The ‘Set It and Forget It’ Era Is Ending: The Future of SaaS and Backups

Image credit: iStockphoto/AKodisinghe

When organizations started shifting core applications to Software-as-a-Service (SaaS), they took a cavalier approach to data backups. Most simply relied on their SaaS provider’s recycle bins to keep their data safe. Today, views are evolving. Surveys show that SaaS and backup admins believe programs like Microsoft 365 and Salesforce need more robust backups to protect data from cyber threats and accidental deletions. 

Still, many continue to follow a “set it and forget it” model. A large percentage of users are relying on more functional tools that SaaS providers have started to embed in their platforms to back data up. Many in that group haven’t necessarily ruled out more robust back-ups; they’re just proceeding with the assumption that they don’t need more protection.

That group is taking a chance. They haven’t experienced a situation where they urgently need to back up data. So whether it’s a data loss event, user administration failure, or automation failure, they’re playing a game of Russian roulette. They’re taking a gamble where they don’t know the odds. The event may not be catastrophic, but the ramifications could surprise them.

SaaS offers many benefits from an efficiency standpoint. The barrier of entry to getting started is low. Organizations can take advantage of OpEx models, allowing them to pay as they go. SaaS applications also can seamlessly integrate into existing mechanisms – such as multi-factor authentication for identity management – and SaaS providers often offer expertise in designing, configuring, optimizing, and managing a solution that the data center may not have.

But over-relying on them can have consequences. For one, organizations do not have as much control over the service delivery or the infrastructure it runs upon. While that can be seen as a benefit, it is a drawback if an incident arises. In fact, this speaks overall to the ability to influence the specifics of a service delivered in this manner. 

Common misconceptions

The biggest security/data protection misconception that companies have when moving to the cloud is that SaaS providers don’t do everything you want them to do. The best corollary is the shift to Microsoft 365 since many organizations moved from on-premises Exchange to SharePoint. Users of Microsoft 365 rightly assume that any outages involving applications, network controls, operating systems, and physical networks will be managed by the SaaS provider.

But the largest number of outages aren’t caused by SaaS providers themselves. It’s other humans causing the problems – either bad actors intent on doing harm or humans just making errors. The biggest issue by far is accidental deletion. Your data could be gone if you don’t have a robust backup. It’s like renting a car: SaaS providers make sure the car is gassed up and ready to go, but once you drive it off the road, you’re responsible for what happens. 

History has proven that people make wrong assumptions about how certain issues will play out whenever a new model becomes popular. That’s happening now when it comes to data backup. While IT decision makers understand the benefits of shifting responsibility for deployment, upgrades, and shifts in capacity, many don’t realize the actual responsibility of the data usually remains with the tenant. SaaS providers’ shared responsibility models spell it out clearly: The data will remain the customer's responsibility. It’s the only thing that’s consistent across the cloud. 

Formulating backup strategies

Here are several issues organizations should consider as they formulate backup strategies for SaaS:

  • Focus on preparation – It’s hard to prepare for a problem you don’t know you’re going to have. But if you have the data, you’ll be well suited to handle that type of incident. If you prepare your SaaS application for an incident you don’t know you’ll have, you’ll have control of your data. 
  • Assume the worst – Whether it’s on-prem or off, bad things can happen. It likely won’t involve equipment failure; the cloud is good at being resilient from an infrastructure perspective. But with data, mistakes happen. 
  • Keep compliance in mind – While regulatory agencies often require organizations to keep data for several years, SaaS backups often are set up for a maximum of 120 days. If you don’t consider that up front, you tend to find out after the fact. And it’s hard to restore what you haven’t backed up.
  • Check your responsibilities – Organizations should be very familiar with the shared responsibility models their SaaS providers offer. Know where your data is and be able to facilitate e-discovery situations.
  • Plan an exit strategy – The best time to negotiate exit strategy costs and methodologies are before you integrate a SaaS backup solution. It could be possible for the provider to hold your data hostage at a price point they determine at that time.


As organizations turn to SaaS to run mission-critical business functions, they’re paying more attention to the importance of data backups. But many are still underplaying the risks their data faces. Data is their lifeblood, and relying exclusively on SaaS backups could subject them to a rude awakening.

Dave Russell, vice president of enterprise strategy at Veeam Software, wrote this article. He is a 30-year storage industry veteran who was previously Gartner’s vice president and distinguished analyst at Gartner.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/AKodisinghe