Are You Protecting Your SaaS Applications?
ESG recently completed a large survey — and one of the things that survey revealed is the increasing interest in SaaS applications (Office 365 is one prominent example). Unfortunately, people don’t seem to be protecting the SaaS applications they use. Why is that the case?
ESG’s survey revealed security and protection complacency among those going for SaaS applications. Christophe Bertrand says, “About a third of them say, ‘Look, I don't back up O365’ or ‘I actually don’t back up my SaaS apps.’ And then, there's a big third or half, depending on the application you're looking at, that say, ‘Well, I use the native tools.’ And of course we know there are very few native tools, if any.” (Bertrand says that among the few native tools available, there aren’t many that people want to use.)
Bertrand says that one critical point needs to be faced: People aren’t really protecting SaaS environments.
On a positive note, Bertrand says that some do make the effort to back up and protect, “which is good news.” But why isn’t everyone?
Bertrand says, “I'm not 100 percent sure, but I think there may be a confusion that they don't need to because they may think that it's covered by the service. They're thinking, Well, look, now it's off-premises, it's in the cloud. It's their job. I've just pawned that off. And that's great. Let's just roll. And I don't have to worry about it. It could also be that what was protected on-premises by a certain part of the organization in IT … You know, the data protection people, well, all of a sudden they see this going to the cloud and maybe it's going to the cloud through other parts of IT.”
There’s a big assumption that data protection is included in cloud services. Many times, Bertrand says, unfortunately, that isn’t the case. Stephen Manley brings up one point that came up in the survey data — and it goes to the issue of mindset and backups: “The people who best knew their SLAs were the ones who are most likely to just trust the vendor.”
The survey also found that younger, cloud-native companies are more confident that their data is protected, but that isn’t necessarily wise.
Bertrand responds: “If you know the SLAs, and the SLAs do not specifically state, I will back up your data for X amount of retention, and whatever condition there is, then you don't have backup and recovery SLAs. Let’s face it. And I doubt that anybody has. There is maybe a data retention period, and that could be where people get confused — where, ‘Hey, we can retain your data for X amount of time’ or, you know, ‘For an extra price, we could potentially give you a recovery copy, provided certain things are met.’ And those will not meet RPOs and RTOs in most modern enterprises. Now, again, the services really work on the basis of them being available almost all the time, and that's really what's in the SLA … and providing great protection against potential ransomware or cyberattacks because they have a very hardened security type of environment or infrastructure … So there are a bunch of SLAs around that, for sure. But when it comes to backup and recovery, typically that's not covered.”
Bertrand then goes to the heart of the issue. He says: “… At the end of the day, it's always your data, right? Nobody else's. And not just for backup and recovery, which is really an operational question, but also for legal reasons, for compliance — It's your data. And someone in legal, someone who is auditing your infrastructure, for compliance reasons, will need to know where the data is, and what security it has and how recoverable it is. That's not gonna change. So you're always responsible for your data. I think people have just somehow forgotten that. I feel like, they went on a cruise and it's a big vacation. Oh, we don't need to back up anymore. Now let's go have another cocktail. Well, no, that's not the case, right? You're responsible for your data.”
Manley and Bertrand point out that changes in the sector often come by force — and many times, something negative has to occur to create needed change. One change underway is auditing, and it’s become a necessity with the new wave of privacy regulations, like the GDPR, and the CCPA from California. Bertrand says, “You're going to have to be able to demonstrate you're doing certain things with the data or not. […] If you don't back up and recover, it's all in the cloud and it goes away. Well, for sure you're not going to be compliant, because all these regulations have a data protection mandate, for sure.”
Manley says that the survey also points out that a third of people are using third-party applications for backup, and they are getting better recovery statistics. What are the characteristics of those organizations? What is it that's making them successful? Why have they chosen a third-party backup and how could others follow in their footsteps?
Bertrand replies: “I think it goes back to best practices, better enforcement of best practices, maybe earlier adopters that have actually experienced some issues, organizations that really go through a thorough audit of their processes for any application. […] I don't have a specific data point on this, but I'm guessing with a high level of confidence that it's organizations that have a good sort of centralized decision-making power around protection of data, whether it's on-premises or in a cloud. I would say the other thing that could be happening is there are some solutions out there, some early solutions, early adopters of those backup and recovery solutions — and they have influenced the vendors, have influenced the end users, too, to actually get it done.”
And, Bertrand adds, “not to be negative, but it happens — is services becoming unavailable. And the minute you become unavailable, and you feel you can't access that email, that application, whatever the case may be, all of a sudden you start thinking, Well, OK, how do I recover? Where's my backup? And I think some of that is also creating maybe a higher frequency of realization amongst people.”
Once you’ve established proper data protection and compliance, Bertrand says, “The benefit is that you can now start thinking about how you better leverage the data. And we have other research that just came out around what I call ‘intelligent data management,’ which is: How do you sort of cross that chasm between sort of dumb data backup to, Well, now I want to do data reuse intelligently so I can do other things with it.”
Protected data, machine learning and AI offer up multiple possibilities. For those who resist SaaS backup, Manley says, “Think of what you could do.”
Manley and Bertrand’s interview is full of thoughtful discussion on data backup, recovery, compliance, and how culture ties into those issues. To find out more beyond this summary, check out the complete interview.