Click Here

Introduction

If Software-As-A-Service (SaaS) data is lost and there’s nothing to protect it, did it ever really exist?  (i.e. — if a tree falls in a forest and no one is around to hear it, did it make a sound?)

The answer, for practical purposes, is no. Employees and customers won’t care that the data once existed, and neither will regulators. They will care, though, that it’s gone.

Businesses today are using more SaaS services for critical business functions (over 70% of apps used are SaaS based) and storing more vital and sensitive information in the cloud than ever before — without knowing the risks. Contrary to popular belief, SaaS vendors generally do not protect the data stored on their platforms. Additionally, backing up SaaS data is challenging, and recovering it from vendor backups is even harder. However, SaaS data is just as crucial as traditional enterprise data. 

That’s why Asigra introduced SaaSAssure, featuring innovative solutions to simplify secure SaaS data protection. This article will explain the risks to SaaS data, the necessity of a backup strategy for businesses, and how SaaSAssure can help. 

What is Data Backup for SaaS Applications?

A data backup for SaaS applications is any process that extracts the user data from a SaaS app for the purpose of data protection, archival, and/or recovery.

Some SaaS backup methods are better than others, and it helps to understand SaaS data’s unique characteristics to understand how to effectively protect it.

SaaS Data’s Unique Attributes Complicate Protection

How is information stored in SaaS apps different from data in a company owned and operated application? Who owns the data? Who is responsible for protecting the data? Who is liable for lost or missing data? These are important questions that almost never get asked before companies click “agree” to the terms and conditions of a SaaS service sign up form. However, these issues should be proactively addressed. Typically, they are only considered when data loss occurs, and the blame game begins.

Who Owns the Data?

This seemingly straightforward question is anything but. If a customer stores their data in their own application in their own data center, ownership of the data is clear. But in a SaaS environment, stored in another party’s application and data center, the question of ownership feels murkier. Ownership refers to the state or fact of legal possession and control over property. In a SaaS environment, the vendor does indeed have “possession” over the data, and to a great extent “control.”

The terms and conditions in most SaaS contracts make it clear that the client owns their data. That tees up some very important questions about protection and liability.
The terms and conditions in most SaaS contracts make it clear that the client owns their data. That tees up some very important questions about protection and liability.

Does that mean they own the customer’s data? In general no — the terms and conditions in most SaaS contracts make it clear that the client owns their data. That tees up some very important questions about protection and liability.

Who’s Responsible for Protecting the Data?

In a SaaS environment there is a principle known as The Shared Responsibility Model. Upon further review of the T’s and C’s of SaaS contracts, it’s made clear that most SaaS vendors only take responsibility for protecting and securing the shared infrastructure. They also make every effort to recover data in the event of a system-wide failure. However, they DO NOT take final responsibility for the organization’s data — that duty falls on the organization’s shoulders. In the event of any data loss, the client is ultimately responsible for having the foresight to protect their data and finding a way to recover it.

And this is where companies get into trouble — they don’t understand that their data is at risk, or understand what data they should be protecting.

Understanding the Real SaaS Data Footprint

Beyond the “Big Three” SaaS services (Microsoft 365, Google Workspace, and Salesforce), many IT leaders are uncertain how much data they have in SaaS applications, or its sensitivity. In one survey of IT leaders, 37% cited lack of visibility as a top concern. And that presents real operating risks.

According to BetterClouds’ State of SaaSOps survey, SaaS solutions will make up 85% of all business software in 2025. With SaaS applications’ annual revenue growth projected to reach $374 billion by 2028, the emergence of the SaaS-powered workplace is inevitable. While The Big Three are seen as having critical data worthy of protection, many other apps get overlooked by their customers and by 3rd party data protection services, leaving high-value data vulnerable.

There are critical SaaS services that cover every business function from finance, to HR, to marketing, and development. Data lost from any of these departments can impair normal business operations just as any lost data from the “Big 3.”

IT leaders can benefit from regularly surveying their organization’s departments to identify the SaaS services in use, the types of data stored in these services, and their importance to daily operations. It’s also crucial to verify the SaaS vendor's data shared responsibility policies and assess how many SaaS applications are covered by existing backup and recovery practices.

By prioritizing SaaS services by criticality, leaders can start to take ownership of their data to ensure their users are protected in the event of data loss.

It’s at the client level and user level where the greatest risk to SaaS data exists.

