This content is part of the Essential Guide: Cloud-based backup: Best strategies and practices
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

SaaS backup tips, trends outlined by Spanning VP

Listen to this podcast

Mat Hamlin, vice president of products at Spanning, details the importance of backing up SaaS applications and being able to restore those cloud workloads successfully.

As organizations continue to create more data in cloud-native applications, protection of those workloads is increasingly important. SaaS applications are popular and useful, but they need protection.

Organizations are starting to understand that they need SaaS backup, but there is still work to do, Mat Hamlin, vice president of products at Spanning, said in a podcast Q&A with SearchDataBackup. Spanning provides cloud backup and recovery for cloud-native applications Salesforce, Office 365 and G Suite.

"It's definitely an exciting time for cloud-to-cloud backup," Hamlin said. "I still feel like we're in a high-growth, emerging market."

One of the biggest challenges in the SaaS backup market is also one of the biggest challenges in data protection in general: recovering from ransomware. Hamlin said he believes that the next major target for ransomware is the cloud. Data can travel fast through the cloud, within an organization and into others, so it's critical to be careful.

Organizations need to make sure that not only are they backing up cloud data, but they can recover effectively. That means testing is key to a good SaaS backup strategy.

"Backup is one thing, but restore is everything," Hamlin said.

In addition, as security threats evolve and worsen, customers require less and less downtime. So, organizations need to be able to not only recover, but recover quickly.

In the last year, Spanning has featured several advancements and partnerships. Spanning's Salesforce backup product now directly restores metadata components to production and sandbox environments in a few clicks. The company launched collaborations with Kaseya and Unitrends, which Hamlin discusses in the podcast. Spanning, based in Austin, Texas, is also looking to make additions to its protection platform in the near future.

For more information on the need for SaaS backup, what's going on in the market and what Spanning has been working on, listen to the podcast, and read the transcript below.

Editor's note: The following transcript has been edited for clarity and condensed.

How aware are users of SaaS applications -- such as Salesforce and Office 365 -- that they probably need more backup and protection than what those apps offer?

Mat HamlinMat Hamlin

Mat Hamlin: At this point in the maturity of the market, it gets better and better every quarter that I talk to customers. I think there's still a lot of education that needs to happen. Spanning has been doing data protection for SaaS applications since 2011, and we spent a lot of time in 2013, 2014 and 2015 educating the market, educating industry analysts. And very often, our conversations with prospects started with questions like, 'Why do I need to back up my SaaS data? Don't they do that for me?' But we've seen a shift in the last 12 to 18 months where a lot of prospects are coming in much more educated.

They realize that there is a risk of data loss in those environments, caused mainly by human behavior, whether that's internal or external. And they're starting to ask the questions among themselves in the organization and between departments. We've made a lot of progress over the last four to five years, but I still think there's room to go. I still have conversations with customers and prospects about why you'd want to protect data in a SaaS environment.

What are some key data protection tips for users of SaaS?

Hamlin: My No. 1 SaaS backup tip is to eliminate the problem. What happens a lot of times is that when a workload or an application moves from an on-premises environment to a SaaS environment … the team that was protecting the infrastructure and making sure the application was highly available, that team gets disengaged. They don't ask those hard questions about the application. There's no hardware network to manage anymore. So, the rigor IT puts around making sure that data was protected and that infrastructure and applications were always available isn't there anymore.

If you talk to the application owner, very often, they haven't historically spent a lot of time or thought around making sure that it was fully protected because it was somebody else's job. When you move from an on-premises to a cloud application, sometimes, there are security practices, like backup and recovery, that could get lost in that transition. So, if you're an application administrator, ask your core IT team or your backup team, 'Are you doing anything to protect the data?'

And vice versa if you're on an IT team or a compliance team: Be asking the other constituents in your organization, 'What are we doing as a company to protect the data that's in this SaaS environment?' The rules and the compliance controls don't change as you move between on-premises services and cloud. The responsibilities change a little bit, but ultimately, the data that's in this SaaS environment, it's still the company's responsibility to protect it and make sure you can always recover it very, very quickly. Ask lots of questions of your organization.

My second tip, as you are progressing with the project to protect your SaaS data, as you're evaluating solutions, absolutely spend lots of time during the testing cycle and proof of concept working with restores. We often say, 'Backup is one thing, but restore is everything.' There are a lot of products out there that can protect your data or back it up. There are features and functions in Salesforce and Office 365 that have some level of protection, like recycling bins and things like that. But when it comes down to recovering from a data disaster, it's all about the recovery.

Test the restore from a variety of different scenarios. Pretend you've been attacked by ransomware, and see if you can get your data back. Pretend somebody left the organization 60 days ago and now you need that person's data back, but it's been purged from Office 365 permanently. So, test out those restore scenarios, and cover quite a few of them to make sure it's going to actually perform when you really, really need it.

