SaaS Backup: How Secure is Your Data in 3rd Party Apps?

Author:
Paul Gray
Product Portfolio Manager (Cloud), JT Enterprise

Software as a Service (SaaS) has revolutionised how we deliver and consume applications. Per-seat pricing and no installs make it easy for organisations of all sizes to access the best tools, without the complexity of running these systems in-house.

While SaaS has become ubiquitous in recent years, its true value was shown as many organisations started operating remotely. SaaS has enabled us to continue doing our jobs from any location and collaborate with our colleagues in the process. No wonder there’s been an uptick in adoption over the last year. But there’s an elephant in the room when it comes to SaaS that’s not being widely addressed – backup.

In this blog post, we look at the risk of data loss from within SaaS tools and what the future of backup could look like.

The Shared Responsibility Model

Data stored in the cloud is always available and accessible, creating a false sense of security. Data is backed up as part of a SaaS service, right?

Wrong. SaaS providers typically operate on a Shared Responsibility Model. They manage and maintain the software and supporting infrastructure while your business is responsible for any data stored on the platform. In the event of a catastrophic failure at the provider’s cloud data centre, their job is to get the platform up and running again. The provider will endeavour to restore operations and enable you to access the application. The data that resides within the application is your organisation's responsibility. SaaS providers will get it back to its last known working state but make no guarantees as to whether they can save your data.

Surely Our Data is Backed Up?

Do SaaS providers back up your data? Yes and no. SaaS backups are typically for the provider’s benefit, allowing them to restore operations as described above. Others offer very minimal recovery options as your last resort.

Take Microsoft Office 365, for instance. All data hosted in Exchange 365 or OneDrive is backed up and recoverable for 30 days, almost like a recycle bin. This gives you a very small window to recover lost information before it is deleted forever.

The trouble is that you may not realise an important email or file has been deleted until months after the event – at which point it is lost forever. This is a serious concern when most industries require data to be held for several years: for instance, seven years in healthcare and 25 in construction.

How Seriously Should I Take This Issue?

Any data loss is a serious matter. You may find that you are unable to fulfil a client order or that key project details go missing. You may be unable to defend against a contract dispute – or you could be heavily fined for GDPR breaches if personally identifiable information relating to individuals is permanently lost.

SaaS data loss isn’t just a theoretical event either. Research from Infosecurity Magazine found that 40% of SaaS users had permanently lost data from their hosted service. And 45% had never heard of the Shared Responsibility Model either, suggesting that a chunk of businesses are in danger of experiencing similar losses.

Do SaaS Vendors Offer Backup as an Add-on?

No, none of the major SaaS vendors offers backup as part of their services. The cost and complexity of providing backup at such a scale is just too great to be profitable, which is why providers rely on the Shared Responsibility Model.

The Problem Doesn’t Stop There

Shadow IT doesn't arise out of malicious intent. Users are just keen to get started as quickly as possible, which is another benefit of SaaS. But while IT teams want to perform due diligence and responsible analysis, end-users imagine obstruction and delay. By bypassing the IT department, they get what they want more quickly – while creating serious governance headaches for the business.

Often, it is only once data is lost that the IT department becomes aware of shadow IT applications, by which time it is far too late. The shift towards remote working is already forcing IT departments to increase their agility and responsiveness. Now it is time to make the rest of the business aware that you are here to facilitate and not obstruct, acting in the best interests of all stakeholders.

Building a Plan for the Future

Where possible, it makes sense to encourage users to make the most of tools your organisation already has, which they may not know about, instead of adding new services.

If your business already subscribes to Microsoft 365 or Google Workspace, for instance, you can steer them towards OneDrive/Google Drive if they suggest using Dropbox. With M365 in particular, there is a whole ecosystem of tools that many users don't know exist. You can then use a specialist service like JT’s Cloud Backup – Microsoft 365 Backup to provide true recovery capabilities equivalent to those you use in your data centre.

Other applications may not be so easy to back up. For example, marketers’ favourite HubSpot does not offer any simple backup method – nor are there any viable third-party solutions at present. Instead, you will need to script a manual data export that downloads data to a local system for backup.

