Next Generation Data Protection and Backup for the Cloud
The continued evolution of traditional on-premise applications to cloud-based applications has ushered in the next generation of data protection and backup. While the need to protect this SaaS data, in applications like Office 365, Google Apps and Salesforce, is as critical as the need to protect your on-premise data, many struggle to understand why and how to effectively keep SaaS data protected and recoverable when a data loss event occurs.
In this session featuring Steven Hill, Senior Analyst at 451 Research, you’ll learn:
- How your data protection plan needs to evolve as you move from on-prem to the cloud
- How to combat a Ransomware attack and other devastating data loss events
- How best-in-class organizations are protecting SaaS data with Spanning
Mat Hamlin: Good morning. Welcome, everybody, to today’s webinar by Spanning by Dell EMC. Today we’re going to talk about The Next Generation of Data Protection for Cloud Applications. Just a few housekeeping items before we get started. The webinar is being recorded and we will share that with all attendees via email after the event. Everyone is in listen-only mode. If you do have questions throughout the presentation, please use the Q&A feature in GoToWebinar and we will address those at the end of the presentation.
So it is my honor to welcome Steven Hill to our webinar discussion today. Steven is a Senior Analyst of Storage Technologies with 451 Research. He covers the latest generation of hyper-converged systems, cloud-based storage, business continuity, and disaster recovery technologies for enterprise customers. He has over a decade of experience as an analyst, writer, and speaker covering data center technologies. He’s also served as the technology editor of storage and servers for “Network Computing Magazine.” He’s authored a number of articles on enterprise cloud computing. He’s spoken throughout the U.S. as an advocate of sort of virtualization, converged systems, cloud delivery, [and] network convergence technologies as well. So, we’re lucky to have Steven here today.
I am Mat Hamlin. I am Director of Products at Spanning by Dell EMC. I’ve got 15 years of experience in enterprise software. Here at Spanning, I’m responsible for overall product direction and strategy as well as go-to-market. So, at this point, I’ll go ahead and hand it over to you, Steven, to get us started.
The Changing Role of Online Backup
Steven Hill: Well, good morning, everyone. Thank you very much for taking the time out of your undoubtedly busy day to talk with us or to listen to us, actually, about the new challenges and the new opportunities of backup in the cloud. Just to kind of start things out here, I’d like to talk about the fact that, really, the cloud hasn’t changed a lot in terms of the way that internet-based backup and storage has been utilized as a backup target. This is something that’s actually been going on since the turn of the century. You know, there was an obvious dip in it after the collapse — the internet bubble in 2000, 2001 — but then it picked up right away because online backup was an incredibly useful way of protecting data. I mean, the fact that you can manage protection on systems regardless of where they were, you could have a standardized policy, the fact that, you know, this was all about endpoints to your CEO, [or] your CTO that might be traveling around the world with a laptop full of important stuff. And, ultimately, the only way that you could get backups or you get protection or the ability to restore to those people all over the world is via some form of online service.
So again, around the mid-2000s, you started seeing all kinds of companies popping up providing capabilities to backup and restore over the internet rather than dealing with some kind of on-premise methodology. And again, the other need factor of online-based protection and backup is that it provided offsite protection so that if you had internal problems, there was a second place that your data resided. And that’s how it is one of the high tenets of protecting data is having it in more than one location and having it isolated via the internet – or now it’s the cloud is an ideal way of managing backup data. And it’s something that’s going to be used in the long term because more and more companies are focusing on cloud as a new destination for backup data.
Now, what’s really changed with the cloud is now data exists and it has the ability to exist in multiple locations, whether it’s multiple clouds, whether it’s clients that are spread out across an extended infrastructure. The challenge becomes the fact that instead of having to deal with just endpoints, you’re also dealing with a new set of locations where data can potentially exist. The number of clouds, they’re somewhat different and now we have the ability for common files to be shared across collaboration groups as well. This is something that has been around for a while via Box and other types of shared storage platforms, but ultimately that benefit — that amazing tool of being able to share data at multiple locations across multiple users — brings along with it some problems and this file synchronization that occurs in a lot of these types of environments can spread malware. Because if an endpoint gets corrupted and especially in the case of ransomware, which we’re going to talk about a little bit later on, it’s easy for that corrupted data to go back into the system, into the cloud or wherever the shared data resides and corrupt all of that data.
Also, there’s SaaS data that’s now generated in the cloud through applications that utilize a cloud-based infrastructure and it’s the smartest place to keep that data. But it also means that that data may not have a local counterpart, it may not reside on any of your systems, it may reside only in the cloud or it may only be shared to your systems at incremental levels. So, ultimately, it’s not only the fact that cloud provides a target for it, but data generated in the cloud sets up a new environment that you have to be able to address as part of your backup strategy.
Data Growth Patterns – 2016
So, we’re going to talk a little bit about the numbers first because, you know, it’s easy to say, “Well, the cloud is doing this, the cloud is doing that.” So, I’m going to use some polling data. We have what’s called “Voice of the Enterprise” at 451 or “VoTE,” and what VoTE does is we do continuous polling across a number of customers across vertical markets. This just gives you an outline of the pool of types of companies and customers that we pull. It’s spread across, and the goal is to spread it across a wide variety and be able to slice and dice that information based on the types of customers, the type of vertical markets, sales, employee counts, etc. And then when we do these large-scale polls, we’re trying to represent the best possible mix. Now, polls are always a challenge, but we do the best we can to find a spread across North America, across other parts of the world and to spread it across different tiers of management or your IT infrastructure, whether it’s administrators, engineers, IT management, etc.
