Most cloud service and app vendors follow a longstanding tradition of requiring customers to back up and protect their data under the auspices of the shared responsibility model.
This agreement makes cloud providers and SaaS vendors responsible for the uptime of the service and infrastructure maintenance, while customers are responsible for backing up and protecting the data they use in the service.
That delineation, which provides app and infrastructure vendors protection from potential legal and logistical headaches, might become muddied by Microsoft.
Last month at Microsoft Inspire, the technology conglomerate unveiled plans to sell Microsoft 365 Backup, a backup and recovery service for its own Microsoft 365 productivity and collaboration SaaS suite. The service will be available in public preview in the fourth quarter of 2023 through Microsoft Azure.
The addition to Microsoft's cloud portfolio builds on a combination of resources and experience that puts the vendor in a unique position to offer such capabilities, according to backup and recovery experts. But it also creates a bellwether for future customer demand and the market has yet to settle on what a holistic SaaS backup offering looks like.
Microsoft 365 may be the most widely used productivity toolset in the world, said Christophe Bertrand, an analyst at TechTarget's Enterprise Strategy Group. Protecting Microsoft 365 data has turned into an industry all its own for backup vendors, but how Microsoft will market and execute on its protection offering remains to be seen.
Regardless, SaaS customers still need to understand and uphold the shared responsibility model before disaster strikes, according to Bertrand, which some customers continue to ignore even after almost a decade of awareness attempts.
"Microsoft 365 has been the most pervasive collaboration tool in the world," he said. "That means millions of seats out there. The question is [if] that data is adequately protected."
Important program protection
Microsoft 365 Backup provides backup and recovery services for a handful of applications within the Microsoft 365 SaaS portfolio: OneDrive, SharePoint and Exchange Online.
Capabilities include file, site and mailbox restoration at granular or massive scale as well as the ability to search backup content using metadata, according to Microsoft. The backup service does not currently extend to applications such as Teams, Word and Excel, among others.
Microsoft declined to comment for this article.
Google also provides a productivity SaaS portfolio in its Google Cloud Platform (GCP). But like other technology vendors, it doesn't offer its own backup product for Google Workspace.
SaaS buyers, who might make purchases not sanctioned by IT, may not be aware of the need to back up and protect cloud data, said Krista Macomber, an analyst at Futurum Group. Microsoft's productivity suite has a long history in the enterprise, so offering a service that buyers can add to their carts at checkout provides an avenue for protection they may have otherwise overlooked.
"We've already been protecting [software like] Microsoft Exchange on premises for decades," Macomber said. "That's an established use case. But when we think about [Microsoft 365] or Google Workspace, that's going to be a newer application born in the cloud. That's going to be something we really need to instill that [backup] use case."
Beyond promises of restoration of service level agreements as well as operating within the Microsoft 365 security boundary, the logical separation between data and the technology stack operations, details provided by Microsoft about how the service will operate are scarce.
The lack of information will have many enterprises stick with their existing backup and recovery services, especially those operating with terabytes or petabytes of information, according to Jerome Wendt, founder and CEO of Data Center Intelligence Group. Enterprise customers have data protection requirements beyond the scope of Microsoft's service, such as more demanding SLAs or workloads and third-party SaaS applications outside Microsoft's portfolio. Customers of Microsoft's backup service should also consider the possibility of service interruptions for restorations should Azure itself go offline.
Wendt believes Microsoft 365 Backup is focused more on SMB customers that may not be aware they need backup and may have less than a dozen active users. He also didn't see indications that the service would simplify recovery, such as by offering specific management tools, outside of providing backup data.
"If you're talking five to 20 users, you're looking at the majority of small businesses in the U.S.," Wendt said. "That's the sliver of business Microsoft is interested in. [Those customers] are not thinking about doing recoveries. If they can get back yesterday's or last month's emails, they're probably good."
Microsoft 365 Backup also marks the vendor's first foray into the backup and recovery market, Bertrand added, beyond selling infrastructure backup services for Azure that competes with rivals AWS and GCP.
"They're not trying to compete with the advanced capabilities other [vendors] are providing," Bertrand said. "Microsoft has never really tried to be a backup and recovery vendor."
Microsoft indicated it had no intention of competing with existing backup and recovery services and said partners can build "on top of our Backup APIs" in its initial blog post detailing the service.
"[Microsoft] doesn't want to compete against them or, frankly, get them angry," Wendt said.
An executive at HYCU, a SaaS data backup vendor that offers a Microsoft 365 recovery service, said most enterprise customers will require features that backup and recovery specialists provide.
Jerome WendtFounder and CEO, Data Center Intelligence Group
"I think there's enough opportunity for us to add value," said Subbiah Sundaram, senior vice president of products at HYCU.
Earlier this year, HYCU launched its own data protection SaaS, R-Cloud, that lets SaaS vendors use HYCU's API connections to layer backup features into their offering without extensive retooling or development.
As the number of SaaS vendors increases, creating bespoke data protection and recovery capabilities will also become a challenge, Macomber said. Because of the shared responsibility model, SaaS vendors building for the line of business may consider data backup someone else's responsibility. Meanwhile, backup vendors are running out of bandwidth to support new products. Services like R-Cloud attempt to address this but are still limited by customer interest and vendor implementation.
"[Data protection vendors] are not going to have the means to create protection for each of these SaaS applications," Macomber said.
HYCU's offering may work for smaller app vendors, but tech giants like Microsoft could still lock customers into specific services or data storage locations since it also controls the cloud infrastructure itself. Indeed, Microsoft previously caught flak from customers that wanted to run Microsoft applications in competitor clouds but faced an increase in licensing costs for operating outside of Azure.
"They're not going to be incentivized to make that easier," Macomber said.
This confusion over who is responsible for backing up what data will only continue to increase in the years to come, Wendt said. Microsoft's new service may only spark further confusion and operational complexity.
"It's going to be the wild west for the next decade," Wendt said. "Once you start taking on this data responsibility, there's a lot of complexity."
Tim McCarthy is a journalist from the Merrimack Valley of Massachusetts. He covers cloud and data storage news.