Data Protection Methodologies for the SaaS and PaaS Use Case
By Ian Perez Ponce, VP, Product Management & Strategy
For decades, the practice of Business Continuity/Disaster Recovery (BC/DR) in the IT industry has been relegated to the domain of data center infrastructure, be it physical or virtual. More recently, developing trends have transformed IT Service Continuity technology solutions and operational best practices to extend into the world of hybrid and public clouds. Enterprise organizations around the globe continue to expand their adoption of virtualization, testing the waters with the hybrid cloud. Yet, for many of them the adoption of both mission-critical and business-essential applications running on third-party hosted SaaS and PaaS platforms began several years ago. The thought-provoking question we pose in this article is one of risk and exposure – does data (as a primitive) warrant any less safeguarding or protection by businesses when residing on SaaS or PaaS?
The answers to that question may be as numerous as the number of SaaS and PaaS providers that exist today. Some would argue that well-established (X-aaS) providers such as Salesforce, Google (Apps) and Microsoft (Office 365) are not only liable under contract to safeguard tenant data, but also have the means by which to guarantee that safeguarding. Others would argue that when reading the fine print of any given provider’s Service Level Agreement (SLA) and/or terms and conditions, there is rarely a clause under data assurance or data protection that guarantees the integrity and recoverability of customer data, not to mention one offering some form of indemnification if that data were inadvertently lost or corrupted.
Somewhere wedged between these views lie the virtues of security and compliance. Whether regulated by external authorities or otherwise, seasoned practitioners of security, compliance and IT Service Continuity Management acknowledge that an “out of sight, out of mind” mentality when it comes to corporate data assets does not bode well in the era of distributed everything. There has been increased M&A activity (e.g., the Datto acquisition of Backupify and the EMC acquisition of Spanning) as well as increased, regular analyst coverage by firms such as Gartner. By inductive logic, this would suggest a recognition by the IT industry as a whole of a gap in the market, and the need for a more robust approach to SaaS/PaaS-stored data.
To allow us to look at the challenge in more detail, first we should make an important distinction. Issues of data availability and access happen, caused by service outages for example, and administrators should be savvy enough to choose those providers that have the best track record as well as the best performance feature set for their companies or teams, be it around offline caching, latency or other parameters. Data integrity is another issue altogether. A 2013 report from The Aberdeen Group claimed that 32% of companies had experienced loss of critical data in the cloud, 64% of which was due to user errors. In summary, data integrity seems like a much larger problem, and one that is potentially tougher to solve.
3 Examples: Salesforce, Office 365 and Google Apps
How can this be addressed? In a recent research report, Gartner has gone on record to recommend third-party backup tools as good complements to the leading vendors’ own solutions – potentially solving both the data availability and data integrity challenges.
For Salesforce, for example, Gartner highlights additional functionality as a benefit of using third-party solutions, focusing on automation and simplicity. But this does not address an important finding: Salesforce claims a four-hour recovery point objective (RPO) and a 12-hour recovery time objective (RTO), which may be too long for some. Furthermore, each restore request sets customers back $10k, per Gartner.
For Office 365, more control and flexibility are touted as the key feature. Gartner claims that Microsoft’s approach is a bit inconsistent between the different services, and so control and flexibility – specifically, the ability to set similar rules for different services – become useful features when offered by external solutions.
Finally, in the case of Google Apps for Work, robust backup/recovery and a longer retention period take center stage as something third-party solutions could provide.
Here are a few best practices when using third-party BC/DR solutions for PaaS/SaaS:
1) Ease and speed of use: Sounds obvious, right? But what if your PaaS/SaaS vendor quotes you hours or days for data recovery? Data is business-critical, and as such needs to be safely stored only a few clicks away. Otherwise the business won’t run.
2) Customization: Whether you’re deciding on backup frequency, a pre-determined archival platform, or which users in your company require secured online data, customization is at the core of third-party solutions.
3) Safety and security: Trusting a provider with your data means looking out for providers that have ISO certifications, are HIPAA-compliant, and ideally also take regional or national data privacy laws into account when giving you a choice of backup locations.
4) Cost-effectiveness: By and large, the bulk of on-prem BC/DR costs lies in hardware and hardware maintenance. If your external provider uses large-scale public cloud resources for backup, it means that for once, you can rely on a pay-as-you-go, utility model and introduce significant efficiencies.
In summary, our recommendation is to avoid complacency regarding safeguarding and preservation of your business-critical data, whether you use PaaS/SaaS or not. It’s common-sense risk hedging – with an added layer of tangible technical benefits – to use a mix of models, such as on-prem and the public cloud, and PaaS/SaaS backup and third-party backup. At the end of the day, your business needs to keep running no matter the composition of your IT landscape and application services.