Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™


The Key Trends and Challenges for SaaS Data Protection in 2022

By Christophe Bertrand, Senior Analyst; and Monya Keane, Senior Research Analyst


SaaS applications now run a vast number of mission-critical services for organizations, and that reliance is creating a potentially damaging disconnect regarding the need for data backup and recovery. As ransomware attacks and other cyber threats increase, organizations must reevaluate their SaaS data protection strategies, in particular for Microsoft 365—one of the most popular mission-critical services. That’s where Keepit can save your data and business from downtime.

Market Trends

For mission-critical applications, RPOs and RTOs really matter. ESG research shows that 15% of surveyed organizations can tolerate no downtime at all for their mission-critical applications, and an additional 42% say their mission-critical applications must be back online in one hour or less.[1]
Meeting those SLAs becomes more difficult in an era of cybercrime, and cyber risks are intensifying. According to ESG research, ransomware attack frequency is now quite high, with 18% of organizations reporting daily attacks and 24% being attacked on a weekly basis.[2] ESG research also shows that, among surveyed organizations, 47% saw fortifying cybersecurity as a business initiative that would drive their tech spending in 2021, with 25% highlighting investment in business continuity/disaster recovery programs.[3]

The Big SaaS Backup and Recovery Disconnect

Clearly, organizations value the importance of keeping their data safe. However, a big disconnect has arisen. Eighty-six percent of ESG survey respondents say they rely on a SaaS vendor for data protection. Of those respondents, 35% say they rely solely on a SaaS vendor, while 51% say they rely on both a SaaS vendor and a third-party data protection solution or service.[4] Unfortunately, this reliance is based on a serious, risky misunderstanding. Cloud service providers will not back up organizations’ data for them. They tend to adhere to a shared responsibility model instead.
Many occurrences can put the safety of secondary data at risk (see Figure 1). Consider that 45% of surveyed organizations using SaaS attribute data losses they’ve experienced to deletion, whether accidental or malicious. Other data-loss contributors include data being corrupted or destroyed by the service itself.
Figure 1. Causes of Data Loss in SaaS Environments
What is the top cause of data loss for the SaaS-based applications your organization uses? (Percent of respondents, N=344)

Source: Enterprise Strategy Group

Failing to understand SLAs and/or data-retention terms can also lead to an organization losing at least some of its cloud-based protection data. For example, 8% of organizations shut down a cloud backup service but don’t realize that the data is now gone as well. They misunderstood the SLA they agreed to. ESG research also shows that 81% of organizations using Microsoft Office 365 have had to recover data, but only 15% were able to recover 100% of that data.
That degree of risk should not be tolerated in a mission-critical environment. The situation appears to point to pervasive shortcomings in experience, process, and control. Although IT organizations should have a full understanding of their SLAs and be able to deliver on all RTOs and RPOs for their end-users, the reality is that they can’t fully—at least not without a solid backup and recovery solution in place for SaaS workloads in particular.

SaaS Data Is Protected Through a Shared Responsibility Model

In a SaaS paradigm, control of data and applications generating/using that data lies in someone else’s hands. Still, it is important that organizations remember their data is always theirs—not the service provider’s—be it a single SaaS application or all data stored with a hyper-scaler.
From a backup and recovery standpoint, that means organizations must have a solution in place for all their cloud workloads. They may elect to use a service provider to help them deliver backup and BC/DR as a function or service, but ultimately, it’s the organization’s responsibility (see Figure 2). After all, losing data is a business-level problem, not simply an IT headache. In a shared environment, it’s much harder to control recovery efforts without a strong solution in place.

Figure 2. The SaaS Shared Responsibility Model

Source: Enterprise Strategy Group

Fewer Organizations Can Recover All of Their Microsoft 365 Data Today

Microsoft 365 is ubiquitous across organizations of all sizes. It is unquestionably mission-critical as a business productivity tool. However, organizations aren’t achieving the recovery success rates one would expect for a mission-critical environment (i.e., close to 100%). While ESG has seen progress overall in terms of Microsoft O365 data recoveries, in 2021, fewer organizations actually reported 100% success rates compared with 2019 (see Figure 3).
Figure 3. Success Rate of Microsoft 365 Recoveries
What is your organization’s success rate with recovering Microsoft O365 data? (Percent of respondents)

Source: Enterprise Strategy Group

Across those businesses, only 22% use a third-party backup and recovery tool. Most leverage tools provided by SaaS cloud vendors, which may not be enough for most organizations to successfully meet their SLAs.

Salesforce and Other SaaS Workloads Present Similar Challenges

SaaS applications such as Salesforce are also mission-critical, and that data must be protected just as rigorously. Unfortunately, ESG research shows that the majority of surveyed companies (59%) report not having a protection solution at all for their Salesforce data, even though they are likely running critical business processes using Salesforce.[6] Overall among Salesforce users, recovering data is the most-cited function that they’ve performed or issue that they’ve experienced with the platform, and it is one that has significantly accelerated in the past two years (reported as a challenge by 20% in 2019, and by 42% in 2021).[7]

Cyberattacks have a tight connection to cloud data loss, and it goes beyond ransomware. In an off-prem SaaS environment like Salesforce, it’s possible for an attacker to steal IT administrator rights, and then delete fields or even copy and take client and project records in order to sell that information to unethical competitors.

How Keepit Can Get Your SaaS Data Back in Seconds

To combat the problem, use of backup-as-a-service (BaaS) is currently the most widely adopted approach, with more than two-thirds of surveyed organizations using BaaS. That’s where Keepit comes in. Keepit offers a dedicated SaaS backup and recovery solution built from the ground up specifically for SaaS applications, including Microsoft Office 365, Azure AD, Salesforce, Google Workspace, and Microsoft Dynamics 365 (see Figure 4). Keepit protects and restores data and metadata for each application at various levels of granularity. Keepit stores these backup snapshots in its own dedicated facilities. Keepit’s solution is designed as an independent, proprietary cloud with a focus on data availability, cost-efficiency, simplicity, instant recovery, and security.
Figure 4. The Keepit Solution

Source: Enterprise Strategy Group

ESG has technically validated this solution and found that Keepit delivers on all these key needs for SaaS applications. With Keepit, an organization can restore data remotely for disaster recovery, free up IT staff so they can contribute more strategically, improve service levels, and reduce costs.

The Bigger Truth

Many IT organizations remain confused about the specifics of the exact data protection levels that SaaS solutions provide. This confusion can trigger a domino effect of data loss and compliance risk. Data is always an organization’s responsibility, including data in a SaaS environment.
A clear and urgent need exists for organizations to adjust their data protection schemas to include their SaaS applications. This isn’t about pointing fingers; it is just the way the world is. All the fundamentals still apply. Protect your cloud data assets, and ensure that secondary data sets are available remotely for disaster recovery as needed—particularly for mission-critical cloud services such as Microsoft 365 that are so central to keeping your business open. If your organization has, like so many others, found itself in this boat, consider checking out the links below.

This ESG Showcase was commissioned by Keepit and is distributed under license from ESG.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.