So, just in the roughest sense — the key trends that I looked at when we looked at data for both cloud and storage in 2016 — the key points are file and email data. Now, this is no surprise to you because most of you on this call, I’m assuming, are responsible for managing your data. So, file and email data are key growth areas. And the other thing that’s interesting is on-prem storage is declining in favor of cloud for a number of cases and it’s both cloud-generated data or it’s collaboration type data that’s easily distributed via the cloud. A lot of this stuff existed on-premises, but now you’re finding more and more companies are becoming comfortable with utilizing the cloud as a secure and an easy method for distributing that kind of storage.
On top of it, [there are] SaaS productivity suites. In the case, well, you see Microsoft Office 365, Google Docs, so there’s a number of them out there. They’re seeing increased adoption at both the SMB and enterprise level, again, because it gives you a document management calendar, email and collaboration capabilities that are always up-to-date that don’t require individual licensing, that are on on-demand basis and it’s always important to remember that that’s the feature. One of the key features of the cloud is this on-demand capability. So, ultimately, you’re only paying for what’s being used and by utilizing these cloud-based services, it gives you a lot of flexibility and a lot of easy ways to share this information. But it changes the model in which you have to back up data that is generated as part of a SaaS solution. Backup and recovery requires a solution that integrates with the platform because you’re utilizing the platform’s API, that’s not just files in your own environment. It may also require integration with the specific applications or sub-applications within an environment where — whether it’s email or dealing with calendar issues — these things all have to be integrated as part of a SaaS backup solution.
So, let’s look at the numbers. First, looking at workload distribution. This is to illustrate what I was talking about in terms of data growth. This just looks at, it has out of 721 polls, pollees, basically it shows almost 20% is still being dedicated to file storage — mostly unstructured data and email — and email can also include additional attachments and such. The next one, and this is obviously a growing market, is database and data warehousing because this is a very important trend. And eventually, I believe that there’s a lot of connectivity between the types of file storage you’re seeing — unstructured data and email — and the database of data warehousing that might be a result of that information. So, here, those are the top two: file storage and email.
Email, Unified Collaboration, and Productivity Apps for Businesses Distribution
The next point here asks where they’re residing and now versus in the next two years. So, if you’re looking at, for email, unified collaboration productivity, at this point, it’s 43% is on-premise and it’s looking that it will drop to 24% in two years. And, again, polls are polls. But the interesting thing of it is that if you look at it, most of that growth goes back to the bottom in terms of software as a service. And again, I think this is illustrative of how useful software as a service can be for a number of customers. And again, this spans all different types of customers — enterprise, SMB, SME — so that they get a general idea of, and it’s just 138 participants. So, it represents a pretty good cross-section in terms of judging where these new applications of productivity, the email, office suites are going to reside or are increasingly moving to software as a service.
Now, this is the question of where that data is going to reside, what locations are you using for backup/DR, archive storage for all of these applications. And today it’s 55%, which is very, I mean, very realistic, in company-owned or third-party location facilities. And this is the way it’s going to change, out of 160 polls, it switches in that same two-year timeframe by dropping to 41% online and the growth of software as a service in public cloud have gone up in an equivalent amount. Let’s look at that again because I love the way this transitions. This is the way it is now and this is the way that it’s going to look in two years. Again, showing a similar trend that we’re seeing in terms of how it’s being adopted, where it’s residing, and then where is the data going to be stored in the long run.
New Challenges – Protecting SaaS Data
So, ultimately, it presents a new challenge because software as a service data is a different beast than just pure nonspecific data. Really, it covers a variety of different data that may be integrated within the suite itself or requires a number of different types of data be combined. So looking at it, it’s how it exposes data. Shared file access obviously requires protection because you have to protect the end user from themselves to the most part — so especially in the case of shared — the ability to protect against overwrites or at least allow for and be able to deal with overwrites or deletions. And that should also be managed from a self-service perspective because that’s a second tenet of what the cloud is, is a self-service capability so that ultimately, your storage administrators don’t have to spend a lot of time chasing down deleted or ruined files.
This is something that should be available to an end user to a certain extent. Mission-critical SaaS, this is data that may have compliance issues, needs to be addressed in a similar manner as it’s being managed in your existing infrastructure. And that leads into the consistent, policy-based management across platforms. If you have a specific set of requirements, and, of course, this is different for every vertical market. If you’re talking about medicine, if you’re talking about financials, if you’re talking about the military, if you’re talking about any kind of highly monitored and managed product production environments, you need to be able to meet the visibility and compliance issues that are most important for your particular business. Because, again, software as a service means that some of that data may not reside within your firewall. You need to be able to address that consistently, regardless of where that data resides.
