Data Protection OF a Service

Today I read Jason Buffington’s blog entitled, “How do you backup SaaS? I’d like to know” and was intrigued to see what response he has received from this very inquisitive blog post. Much to my chagrin, none were publicly posted. This, I thought, was a great blog entry asking the very same questions I asked when I was in Jason’s position as Sr. Analyst at ESG. What happens when you decide to move your backup to a cloud service provider – do you just accept blindly that “they have it all together”, pay your monthly or annual fee and hope you never really have to find out?

Back in the day

When I was with ESG, I wrote the first Market Landscape Report on Backup as a Service – truthfully this was a brand new space that was just beginning to get the attention of midsized and some enterprise customers but really had no specific coverage. So I set off to research this space in as much detail as I possibly could and ask as many deep probing questions of all the vendors as I could to fully understand how each one was positioning itself to the marketplace. Where the market landscape report fell short was in answering the very question Jason has posed in his blog, but because each vendor would have a different and distinct answer, I had to leave it broad but with strong guidance to the customers to ask very specific questions about what to look for in a cloud service providing data protection.

Jason’s questions specifically are as follows:

Do you back up the data from your SaaS provider?

In what format(s) is the backup in?

Is the data readable or importable into a platform that you own?

How would you bring the functionality back online for your local users?  for your remote users?

Most importantly, have you tested that recovery?

And they are great questions that customers can and should ask of each provider.  As someone who has been in this industry for nearly 30 years, I would like to add some color commentary to these questions and hopefully answer how I’d propose a service such as this be managed. 

  • Do you back up the data from your SaaS provider?

This kind of defeats the purpose, doesn’t it?  I mean if you have paid a SaaS provider to protect your data or if you are paying a SaaS provider to host your software application, the assumption is (careful here) that your data should already be protected by virtue of your subscription.  Never assume – always ask the direct question of your SaaS provider and why not?  This is YOUR data.  There are many deployment types in cloud data protection today, one of which is known as a hybrid cloud model for data protection.  That means you have an appliance at your location to retain a certain number of data sets for fast and efficient recovery in the event of file loss, data corruption, or system failure.  The appliance is then connected via the internet to the cloud, which is simply a managed data center, so your data sets may be replicated to protect you against a full-on disaster.  In most cases, data is deduplicated and encrypted before leaving your site.

  • In what format(s) is the backup in?

All solutions are slightly different, but most backups are encrypted at the on-premises appliance before being transmitted to the cloud. This data should never be decrypted for any reason other than to recover the data as directed by the customer. It is also important to note that “multi-tenant” solutions should ensure your data is secure and truly separated from that of other tenants.

  • Is the data readable or importable into a platform you own?

Another way of putting this is “do you have an exit strategy from your SaaS provider if you choose to move on?” Well, unless you are using tar, you are pretty much locked into your cloud data protection provider. HOWEVER, if you like the cloud data protection software but are not happy with the MSP (managed service provider), some of the solutions will offer you this “exit strategy”, allowing you the choice to move. You really should be in the driver’s seat and make your own decisions…and quite frankly that is the way it should be – no SaaS provider should strong-arm you into staying if you are unhappy.

  • How would you bring your functionality back online for your local users?  remote users?

The hybrid cloud model ensures you have your data available for local recovery – in the event your local environment is not accessible for whatever reason.  Some companies will offer a full-service DR offering to help you recover in the event of a full-on disaster.  This may come at a premium, but nonetheless, if your business depends on systems and data, perhaps it is worth your investment.

  • More importantly, have you tested the recovery?

This is a good question. When you purchase a SaaS solution from a provider, do you validate you can recover, or should your provider? Ask the hard question of your provider, and then ask to understand how they do it, and what impact it has on data access if you need a recovery while “validation” is taking place. Never be afraid to ask a question; this is your business and your data, after all. I really liked Jason’s inquisitive blog questions – I know he was looking for customer thoughts, but since I didn’t see any public comments, I thought I would add a few of my own.

The CTE bottom line

Here’s the bottom line: identify a service with a published SLA which includes at least one FULL disaster recovery test of ALL the systems EVERY year to ensure all systems are fully recoverable AND the terms of the SLA are met and compliant. Make sure you ask your provider for a written SLA – and then ask them to PROVE IT. Your data and your company are too important to risk on a provider who cannot perform to YOUR expectations.

-Chapa signing off

One Comment

  1. this site giving information about data protection act
