Establishing ownership over SaaS data protection

Rick Vanover

Senior Director of Product Strategy, Veeam

Data protection and matters around compliance with data regulation need clear ownership within an organisation. Ultimately, the buck stops with the CIO, but with businesses’ IT and data management needs growing ever more complex, ownership within the teams that report to the CIO can become fragmented and confused. Given the huge growth in Software-as-a-Service (SaaS) that has taken place in the past decade and was significantly accelerated during the Covid-19 pandemic, SaaS has become a great example of where these lines of ownership can become blurred.

The largest subset of broader public cloud services according to Gartner, SaaS is a key cog in an organisation’s ability to execute on their digital strategy. But Digital Transformation (DX), of which SaaS is a vital component, is underpinned by Modern Data Protection – the ability to back up, secure and restore data across physical, virtual, cloud, SaaS, and Kubernetes environments. Veeam’s Data Protection Report 2021 found that data protection challenges were hindering DX in the eyes of CXOs – with 58% of global organisations’ data potentially unprotected. It is therefore crucial that organizations establish clear ownership over who is backing up SaaS data, who is planning and stress testing Disaster Recovery, and who is enforcing regulation.

Big job: who’s is it?

Protecting SaaS data is a big job. Imagine the scale of the data produced by a large organization’s Microsoft 365 provision. Much of this data is likely to be confidential, sensitive and contain information that is vital to business operations. It is mission-critical data, which needs to be backed up and fully recoverable in the event of an unplanned outage or cyber-attack. Microsoft 365 is a good example of where poor assumptions about what data is protected and what isn’t can be made. The in-built data protection capabilities of Microsoft 365 can give businesses a certain amount of reassurance that the majority of their data is backed up and protected. However, the only way to truly have the peace of mind that Microsoft 365 data is fully protected and recoverable is via a third-party backup solution. Both SaaS and Backup admins are becoming wise to this fact, according to Veeam’s 2021 Cloud Protection Trends Report, citing reasons such as accidental deletion of data, preparation against cybersecurity attacks and insider threats for protecting Microsoft 365 data.

However, while SaaS and Backup admins are more or less aligned on the importance of backing up data from applications such as Microsoft 365, tensions do exist that point to a need for clearer demarcation of roles and responsibilities when it comes to data protection. Veeam’s research has unearthed confusion over issues such as backing up SaaS data in containers and using third party tools, for example. SaaS admins were more likely than Backup admins to store the stateful data of applications running on containers separately and back it up there, and more likely to back up container data using a third-party tool. Whereas a higher proportion of Backup admins wrongly believed that their containerized applications did not contain stateful data that needs to be backed up or that their container architecture is natively durable.

While greater education is needed across both SaaS and Backup admins when it comes to best practice for protecting Kubernetes data, it is encouraging to see that 14% of Backup Admins who do not currently back up data from containers are already looking for a solution. This will only increase as IT teams become more aware of the unique challenges posed by protecting containerized application data, which will in part be driven by continued growth in deploying SaaS applications. What is clear is that businesses must establish clear ownership over their data protection strategy.

Owning Modern Data Protection

The first part of this process is to define clear roles and responsibilities between SaaS and Backup admins to ensure that every stage of data protection has an owner. Given that SaaS admins’ roles will continue to expand at a fast pace given the emphasis organisations are placing on DX, there capacity for dedicating resource to data protection is likely to decrease. Therefore, there will always be a clear role for Backup admins with the sole purpose of ensuring data across physical, virtual, cloud, SaaS and Kubernetes is always protected. With SaaS growth accelerating and driving growth in Kubernetes deployment, businesses must not only establish clear lines of responsibility, but also work with a third-party backup specialist.

This will ensure organizations are taking full advantage of the expertise and automation available to them, putting them on the front foot when it comes to their Modern Data Protection strategy. This in turn means that organizations’ DX is not being held back by their data protection challenges and that they can continue to deploy SaaS with the confidence of knowing that their data is fully protected in the event of an outage or cyber-attack.