Dropbox. Google Workspaces (formerly G Suite). Microsoft Office 365. Salesforce. These software-as-a-service (SaaS) offerings represent some of the business-critical applications which organizations increasingly obtain from cloud providers.
As organizations adopt these cloud-based SaaS offerings, they must rethink how they protect and recover data stored in them. Using cloud-based SaaS applications organizations no longer control the hosting, backup, and recovery of these applications. Rather, SaaS providers assume these responsibilities. However, organizations do retain responsibility for the protection and recovery of the data they store in these applications.
This separation of responsibility of who protects and recovers data stored in cloud-based SaaS applications changes the DR model. Providers now control the recovery of the applications. This leaves organizations in the somewhat unfamiliar role of only needing to recover the data they store in them.
This division in recovery responsibilities creates a two-fold impact. It influences the procedures that organizations adopt to protect and recover data stored in these SaaS applications. It also impacts their choice of tools they use to perform these tasks.
SaaS Providers Change the Shared Responsibility Model
Many organizations may already know they retain responsibility for recovering the applications and data they host with infrastructure-as-a-service (IaaS) cloud providers. These providers offer the underlying infrastructure (networking, power, servers, storage, security, etc.) which organizations need to use these providers’ clouds.
As part of their service, IaaS providers assume responsibility for the availability, maintenance, and upkeep of the infrastructure. Organizations then assume responsibility for any applications or data they host in these clouds.
SaaS cloud providers change this shared responsibility model in one important way. SaaS providers assume responsibility for the availability, reliability, and maintenance of their application. This leaves organizations with the responsibility of protecting and recovering data they store in it.
This change influences how organizations should protect and recover data hosted in cloud-based SaaS applications. No longer responsible for application recovery, organizations must rethink how they recover their data if the SaaS application goes offline. Further, they must examine the data protection options available to them and how they facilitate recovering their data.
Recovering Cloud-based SaaS Applications
Organizations must first consider where providers host their cloud-based SaaS applications. Many, if not all, host their applications in infrastructure-as-a-service (IaaS) clouds that achieve annual uptimes rates of 99.95% or greater. These uptimes coupled with dedicated, trained support staff minimize application outages and facilitate faster recoveries should outages occur.
Unfortunately, as numerous Office 365 outages in the fall of 2020 revealed, SaaS applications may become unavailable for minutes, hours, or days. Outages, or even slowdowns, of business-critical SaaS applications can put organizations in a predicament. During an outage or slowdown, an organization’s business may come to a standstill or run in a degraded state.
In these situations, organizations must prioritize how or if they want to recover the SaaS application. Currently, their three best options include:
- Do nothing and wait for the provider to bring its SaaS application back online.
- Utilize an “offline” version of the application from a third-party SaaS provider.
- Set up their own on-premises version of the software.
Many organizations will opt to stay offline or run in a degraded state until the cloud-based SaaS application recovers. While SaaS applications may periodically slow down, organizations will rarely experience complete application outages. Even if the SaaS application goes offline, the provider will often recover it faster than an organization can by itself.
Organizations can opt to recover a SaaS application on-premises. However, many organizations will find this an untenable option. They must build the infrastructure, maintain it, and take responsibility for recovering the application. Due to the infrequency of SaaS cloud outages, few if any organizations will want to go down this path.
Organizations may find it more viable to examine the recovery options offered by providers that back up SaaS applications. Many providers of backup software for cloud-based SaaS applications deliver their backup service as a SaaS offering.
As part of this offering, they may include an offline version of the SaaS application in their cloud. Using this feature, organizations may recover their data in the backup provider’s cloud until the cloud-based SaaS application recovers.
Data Recovery Limitations
Taking steps to avoid recovering large amounts of data represents the other major shift in thinking that organizations must embrace. Restoring large amounts of data to cloud-based SaaS applications presents multiple hurdles that include
- Incomplete or suspect data backups. Many cloud-based SaaS applications such as Microsoft Office 365 and Google Workspace offer no formal backup APIs. Rather, the APIs they offer simply give programmers access to their application’s content. Further, some applications within these office suites have no APIs at all.
