Where Data Protection-as-a-Service Wins and Loses: Protecting Cloud Data with DPaaS

By Mat Hamlin

As organizations move more data to cloud services, they must actively adapt their backup and recovery processes and solutions to maintain compliance with their defined governance policies, and be able to prove it when asked by internal and external auditors. Too few organizations understand that data protection in the cloud is a shared responsibility between the cloud provider and the subscribing organization. Ultimately, when auditors ask for proof of rapid data recovery operations, it is the organization that must comply, not the cloud provider.

This introduces a few key challenges when it comes to backing up and recovering data in the cloud:


The only way to get data in and out of SaaS applications like G Suite, Salesforce and Office 365 is by using their public APIs and downloading individual items at very high scale, which can prove challenging to the enterprise.

There is no access to the underlying infrastructure, storage or databases. This means that many traditional backup and recovery solutions will not work, which is why you see new entrants into the backup and recovery market and traditional backup vendors trying to adapt their current products to support cloud architectures. To effectively back up cloud data, solutions must scale horizontally and perform backup and recovery operations in parallel.

The Rate of Change

Today’s SaaS vendors release product updates in continuous release cycles, constantly launching new functionality, new services and updated APIs. This makes it difficult for organizations and data protection vendors to keep pace. To keep up with the changes, organizations must frequently review and adapt their processes, and backup and recovery solutions should be able to match the rapid, continuous release cycles of the SaaS application provider. Otherwise, backup and restore operations may not work, or new data types or metadata will not be properly captured.

Shift in Responsibility

When organizations move their applications and data to the cloud to better enable collaboration and mobility, the responsibilities for backup and recovery become shared between the cloud provider and the organization. The core backup and recovery services that were handled by the on-premises backup team, like disaster recovery, fail-over and application uptime, are now handled by the cloud provider. However, each organization is still responsible for being able to recover from data disasters caused by human behavior.

Google, Microsoft, and Salesforce are focused on fixing their own mistakes. But they’re not responsible when you make a mistake — or when a malicious act stops your business cold. Data loss caused by human error or ransomware and other malware is still the responsibility of the organization, and organizations are faced with determining which internal team is responsible – the application team or the traditional backup and recovery team. Often, this question is not asked and each team assumes the other is able to recover data when it is lost.

The most effective way to overcome these challenges is to proactively address them by educating your organization and ensuring there are clearly identified responsible parties. Enterprise IT should ask the cloud provider to describe their complete capabilities for backup and recovery and compare that to the defined policies and compliance controls of your organization. Specifically, the following questions must be answered to the satisfaction of the organization:

  • Please describe the backup and recovery procedures for your service.
  • What are the defined service levels for RPO and RTO?
  • How has your service performed against the defined service levels over the past 24 months?
  • As a customer, what access, if any, do I have to the backup and recovery services within your product?
  • Do you provide backup and recovery options or features to recover from data loss caused by human factors such as mistakes, malicious insiders, external threats or misconfigurations?
  • If so, do you offer a defined SLA for recovery?
  • What limitations do these capabilities have? For example, what are the applicable time frames? Are there mass recovery options or just single-item restore?

One approach to cloud data protection is Data-Protection-as-a-Service (DPaaS). The advantages of this approach include ease of acquisition, management and maintenance, with little to no requirement for on-premises hardware, software or storage. DPaaS allows usage to scale up and down as the organization changes over time, and cloud-to-cloud data transfer removes the need for data center network consumption.

Before moving forward with DPaaS, it’s critical to understand what this approach can and cannot do for the security of your cloud data. First, understand the challenges SaaS adoption can present when it comes to data protection. Second, comprehend what your cloud service provider does and doesn’t provide in terms of SaaS data backup and recovery. And third, evaluate whether or not your data and policies are a fit for a DPaaS solution. When it comes to data protection, knowledge is power.
