Consider the traditional IT environment - all of your data and applications reside on those dusty servers in the basement datacenter. You can literally walk downstairs and point to the hardware running your entire organization. All you need to do is back up those 20+ servers daily, both locally and off-site, and you're good! Seems straightforward. And it is. Mostly.
In a cloud or hybrid environment, implementing a backup solution dynamic enough to match the scale of the modern workforce can seem more challenging. And it is, if you don’t have the right understanding of WHO is in charge of your data.
The Uptime Fallacy
Most SaaS providers promise their clients 99.9999% uptime and anywhere access, and that’s awesome, but most people also assume their SaaS provider is responsible for maintaining their data – THEY AREN’T.
Let’s take Microsoft O365 as an example. According to the Office 365 Trust Center, “With Office 365, it’s your data. You own it. You control it.” Sounds empowering, right? From a privacy and security perspective, it is. But consider the example of basement backups versus cloud backups. How long would you have kept your physical Exchange or SharePoint server running without a backup?
SaaS applications should be no different than the servers in your basement
Most people assume the 99.999% uptime guarantee extends to their data. It doesn’t. If data is permanently deleted, without an adequate backup solution, that data is gone forever.
Consider the limitations of Office 365:
- Microsoft has no way to retrieve user data that’s been deleted from the database permanently.
- Microsoft does not have a purpose-built solution for long-term data retention, nor can they determine an organization's retention policies.
- Microsoft has no way of knowing the difference between a regular employee and a terminated employee attempting to delete critical company data.
- Microsoft does not have phishing detection, prevention and account recovery tools in the event someone’s passwords are stolen.
Consider the Office 365 Shared Responsibility Model:
Now consider these scenarios:
- Human Error: If the HR Director accidentally deletes a shared file critical to payroll that she created and stored in SharePoint or OneDrive, how do you retrieve this file if she has already cleaned out her recycle bin?
- E-Discovery and Legal Inquiry: An employee leaves the company but is later determined to be a central figure in a class action lawsuit against the firm. IT permanently deleted that user’s O365 account to reduce head count. If a FOI (Freedom of Information) request is submitted for the company to provide all communication from that employee, how would you retrieve this information after the user has already been permanently deleted? What happens if your organization has a strict 10-year retention policy and you fail to comply with a subpoena?
- Internal Risks: If an IT Admin accused of harassment by another employee is fired but deletes all communications with that employee before his account gets locked down by corporate, how can you ensure those communications are retained? What happens if a CFO being terminated deletes all company financial records on their way out? Or the lead Engineer makes copies of confidential blueprints and permanently deletes the originals before leaving and joining a competitor?
- Password Compromise: If the CEO is found to have provided his corporate credentials in response to a sophisticated phishing attack, and those credentials are found on the dark web, how can you identify the compromise and lock down that user's account before critical company information is deleted, encrypted, held for ransom or sold to a competitor?
OK, so you get it. Backups of SaaS applications like O365 are important. Point taken. So what next? Glad you asked! Here’s some guidance on where to start when designing a robust backup and DR solution:
- Consider your business
  - Identify which applications, tools and data are most critical to the business and protect those first
  - Be sure to implement a retention policy that aligns with your specific industry
- Consider your fault tolerance
  - Determine the impact of an outage or data loss for each critical system identified above
  - Quantify the business disruption associated with an outage or data loss lasting 1 day, 1 week, 1 month or forever, and focus on protecting the systems whose outage or data loss would have the most severe impact on the business ($$, Time, Efficiency)
- Consider your environment
  - Identify a backup solution that can scale to your environment
  - Aggregate physical, virtual and SaaS backups wherever possible
Backups are a critical part of any business and cloud applications should be no different.