The other thing is, this is interesting, is the metadata requirements for protecting these types of platforms is that there’s a lot of customization that goes on. Anybody who’s tried to restore an existing Outlook environment from a poor backup understands the challenges of trying to bring all of the preferences, all of the variables of a productivity suite back to the way that an end user had them set up because, again, that’s where all the productivity comes from. As people customize their environments, it makes them more productive in the long run and the ability to be able to restore that should there be an interruption of service or there should be a data loss requires the ability to be able to go and capture the metadata about that production environment and then be able to restore it in a reasonable manner. It also must have the ability to automate and document testing. I’m going to mention testing a couple of times today because anytime that you’re doing backup and recovery — and this is based on personal experience — if you don’t test it, there’s no guarantee that it actually works. You need to be able to ensure that a restore can actually happen, that your policies are, and it requires actually going in and doing it to a certain extent. Whether it means validating the entire platform and being able to log that or simply going in and doing a test restore to make sure that the data that you need to have is continually being backed up and available according to all of the automation. Anytime you hand something over to automation, you need to be able to be diligent and check back on that. You may need to have reporting requirements to meet the compliance issues of your industry. And because software as a service means that that data — that information may reside in multiple locations — you need to be able to address that regardless of where these applications are residing.
Ransomware – the Growing Scourge
And then this is the last — and I’m going to segue into ransomware because it’s a frightening environment — but automated files, synchronizations, and whether it’s via Dropbox or Box or any other type of shared storage environment, any particular endpoint can potentially affect all of the files in that particular environment. Let’s just take a look at it in more detail. I call it the “growing scourge” because it really is, it’s probably one of the most insidious threats that I’ve seen over the last 20 years in terms of how it affects end users. I’m sure that you’ve read reports. I know that the reports only highlight a tiny fraction of what’s actually going on here because nobody really wants to admit that they’ve been hacked like this. And the problem with this type of hacking, it’s not just exposing the data, it’s actually making the data completely inaccessible. And it affects customers and end users alike. Businesses are no less protected from it than consumers are because it’s easily spread through unprotected endpoints and end users, unfortunately, are the ones that typically get suckered into downloading payloads or, you know, clicking on email attachments or even in the terms of drive-by where they didn’t really do anything other than say yes or no to a prompt, that can introduce ransomware into the system.
And even…and this is funny, but it’s true that even experienced users can fall victim to this stuff because certainly the more experienced you are, the more that you can see these things. But the other side of that coin is that you also get jaded to all the prompts that come up. You see them, you’re used to seeing them and you say, “Sure, I want to do that,” because it’s just, you’re in the middle of thinking about other things and a prompt comes up and you’re used to saying, “Okay,” and that’s where they get you because, again, social engineering is probably the easiest way of introducing malware into an environment. Now the problem is once that malware comes in, it encrypts all of your files and this is something that’s now available as hacker kits. High-level tools are out there to develop this. So, script kiddies can go in and create these types of ransomware environments across the world. And once it’s introduced into your system, there’s very little you can do about it because there’s little or no possibility of decrypting that stuff without the key. And they’re talking about the same encryption basically that we use to protect our own data. However, they have the key rather than you. And even though you could argue, “Well, sure, that can be decrypted,” it’s typically beyond economic recovery because unless you’re good friends with somebody who’s got a spare supercomputer lying around or unless you’re involved in the government with a three-letter acronym for a name, you don’t have the computing power. You don’t have the skills, the tools or the time to be able to try and recover all of this data without the key itself.
And the other challenge is that these attacks are becoming more sophisticated. And some of these systems — excuse me — some of these malware, ransomware platforms are capable of doing stealth operations that are designed to mask what’s going on until your data moves outside, say, a typically set backup window. And once that happens, obviously, you could lose all of the data or any of the data that occurs between when that malware was initiated and when you actually discovered that you’ve been nailed by malware. So, again, and this is the worst part of it. This is the most insidious part of it, is that paying the ransom is no guarantee of recovery. You have to realize that these are criminals and scumbags, for the most part, to put it less than mildly. And you can’t trust them. You know, once they’ve got your money, regardless of how it’s delivered to them, because they’re really good at getting money that’s in an untraceable manner. And once you pay that off, there’s no guarantee they’re going to give you the key. Or even if they give you the key that it’s actually going to work. So, ultimately, you’re completely at their mercy when it comes to getting your data back. And from what I understand, about 20% of the time — even though the ransom was paid — you don’t get your data back.
Ultimately, the best protection is a granular and automated data backup environment where you have enough historical data backed up over the long run that you can go back to a specific point in time and minimize as best possible the impact of the data that you can’t recover. There’s a number of terms for doing this, but ultimately it comes down to the same insurance policy you have for any type of data protection is saying the amount of time, effort and cost you put into this is directly proportional to the importance of your data. How difficult is it to replace it? How embarrassing will it be if it’s discovered that you’ve lost the data because, again, data loss is, especially in high profile environments, say, medicine, you’ve read the reports about hospitals being held ransom, and ultimately it doesn’t seem like a lot of money. Fifteen-thousand dollars, I remember, was one of the numbers bandied about for how much it cost to get a hospital’s data back, which is great if they actually got it back, which I believe they did, but ultimately, you know, this is why they get away with it is because it’s a relatively small amount of money and it’s something that is, again, there’s no protection for it. Even the government and law enforcement are stymied by this problem.
So that being said, and forgive me for, and this is not, you know, to create hype about ransomware. This is based on personal experience. I have had friends and colleagues who have dealt with this and it’s just, it’s something that really needs to be addressed because I’m hearing more and more anecdotal evidence that this is happening all over the place. It’s not being publicized, but it’s something that’s occurring. So, there’s your scare for the day, Happy Halloween.
