Sanket Parlikar | Sep 26, 2022 9:00:00 AM | 12 min read

Why you need a SaaS backup strategy and solution


What is a SaaS application?

A SaaS application runs on the cloud of a provider (known as a SaaS provider), with the functionality delivered to users as a service via the internet. SaaS is a popular and less expensive alternative to purchasing and maintaining applications on on-premises systems. Instead of downloading or installing applications from CDs and running them on a system’s hard drive, many organizations prefer to use a SaaS application. Gartner forecast that the SaaS market would grow to $151 billion by 2022 due to the scalability of subscription-based software.

Office 365, Jira, Confluence, Google Works, Salesforce, Workday, Okta, Slack and Zoom are examples of popular SaaS applications. Users and organizations typically rely on a pay-as-you-go model for these services, with a monthly or annual fee for a SaaS subscription. The provider is held to a Service Level Agreement (SLA) to ensure uptime and application availability. In a recent Gartner survey, 97% of respondents indicated their organization uses at least one software as a service (SaaS) application.

Some of the most popular SaaS applications used in the enterprise can be seen in the report from Okta - https://www.okta.com/businesses-at-work/

Why do you need a SaaS backup solution?

Losing critical data is a nightmare for businesses, especially when data is fueling so many companies. Many companies believe it is not necessary to have a SaaS (software-as-a-service) backup strategy in place, thinking that their data is protected by the SaaS provider. Unfortunately, this is not true. Data loss can occur when using SaaS – in fact, Gartner reports that 70% of organizations are likely to suffer business disruption by 2022 due to unrecoverable data loss in a SaaS application.

Coming up with a robust SaaS backup strategy will help you be better prepared for the unexpected, and using the right data recovery solution will help you stay safe and secure.

What are the leading SaaS app vendors’ positions on backup?

Let's review the recommendations of two of the leading SaaS application companies in the world.

Microsoft

Microsoft recommends that every one of its Office 365 customers back up their data, in two contexts:

  1. As part of their Services Agreement - https://www.microsoft.com/en-us/servicesagreement
  2. As part of their Office 365 Security documentation and more specifically on how to recover from a Ransomware incident - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide 

Services Agreement

Reference section #6 “Service Availability”

  • Service Availability.
  • a. The Services, Third-Party Apps and Services, or material or products offered through the Services may be unavailable from time to time, may be offered for a limited time, or may vary depending on your region or device. If you change the location associated with your Microsoft account, you may need to re-acquire the material or applications that were available to you and paid for in your previous region.
  • b. We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.

In this document Microsoft recommends that a customer use a SaaS backup product to back up the Office 365 data.

Recover from a ransomware attack in Microsoft 365

Step 1: Verify your backups

If you have offline backups, you can probably restore the encrypted data after you've removed the ransomware payload (malware) from your environment and after you've verified that there's no unauthorized access in your Microsoft 365 environments.

In this document Microsoft recommends that a customer use a SaaS backup product to back up the Office 365 data.

Although the recommendation is buried across multiple documents, Microsoft clearly recommends that its customers use a SaaS backup to address any eventuality.

Atlassian

Atlassian recommends that every one of its cloud customers back up their data, in two contexts:

  1. Atlassian Security Practices - https://www.atlassian.com/trust/security/security-practices#service-availability
  2. Atlassian Shared Responsibility document - https://www.atlassian.com/dam/jcr:65400ebe-0cb6-478c-bdf0-e85052490cf2/Atlassian_Shared_Responsibilites_For_Security.pdf

Security Practices

Reference the Service availability section of the document

Service availability

In addition to the above measures, we also publish our service availability status in real-time for our customers using our own Statuspage product. If there are any issues with any of our products, our customers will know as soon as we do.

Backups

We operate a comprehensive backup program at Atlassian. This includes our internal systems, where our backup measures are designed in line with system recovery requirements. With respect to our Atlassian Cloud offerings, and specifically referring to customer and application data, we also have extensive backup measures in place. Atlassian uses the snapshot feature of Amazon RDS (Relational database service) to create automated daily backups of each RDS instance.

Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups.

For Bitbucket, data is replicated to a different AWS region, and independent backups are taken daily within each region.

We do not use these backups to revert customer-initiated destructive changes, such as fields overwritten using scripts, or deleted issues, projects, or sites. To avoid data loss, we recommend making regular backups. Learn more about creating backups in the support documentation for your product.

In this document Atlassian recommends that a customer use a SaaS backup product to back up their Atlassian data.

Atlassian Shared Responsibility

Reference the table listing the responsibilities that Atlassian has and customers have.

 

Policy and compliance

Atlassian responsibility:

  • Consider the risk profile of our customers when assessing the need for security controls
  • Have a comprehensive security risk management program in place and effectively implement the controls detailed in our CSA STAR response
  • Be clear about our compliance state and what we can’t yet support (e.g., HIPAA)
  • Make available the information you need to make your decisions about our platforms
  • Help you to respond to cyber security incidents
  • Ensure our system has failover and redundancy built in
  • Receive and manage vulnerability reports related to our products
  • Operate within the law of the various jurisdictions we operate in

Customer responsibility:

  • Understand your risk profile and the sensitivity of your data
  • Assess the suitability of our cloud-based platforms based on the information we provide
  • Ensure the platform is sufficient to meet your compliance needs
  • Meet your data breach disclosure and notification requirements when relevant
  • Protect your endpoints through good security practices
  • Only host permitted data on our platforms (e.g., Not HIPAA-related or personally identifiable information)
  • Operate within the law of the jurisdictions in which you operate

Users

Atlassian responsibility:

  • Develop and roll out security controls that empower you to manage your users effectively (e.g., https://www.atlassian.com/enterprise/cloud/identity-manager)
  • Monitor our platforms for bad or malicious use

Customer responsibility:

  • Verify your domain (https://confluence.atlassian.com/cloud/domain-verification-873871234.html) if you want to centrally manage your accounts
  • Approve user access to your data
  • Periodically review the list of users with access to your data and remove access from anyone who shouldn’t have it
  • If you have a verified domain:
      • Implement strong user access management controls such as federated identity management (SAML), two-step verification and password policies as needed based on your risk (https://www.atlassian.com/enterprise/cloud/identity-manager)
      • Monitor your organization’s user accounts for bad or malicious use
      • Force password changes when needed
      • Notify Atlassian of any unauthorized use of your organization’s accounts
  • If you don’t have a verified domain, or if you grant access to users outside your domain:
      • Communicate the importance of good password management to all users with access to your data
      • Notify Atlassian of any unauthorized use of your account
      • Be aware of the risks of Social Login (see ‘Credential re-use’ below)

Information

Atlassian responsibility:

  • Access your data only if there is a specific support need to do so
  • Notify you of any breach we become aware of that affects your data
  • Maintain system-level back-ups (which includes your information)

Customer responsibility:

  • Set up your Atlassian products to reflect the information accessibility you want (e.g., anonymous access, public/private repositories)
  • Create backups of your data

Marketplace Apps

Atlassian responsibility:

  • Verify the developers of Marketplace Apps
  • Receive and manage vulnerability reports related to Marketplace Apps

Customer responsibility:

  • Assess the suitability of any Marketplace Apps you want to use based on the information they provide
  • Notify Atlassian of any malicious behavior identified in a Marketplace App

In this document Atlassian recommends that a customer use a SaaS backup product to back up their Atlassian data.

Although the recommendation is buried across multiple documents, Atlassian clearly recommends that its customers use a SaaS backup to address any eventuality.

How can data associated with a SaaS app get lost?

When using a SaaS application, there are many reasons why data can be lost. 

Internal threats

  • Human error – Accidentally deleting or overwriting files or folders caused 25% of data loss in 2019. Let’s face it: accidents happen. 
  • Departing employees – Sometimes, when an employee leaves the company, their accounts are closed. The data on those accounts can be lost as well.
  • Insider misuse – Disgruntled employees may wreak havoc with data. A SaaS application lets a user delete or modify data without knowing the human intent behind the action.