If a client’s SaaS data is lost, there's often little the SaaS vendor can do other than recommend the client reenter data from a backup.

It’s at the client level and user level where the greatest risk to SaaS data exists.

If a client’s SaaS data is lost, there's often little the SaaS vendor can do other than recommend the client reenter data from a backup.

What’s the Risk to SaaS Data Anyway?

Let’s be honest, given the incredible size of the SaaS market, the number of incidents of wide-scale data loss among all of a SaaS vendor’s customers is incredibly low. If system wide outages and data loss were common, the business model for SaaS would quickly fall apart. However, when outages occur it’s possible to lose a few hours or a day of data, depending on the SaaS vendor’s backup practices. 

It’s at the client level and user level where the greatest risk to SaaS data exists, and it’s here that the Shared Responsibility really comes into play. If a client’s SaaS data is lost, there's often little the SaaS vendor can do other than recommend the client reenter data from a backup.

What client level risks exist? The same risks to internal data: Human error, malicious actors, security breaches, ransomware attacks, system misconfigurations, and data integration errors. Simple human error cannot be overlooked as it accounts for almost ⅓ of data loss incidents in SaaS alone. (Read — 3 ways to prevent human error in SaaS Applications)

Data loss can be as simple as a single record or data field, to an entire user’s data set (a Jira Users entire task card list, for example), to a company’s customer contact list. 

Security issues in SaaS are on the rise, as attackers have adapted their tactics in response to businesses locking down their internal infrastructure and protecting them with highly resilient backups. SaaS services are now the weakest link. With admin access to a SaaS service, an attacker can export all the data, then delete it to extort a ransom payment. 

It’s important to understand that SaaS services can have complicated security risks. By their nature they are designed to be integrated with other services as this creates an enhanced value proposition. But a compromised integration can lead to a SaaS service security breach. SaaS services are also potentially at risk if their underlying software infrastructure or codebase has an unknown security vulnerability. 

How AI Puts SaaS Data at Risk

2023 was the year that generative AI exploded onto the scene. Unfortunately so have AI driven cybersecurity attacks. AI puts SaaS security in greater peril as it allows attackers to create more sophisticated phishing attacks that are highly personalized and persuasive at scale.

Other types of envisioned attacks include subtly changing data to the point that the data is unreliable, to using machine learning algorithms to identify and exploit previously unknown vulnerabilities. Organizations should follow all SaaS Security Best Practices and use a SaaS Security Checklist to make sure they are following them. 

The Economic Value of SaaS Data is Underestimated

There’s no arguing that SaaS data has value. But how to value it has been challenging. Earlier this year we authored a whitepaper on how to estimate the value of SaaS data, and a few key points are worth repeating. First, there’s a direct value of the data itself to the teams using it. An example is CRM data, which has been valued at 7x the cost of the underlying subscription cost. The value of each sales person’s data may be worth $1000 (the value of making the sales person more efficient at doing their job). Really, any application has economic value to an organization. That’s why software is used in the first place, because it helps us do something better than we could without it. 

Data also has a “loss” value, meaning there’s a cost related to recovering the data should it be lost. Even data fully protected by a backup solution has a cost to recover it, in terms of the time and effort of the IT team, and the cost of the recovery software. There’s also the cost of the associated downtime, should the data not be available for a period of time. The hourly cost of downtime for an SMB is about $450, and $9000 for an enterprise! Regardless of where data exists, if it’s important to business operations it should be protected, and easily recoverable. 

Regardless of where data exists, if it’s important to business operations it should be protected, and easily recoverable.
Regardless of where data exists, if it’s important to business operations it should be protected, and easily recoverable.

The Benefits of SaaS Backup

There are quite a few reasons to go to the effort of backing up SaaS data, beyond simple data recovery. These include:  

  • Compliance: Many regulations require organizations to ensure retention of data for defined periods of time. SaaS data that's lost without a backup can’t be recovered easily.
  • Migration to other services: Regular backups of data ensures that businesses can migrate their data to new services, without worrying about their existing vendor holding their data hostage. 
  • Business continuity: In the event of a service outage, a SaaS backup allows the data to be imported into another service for continuity of business efforts until the outage is resolved. 
SaaS Backup and Recovery Challenges

If SaaS data is so valuable, why don’t SaaS vendors simply provide an internal backup service and make it easy for customers to restore their data? It’s a complicated question that boils down to a few factors: liability, stickiness, and complexity. 

