Why SaaS explosion won’t last without resilient backup

image of office

Investing in Software-as-a-Service (SaaS) has become fairly standard practice within the business world. The subscription format of SaaS naturally appeals to enterprise customers due to its affordability and flexibility. And being based in the cloud has also made it ideal for the multitudes of businesses that pivoted their operations away from being office-only.

Plus, the convenience of SaaS – the vendor’s responsibility to provide software updates and bug fixes and maintain system availability has given IT leaders one less thing to think about. These tools have been critical to supporting organizations’ wider digital transformation efforts by making applications and data accessible from anywhere.

However, IT leaders can’t rest on their laurels become complacent and assume that just because they’re using SaaS tools, their data will always remain available and protected. While SaaS providers may have service level agreements in place around maintaining availability and uptime, the responsibilities around data protection, backup and what happens if a breach happens can be less clear. Administrators are not always aware of the need to take responsibility for their own third-party backup, or even simply ensuring that their data is adequately protected.

Build-in backup is proving a false sense of security

Today, many businesses are operating under the misconception that built-in backup is enough to sustain long-term data security. This view has been formed from the perception that backup systems don’t go down – and even if they did, it would be the vendor’s responsibility not the businesses.

For example, users of Microsoft 365 rightly assume that any outages involving applications, network controls, operating systems and physical networks will be managed by the SaaS provider. But the largest number of outages don’t come from SaaS providers themselves – instead accidental deletions, misconfigurations or bad actors gaining access can all deliver the same unfortunate end result – data goes missing.

Without a robust backup, your data could be gone. In some ways, SaaS tools are like using a rental car – the provider makes sure the car is fueled, clean and ready to go, but once driven off the forecourt, it is the customer’s responsibility.

Have a clear plan in place with your vendor

There’s sometimes a feeling of passing the reigns of responsibility to a vendor once business leaders have signed on the dotted line of a SaaS subscription deal. It’s true, the vendor will probably have a greater ongoing input into your SaaS solution’s performance. However, you need to view this relationship as a collaboration rather than purely outsourcing.

While IT decision-makers understand the benefits of shifting responsibility for deployment, upgrades and shifts incapacity, many don’t realize the actual responsibility of the data usually remains with the tenant. SaaS vendors typically leverage a shared responsibility model that spells this out clearly.As a business begins to invest in

SaaS tools, it needs to keep the channels of communication wide open with their vendor. Roles
and responsibilities need to be clearly defined by providers, so nothing falls through the gaps
due to misunderstandings or miscommunication.

These conversations should also cover disaster planning – not because of a need to assign blame – but to have a well-honed system to respond to a data protection incident. Regardless of how good your security is, falling victim to an outage, data breach or other cybersecurity incident is usually a case of when, not if. This risk extends to the backup data an organization might keep themselves. Veeam’s 2022 Ransomware Trends Report, for example, has found 72% of organizations surveyed globally had partial or complete attacks on their backup repositories.

Formulate a backup strategy

Here are the considerations all organizations must consider in developing best practice data protection strategies:

  1. Prepare your systems for
    a data breach. This will entail strategizing with your vendor and disaster planning by assessing where the weak points lie, and bringing those up to standard wherever possible.
  2. Keep in mind that businesses are only able to recover 64% of their data on average following a ransomware attack, according to Veeam’s 2022 Data Protection Trends report. So, assume the worst, and plan accordingly.
  3. Check your storage and backup measures against any relevant compliance regulations because some SaaS tools may not automatically comply with what’s required within your region. For instance, SaaS tools usually back up data for 120 days which is insufficient in areas where regulatory boards require businesses to hold onto data for several years. If you haven’t backed it up, it’s too late to restore it once it is deleted.
  4. Be clear on who is doing what. What’s your vendor’s shared responsibility model? You must be able to know where your data is always, and who is actively overseeing it.
  5. Before you begin integrating a SaaS backup solution, first determine how you would leave that vendor by negotiating exit strategies upfront. You don’t want to end up in a scenario where your data is being held hostage at a price point they suddenly determine after you inform them you want to leave. SaaS’ continued growth means that it is likely to remain a significant way organizations of all kinds manage and run their IT, and
    by extension, their critical day-to-day operations. As such, it’s worth businesses dedicating time to understanding how to keep their data protected – as well as adjust processes accordingly. Thankfully it does seem this is starting to happen in the UK, with the 82% of UK businesses who say they’re planning to increase data protection budgets over the next 12 months, according to Veeam’s Data Protection Trends Report 2022.
  6. The ongoing support of vendors is probably one of the biggest benefits of SaaS. However, don’t get caught up in the positives of SaaS by forgetting that accountability for data security will always lie with your business. So, relying on built-in backup is not enough – back up your built-in solutions and save yourself a headache further down the line. Your business-critical information deserves no less than Modern Data Protection to keep it backed up, recoverable and secure – regardless of the environment, it lives in.

By: Dan Middleton, Regional VP UK&I, Veeam Software