Join Us at the Black Hat CISO Event at Mandalay Bay on August 5 RSVP Now.×
Home » Spin.AI Blog » SaaS Backup and Recovery » Expert Insights: SaaS Backup and Application Governance (Part 3)
July 5, 2024 | Reading time 8 minutes

Expert Insights: SaaS Backup and Application Governance (Part 3)

Author:
Avatar photo

Former Gartner Analyst, Backup & Recovery

Welcome back to our blog series on SaaS data protection. Part 1 focused on data protection fundamentals, part 2 focused on data protection solutions, and part 3 is focused on governance.

Magical thinking about the cloud will not protect data in SaaS applications. It only takes one mistake or malicious act to cause significant data loss and you cannot rely on the SaaS provider to protect you. If anybody needed a reminder that data in the cloud isn’t inherently safe, the recent incident at Google where an internal Google administration error led to a multi-billion dollar company’s data and backups being deleted should be a wake-up call. Fortunately, this company had their own backups outside Google’s control. Without that they would have suffered catastrophic loss.

With cloud IaaS deployments, backup is relatively simple with many mature tools that allow organizations to backup their application no matter where they’re hosted, but SaaS completely changes this due to the closed nature of the applications. That inability to simply backup data in SaaS applications means that organizations must put governance around SaaS adoption to ensure that the company’s data (it’s most critical asset) can be protected BEFORE the application is adopted. Failure to provide backups may mean you get the call to tell you that all the data they stored in a SaaS application is gone and that there are no backups!

Top Considerations for SaaS Application Governance 

Because of the risk associated with SaaS applications, companies considering the deployment of a new SaaS applications should address the following considerations:

  • How important is the application and the data stored in it
  • What backup capabilities come with the SaaS application
  • 3rd-party backup options

The Importance of the Application and the Data it Stores

The first step before adopting a SaaS application is to assess the importance of the application and what impact an outage or major data loss event would have on the organization. The evaluation should be a critical part of the process of adopting any SaaS application, and that requires organization-wide governance processes around that adoption. Key questions to ask include:

Application questions

Does the application provide critical support to major business processes?

A critical application would be one where loss of access to data would cripple an important business process such as processing customer orders.

Can the organization work around a situation where the application or data is unavailable?

Sometimes, organizations can put workarounds in place so that an application outage or severe data loss doesn’t make the business grind to a halt.

Can the data in the application be recreated from other sources?

If the data in the application is the sole source, then data loss is impossible to recover from unless there’s a backup of the application’s data.

Is the data in the application regulated in any way?

Applications that handle data that is subject to regulation present a higher risk. 

If made public would data loss from the application cause reputational damage or put the company in legal jeopardy?

Any public disclosure of data loss can cause customers to lose confidence or result in them taking legal action against the company.

Does the application use bidirectional synching of data between the customer and the SaaS provider?

SaaS File share and sync services such as Microsoft Onedrive are vulnerable to anything running on a client PC that can write data to the file store. This contrasts with SaaS applications where the data always resides on the provider’s systems.

Built-in Backup Capabilities of SaaS Applications

Some SaaS applications come with their own backup but these backup systems are often very limited in functionality and may be vulnerable to the same attack that breaches the application. Because of these factors it’s important to ask the SaaS application provider what they offer. Typical questions include:

SaaS Provider questions

Does the provider offer any guarantees around the safety of data?

There are many ways in which data can be lost, so it’s important to understand the extent to which the provider takes responsibility for safety of the data

Does the provider offer any compensation for data loss?

If the provider offers compensation, it’s important to compare the value of the compensation with likely costs for a significant data loss event.

If backup is offered, how are data restoration requests submitted and what’s the turnaround time?

Ideally, restoration should be controlled by the SaaS customer to enable rapid recovery from data loss. However, many SaaS vendors require customers to submit a request through the helpdesk and wait.

What level of granularity does the provider’s backup offer?

It’s important to understand whether you can restore individual records and files or must reset the entire application back to the most recent backup.

How frequently does the provider’s backup operate?

Frequency of operation will dictate how much data can be lost. For example, a daily backup means that up to a day of changes to data can be lost.

Availability of 3rd-party Backup Systems

3rd-party backup of SaaS applications is still quite rare, but where options do exist, they are generally preferable to any service provider by the vendor of the SaaS application because they offer a truly independent backup that can’t be compromised by a breach at the provider. Organizations looking at 3rd-party options should consider the following questions…

3rd Party Backup

Where is the backup data stored?

Options typically include storage in major cloud providers such as Amazon or Microsoft, storage on private infrastructure belonging to the backup provider, or storage at a location specified by the customer.

Is the backup vendor using official APIs or using non-approved methods to backup and restore data?

Supporting an application through unofficial APIs and workarounds is risky as the SaaS vendor can make changes that break the backup system without notice.

Is the backup data vulnerable to a breach in security of the SaaS application?

Customers should be wary of any backup system where a breach of security at the SaaS application level can allow the hackers to delete backups.

Can the backup provider proactively stop a malware attack from encrypting data?

Being able to recover data after an attack is nice. Stopping the attack before too much damage is done is even better.

Does the backup system also offer data leak prevention?

Sometimes cyber attackers want to steal data not just encrypt it. So, any ability of the backup system to detect data exfiltration or unusual data access patterns is a valuable additional feature.

Learn more about selecting backup vendors with these 3 questions to consider when evaluating backup solutions or by requesting a demo of SpinBackup.

Was this helpful?

Thanks for your feedback!
Avatar photo

Written by

Former Gartner Analyst, Backup & Recovery at Spin.AI

Recently retired from full-time work, Nik Simpson spent 40 years in the IT industry in a variety of roles with major IT vendors, startups, and IT Research companies. Most recently, Nik was VP of Research covering backup and disaster recovery at Gartner where he worked on signature documents such as the Backup & Recovery Magic Quadrant as well as leading research into Backup-as-a-Service and backup for SaaS applications such as Microsoft 365. In a 15 year stint at Gartner, Nik also covered a variety of topics including server technology, data center design, and storage platforms.

How Can You Maximize SaaS Security Benefits?

Let's get started with a live demo

Latest blog posts

Mastering Disaster Recovery – Best Practices in 2024

From natural calamities to cyber threats and system failures, organizations face numerous challenges that can...

Avatar photo

Product Manager

Read more

Protecting Your SaaS Environment: Insights from the Snowflake Incident

High-profile breaches are in the news more than ever before. However, data breaches are no...

Avatar photo

Product Manager

Read more
types of backup: incremental vs differential vs full

Top 10 Salesforce Backup Options in 2024

Salesforce is an indispensable software for businesses of all sizes, offering a robust platform for...

Avatar photo

Vice President of Product

Read more