The first is liability. If SaaS vendors provide measures for customers to backup and restore their data, they are also taking on some implied liability for those measures being effective. If the backup and / or restore fails, then the service provider is at risk of being responsible for the financial value of the lost data. Not all SaaS vendors are big enough to take on that risk, and it’s easier to pass the liability on to their customers. 

The next is stickiness. A SaaS provider needs to retain customers in order to recoup enough revenue to offset the cost of providing and marketing the service. If they have a high churn rate, then their stock value goes down. The harder it is for a customer to take their data and move it to another service, the easier it is to keep them. Most SaaS vendors will allow clients to export data, but they have no incentive to make it easy, or make the data standard enough to move over to another provider without headaches. 

The third factor is complexity. There are some technical challenges to overcome in properly backing up data from a SaaS service and restoring it to a known good state. If thousands of users are acting on the system and making changes continuously it becomes hard to make a crash resistant backup at a “client” level. So, most vendors don’t put in the effort, again, as there is no incentive for them to do so. 

How Hard is it for Businesses to Back Up their Own SaaS Data?  

The act of simply extracting SaaS data for a “backup” is easy enough. An admin can usually find their way around the SaaS management console to find the data management tab and the export feature with a few minutes of hunting. 

The reason that it’s challenging from a backup admin’s point of view is that it lacks automated features. An export can’t be scheduled to run automatically. It’s done manually, when the admin can get to it.  If an admin wants to backup SaaS data during the slowest part of the day, say after midnight, they must be available in the middle of the night to run it.  Then they have to manually store and categorize the exported data. 

Also, the exported data usually isn’t delivered as a single recoverable file, but dozens of .CSV files. And because of that they present a security risk, as they are unencrypted in-flight and at-rest.

Another technical challenge is Application Program Interface (API) call limits. As a shared resource, SaaS providers have to balance performance needs among all of their clients. Mass exports (and imports) of data are very resource intensive, so vendors will limit the number of transactions that can be performed at any given time period. An admin can request an export and find that they actually can’t complete it because the data set is too large. When this happens, they have to make a support request to the SaaS vendor, or possibly be asked to upgrade to a higher paid tier of the service. 

It’s Harder to Restore

As hard as it is to try and consistently backup SaaS services, it’s harder to restore. A full restore requires the importing of the .CSV files that were previously exported. For an admin to do a full restore, they first have to locate the correct files. That means they have to make sure that they saved the exports in the right folders or naming convention for date and time, otherwise they might upload the wrong data.

The exported files might have to be imported in a specific sequence. For example, a CRM might want contact records to be imported first in order for relationships with other tables to connect properly. But admins won’t know that as there usually isn’t documentation on how to restore data in a SaaS environment. They’ll likely just run into a data error and find out through the SaaS vendor’s support team what the problem is. 

Also — depending on how the SaaS vendor’s import function works, it may just overwrite existing records with the current date as the “new record” create date. Or create duplicate records. There’s so many possibilities for data corruption errors during a “restore.” And they can run into API call limits in reverse, preventing a full upload from occurring all in one day. The desired Recovery Time Objective may be hard to meet. 

Most SaaS vendors will allow clients to export data, but they have no incentive to make it easy, or make the data standard enough to move over to another provider without headaches.
Most SaaS vendors will allow clients to export data, but they have no incentive to make it easy, or make the data standard enough to move over to another provider without headaches.

Most recoveries though will be of single records, or the data of a single user’s account. However, SaaS services import functions make it hard to import a single set of records. The admins will have to import ALL the data and manage the process the whole time it’s happening.

It’s the lack of automation that will destroy the backup admin’s productivity, if not their sanity. 

The History of SaaS Backup

The right way to backup and restore ANY data is to use a specialized backup product. There are many products on the market today that attempt to solve the problems associated with protecting SaaS data. It’s important to note that the first generation of SaaS backup solutions were extensions or add-ons of existing enterprise tools. Most of these first-generation products were simply file-level backups covering Microsoft 365 products. They were ok at handling backups they were already familiar with, like Sharepoint documents and Exchange emails, but had a much harder time with more sophisticated services like Teams.

