You can’t have an IT “modernization” discussion without bringing up the cloud. And in the realm of data protection, that comes in a few obvious flavors:
Backup as a Service (BaaS) – where your data is backed up either directly to a cloud provider or first to a local appliance and then to that provider. The latter gives you faster restore and other performance-related benefits, but the end result is the same.
Disaster Recovery as a Service (DRaaS) – where entire parts of your infrastructure, usually whole VMs, are replicated to a cloud provider, with the ability for you to bring those VMs online and resume business services from the provider’s infrastructure after a crisis. Some DRaaS solutions even provide BaaS as a side benefit.
Cloud-Storage for your On-Premises Backup – where your existing backup solution is working fine, but you’d like another copy of your data outside of the building – and cloud economics are interesting. Great, add cloud-based storage as a target to your on-premises backup server …or back up (BaaS) your backup server to the cloud. Either way is okay.
But instead of talking about data protection AS a service … what about data protection OF a service?
Many of us put our data into SaaS (software as a service) solutions today – e.g. SalesForce. We assume that SalesForce (or any other SaaS solution) has multiple points of presence on the Internet, and that they have resiliency between sites. The assumption is that if a site were to have a crisis, the other site(s) would still be available. For some large SaaS solutions, that may be enough – though it can still be hard to document (or test) when doing a BC/DR audit.
But what about if the SaaS provider goes dark?
Maybe out of business? Perhaps a victim of Denial of Service attacks or broad data corruption (that is then replicated between sites). What is your plan?
Do you back up the data from your SaaS provider?
In what format(s) is the backup in?
Is the data readable or importable into a platform that you own?
How would you bring the functionality back online for your local users? for your remote users?
Most importantly, have you tested that recovery?
This is not a blog post where I offer you answers, but one that I wanted to pose some questions for discussion.