These factors force backup providers to improvise and use whatever APIs the providers do make available. Absent any APIs, backup providers may use proprietary methods to back up data. These techniques make it difficult for organizations to ascertain the completeness of the backups or how much data they can restore.
- Restore limits imposed by the cloud-based SaaS provider. Even should an organization attempt to restore data, they may find they cannot restore all their data. For example, Microsoft imposes limits on how many API requests a user can make in a 24-hour period. Other cloud-based SaaS providers have similar limitations. These limits will not impact the restoration of a few user messages or mailboxes. However, organizations needing to perform restores for hundreds of users may find it takes days or weeks to perform this task.
- Prepare to pay egress fees. Many backup providers store backup data in clouds offered by IaaS providers. In these circumstances, they may need to pay egress fees when performing large restores.
In response to these limitations, organizations should minimally consider pursuing the following two courses of action:
- Use the cloud-based SaaS application’s native tools whenever possible.
- Select backup software that helps prevent data loss.
Utilize the Cloud-based SaaS Application’s Native Tools
Using the Recycle Bin to recover data may sound simplistic. However, backup providers themselves will often advise organizations to first use this tool to recover deleted or lost messages. It provides the fastest, easiest means to recover data plus users can often perform this task themselves.
Turning on the SaaS application’s multi-factor authentication (MFA) feature represents another simple yet practical policy that organizations can implement. Hackers often compromise user accounts and passwords to access an organization’s cloud-based SaaS application. Further, if a hacker compromises an administrator’s account, a hacker can wreak havoc in the environment. Turning on MFA does not eliminate the possibility of an account being compromised but it does decrease the odds.
Finally, implement retention policies in the applications that support them. Granted, the SaaS application’s native retention policies and features may not satisfy regulatory requirements as some top out at 30 days. However, they can provide organizations with a means to recover data that gets deleted or encrypted without using a third-party solution.
Backup Software Becomes Data Protection Software
Backup software has always fallen under the data protection umbrella. In protecting data stored in cloud-based SaaS applications, the best backup software solutions assume more data protection responsibilities. These new roles include
- Anti-ransomware features. Email represents one of the primary ways ransomware enters organizations. The best backup software solutions for Office 365 and Google Workspaces will include features that detect and alert to ransomware’s presence. One solution proactively stops it and recovers compromised data if it discovers an attack.
- Artificial intelligence and machine learning technologies. Backup providers use these technologies to detect for abnormal changes to data in the environment. While they can monitor for ransomware, they can also help detect, prevent, or recover from other errors. For example, a user or administrator may inadvertently change a policy or delete large amounts of data. In this case, they can help identify and stop that action which, in turn, mitigates or eliminates the need for a large data recovery.
- Data loss prevention. More hackers now employ a new tactic to extract ransoms from organizations. Rather than only encrypting data, they first attempt to copy data out of the organization to the hacker’s location. The hackers then threaten to publicly release the data unless the organization pays a ransom. Backup software can help here by proactively monitoring who, how, and what is accessing data in these SaaS applications and alerting on suspicious activity.
The Aha Moments
Organizations examining how to best proceed with the back up and recovery of their cloud-based SaaS applications will likely have two “Aha” moments.
One will be the realization they no longer need to recover the SaaS application itself. They are far better served to leave that responsibility to the SaaS provider. Alternatively, if they do need or want that option, they should engage a third-party provider which offers this service.
The other Aha moment occurs when they recognize they should focus on data loss prevention as opposed to data recovery. While they still need to assume responsibility for the back up and recovery of their data, they can no longer practically perform data restores at scale. Rather, they should identify and employ solutions that prioritize mitigating data loss over data recovery.