External threats

  • Cyberattacks – The statistics are staggering. IDC reports that 93% of businesses experienced attacks within the past three years. Criminal and malicious attacks were the leading cause of data breaches in 2019 at 51%. SaaS applications can be accessed if even one employee's machine is compromised. Attacks can happen quite quickly when employees have weak passwords, fall for phishing scams, or click on malicious links.
  • Misaligned retention settings – A SaaS provider's data retention policy may not align with the organization using the software. In regulated industries where compliance may require storing data for seven years, a SaaS provider that stores data for a lesser time can result in data being hard-deleted and lost forever.

Why SaaS backup?

Using a SaaS backup service takes away the worries and costs associated with having to maintain in-house infrastructure, but it also means that businesses are responsible for backing up their own data. And in an age when data is king, businesses can’t afford to get this wrong. Finding a trustworthy partner to provide SaaS backup and restore services needs to be top of mind for every IT leader.

Advantages to a SaaS backup solution

Your SaaS is only as secure as your SaaS backup. With the right backup solution, you can:

  • Safeguard data and recover granular items
  • Ensure business continuity and preparedness 
  • Avoid legal and regulatory compliance fees 
  • Verify authenticity to ensure data is authentic, original, and unchanged
  • Plan for migration to another SaaS provider or in-house system  

Bottom Line: Your organization is responsible for backup and recovery of data on these services, while the SaaS provider’s responsibility is to make sure the software infrastructure is available. 

Seven steps to evaluate your backup strategy

Here are some key metrics and points that organizations should evaluate and consider in order to create a robust SaaS backup strategy and keep their SaaS data safe in the cloud.

What is your Recovery Point Objective (RPO)?

How much data are you willing to lose? Remember – there’s no way to recover data that’s been changed since the last backup, so consider leveraging high-frequency backups, or at least backing up daily.

What is your Recovery Time Objective (RTO)?

How quickly do you need your data recovered? Cloud data protection platforms can recover your data in minutes, as opposed to the days or weeks that some out-of-the-box solutions require. Your RTO will go a long way towards determining what SaaS backup solution is right for you.

Does your current strategy enable you to recover data from any point in time?

The best data recovery solutions allow businesses to put their data back together exactly how it was before a problem occurred, whether that was yesterday or six months ago. In order to recover the precise data required, you need to be able to quickly compare data to historical data. Using an automated service with full daily backups is the best way to do this.

Are you able to recover data and corresponding attachments and metadata?

Data recovery from your SaaS backup is great, but don’t forget to back up attachments and metadata to your SaaS backup as well. Without metadata, trying to rebuild the relationships between certain types of data objects can be a painstaking and time-consuming process. And without the ability to maintain these relationships, you’ll only have partial restore capabilities. Try to find SaaS backup tools that can recover both attachments and metadata.

Does your SaaS backup tool have the necessary security controls?

Here are some controls you’ll want to include:

  • Role-based access controls (RBAC) for managing who can access backups
  • IP whitelisting for controlling domain access
  • Two-factor authentication for ensuring access is limited to authorized users
  • Single sign-on for reducing threat surfaces 

Is your SaaS backup strategy automated?

SaaS backup tools should be as pain-free and user-friendly as possible. Look for dynamic solutions that offer automated backups, proactive monitoring, and first-class support.

Is your data accessible outside of your primary SaaS application platform?

Being able to access information through a user-friendly, controlled interface outside of the primary SaaS application platform is important, as on occasion the primary application may not be available.




Sanket Parlikar

Sanket is the CTO and Co-founder of Revyz Inc and has had an extensive career in technology and enterprise data protection companies. Sanket leads the growing technical and development team at the Revyz Pune offices and is also an Atlassian ACE Leader of the Pune ACE. Vish speaks at a variety of industry meetups on topics such as software development, data resiliency, security and business startups.
