Backup Industry Veteran Reveals Data Protection Risks of SaaS Applications

his is part of a series of interviews with Asigra Partners. In this post we’re talking with William Bush from Tectrade about his experiences and thoughts surrounding SaaS backup for enterprises.

JL: Tell us a little about yourself.

WB: My name is William Bush, and I am the Technical Services Manager at Tectrade (@TectradeHQ). We are a UK-based MSP focused on designing cloud storage & data protection solutions for enterprises. Our client base includes FTSE 100 companies as well as smaller organizations. Many operate in sectors where IT compliance is especially important, such as financial services, education and government.

Our alliances include being an Asigra Partner and the only IBM Storage Specialty Elite Partner in Europe, with over 25 years of experience and 50 technical staff around the world.

JL: William, based on your experience working with various organizations, how quickly would you say IT departments are moving to the cloud?

WB: According to IDC, the market for cloud services is currently growing at 20% and set to exceed $37B this year alone. IT departments are migrating to cloud-based SaaS applications such as Office 365, Google Apps and Salesforce at an unprecedented pace.

The SaaS market is continuing to grow at a phenomenal rate due to a number of factors. The key factors from my perspective being, reduced time to benefit, the SaaS provider taking responsibility for the hardware and software upgrades and uptime and a lower cost of entry with predictable monthly costs.

SaaS enables businesses to focus more time and energy on their core objectives and removes the pain of architecting, installing, managing and maintaining on-premise software solutions.

JL: That’s an exciting trend. With everything happening so quickly, how well-thought out are the deployments you’ve seen?

WB: Moving to the cloud is a smart opportunity but undeniably, also presents some risks.

Most organizations I speak with are either in the process of migrating to Office 365, or worse, have been running Office 365 for months without a plan to revise their data protection strategy.

Their legacy backup systems often aren’t compatible with new data sources like SaaS apps. Even if there are workarounds to make their existing backup tools pull data from the cloud, it’s often not an ideal solution. For example, an admin who is looking to retrieve an individual file might need to spend hours restoring an entire volume from tape.

JL: What are the most common misconceptions about SaaS data protection?

WB: Many organizations falsely assume that the SaaS vendor’s backups are enough to protect their data. Yes, Microsoft will regularly back up Office 365 accounts but mainly to protect against hardware failure in their data center.

Hardware failure isn’t even the top cause of data loss, not even close. User error (64%) is the most common, followed by hacking (13%), account closure (10%) and malicious deletion (7%). Microsoft does not retain copies of your data for nearly long enough to mitigate these other risks.

By default, deleted files in Office 365 are purged from Microsoft’s servers in 15 days. Admins can update the setting to 30 days, but accidentally deleted or corrupted data often goes unnoticed beyond that timeframe, after which it is unrecoverable.

JL: What about other applications such as Salesforce or Google Apps?

WB: These SaaS applications are not much better.

Google Apps for Work purges deleted data after 25 days. There are add-ons for Google Apps like Postini (deprecated) and Google Apps Vault which allow you to set longer retention periods, but consider: Do you really want to manage a different point solution for every cloud? Also, going with Google Apps Vault isn’t a true off-site backup because it doesn’t isolate your data from Google’s environment.

Deleted Salesforce records stay in the Recycle Bin for up to 15 days, with “up to” being the emphasis here. If you are close to capacity in your Salesforce account, they may delete your Recycle Bin files in as few as 2 hours. Once a file is deleted from the Recycle Bin, Salesforce can only attempt a manual recovery, billed at $10,000 a pop.

JL: How responsible are SaaS providers in the event of a data loss?

WB: None of the three providers I mentioned provide an especially strong guarantee you will be able to successfully recover your data, even if the data loss stems from their own negligence. The maximum liability that Microsoft and Google have written into their Terms of Service (TOS) is the past 12 months of subscription fees paid.

Is this enough of a financial guarantee for most organizations? I think not. A single email could be the difference between winning or losing a lawsuit worth millions of dollars.

JL: What is the broader impact of data loss on organizations as a whole?

WB: A data loss event can cause major operational and legal headaches. Recently, a major US airline who had a datacenter outage suffered significant reputational harm and was forced to pay millions in passenger compensation for the incident. Unfortunately, I have seen businesses not recover from a catastrophic data loss.

In the UK, the legal ramifications could include up to a £500,000 fine under the Data Protection Act 1998. Similar laws in the US such as HIPAA and Sarbanes-Oxley (SOX) govern healthcare organizations and public-traded companies, with fines up to $10 million for neglecting to protect customer data. To stay in compliance, you need to be able to show auditors that you have a secure, off-site backup at all times.

JL: What should compliance driven organizations look out for when they engage a backup provider?

WB: Be wary if your storage and/or backup provider is scant on details but assures you “not to worry” that their solution is compliant.

The onus is on you to verify that the architecture your MSP uses is compliant from end-to-end. For example, section 8 of the Data Protection Act requires personal data not be transferred outside the European Economic Area (EEA), with a couple of exceptions.

To protect your organization from fines and reputational risk, make sure you have your MSP’s promises in writing when it comes to compliance. A blanket statement like “HIPAA Compliant” isn’t enough, you need to understand each component of the setup, especially if you are going with a public cloud.

JL: How can working with a managed service provider help organizations gain a competitive advantage from their data?

WB: With the growing volume of data in the enterprise from traditional and cloud sources such as Office 365, it can be difficult for IT departments to navigate the challenges alone. From embedding ourselves at client sites, we possess a depth of experience in working with different data architectures.

An end-to-end solution like Asigra Cloud Backup lets IT departments simply “check off” data protection and instead, spend their time focusing on strategic IT opportunities.

Organizations won’t incur the costs of training their employees on multiple, platform-specific solutions anymore, because Asigra backs up virtually any data source from laptops, servers, mobile devices to SaaS and IaaS clouds.

JL: What are the other benefits of using an end-to-end solution like Asigra?

WB: First, Asigra is an agentless solution. Most backup solutions require a piece of software to be installed on the client-side, but Asigra does not. Because there are no agents to install or update, you save even more valuable IT time, not to mention the improved security.

Asigra is also extremely flexible, letting you set separate recovery time and point objectives (RTO and RPO) for different datasets within your organization, based on the business impact of that data.

In addition, you have the choice of backing up data to a public, hybrid or private cloud. The hybrid or private cloud options are commonplace in industries like financial services or government which have heightened privacy and security concerns.

JL: Will, thanks for taking the time to share your insights about SaaS backup. What are the next steps IT professionals can take to learn more about cloud-to-cloud backup?

WB: We recently hosted a webinar about this topic, titled “Data Protection Considerations with utilizing SaaS.” We went over a few customer examples and showed the attendees how simple it is to retrieve an accidentally deleted record from Salesforce. You can download the recording here.

Topics Discussed

Related Posts

SaaS Applications Change the Rules of Traditional Data Protection This is part of a series of interviews with Asigra Partners. In this post we’re talking with Chad... 7 min read
7 Tips to Avoid Ransomware This is part of a series of interviews with Asigra Partners. In this post we’re talking with Greg... 6 min read
What’s the Best Way for Your Organization to Prevent Ransomware Attacks? This is part of a series of interviews with Asigra Partners. In this post we’re talking with Brent... 4 min read