As the risk of SaaS data loss becomes more publicised and cloud offerings continue to mature, we expect to see a move towards APIs for backing up data. For example, Asigra will begin providing backup solutions for third-party applications in the future, so there is movement in the market to solve this challenge.

This will allow SaaS providers to continue with the Shared Responsibility Model while providing subscribers with a viable way to extract and back up data according to their preferences and compliance requirements.

To learn more about using JT Cloud Backup for backing up data in popular SaaS platforms like Microsoft Office 365, get in touch with our team.



5 Back-up and Disaster Recovery Myths to Avoid

Author:
Paul Gray
Portfolio Manager, JT Enterprise

Despite both being fundamental to business continuity, there is still a lot of confusion between back-up and Disaster Recovery (DR). Given the strategic importance of these technologies, clarity is essential.

Back-up and DR are mature concepts, so it’s surprising that there’s confusion between the two. Perhaps it’s because back-up and DR solutions are often marketed as complete, one-size-fits-all solutions, blurring the lines between them. Whatever the reason, the reality is that these are two distinct functions and must be treated as such.

For effective recovery, you need to be able to retrieve files, or possibly complete systems, as quickly and efficiently as possible.

In this blog, we’re setting the record straight and busting five of the most common myths we regularly encounter when it comes to back-up and DR. 

Here are 5 common myths that are often taken as fact:

1. Backup is Enough

Put simply, backup and DR are not the same.

Back-up tools are used to take regular copies of files and folders for quick and easy restoration in the event of small-scale deletion, corruption or loss. You can think of it as “I’ve broken a file and I want to recover it from an hour ago.”

Disaster Recovery is far more in-depth; think of it as your lifeline when your entire company is down but needs to keep working. DR wraps up the technologies and processes required to bring one or all of your applications (including data) back online after a serious incident (literally a ‘disaster’ – outage, cyberattack, ransomware infection, fire, flood etc). Typically, this will include fail-over systems to a secondary data centre, another cloud platform or another region in the public cloud. Using an off-site location enables you to bring systems, applications and data back online quickly and efficiently while urgent repair work is conducted in your data centre.

Because these two functions restore at very different levels, back-up alone isn’t enough to bring company operations back online, for example in the event of a ransomware attack. Both DR and back-up need to be considered and implemented to ensure your organisation keeps moving forward.

2. Technology Will Save the Day

Effective DR provisioning is focused on minimising business risk. Any technical solution needs to be assessed and configured according to your priorities. This means prioritising operations first, allowing you to establish how fast you need your systems to be back up and running. Remember that not all applications have the same impact on your business if they go down – some must be recoverable within a minute; others could lose a day’s worth of data from your Active Directory, with far less operational impact.

Once you stop thinking about technology and focus on the applications and their relative operational importance, you can make clearer, better-informed recovery decisions.

In an ideal world, all your systems could be backed up and recovered in real-time – but the cost would be prohibitive. Instead, by assessing the relative importance of each application, you can define a tiered strategy built around your priorities, using slower, more affordable recovery options for less critical systems.

3. Everything Just Works

The beauty of back-up and disaster recovery technology is that once configured, it should just work. Indeed, these technologies are designed to be reliable and resilient so your data is always available when you need it. However, recovery procedures need to be tested – regularly – to ensure everything is ready to go in an emergency.

Regular DR testing will not only confirm that your data is available and recoverable, it will also identify where your DR plan needs to be adjusted to align with the changing priorities of your business. Because the worst time to discover there’s a problem with your disaster recovery provisions is when you are using them for real.  

4. DIY is Cheaper

Every IT function managed in-house represents a saving – at least in terms of budgets. Maximising budgets is important, but there are other factors to consider that may affect the total cost of ownership (TCO). Without careful analysis, you may find that the TCO exceeds headline costs, eliminating savings over the service term.

First, you need the right blend of skills and resources to configure, maintain and execute the disaster recovery plan quickly. For mission-critical operations, this means having people available 24x7x365 to deal with any emergency the moment it happens. If you cannot sustain that level of coverage, downtime incidents will take longer to resolve – and therefore increase the cost to your business.