Customer Relationship Management (CRM) via SaaS
Let’s look at another technology that’s important via SaaS, which is CRM packages — customer relationship management. It’s a large market, $26 billion at the start of this year, with the key vendors being Salesforce, SAP, Oracle, the usual suspects. But Salesforce holds pretty much the lion’s share of the market. But the interesting part of this is that vendors have amazing customer loyalty once it’s been adopted. Now, I would contend that it may not be as much about the quality of a particular software, but the fact that once a company sets down the path of using a CRM vendor, the customization that they do and the way that they changed their business model to adapt to that CRM environment makes it really difficult to move on or to shift easily. But that’s a completely different discussion for a different call.
Let’s talk about how it changes the market because there’s no on-prem component to the production environment. I mean, if you’re, say, for example, let’s pick on Salesforce. If you’re using Salesforce, the entire infrastructure that exists at Salesforce, the data resides on Salesforce. And it’s a closed environment for the most part, so it requires a solution that integrates with the platform, that the backup environment is done with full cooperation of salesforce.com or whatever CRM technology that you’re utilizing. And in this case — a customization-configuration methodology — the metadata that we were talking about is even more important because realistically, this is where a lot of the investment in company time shows up, or the individual customer’s time is in the modification, creating frameworks and templates and reporting. And all of the details that go into that environment need to be protected separately than the data itself.
Now, these companies are very good about protecting their environment, no two ways about it, but ultimately, it’s more about protecting the functionality of their environment and less about protecting the data or the configuration information about your environment itself. So, because it’s not on-premise at all, you need to improve visibility, you need to be able to provide similar monitoring for compliance because, again, this data, depending upon what your vertical market is, is just as important as any other data or if not more so. And it may have privacy ramifications, it may have international ramifications, it may have a number of issues that your CRM data needs to be protected for and you need to be able to document that. And once again, I point to testing because if testing is complex, if testing doesn’t occur, you’re left twisting in the wind if something actually happens and your particular vertical market may require documentation, it may require validation. Ultimately automating it means that testing actually gets done because in a complex testing environment, that either impacts productivity or that is very difficult to do testing just doesn’t get done. This is where automation and simplicity are a real feature.
Customer Relationship Management (CRM) SaaS Provider – Cloud Familiar Respondents
Let’s look at the CRM market in general. Again, this is a smaller sample, it’s only 47 companies. But if you look at our polling information of this, this is based on our cloud polling, is that 55% made of Salesforce. I think the numbers are a little high in this case, but again, it’s representative of the polling information that we do.
Future Use of Customer Relationship Management (CRM) SaaS Provider – Cloud Familiar Respondents
But this is the intriguing number. 85% of them anticipate being a customer of that same company in two years. This kind of loyalty is not always common, it is in some cases, obviously, but I believe a lot of it has to do with the amount of investments and modifications you make to your business to adjust to using a specific CRM platform.
CRM in the Cloud
Also, where are these things existing? Currently, a certain percent, you get 24%, is now in an on-premises environment. But as you can see, that’s going to be decreasing by almost half over the next two years just in a poll of 80 customers or 80 end users. But ultimately it shows the similar patterns that we’re seeing across the board is that more and more companies are going to be adopting CRM in the cloud as a software as a service offering, and it means that it has extra validity moving into a much more hybrid cloud environment, which I believe everybody is looking to accomplish. It’s a very useful way of managing your CRM information and providing the collaboration capabilities that CRM enables.
So to wrap up my part of it, some final thoughts here is that increased cloud usage adds this new dimension to data. As we talked about earlier, it’s outside your firewall, it requires different types of visibility than you’re used to having. The second point is that you need to address those specific challenges yourself because there’s a gap and you need to mind that gap between what you’re doing on-premises and what may be occurring more and more off-premises. And the last point is it’s not safe to assume that sufficient data protection is part of your SaaS agreement. For the most part, these companies are more about delivering the SLAs that they promised than they are about protecting your data. It’s like the cloakroom at a fine restaurant. They’ll be happy to take your coat and give you a check for it, but there’s a little sign in the back that says, “We’re not responsible for items left in our care,” and they can’t be and I can understand why this is. I mean, obviously taking full responsibility for customers’ data is a tremendous risk that I don’t see how they could take in their business model.
Well, thank you for listening to my part. With that being said, we’re going to transfer control over to the folks at Spanning and I’d like to hand it back to the Director of Products at Spanning and he’s the master of avoiding disaster, Mr. Mat Hamlin.
Mat: Thank you. That was a fantastic introduction there. And I definitely appreciate all the research that 451 has done and your insights here as well. So, coming out of the discussion that Steven just completed around how things are changing, what the new threat vectors are as your data moves into cloud environments, cloud infrastructure and SaaS environments, I want to focus a little bit narrower on the data itself, and the responsibility that organizations have as they start utilizing these new technologies in these SaaS environments. So, we’ll start off talking about who is responsible for data in a SaaS application. And this is something that I’ve had many conversations with customers, analysts, service partners that we have, which all roads there lead to the fact that data integrity, data security, data protection in a SaaS environment is a shared responsibility.