In terms of security issues, how big of a risk is ransomware with SaaS data?

Hamlin: There's definitely a risk to the organization as a whole. Very often, employees are syncing data down from the cloud through their laptop and vice versa, whether it's OneDrive for Business, SharePoint or Google Drive. The data that resides in the cloud typically also resides on the laptop. So, if a ransomware attack happens, it encrypts data on the endpoint, and that encrypted file now gets synchronized up to the cloud. Now, it's in Google Drive or OneDrive for Business, and worse, it gets propagated because of the strong collaboration aspects of those services.

If a file gets encrypted on your laptop and syncs to your OneDrive for Business account, then you share that file with people in your company -- or, worse, people outside of your company -- now that encrypted version has been pushed down to them as well. I truly believe that the next target for ransomware is the cloud itself. There are ways in Google and Microsoft Office 365 to execute code in those environments.

So, how can users best protect their SaaS data from ransomware?

Hamlin: There are a lot of things on the front end you can do. The mantra of the National Institute of Standards and Technology's Cybersecurity Framework is 'protect, detect, respond and recover.' When it comes to data protection, what we do at Spanning from a backup and recovery standpoint, we really fall in to that 'protect,' which means you should be backing up your data and have a second copy somewhere. If a data disaster caused by malicious outsiders does occur, you have, first and foremost, the data somewhere that's protected that you can recover from. Also on the 'protect' side, you have a lot of options, like two-factor authentication and ransomware malware scans.

Then, the last element is 'recover.' It's about business continuity and making sure that you can resume business operations to the way they were before the ransomware attack. The key piece of that is having that data in an environment where it's protected. And how quickly can you get the data from that environment back up and running in the system to recover quickly so your business can continue to move forward? So, you don't have days of downtime from that attack.

What else do you think will be main challenges in the SaaS backup market in the near future?

Hamlin: The services that we protect, such as Microsoft's Office 365, move really fast. In conjunction with that, they're releasing new APIs that we have to utilize to protect that data. They're making changes to those APIs. They're releasing new services quickly, and those services are being adopted quickly. So, Microsoft Teams, Microsoft Planner, a lot of these new services that they're bringing out provide a lot of value to their customers. But for us to properly protect all that data across all those services, we have to adapt very, very quickly as well.

Spanning has been pretty busy this year with enhancements to its Salesforce Backup and also an OEM partnership with Kaseya for its Office 365 Backup. What else is on the Spanning roadmap for the year ahead?

Hamlin: For this year, we'll continue to expand on both those fronts. We're definitely investing a lot in both our Office 365 and Salesforce products. In Office 365 specifically, our goal is to provide total coverage for the whole suite. Today, we protect the Exchange workload, SharePoint and OneDrive, but we want to move into the additional services that are being used, such as Teams and Planner. Those are all being considered and will probably be worked on some this year.

For Salesforce, we'll continue to work and move forward on more detailed restore scenarios. Salesforce, the way that they structure their relationships between the data elements, such as accounts, contacts, attachments and files, they're all really related to each other, and there's a lot of depth in some of the specific restore scenarios. We continue to spend time and effort on those. So, if a customer has destroyed thousands of records or a single record or if the customer needs to get back only certain fields on certain record types, we want to be able to cover any scenario. And the time to get data back up and running correctly has become shorter and shorter.

We're very excited about the partnership with Kaseya. Their focus is primarily that midmarket and managed service provider market that serves SMB clients. That's a market that we've had some success in but, honestly, haven't had a tremendous amount of investment in over the years. We primarily focused on midmarket and enterprise. Kaseya was a great opportunity and a great partner for us to bring our products down into that market. They've got a huge customer base, and the needs of their clients are the same as the needs for our midmarket and enterprise clients, for the most part.

We also recently announced a partnership with Unitrends to help bring Office 365, Salesforce and G Suite later this year into their offerings.

Are there SaaS elements or applications that you'd like to see Spanning tackle that it hasn't yet?

Hamlin: Our vision for the future is that we continue to add services to our SaaS backup portfolio as we grow. We, very often, get asked by our existing clients for protection for some of their other key services. We don't have specific plans yet. I do have a list that I keep in my back pocket of where we're going to invest and how we're going to grow. Often, we hear, especially from our midmarket and enterprise clients, that they're using services like NetSuite, ServiceNow and Workday, things that are much more business-critical. So, we'll probably pick up one of those over the next year or two.

We still occasionally have requests for Box or Dropbox. Those are fairly natural patterns for us since we could probably build a product for those much quicker just because we do Google Drive, Office 365 and OneDrive today.

Disaster Recovery