Depending on your business activities, one additional hour of downtime could mean losses of tens of thousands of pounds – far more than the cost of outsourcing DR to JT's Cloud Backup solution, delivered in partnership with Ekco.

5. If It’s in the Cloud, It’s Safe

Microsoft 365 does offer safeguards to prevent data loss within tools and applications, helping secure the bulk of your data short term. However, you must understand how to use these tools because shorter data retention periods can lead to data unknowingly being deleted.

JT’s Cloud Backup solution improves on this by offering unlimited back-up retention for data, backing up as often as every five minutes, company-wide and without interruption, meaning the window for data to be permanently lost is vastly reduced.

These Myths are Dangerous

Any one of these myths poses a serious risk to your operations because they create a false sense of security. Now you understand the pitfalls, you can begin to see how they could affect your business, increasing downtime and costs and affecting the service you provide to customers.

JT Cloud Backup, delivered in partnership with Ekco, offers integration with a range of DR and back-up solution providers – including Zerto, Veeam, StorageCraft, Ahsay and Asigra – so we can mix and match technologies to build a bespoke solution that fits requirements across your entire business. We can also help you balance operational priorities with budget constraints depending on the data or application, who needs it and what it means for your business to be without it.

By carefully analysing your current infrastructure, we will identify and resolve problems with your business continuity provisions before disaster strikes. We can also audit your needs to deliver a plan that aligns compliance, risk, user experience and cost. We’ll also help you test your DR plans regularly to ensure they remain fit for purpose.

To learn more about using JT Cloud Backup for backing up your data, get in touch with our team.

 



Digital Risk Protection – reputational and data-based risks on the rise

As businesses have transitioned into alternative methods of working, they have faced one of the worst years ever seen for cyber-attacks.

This threat has affected many companies, including huge entities such as Microsoft, Google, SolarWinds and NASA, which have become victims of serious data breaches. Capitalising on these attacks, perpetrators have sold this data, but there is a growing number of instances where data has been made available for free on the dark web and on ‘dump sites’ on the clear web (the ‘surface web’ – the publicly indexed pages we all use day to day).

This presents a risk that your personal and corporate data has already been made available without your knowledge. While you may follow all of the best practices in securing your data within your network, it remains at risk – data breaches often originate from third parties or other companies involved in the supply chain.

It is now imperative that businesses run third-party risk assessments on their supply chain, as well as monitoring the deep, dark and clear web for their data.

What is the dark web?

The dark web refers to the non-indexed area of the Internet which does not appear in search engine results and can only be accessed by certain web browsers.

While the dark web is infamous for its link to illicit material and services, a lot of these offerings are often fraudulent, and a large number of marketplaces are heavily monitored by law enforcement agencies from around the globe.

Despite this, many legitimate dark web marketplaces still exist, often invite-only and using escrow services and reputation-based rating systems in order to ‘ensure’ legitimacy in the proposed transactions. As we often see in TV shows and movies, the dark web contains nearly anything imaginable for purchase. On these marketplaces, buyers could obtain a wide range of illicit goods, from Malware as a Service and stolen bank account details to forged passports and much more.

How can accessing the dark web help your business?

JT’s analysts are seeing an increasing amount of leaked data appearing in data dumps that concern Channel Islands-based people and businesses. Due to the Channel Islands’ unique position and reputation, the potential targeting of high-profile and high-net-worth individuals and businesses suggests that the amount of leaked data will only continue to rise.

The most successful strategies we observe have clear requirements, such as early fraud detection, threat monitoring, and finding exposed credentials.

What steps can you take to protect your business?

These sources are vast, and locating and accessing them, or even having the capabilities to access them ‘in-house’, can be a real challenge.

In order to protect your business, JT’s Cyber Consulting and Risk Advisory team can offer cyber assessments of your company, as well as third-party risk assessments to identify potential risks throughout your supply chain. On top of this, the team also offers a Digital Risk Protection service that constantly monitors for data breaches that appear on both the dark and clear web.

If you would like to learn more about JT’s bespoke Digital Risk Protection service, or any other business services, please contact a member of JT’s friendly Enterprise team today to review your business needs.