The next version of backup products added support for Google Workspace files, and eventually Salesforce databases, (the “Big Three”). But as we’ve seen, these aren’t sufficient to cover the breadth of applications that most organizations use today. It’s been challenging for traditional backup vendors to maintain support for existing enterprise products AND build an expanding catalog of SaaS products to protect.

The second generation of SaaS backup products have been attempting to build support for a broader range of services. However, their catalogs to date have been quite limited, and they’ve lacked the enterprise features that backup administrators have come to expect, like advanced scheduling, enhanced security, and support for multitenant environments

Innovations in SaaS Data Protection 

SaaSAssure leads the third generation of SaaS recovery solutions by providing broad support for an extensive and growing portfolio of SaaS Services, enhanced security features to ensure that backups are protected from attackers, and multitenant management features enabling management of separate business units or MSP clients.  

SaaSAssure leads the third generation of SaaS recovery solutions by providing broad support for an extensive and growing portfolio of SaaS services.
SaaSAssure leads the third generation of SaaS recovery solutions by providing broad support for an extensive and growing portfolio of SaaS services.
Extensive SaaS Protection

To protect organizations most important data, SaaSAssure supports apps across a wide array of business functions including:

  • Accounting
  • Collaboration
  • CRM & ERP
  • DevOps
  • E-Commerce
  • File Storage
  • Human Resources
  • ITSM

Many of the well-known brand names across these categories include Quickbooks, Jira, Confluence, Hubspot, along with support for Microsoft 365 and Salesforce, with support for ADP, Bamboo, Box, Trello, and more coming soon. And this is just to start. Our ambition is to eventually cover hundreds if not thousands of SaaS services through a single portal. Most importantly, SaaSAssure will make backup and recovery easy with the advanced automation backup admins expect from an enterprise level backup solution.

Enhanced Security

Backups are one of the first areas that attackers target today, as they are a rich source of data and can hamper ransomware recovery efforts. SaaSAssure includes strong security features like multifactor authentication and AES 256-bit encryption in-flight and at-rest, but also adds an industry first feature — Multiperson Approvals (MPA).

With MPA enabled, actions that would be “destructive” to backup data like deleting job files or changing a backup schedule cannot be executed without 2 or 3 admins agreeing on the action. This is, in our opinion, a necessity as sophisticated attacks can involve compromised admin credentials.

Multitenant Management

It seems that most SaaS backup products on the market today are targeted at SMB customers — those who are likely protecting small groups of users themselves. However, larger enterprises and managed service providers also need to ensure protection for their larger groups of users and clients.

SaaSAssure is designed to be used in multi-tenanted environments, allowing admins to set up discrete groups of users or clients, set up role-based access where needed, and enable built-in billing functionality. Advanced dashboards and reporting allow admin groups to quickly view the health of their user groups backups.

Key Features to Look for in a SaaS Backup Solution

When evaluating a solution for data backup for SaaS applications, backup teams should consider the following: 

  • Automated Backup Schedule: The service should allow for automated backups on a daily basis at a time frame of the admin’s choosing and allow for scheduling flexibility and granularity. 
  • On-Demand Backups: Admins should be able to initiate a backup on demand when required. 
  • Point-in-time Restore: Admins should be able to choose a date and time of a backup and restore the data automatically with as few clicks as possible. 
  • Broad Platform Support: The service should support a wide range of SaaS applications, beyond Microsoft, Google, and Salesforce and cover most business function areas.
  • Easy Setup: Setup of the service and addition of SaaS apps into a backup schedule should take less than 5 minutes.
  • Ease of Use: The console should be simple to use while providing the flexibility needed to ensure proper protection of the data. A single console experience should be unified across all apps being protected.
  • Flexible Storage Options: The service should provide backup cloud storage or allow the admins to choose their own cloud storage for data sovereignty, and compliance requirements. 
  • Security: The backup solution should be protected from attackers with enterprise level security including strong encryption, multifactor authentication, and multiperson approvals. 
  • Simplified & Fair Pricing: Pricing should be straightforward and clearly articulated, ideally a per user or per storage tiering with no hidden fees. 

See SaaSAssure in Action — It’s Magnificent

SaaS data is not like on-premise data, and yet, it still requires a data protection solution just like any other data. The data is at risk from internal and external threats, and without protection can lead to business disruptions. An effective solution takes into account the broad range of services in use today, includes enterprise backup and recovery features, and maintains security and compliance. SaaSAssure meets and exceeds these requirements.

Schedule a demo to see it in action.