Cloud providers’ default retention policies are not enough: You better back your SaaS up

If there’s one thing that recent earnings reports from Microsoft, Google and Amazon made clear, it’s that their cloud businesses are booming.

While the shift to the cloud is well underway, many companies aren’t paying attention to a critical aspect of this growth: the dramatic increase in data generated by SaaS that is not adequately protected. This exposure can put companies at greater risk for ransomware attacks, breaches, compliance woes and much more.

The growth of enterprise SaaS is rapid and inevitable. Gartner expects end-user spending on SaaS to rise over 18% to $171.9 billion in 2022 from $145.5 billion in 2021 — and it’s easy to see why.

The SaaS model offers significant value to both service providers and customers, ranging from reduced costs to simplified management and maintenance. The benefits of SaaS are many: It eliminates the need to install and configure software; it gives the customer greater financial flexibility by moving from licensing fees to subscriptions; there is no need to purchase and maintain hardware; and new releases and upgrades are automatically deployed.

But despite its rapid growth and countless benefits, there are significant challenges associated with managing and protecting SaaS data. That’s a problem that can only get worse, as for many organizations, SaaS is the fastest-growing segment of their data.

Cloud providers’ default retention policies are not enough

Each cloud service provider (CSP) and SaaS provider has its own data retention policy, and once that policy expires, the customer is responsible for backing up, protecting, and, if needed, restoring the data in the event of a cyber attack.

Not only is the customer responsible, but data retention policies can differ based on the provider and the type of SaaS data. In the current world of rampant ransomware attacks and stringent privacy and compliance regulations, leaving data unmanaged and unprotected is a risk few organizations can take.

Let’s look at Microsoft 365 as an example. Microsoft 365 adoption has been phenomenal, with nearly 300 million users and over 50% subscriber growth over the past two years. It is one of the most popular enterprise SaaS applications, and yet backup options are limited in terms of data stored on Azure.

The default options for the product suite are retention policies with little consideration for recovery SLAs — meaning data management and protection largely becomes the sole responsibility of the customer. Add to these the different data retention policies for Microsoft 365 Exchange Online, OneDrive and Teams, and assuring your Microsoft SaaS data is sufficiently secured and managed becomes even more challenging.

A recent Enterprise Strategy Group survey, “The evolution of data protection cloud strategies” queried found that of the 78% of the IT professional respondents using Microsoft 365, 74% rely on native Microsoft 365 default services for backup. However, 81% reported having to recover their Microsoft 365 data, and only 15% were able to recover all of their data.

These numbers are a red flag signaling that too many organizations are leaving data unprotected and vulnerable to cyber attacks including malware, ransomware and data exfiltration.

In addition, each provider has its own retention policies. This can all quickly become overwhelming and undermine the reason SaaS is so attractive: its simplicity in management and administration.

How to move forward

Relying on providers’ default retention and recovery policies is just not enough. Without the right policies in place, organizations often have little visibility into what SaaS data they actually have; whether that data is in compliance, protected or compromised.

What happens if I’m hit by a ransomware attack? Can I recover my SaaS data quickly so I don’t have to pay the ransom and can continue my operations? What happens if I need to back up that SaaS data beyond 30 days? What happens if ransomware hits more than one site at once? These are all questions you have to be prepared to address when a crisis occurs.

The good news is there are several ways to protect your SaaS data from the impact of cyber attacks, which can disrupt business, solicit ransom payments, expose customer data and damage your brand and reputation.

Some best practices include:

• Take control of your data. Data is an organization’s greatest competitive asset, and it’s best to have your own data backup, protection and recovery service in place.
• Simplify data management and bring your SaaS data into your core data management system, with one set of policies for all your data.
• Add SaaS data protection to your existing backup and recovery system if you can. If not, consider a next-gen data management platform that is extensible to address current and future data management needs.
• Try a proof of concept with a data management as a service (DMaaS) solution that allows you to add SaaS data backup and protection without adding infrastructure, letting you spend more time taking care of other business-critical tasks.
• Protect your data as you move to the cloud in a way that works for you — on-premises, in the cloud, as a service or a combination of these options — as you navigate and leverage a hybrid, multicloud world.
• Plan ahead. Given all the SaaS apps you use today and how they will evolve, you need to get ahead of the curve and plan for a data management strategy that will serve your needs for the next five years and beyond.

Whatever path you choose, make sure you back your SaaS up. The amount of information and data generated via SaaS is only going to increase in the coming years, and having a plan to backup and protect all your data should be a critical part of any organization’s data and risk management strategy.

It’s the only way to answer those tough questions when a ransomware attack hits, operations grind to a halt and the board wants to know why you weren’t prepared.