Given the pervasiveness of SaaS applications like Office 365 and Salesforce, you’d think we’d have a pretty good handle on SaaS data protection by now. But according to Jeff Erramouspe, we’d all probably be surprised by how many IT departments, users and executives have failed to fully understand the nuances of proper SaaS data backup and recovery.
Erramouspe is vice president and general manager of EMC’s Spanning unit, which provides data backup and recovery for cloud applications. In a recent email interview, Erramouspe shared some misconceptions about SaaS data protection, beginning with the notion that SaaS application data doesn’t need to be backed up:
While it is true that SaaS vendors do protect and replicate their customers’ data, they only do it to protect the customer from problems on the SaaS application infrastructure side, such as server failures or drive crashes. They don’t necessarily provide bullet-proof protection from user-driven data loss. You’d be surprised by how many experienced IT professionals don’t know this. While the cloud is a great place to cost-effectively run applications, accidental deletion and other mistakes can cause losses from which Google, Microsoft, and Salesforce.com can’t always help you easily recover. For Google, its policy states that if you permanently delete something, it’s not recoverable—it’s gone forever. Salesforce has a paid service to get data back, but it is expensive ($10,000 per incident), takes time (as much as up to three weeks to get started) and it only commits to best efforts—most data can’t be restored in full. And the Microsoft Office 365 SLA doesn’t include data recovery, despite the belief of many customers that it does.
So why don’t SaaS vendors like Google, Microsoft or Salesforce protect users from data loss? According to Erramouspe, the truth is that SaaS application vendors would be unable to fully protect their customers’ data, even if they wanted to:
The SaaS application vendor has a responsibility to take the action on their customer’s data as he or she instructs them to. As a customer, you have a right to delete your data if you so choose, and if you tell your vendor to delete something, they are required to comply. Unfortunately, the SaaS application vendor has no way of knowing if a delete request is legitimate. It’s not that the SaaS vendors don’t want to provide complete protection from user-driven errors—it’s that they fundamentally can’t. They are very good at reliability, availability, security and scalability of their application, and they will not lose your data. But you will.
Erramouspe provided a couple of examples of common user errors:
A Google Apps administrator will delete a user who has left the company in order to reuse his license with another employee. This happens all the time. But, if he does this before all of his data or email could be assigned to another user, that data will be gone forever, and Google can’t get it back. Or a sales person will attempt to “clean up” their Salesforce data by deleting duplicate accounts or sales opportunities, only to accidentally remove the versions they actually wanted to keep. These are common occurrences, and they frequently go unnoticed because the user who made the mistake is too embarrassed to mention it and tries to recreate the data themselves—spending hours, or even days, rebuilding data when they could be focused on other tasks. The bottom line is that the data that exists in the SaaS application is the customer’s responsibility to protect. It’s a corporate asset and needs to be treated as such. Solutions like Spanning Backup ensure that SaaS users will never suffer an unrecoverable data loss incident again.
Not everyone appears to be entirely clear on the difference between data backup and data restore, so Erramouspe explained the difference:
Backup tools that “recover” data by merely retrieving all versions of all your backed-up data for you to sort through are of little value when the priority is to have everything back the way it was before, as soon as possible. No one wants to find a needle in a data haystack. The true value is in a solution that retrieves data from any specific point in time, and then automatically restores it directly back into the application with no manual effort required. It should have the flexibility and granularity to restore the most recent version or any previous point-in-time version of a document, field or other item, such as a Google Apps file or folder, or a Salesforce record, with 100 percent accuracy. It should also be able to restore metadata—such as labels, file structures, and sharing settings—to ensure complete accuracy.
Erramouspe said organizations aren’t as worried as they need to be about data loss due to hackers, because they think they have the requisite security measures in place. What many are apparently forgetting, he said, is that the insider threat is a top cause of data breaches:
Whether it’s a case of intentional sabotage, or just someone unintentionally leaking sensitive data, it can cost a company plenty. A strong backup and recovery solution will help you address the insider threat in two ways: by helping you recover from a SaaS data breach due to an insider attack; and by providing early warning of compromised data—so you can do something about it before the damage is widespread. The right solution enables you to restore data to the last trusted version you have—such as the day before an attack, or even a week before. Your backup solution should also automatically notify you of any problems when you do data backup, because problems may indicate damage from an insider attack.
Finally, Erramouspe had this to say to organizations that maintain that they can’t justify the added cost of SaaS backup and restore:
If you look at EMC’s latest Global Data Protection Index report to illustrate the impact data loss can have, the results are alarming. According to EMC’s findings, data loss is proliferating with astronomical costs, and most organizations are ill-prepared to avoid the consequences. Sixty-four percent of enterprises experienced data loss or downtime in the last 12 months, according to the report, and companies on average lost 400 percent more data over the last two years. In terms of strictly monetary costs, data loss and downtime costs enterprises $1.7 trillion. That’s shocking. Whatever the cost of implementing a SaaS data protection solution is, it’s well worth it to avoid significant productivity loss and major financial implications.
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.