The Shared Responsibility for SaaS Data
The SaaS provider, as Steven mentioned, does a lot to ensure the platform security to ensure that the application itself, which has access to your data that you put there, is highly available in line with their published SLAs. They are very reliable. In a lot of cases, the uptime and reliability of the SaaS application is better than what you had on-prem. I think the SaaS providers such as Microsoft, Google, Salesforce do a great job at that. They’ve got multiple levels of failover, multiple data centers to protect you from a lot of infrastructure causes for downtime or data loss as well.
Lastly, resiliency. They do a great job around resiliency and this is proven to be the case in things like ransomware attacks when they do happen, and once they are isolated and identified, if there’s a new strain, if it’s something that the SaaS provider can do to help their customers, they will and they do that on the platform as a whole, and so that benefits everyone who is a subscriber. I think recently there was a new ransomware attack, a new script written by a script kiddie, I guess, as Steven mentioned, where it was a little bit different than one in the past. It did have an effect on some data in Microsoft environments and therefore was synchronized to Office 365. Microsoft identified and isolated it fairly quickly. I think it was multiple hours before it was identified as something that was malicious, but they did put in protections in place across the entire platform to prevent additional customers from being affected.
But those things, you know, on the left side of the slide here, the SaaS providers are very, very good at, but that’s where they see their responsibility. That’s where they sign up to provide SLAs around that responsibility. But your responsibility is for your data. The data you put into their platforms, into their applications is still under your control and it is still your responsibility. And so that spans a few things that they allow you to do in their environment, managing an account and access, who has access to what, making sure that you’re properly granting and removing access as people move in and through and out of your organization, configuring the application, you know, your administrators for Salesforce or Office 365 still maintain a lot of power or control over the data and the policies and the security policies and retention policies that might affect that data.
Firstly, Salesforce, in particular, a great example is being able to inject code into that platform that can go massage and change data either for, to benefit the business, but any mistakes there can have a dramatic impact on the data you’re putting there and it can destroy data at compute speed. Data security policy, they do give you some control over that, I kind of mentioned that. And lastly, data protection, backup, you are still responsible for the data you put into the applications. If you instruct a SaaS application to change your data, change the version and its content, sharing settings, delete that data, if you tell them to delete that data, they will and they promise to. That’s actually part of their service level agreement. “We will do with your data what you tell us to do.” So, the factor in all of this that is still the one that can lead to the problems is the human factor, right? All of the things on the right are related to human behavior. A lot of them are about controlling your internal employees and the data, but they’re going to make mistakes.
The other big risk here is malicious insiders or malicious outsiders. In the case of ransomware, a lot of the encryption that happens, that might happen on a laptop that gets synchronized into a SaaS platform if you have a sync tool. Those things can still occur. In two of the platforms, as Steven mentioned, it looks like a legitimate encryption of data because there are many, many encryption services that you can install on your laptop for legitimate security reasons, so it looks the same. So, because the SaaS providers can’t tell the difference in whether it’s something good or something bad, they carry it out and do what you tell them to do. So, those things still occur and leads to this notion that data, your data in these environments, the responsibility for that is a shared responsibility.
SaaS Vendors Agree
If you look at the vendors themselves, they say the same thing. Office 365. Most of these comments are on the trust pages for these vendors. Microsoft says, “With Office 365, it’s your data. You own it, you control it.” Salesforce says something very similar on their trust page, they also go a step further, there’s a knowledge-based article which is linked in here. It says that they recommend using a partner backup solution that can be found on the AppExchange. So, they take one step further and say, “It really is a good idea to be able to have backup and recovery for the data in your data running in our platform.” Actually, Google, very similar. “To put it simply, Google does not own your data.” It’s your data. You control it, you manage it.
Who in Your Organization is Responsible?
So, the next question I want to discuss is the fact that you are responsible for your data, right? The question then becomes who in your organization is responsible for the data? This is another discussion that I have often with organizations because as you move to a SaaS environment, the individual or department in your company who’s responsible can change. And so, the way I often talk about that is with the different cloud deployment models, and if you are running Siebel CRM or Oracle CRM on-premises, your organization was fully responsible, top to bottom, right? Your IT infrastructure team had servers in place or virtualization, they ran the network and operating system, installed and configured and administered Siebel, the data was there, user management, it was all there, right? It’s all on-premises, all under your control, all responsible. So, your IT department had a lot of responsibility in that stack. If you move to infrastructure as a service and you run an application like a CRM application in a public compute environment, the IT organization still is probably responsible for the virtualization layer on up, managing the OS, patching it potentially, making sure the application is running.
If you move to platform as a service, something like you decide to run the infrastructure application and then you decide to use a database as a service in the back end, again, there’s a little bit less and less that your traditional IT organization has control over. What we’ve seen time and time again is that when you move to a SaaS application like Salesforce, a lot of times, the traditional IT organization becomes somewhat disengaged in that process. There’s no more servers or network or operating system, right, for them to manage control. None of the tools that they used in the past apply anymore, and so the responsibility for protecting that data is whose responsibility? I always flip that question over and I say, “Well, when your sales leadership loses data in Salesforce, whose desk are they going to walk to?” Salesforce administrator, director of IT who has done backups for the last 20 years for them, right? You don’t want to be in a situation where both of them are pointing at each other. So, are you prepared? Have you thought about this? Have you had discussions with your organization and with these two departments in your company to identify if there are any gaps or not?
