What is a SaaS application?
A SaaS application runs on a provider’s cloud (the provider is known as a SaaS provider), with its functionality delivered to users as a service via the internet. SaaS is a popular and less expensive alternative to purchasing and maintaining applications on on-premises systems. Instead of downloading or installing applications from CDs and running them on a system’s hard drive, many organizations prefer to use a SaaS application. Gartner forecasted that the SaaS market will grow to $151 billion by 2022 due to the scalability of subscription-based software.
Office 365, Jira, Confluence, Google Works, Salesforce, Workday, Okta, Slack and Zoom are examples of popular SaaS applications. Users and organizations typically rely on a pay-as-you-go model for these services, with a monthly or annual fee for a SaaS subscription. The provider is held to a Service Level Agreement (SLA) to ensure uptime and application availability. In a recent Gartner survey, 97% of respondents indicated their organization uses at least one software as a service (SaaS) application.
Some of the most popular SaaS applications used in the enterprise can be seen in the report from Okta - https://www.okta.com/businesses-at-work/
Why do you need a SaaS backup solution?
Losing critical data is a nightmare for businesses, especially when data is fueling so many companies. Many companies believe it is not necessary to have a SaaS (software-as-a-service) backup strategy in place, thinking that their data is protected by the SaaS provider. Unfortunately, this is not true. Data loss can occur when using SaaS – in fact, Gartner reports that 70% of organizations are likely to suffer business disruption by 2022 due to unrecoverable data loss in a SaaS application.
Coming up with a robust SaaS backup strategy will help you be better prepared for the unexpected, and using the right data recovery solution will help you stay safe and secure.
What are the leading SaaS app vendors’ positions on backup?
Let's review the recommendations of two of the leading SaaS application companies in the world.
Microsoft recommends that every one of its Office 365 customers back up their data, in two contexts:
- As part of their Services Agreement - https://www.microsoft.com/en-us/servicesagreement
- As part of their Office 365 Security documentation and more specifically on how to recover from a Ransomware incident - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide
Reference section #6 “Service Availability”
- Service Availability.
- a. The Services, Third-Party Apps and Services, or material or products offered through the Services may be unavailable from time to time, may be offered for a limited time, or may vary depending on your region or device. If you change the location associated with your Microsoft account, you may need to re-acquire the material or applications that were available to you and paid for in your previous region.
- b. We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.
In this document Microsoft recommends that a customer use a SaaS backup product to back up the Office 365 data.
Recover from a ransomware attack in Microsoft 365
Step 1: Verify your backups
If you have offline backups, you can probably restore the encrypted data after you've removed the ransomware payload (malware) from your environment and after you've verified that there's no unauthorized access in your Microsoft 365 environments.
In this document Microsoft recommends that a customer use a SaaS backup product to back up the Office 365 data.
Although the guidance is buried across multiple documents, Microsoft clearly recommends that its customers use a SaaS backup to address any eventuality.
Atlassian recommends that every one of its cloud customers back up their data, in two contexts:
- Atlassian Security Practices - https://www.atlassian.com/trust/security/security-practices#service-availability
- Atlassian Shared Responsibility document - https://www.atlassian.com/dam/jcr:65400ebe-0cb6-478c-bdf0-e85052490cf2/Atlassian_Shared_Responsibilites_For_Security.pdf
Reference the Service availability section of the document
In addition to the above measures, we also publish our service availability status in real-time for our customers using our own Statuspage product. If there are any issues with any of our products, our customers will know as soon as we do.
We operate a comprehensive backup program at Atlassian. This includes our internal systems, where our backup measures are designed in line with system recovery requirements. With respect to our Atlassian Cloud offerings, and specifically referring to customer and application data, we also have extensive backup measures in place. Atlassian uses the snapshot feature of Amazon RDS (Relational database service) to create automated daily backups of each RDS instance.
Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups.
For Bitbucket, data is replicated to a different AWS region, and independent backups are taken daily within each region.
We do not use these backups to revert customer-initiated destructive changes, such as fields overwritten using scripts, or deleted issues, projects, or sites. To avoid data loss, we recommend making regular backups. Learn more about creating backups in the support documentation for your product.
In this document Atlassian recommends that a customer use a SaaS backup product to back up their Atlassian data.
Atlassian Shared Responsibility
Reference the table listing the responsibilities that Atlassian has and customers have.
Policy and compliance
In this document Atlassian recommends that a customer use a SaaS backup product to back up their Atlassian data.
Although the guidance is buried across multiple documents, Atlassian clearly recommends that its customers use a SaaS backup to address any eventuality.
How can data associated with a SaaS app get lost?
When using a SaaS application, there are many reasons why data can be lost.
- Human error – Accidentally deleting or overwriting files or folders caused 25% of data loss in 2019. Let’s face it: accidents happen.
- Departing employees – Sometimes, when an employee leaves the company, their accounts are closed. The data on those accounts can be lost as well.
- Insider misuse – Disgruntled employees may wreak havoc with data. A SaaS application lets a user delete or modify data without knowing the human intent behind the action.
- Cyberattacks – The statistics are staggering. IDC reports that 93% of businesses experienced attacks within the past three years. Criminal and malicious attacks were the leading cause of data breaches in 2019 at 51%. SaaS applications can be accessed if even one employee's machine is compromised. Attacks can happen quite quickly when employees have weak passwords, fall for phishing scams, or click on malicious links.
- Misaligned retention settings – A SaaS provider's data retention policy may not align with that of the organization using the software. In regulated industries where compliance may require storing data for seven years, relying on a SaaS provider that stores data for a shorter time can result in data being hard-deleted and lost forever.
Why SaaS backup?
Using a SaaS backup service takes away the worries and costs associated with having to maintain in-house infrastructure, but it also means that businesses are responsible for backing up their own data. And in an age when data is king, businesses can’t afford to get this wrong. Finding a trustworthy partner to provide SaaS backup and restore services needs to be top of mind for every IT leader.
Advantages to a SaaS backup solution
Your SaaS is only as secure as your SaaS backup. With the right backup solution, you can:
- Safeguard data and recover granular items
- Ensure business continuity and preparedness
- Avoid legal and regulatory compliance fees
- Verify authenticity to ensure data is authentic, original, and unchanged
- Plan for migration to another SaaS provider or in-house system
Bottom Line: Your organization is responsible for backup and recovery of data on these services, while the SaaS provider’s responsibility is to make sure the software infrastructure is available.
Seven steps to evaluate your backup strategy
Here are some key metrics and points that organizations should evaluate and consider in order to create a robust SaaS backup strategy and keep their SaaS data safe in the cloud.
What is your Recovery Point Objective (RPO)?
How much data are you willing to lose? Remember – there’s no way to recover data that’s been changed since the last backup, so consider leveraging high-frequency backups, or at least backing up daily.
What is your Recovery Time Objective (RTO)?
How quickly do you need your data recovered? Cloud data protection platforms can recover your data in minutes, as opposed to the days or weeks that some out-of-the-box solutions require. Your RTO will go a long way towards determining what SaaS backup solution is right for you.
Does your current strategy enable you to recover data from any point in time?
The best data recovery solutions allow businesses to put their data back together exactly how it was before a problem occurred, whether that was yesterday or six months ago. In order to recover the precise data required, you need to be able to quickly compare data to historical data. Using an automated service with full daily backups is the best way to do this.
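One way to test the RPO and point-in-time questions above against a real backup history, as an added example that is not from the original article or any vendor's tooling. The catalog timestamps, the 24-hour RPO and the function names are constructed for illustration.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

# Constructed sample catalog: completion times (UTC) of successful backups.
# The 2 March run is absent, as if a nightly job had failed silently.
CATALOG = [
    datetime(2024, 3, 1, 2, 0),
    datetime(2024, 3, 3, 2, 0),
    datetime(2024, 3, 4, 2, 0),
    datetime(2024, 3, 5, 2, 0),
]


def rpo_violations(backups, rpo, now):
    """Return (start, end) windows where a failure would lose more than `rpo`.

    The window from the newest backup to `now` is checked too, because a
    stale newest backup is itself an RPO breach.
    """
    points = sorted(backups) + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > rpo]


def restore_point(backups, incident_time):
    """Pick the newest backup taken strictly before the incident.

    Returns (backup_time, unrecoverable_window), or None when no backup
    predates the incident. Changes made inside the window are not in any
    backup and cannot be restored.
    """
    points = sorted(backups)
    idx = bisect_left(points, incident_time)  # first backup at/after incident
    if idx == 0:
        return None
    chosen = points[idx - 1]
    return chosen, incident_time - chosen


if __name__ == "__main__":
    rpo = timedelta(hours=24)
    now = datetime(2024, 3, 5, 12, 0)
    for start, end in rpo_violations(CATALOG, rpo, now):
        print(f"RPO breach: no backup between {start} and {end} ({end - start})")
    # Constructed incident: data overwritten on 2 March at 18:00.
    chosen, lost = restore_point(CATALOG, datetime(2024, 3, 2, 18, 0))
    print(f"restore from {chosen}; up to {lost} of changes are unrecoverable")
```

Running a check like this on a schedule turns a missed backup into an alert before an incident exposes the gap.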
Are you able to recover data and corresponding attachments and metadata?
Data recovery from your SaaS backup is great, but don’t forget to back up attachments and metadata as well. Without metadata, trying to rebuild the relationships between certain types of data objects can be a painstaking and time-consuming process. And without the ability to maintain these relationships, you’ll only have partial restore capabilities. Try to find SaaS backup tools that can recover both attachments and metadata.
Does your SaaS backup tool have the necessary security controls?
Here are some controls you’ll want to include:
- Role-based access controls (RBAC) for managing who can access backups
- IP whitelisting for controlling domain access
- Two-factor authentication for ensuring access is limited to authorized users
- Single sign-on for reducing threat surfaces
Is your SaaS backup strategy automated?
SaaS backup tools should be as pain-free and user-friendly as possible. Look for dynamic solutions that offer automated backups, proactive monitoring, and first-class support.
Is your data accessible outside of your primary SaaS application platform?
Being able to access information through a user-friendly, controlled interface outside of the primary SaaS application platform is important, because on occasion the primary application may not be available.