on backing up SaaS application data, and most data protection vendors such as Cohesity, Commvault and Druva have products for Microsoft 365 or Salesforce protection.

Third-party SaaS backup also has tangible advantages over native backup. Cohesity's backup-as-a-service for Microsoft 365, for example, provides data isolation and stores the backup data for longer than 30 days. All backup data captured with Commvault Metallic, which recently expanded its Microsoft 365 offering to include Microsoft Dynamics data, has infinite retention by default.

The problem isn't the technology, but instead lies with informing the right people, said Manoj Nair, general manager of Metallic, a division of Commvault. There are still customers who think SaaS providers are responsible for protecting everything, but they're generally not security teams or data management teams, Nair said. Instead, it's people outside those groups who either question the criticality of SaaS application data or who gamble the cost of protecting it against the likelihood of losing it.

"Some people making the decisions aren't close enough to the problem," Nair said.

Illustrating this point, a study published this month found only 8% of CEOs personally track the metrics of their company's data recovery plan. The research was conducted by Dimensional Research and commissioned by Arcserve, and it polled 709 respondents with budget or technical decision-making ability for a company with 100-2,500 employees. Twenty-seven percent of respondents said their CEO or president understands the data recovery plan in detail but do not personally oversee its implementation, and 58% said their CEO only wants basic assurances that a plan is in place but no details.

Ten years ago, the responsibility for data recovery could've been delegated to a CIO or chief information security officer, but the explosive rise of ransomware during the COVID-19 pandemic has turned it into a problem that can impact the entire organization, said Shridar Subramanian, chief marketing officer at Arcserve.

A ransomware attack can cause compliance problems if personal data is accessed or deleted, and the blow to the company's reputation can affect future business. That's why CEOs shouldn't be solely focused on expanding the business, cutting costs and maximizing profits -- they should also be thinking about protecting what they have, Subramanian said.

"It behooves every leader to stay on top of things, especially as these threats are increasing," Subramanian said. "If you're looking out for your shareholders, it's extremely important to protect your data."

Ransomware and SaaS backup are inextricably linked. The risk of ransomware is the highest reported reason customers subscribe to Metallic, according to Nair. In the ESG survey, 19% of respondents cited malicious deletion from outside attackers as their No. 1 source of SaaS data loss. Other than its maturity and size, another factor determining how closely an organization scrutinizes cloud data protection is whether it's been attacked by ransomware before, according to Bertrand.

The ESG study concluded there is still a need to educate customers about data responsibility when it comes to SaaS applications. Nair and Subramanian emphasized that those education and marketing efforts need to reach the people who are ultimately responsible for protecting SaaS application data.

Dig Deeper on Cloud backup

Disaster Recovery