Regulatory Compliance Requires SaaS Backup
The other reason it’s vitally important to have this conversation is that regulatory compliance requires SaaS backup. You can drop the “SaaS” there and say “backup” and everyone understands that. You have to be backing up your data, right? Putting in “SaaS” doesn’t change the equation at all. Your responsibilities for protecting your data based off of regulatory oversight, compliance regulations, those don’t change at all, right? If you’re required to have backup and be able to ensure business continuity, if you’re using Salesforce or if you’re using CRM, Siebel on-premises, your responsibilities to prove that you can do that haven’t really changed, right? So, again, your responsibilities for protecting data in the cloud are no different than your responsibilities for protecting on-premises data.
A lot of times, if you do have internal or external compliance and audit scrutiny in your organization, whether it’s for SOX 404 or whether it’s for HIPAA or FISMA or whatever regulations are imposed upon your organization based off of your company’s vertical, a lot of times, the auditors will use frameworks that are common across those. You know, ISACA has a framework called COBIT, COBIT 5. In that framework, under DSS04, under “Managing Business Continuity,” there’s a statement which is, if you have to, “establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes.” Now, “incidents and disruptions,” I think a lot of times in the past, people, especially like the traditional IT organization, they think natural disaster, hardware failure, “We need failover in place if it’s a true traditional disaster recovery.”
But what about ransomware? That’s an incident, that’s a disruption to access to critical data to run your business. It’s not, doesn’t have anything to do with hardware, honestly, right? Or natural disasters. And so, the last thing here, I think, that’s vitally important is the way that your auditors are going to measure this is by your percent of successful and timely restoration from backup and acceptance by the enterprise, is it okay? Will your sales leadership accept the fact that, you know, the Salesforce data that he needs at the end of the quarter is unavailable for two days and when you do get it restored back, if you are using some of the tools from Salesforce, like the Weekly Export, the data you put back is six days old. Is that okay? Right. Those are the kinds of questions that you need to be asking yourself, to be asking your executive leadership, your audit team and your Salesforce team and the IT organization traditionally responsible for backup and recovery.
When You Lose Data, How Will You Get it Back?
So, when you lose, and this is another question I often ask, which is when you lose data, how will you get it back? In the SaaS applications that we provide data protection for, in Office 365, Google Apps and Salesforce, there are some inherent functionality there that might be good enough or you may consider them to be good enough to put you in a position to recover data or when necessary. And there’s recycling bins in all the different services. Some of them can be wiped out by the users. Some of them keep data for 7 days, some for 90 days, right? They’re all different. Most of them are not easy to use and most of them do not have global administrative oversight where an administrator can go in and look at the data that might be in somebody’s recycling bin and help them get it back.
So, you know, I did a webinar a few weeks ago related to cybersecurity and ransomware and one of the topics we discussed there was pretend you’ve been hacked. Don’t go down a list and think about what we need to be doing and how we need to be doing it. Start the other way. Flip it over to say, “Pretend we just got hacked. Now what would happen in our environment? Right, who’s responsible? What’s our incident response plan? Do we even have those things?” That’s a great way to test this, right? The same way in data protection and backup recovery for SaaS data. Pretend you’ve lost data and go through the steps, figure out if you can get it back or not. Is it fast enough? Is it with the same fidelity that it had before? Right. If you can get data back into Google Drive, it’s critical to your company, that’s great, but can you get it back and put it back with the same metadata that it had before? How are you sure that’s shared with the same people who needed access to it to do their job? Right, so those are great questions to go down.
Spanning Product Line
So, a little bit about Spanning. Spanning Backup provides enterprise-grade backup and recovery for SaaS applications and we focus there, only on SaaS applications. We’ve got…backup and recovery on Google Apps are new, these were renamed to G Suite and so we back up Gmail, Drive, Contacts, Calendars, and Sites. Backup and recovery for Salesforce. In that product, we pull and protect as much data as we possibly can. That includes objects, custom objects, files and attachments, and those customizations that Steven mentioned earlier. We pull, what they call metadata, we kind of call customization, so any FX code that had been written or dashboards that your sales team has constructed or financial reports that your finance team depends on at the end of every quarter, the definitions of those things are also protected with our solution.
And then we also have backup for Office 365, which covers Mail, Calendars, and OneDrive for Business. All those services are also offered as SaaS offerings, so our backup and recovery is a cloud-to-cloud backup, it’s subscription-based. It’s priced per user per year. We provide unlimited storage, unlimited retention, and there’s a 14-day free trial for all of these and they literally install in just a few minutes, so I heavily encourage you to go try them if you’re interested.
Complete, Point-in-Time Backup
A little bit about the product real quick. One of the important factors when you’re looking at the data protection for SaaS is the restore process, right? You back up so that you can restore and restore quickly and correctly. Our products across the board have complete point in time backup, meaning that you can go and see what somebody’s OneDrive for Business account looked like exactly on September 23rd of this year. You can select a single file, a single folder or all the data and restore it directly back into OneDrive for Business. So, that point in time snapshot or synthetic, full backup if you’re a backup professional, it is very important, especially in cases like ransomware where you need to put back a thousand files the way they were four days ago and trying to do that with either the native tools in the products or with some other products to do those things one at a time, a thousand files times five clicks is a lot of time. So, having this tool, synthetic full backup, which you can look at and identify exactly what the customer, the end user’s data looked like at a point in time it was filed.
