Data protection experts weigh in on SaaS backup confusion

Recent research from ESG shines a light on a potentially troublesome misunderstanding about SaaS data backup and protection.

The cloud has transformed IT operations -- and data protection is no exception. Many organizations, however, still fail to properly back up their SaaS applications.

Enterprise Strategy Group (ESG), a division of TechTarget, recently released the findings of its 2021 survey on cloud data protection. Those findings suggest that, while cloud backup is on the rise, there is still much confusion about the roles and responsibilities related to SaaS data protection. In some especially alarming cases, organizations run mission-critical SaaS applications without backup.

In this Q&A, provided to SearchDataBackup from ESG, two analysts explore a lack of awareness around SaaS backup and the reasons behind it. They also discuss where SaaS providers and backup vendors have a responsibility to step in and educate the organizations they work with.

The below Q&A contains insights from Christophe Bertrand, ESG senior analyst, and Vinny Choinski, ESG senior lab validation analyst. Monya Keane, senior research analyst at ESG, moderated the discussion.

Editor's note: Answers and questions have been edited for clarity and brevity.

What is fundamentally different between SaaS backup and recovery versus traditional backup?

Vinny Choinski: SaaS applications are born in the cloud, and you're governed by the distinctive limits of these applications when protecting their associated data. In the old days, applications lived onsite on a server in a data center. You'd install a backup product on that server and back up data in the traditional way.

But now, it's all in the cloud. When you back it up, you use APIs. You run the risk of making too many API calls and shutting down your ability to back up. Each API call is a different object, so every time you perform a backup, copy, delete or move operation, you risk hitting your API call limit and therefore shutting down your ability to perform the backup.

Additionally, you're sharing these cloud resources with a lot of other tenants. They're all doing analytics, strengthening security, and so on. Basically today, you're governed by the way the application was developed for the cloud versus how fast you can stream data to tape, as in years past. You've got to make those calls efficient.

Christophe Bertrand: SaaS applications were not developed with backup in mind. There is a disconnect in the market that's not going away. With a SaaS application, there's nothing on premises. You have web access to it, but somebody else is hosting, running, managing and optimizing it within an infrastructure shared with a bunch of other clients you don't know.

But here's the thing: Your data is always your responsibility, and that's where the big disconnect arises. Thirty-five percent of the market thinks that their SaaS vendor -- for example, Salesforce or Microsoft 365 -- is responsible for data protection. That's not true at all. People are confusing the availability of the service itself with the recoverability of the data that the service contains.

Bottom line: You have to back up your Salesforce or your Microsoft 365 data. It's your responsibility, even if only from a compliance perspective. Aside from that 35%, a good portion of the rest of the market believes it's a shared responsibility. But the truth is that they're totally, solely responsible. And only 13% of the businesses we surveyed understood that fact. It is concerning to me how many organizations are totally disconnected from the reality that they are responsible for protecting this data. Using a SaaS application doesn't absolve them from having to do the backups.

That disconnect -- the fact that levels of unawareness remain so high -- is it worrying?

Bertrand: Yes, including the fact that we see variation based on an organization's age. Younger organizations that are 'digital natives' tend to be more trusting of the cloud. For that reason, they think the SaaS providers will take care of the data protection. Older organizations are less trusting and better understand that they are solely responsible because they'd been doing backups onsite for so many years.

This is an educational issue. It's starting to get better regarding Microsoft 365, but we still have a long way to go. The same goes for Salesforce. We've found that the majority of Salesforce users do not use third-party tools to back up their environments, and there is no native Salesforce backup tool anymore. Only 41% of the respondents report using a third-party tool to protect their Salesforce data, which means about 60% of Salesforce users are running this mission-critical application without backup, which is nuts.

Choinski: A year and a half ago, we interviewed one of the most supposedly savvy CIOs in the business world. He told us he's trusting the SaaS vendors to take care of his backups. That is really dangerous. If a data mishap occurred one hour ago, the app may still be there for you, but customer records might be gone. How do you get them back? You're in a multi-tenant setup. The SaaS vendor might be able to do a rollback, but not if you're one of 200 clients on that Salesforce instance, as it would impact every tenant.

