Data protection for SaaS-based apps is a work in progress

Organizations with SaaS-based applications are still relying on the providers for data protection, even though the vendors are rarely responsible for SaaS data backups.

TechTarget's Enterprise Strategy Group recently conducted an in-depth survey on SaaS data protection, and the findings should give IT professionals pause.

Survey participants were personally familiar with and/or responsible for SaaS data protection technology decisions, specifically around those data protection and production technologies that use cloud services. Participants were from midmarket and enterprise organizations in the United States and Canada. (This research data and report are available on the ESG portal for subscribers.)

According to the survey findings, there is a significant disconnect when it comes to backup and recovery for SaaS applications. We identified this issue before, and it continues to manifest: one third of IT professionals don't do anything to protect their SaaS-resident application data. Organizations that decline to protect this data often believe it is the responsibility of the vendor.

Let me be clear: There are no magic backup people in the cloud who will do your data backups for you.

ESG survey results on protecting SaaS data

SaaS providers are not responsible for protecting your data

What SaaS application providers do to protect themselves does not change the fact that you need to have your own backup. In my opinion, SaaS application vendors must revisit how they educate end users on service levels and clearly delineate what is their responsibility versus what is the end user's responsibility. Putting it in a contract is clearly not enough to grab the attention of the end user. More market education on the topic of recovery is needed. This may also be an opportunity to promote alliances and an ecosystem of partners who can deliver backup and recovery.

Many enterprises now rely heavily on SaaS applications for business-critical functions, making these applications mission-critical. This comes with many consequences from a service-level and data protection standpoint.

Most organizations report having lost SaaS-resident data in the last year. Even worse, more than a third of organizations report that the service itself is the primary cause of data loss or corruption -- the most common issue cited. There are many ways to lose SaaS data, including deliberate, malicious data destruction, whether external through cyber attacks or internal through malicious deletions by employees.

If you are an IT professional reading this, you may think, "Wait, it is a shared responsibility model. So I may have some work to do, but so does the vendor." That is true. However, off the top of your head, can you identify the key metrics, service-level agreements (SLAs) and responsibilities for each of your top 20 or so SaaS applications? Do not confuse service uptime with your ability to recover data that has been corrupted. Based on our research, it is obvious that many IT professionals do not really understand what the roles and responsibilities actually are. There is a clear market education problem.

What can you do about SaaS-based apps now?

End users must consider and classify all their applications and their interdependence to confirm desired recovery SLAs and identify gaps. This is not new; it's a good practice for business continuity and disaster recovery as well as data management. A simple rule is to consider what would happen should the service be unavailable or the data in it unusable. What business processes does it break? What compliance risks does it open the business up to?

Now, let me ask you a few more questions: Where is the backup for each of your top 10 SaaS-based mission-critical applications? When was it run last? Who owns it? Is it a "real" backup, not just a CSV or XML export of sorts? Can you recover all of your data, automations, structure, etc.? Can you do anything with it?

Backup and recovery vendors must cover more workloads, faster. Establishing standards with SaaS vendors may be a path, but IT history shows us that these initiatives take time and often fall short. Building and marketing an open API model may be a viable option to enable SaaS vendors to use backup and recovery expertise and services. Adding just one or two SaaS workloads a year seems unlikely to satisfy the market.

While I typically remain agnostic in terms of which vendors to select, I will just point to a recent announcement from backup provider HYCU on the very topic of SaaS protection that got my attention. It's early days, and execution will be key, but this is an interesting approach to start making a larger dent in the problem.

The good news is that many organizations have identified this issue and are prioritizing efforts to improve their SaaS data protection capabilities. Protecting SaaS applications is a top IT priority for more than four in 10 organizations, and another 45% report it is in their top five priorities. Is it in yours?

Keep an eye out for future posts, in which I will zoom in on some key applications and other salient findings.