We also focus a lot on user experience. Our products have been built for administrators of these applications, so Salesforce administrators, Google Apps, Office 365 administrators as well as end users. We fundamentally believe that if your organization is interested in doing so, enabling your end users to find and restore their own data, the fastest way to get data back and get somebody operational in your organization is to allow the person who lost the data to find it and restore it themselves in just a few minutes. Our applications are available on the web, tablet and in mobile apps as well, as you can see here. And again, it’s one of those factors that, I think, separates us, giving organizations the ability to empower the end users to find and restore data. There’s a few things, right? It gives them the confidence to work in these environments without a fear of making huge mistakes. You know, if somebody’s working in Salesforce, you know, I’ve heard this story many times where a Salesforce administrator or a developer may have come from a different business line in the past. We see a lot of Salesforce administrators who were business analysts or tend to be not extremely technical. And so that’s the person in the organization, though, that is responsible for uploading data, right? If you get a thousand leads from a conference and all the data you pushed into Salesforce, there’s an import process. And it’s scary, you know, if you’re going to import 2,000 or 3,000 new leads and it’s going to overwrite data or change things, it can be very stressful. So, having them aware that that protection is in place in case something goes wrong, they can recover, can be valuable. Same thing down to the end user level, all the way down there, which is giving them the confidence that if mistakes happen, they can recover from that, which is very empowering for a lot of our customers.
One thing we do is, again, try to cater to the user who we are supporting. So, for example, our Salesforce application is delivered within the Salesforce user interface. The Salesforce administrators, that’s where they live and breathe and just about 100% of their work week is at that platform. So, this allows them to stay in that platform and have a good understanding of what’s going on. It also allows them to control who has access to different functions related to backup and recovery by using the inherent Salesforce user access models and policy models. So, again, that gives them the power to enable administrators, multiple levels of administrators or end users to find and restore data without having this separate list of access rights to corporate data.
How Can Spanning Help?
So, to wrap up this section here, how can Spanning help and how we helped thousands of customers, it’s really related to being able to help your organization protect against data loss scenarios not covered by SaaS providers that also will enable you to meet your compliance and audit requirements related to backup and recovery, and prove that those processes are in place, if you were so asked, will help empower end users to recover from their own data loss events. And that leads to a reduction in time and effort needed by the administrators or your support organization or to your IT organization to find and restore that data that’s lost.
Lastly, we have a functionality where you can actually move data from one account to another. So, if we’re backing up data from Office 365 for one of your employees and that employee leaves the organization, we can actually restore data from that person’s account into a different person’s account — maybe hire somebody a few quarters later to replace that person or you shift the project to a different individual in the organization — we can restore that data to different accounts in some of the use cases like that.
So, real quickly, I wanted to go through a few case studies across three articles and all three of our products, first being Clark Construction. They highly leveraged Google Apps for their productivity suite. One of the reasons that they came to us, and we’ve had discussions about this, is that they have requirements to. They are very large, a multi-billion-dollar construction company and so they oftentimes have contracts with state and local or federal government or other companies that have those contracts. And part of those agreements is that they have to have data protection in place as dictated in the contract. So, there was a clear requirement for them to have control and data protection and recovery availability for the day they were putting it into whatever system they were using. They chose to use Google Apps for its ability to scale up and scale down, and as Steven said, you can add or remove services as your employee base grows, especially if you have seasonal or contractual workers, that is very, very valuable. But they also had to continue to serve these demands on them around data protection and compliance.
Well, the next one is Millar. They’re a medical device company and their requirements for data protection stem from some responsibility they have being a medical device supplier that they have a requirement to maintain and archive data about their product lines for many, many years after it’s retired — I believe it’s 20 or 25 years after the device is no longer in service. The other thing that was a huge driver for them for backup and recovery is that they have cybersecurity insurance that they have leveraged internally as many, many organizations are starting to do with this increased threat from ransomware. And part of the requirements for the cybersecurity insurance to pay out a claim if anything ever happened was that they had to have backup and recovery for the data that was at risk. So, that’s something that you should look into and work with other departments in your organization if you have taken the effort to get cybersecurity insurance to protect your organization, read through there and make sure that you’re meeting all the requirements necessary that if something did happen, it would properly pay out as you expect.
Lastly, we’ve got a company, SThree, and they are focused on recruitment. Their need for backup and recovery, in this case, for Salesforce, stems from the fact that their company highly leverages Salesforce. Their business processes, their core business relies on Salesforce, the customizations they’ve made to that platform. The integration of third-party applications they have constructed to run the business operation to many, many departments. So, as you can see here, the first priority was to find a cloud application and we feel confident we can get our data back in a dire situation. The other thing that was vitally important to them was that they can comply with and meet the data sovereignty requirements they had. Being a European-based organization, they wanted to make sure that all the data resided within the European Union economic region where they operate. So, Spanning has the ability to enable customers to choose where the service, where our service runs, where the data resides, gets processed and gets stored. And so, we have options in North America as well as in Europe and the Asia Pacific next year.
All right. So, that’s it for me. So, let’s go ahead and switch over to Q&A here. The first question I got here is related to Spanning Backup for Office 365 and Google Suite where we run the services. If you look at our website, it’s fairly clear we do leverage Amazon’s infrastructure for offering some of our services. The question is related to whether that will remain the case or will change in the future. I anticipate that it will remain the same for the foreseeable future. We don’t have any immediate plans to do so.