It's also fraught with danger because the stakes are so high with Microsoft 365 and Salesforce -- they are two mission-critical applications that many end users depend on constantly throughout the workday. Being unable to recover even an hour's worth of accidentally corrupted or deleted data because your SaaS vendor is not capable of providing recovery services is a real risk. So, yes, the fact that this disconnect remains so prevalent is alarming.

Are there any other special considerations companies that depend on SaaS backup should know?

Bertrand: Yes, there are situations in which the service itself corrupts the data. Twenty percent of our respondents have experienced an outage or data destruction due to unavailability. But if you add up all of the possibilities that can result in data deletion -- that is, internal and external malicious deletions plus human errors -- that 20% number rises to 45% that have experienced an outage or data-loss event, which is a pretty big number.

Also, some organizations don't really understand the retention/deletion policies of Salesforce or other SaaS applications they're using. If you close your account with Salesforce but don't understand the deletion policy, you can lose data before you're ready.

And with Microsoft 365, recoverability success rates still leave a lot to be desired. If all companies were still using the traditional Microsoft Exchange on premises, you would expect to see a rate of nearly 100% recovery success across a survey sample. We're not quite there yet for this mission-critical application in its SaaS form.

Microsoft 365 recoverability is slowly improving, but 100% still seems elusive for many.

Choinski: We are, however, seeing a renewed focus by the data protection vendors in terms of touting their ability to back up SaaS data. Expanded usage of Microsoft 365 -- beyond just email messaging -- makes that platform so much more important to a business. I believe people are now starting to think that they need better protection capabilities than what's inside any built-in tool because their workers are using Microsoft 365 so extensively. Microsoft is trying to incorporate capabilities for data loss prevention and governance, but it's not true, full data protection.

Do you think SaaS providers should take a bigger role in educating end users about data protection responsibilities?

Bertrand: Yes, but really the backup vendors should be doing the bulk of the educating. After all, it's not just Salesforce and Microsoft. We see the same disconnect with other SaaS vendors who perhaps have been escaping the scrutiny that's needed from a data protection standpoint. The market today is only focusing on two tips of the iceberg: Microsoft 365 and Salesforce. But that's just the beginning.

In all cases, though, organizations have a low tolerance for data loss. Unfortunately, they're disconnected in terms of what they need to do from a backup/recovery or high-availability standpoint. Our research shows that for Microsoft 365, 23% of companies want no data loss. A larger percentage want no more than 10 minutes of data loss. This represents a big gap between desired service levels and understanding their own responsibility to ensure such tight service-level agreements (SLAs) are achievable.

Can third-party backup vendors realistically reassure organizations that they will be able to retrieve lost SaaS data?

Bertrand: Most do offer Microsoft 365 SaaS protection today, and some are starting to cover Salesforce. It's just that not enough SaaS-using organizations are deploying these solutions because they mistakenly believe they don't have to -- again, they think the SaaS application providers are taking care of that effort. But they're not.

Choinski: IT organizations make a lot of assumptions related to anything in the cloud. They assume that some kind of data protection is just going to be there. Aside from Salesforce and Microsoft 365, I expect we are going to uncover some really big protection-related shortcomings with a lot of the other up-and-coming SaaS applications as well.

What is the underlying reason for the lack of education about SaaS backup responsibilities?

Bertrand: One underlying reason is that the role of the backup and recovery specialist has really changed a lot in the past few years, mainly because of the large-scale movement away from traditional, on-premises backup. The mass movement of business to the cloud has put IT operations at the forefront. So, instead of seeing teams of dedicated backup specialists on payrolls, we are seeing larger teams of IT generalists managing all the cloud stuff. And they may not understand all the details and subtleties of backup and recovery.

We don't see that as much within older organizations, but certainly we do in the younger ones. Older businesses seem less likely to trust that data protection is automatically being done for them.

The other root cause is that with some applications deployed to support business requirements, maybe the backup checkbox was just not checked. Look at DevOps for example. Developers focus on things like using the GitHub platform to help them collaborate and create applications. They're not thinking about backup.

What specific advice would you give end users?

Bertrand: First, educate yourself thoroughly about the SLAs of all your SaaS applications. Second, classify your SaaS applications in order of priority: There may be some that you don't have to spend too much time on. Third, ensure that you have an actual backup and recovery schema in place. And finally, test it all.

Choinski: And never forget -- don't confuse availability of the SaaS with the protection of the data in that service.