The next question is around Spanning Backup for Office 365 and our ability to protect Office 365 SharePoint Online. We do have plans to do that… That’s our primary focus on our Office 365 product. We are actively working on backup and recovery for SharePoint Online as well as, you know, it includes the team sites and groups and I anticipate that will be available within the first half of next year. Feel free to caveat supply to that, of course.
Then, another question about that as well. There is a question, “How does a cloud backup tool protect us from ransomware?” So, in the ransomware scenario, most often, that occurs because of a phishing attack or some malicious behavior that derives on an endpoint — a laptop, a desktop — some environment that has the ability to execute code that can then go and encrypt that data. Well, what ends up happening is if, in your organization, people are using Google Drive or OneDrive for Business or Salesforce Files Sync, those files reside on your input, on the laptop. At that point, the ransomware has access to those and can fully encrypt that data. Then guess what happens? That’s Files Sync and Share, so it takes those changes to those files, that encrypted file now, and it syncs it to OneDrive for Business, Google Drive or Salesforce files. If anyone else in your organization or outside of your organization also has access to those and then that file’s been shared with them and they’re syncing it, now you’ve got to think that file has been encrypted down to those other laptops, and those other desktops, right? So, there’s definitely a large risk of propagation of ransomware based on files that have been shared.
So, the way that we can help is, though, it gives you the confidence at an administrative level that you always will have access to previous versions of that file that is hosted in the cloud. And if you roll back, if you put that file back to an appropriate version prior to the ransomware attack, then it will be synced down to all the people who had access to that and was syncing it down to their laptops.
Steven: Just out of curiosity, how do you guide your customers in terms of what the appropriate granularity is for their backups? Because, again, it all depends on how often it’s being backed up and that was really what determines the amount of loss that occurs in the event of some kind of ransomware.
Mat: Sure. Yeah, absolutely. I mean, we have different requirements from different customers, you know, today, our product line will do automated backup once a day, so every day across our three products and the customer base, we reach out to the SaaS applications and ask what’s changed since the last back and pull that information down and marry it with the data we have to create those synthetic full backups. We also provide the ability to perform on-demand, as you see fit, backups. So, it really just depends on the customers’ requirements as well as what’s going on. We oftentimes see people perform manual backups, for example, for Salesforce before they roll out a new code, or before they do have a large upload of data, or new data or before they integrate with the third-party application to get that nice snapshot before they know that changes are going to happen to their environment.
Steven: Right, but just a hard and fast rule that you can follow. Thank you.
Mat: Yeah. Okay. Let’s see here. We’ve got a question. There are a few questions about SharePoint, I want to think I’ve covered those, hopefully. This says, “Will you be opening a UK-based offering now that the Brexit is happening?” We don’t have immediate plans to do so. Our European data center is located in Dublin, Ireland, which happens to be outside of, of course, the UK, but within the EU, so no plans as of yet. All right. Let’s see here. Here’s a question about, “Does ransomware affect Salesforce or other sales platforms where the data files aren’t directly accessible by the end user?” I think I’ve covered that description about the endpoints access and the synchronization there. Let’s see here. I did want to ask Steven real quick. You know, obviously as an analyst, you speak with many, many customers across many organizations. Do you feel like the awareness for this problem has increased, gotten better or are you still asking the question of — are you getting asked the question more or are you asking your customers more about what they’re doing for that?
Steven: It’s always a combination of both, right? Because if every organization has a different set of constraints, a different set of requirements, different set of legal ramifications. And, you know, ultimately this is still relatively a new thought process. I mean, Office 365 offers all kinds of different potential uses, but like you say, it’s very easy to overlook the fact that this has always been taken care of in the past. We’re going to the cloud, the cloud is promised to be secure, so what do we need to worry about? So, it’s very easy to look at that because, again, it’s this gap between, you know, what’s being done on-premise and is being addressed by those people on-premise and what’s now suddenly occurring in the cloud. And the smart organizations are including their storage administrators or, you know, their security people as part of the cloud process. But it’s surprising how often cloud initiatives actually come from different locations. And the challenge is improving that communication throughout the entire organization to address cloud as part of the larger infrastructure question and to be able to include it as part of the long-term data protection process.
Mat: Yep. Okay. That makes sense. It looks like we are at the top of the hour. I’m going to take just one more because it’s a quick one here. If you have any other questions or we didn’t get to your question, we’ll be happy to answer. You can email it to email@example.com. That’s the way to get those answered. The question is that, “I can delete a user on Office 365 or G Suite,” thank you for using the new terminology there. “Can you still access users’ data on Spanning?” The answer is yes. If you are backing up an account in Office 365 or Spanning, I’m sorry, Office 365 or G Suite and you remove that account from those environments, as long as you continue to have a Spanning license assigned to that account, we will maintain and hold onto that data for as long as you would like us to. That data will remain in a restorable format. So, if you ever want to restore it back into G Suite or Office 365 to a different user’s account, that can absolutely happen. Absolutely.
Well, with that, I will close out the webinar. Steven, thank you very, very much for your contributions today. I much appreciate it. And then thank you to everyone else in the audience. We know your time is valuable and we appreciate you spending some of it with us today.