ESG Validation

ESG Technical Review - Odaseva: Trusted Data Protection, Data Management, and Data Governance for Salesforce Environments

Abstract

This ESG Technical Review documents hands-on validation designed to demonstrate how Odaseva can help its customers address the complex challenges of data management in their Salesforce environments. The report focuses on the enterprise-class features of the Odaseva solution, its Salesforce data protection and data management functionality, and its Salesforce data governance and GDPR compliance capabilities.

The Challenges

In order to understand the business impacts of downtime and data loss, ESG surveyed 320 IT professionals at midmarket (100 to 999 employees) and enterprise (1,000 or more employees) organizations in North America. These respondents were responsible for and/or familiar with the data protection technology decisions being made at their organizations. As shown in Figure 1, the five impacts that could result from application downtime or lost data most reported by survey participants are those that have a direct impact on the business as a whole, and often on customers, not just IT or internal constituents.1 These results show the importance of data protection in terms of risk mitigation for internal users, but more importantly, the operational and business results of the company. These impacts drive the need for data protection to be discussed and advocated for at a corporate level, as a risk to the entire business, not simply an issue in the IT domain only.

The Solution: Odaseva

Odaseva is a cloud backup/recovery, data ops, and data governance/GDPR solution for Salesforce environments. With more than 2 million users and extreme data volumes under management—hundreds of billions of records per year—the platform has proven its usability with Salesforce organizations worldwide. Built on both Salesforce and Amazon Web Services, the platform is designed to provide maximum backup availability and uptime, thanks to a highly redundant architecture. As shown in Figure 2, Odaseva enables Salesforce customers to manage their data like it was being run as an onsite application on a dedicated environment. Odaseva enables customers to pull their unique strands of CRM DNA from a multi-tenant public cloud environment and manage them with unparalleled granularity. The solution supports end-to-end encryption for enhanced security and the REST and BULK Salesforce APIs with full, incremental, and partial backups with parallel streaming to address performance challenges for large Salesforce environments.

Odaseva data governance/GDPR features enable the targeting of specific personal data from Salesforce to automate personal data erasure—via a set of deletion strategies such as anonymization and pseudonymization—or to make it accessible to data subjects. With Odaseva, you can extract personal data in CSV files, excluding business records or fields belonging to your company, and make it portable. This approach is essential in order to segregate personal data management from business data management within Salesforce environments, streamlining new personal data regulations such as GDPR.

Key benefits include:

Simplified and secured deployments: with a multi-organization, enterprise-ready, out-of-the box cloud platform for Salesforce. Odaseva protects with three levels of security, including client encryption keys, multiple user access, and segregation of duties.

Automated backups: 100% of your data, files, and metadata, with manual or automated backup schedules. Leverage highly customizable backup plans that support full, incremental, partial, or differential backups.

Advanced recovery: with advanced Salesforce restore algorithms and options that support single, partial, incremental, and full restores, while maintaining more than 10 depth levels of parent-child object relationships.

Accelerated Salesforce GDPR compliance: with a personal data targeting technology enabling the right of access, the right to portability, and the right to be forgotten.

ESG Validated

ESG performed an in-depth evaluation of the Odaseva data management solution for Salesforce from our corporate office in Milford, MA by leveraging multiple remote demo environments. We conducted a review of the platform’s architecture, enterprise feature set, data governance/GDPR features, data management features, and data protection capabilities.

Enterprise-class Solution Features

ESG began its validation of Odaseva by exploring the secure login capabilities of the solution. At a high level, the Odaseva management component is installed as its own service in the Force.com framework, not as a managed package on the Salesforce instance itself. The Odaseva UI runs as a web application on the Odaseva service infrastructure within the framework. This allows Odaseva to inherit the security features of the Salesforce environment while keeping the two applications separate.

ESG leveraged this schema to do a two-factor single sign-on connection to a customer instance of Odaseva with data residency in Europe. First, we initiated a VPN connection to a customer environment using a valid Salesforce account. Then, we browsed to the Odaseva single sign-on service landing page and simply selected the customer instance we wanted to connect to—the two options for this demo were US or Europe. To complete the process, a confirmation was sent to our mobile device. Once we accepted the mobile confirmation request, we were able to access the Odaseva management interface. ESG tested the login security features by terminating the VPN connection while still connected to the web UI. We quickly received notification that we had connected to a restricted location and no longer had access.

ESG then reestablished the VPN connection and continued the validation process with a review of the solution’s organization access management capabilities. As shown in Figure 3, we clicked on the Org Access Management tab to display a list of the different Salesforce environments under management.

ESG selected the Users tab in the UI and created a test user. With the sharing setting set to public for the PRODUCTION environment, as shown on the left side of Figure 3, we navigated the user interface as the test user. All the different Odaseva management options were accessible to the new user. Then, as shown on the right side of Figure 3, we set the sharing setting for PRODUCTION to private to further explore the user access capabilities. Odaseva offers very granular user access control. For instance, a user can be restricted at the task level, such that they have the ability to run a backup but not a restore. They can also be restricted by view, meaning that different tabs or views within the UI will not even be exposed to a specific user. This level of access control is a very powerful extension of the security capabilities of the solution.

It should be noted that Odaseva provides an easy-to-read audit log that records all user activity. This makes it easy to sort and search all user activity. Odaseva also provides detailed log files for each task, such as backups and restore, carried out by the Odaseva engine.

Next, ESG explored the encryption capabilities of the Odaseva solution. By default, Odaseva encrypts all data in transit. Any data transferred between the Salesforce cloud and the Odaseva cloud for tasks such as backup or restore will be automatically encrypted. The solution leverages HTTPS/TLS 1.2 for cloud-to-cloud data transfers.

ESG also reviewed the at-rest AES-256 file-level encrypting capabilities of the solution. Odaseva is not an encryption key management application but it does allow customer-generated keys to be stored and managed. As shown in Figure 4, we selected an encrypted backup and downloaded the zip file with the backup content to our laptop. Because the backup was encrypted, it required a key to access the CSV files stored within.

Another enterprise feature of Odaseva is shown in Figure 5. This is the ability to monitor Salesforce system resources by leveraging the Odaseva Cockpit utility. Figure 5 shows a detailed view of the total daily REST and BULK API calls. This is an important resource to monitor because processes like backup and recovery rely on these API calls, and when the limit is reached, API calls will fail. This is why Odaseva allows for the configuration of a maximum of API calls per time period and optimizes all API calls down to a strict necessary minimum. Many other Salesforce resources such as Data Storage and File Storage can be monitored with Cockpit. These can be very useful metrics for developing procedures like a data archive strategy. It is very important to note that, in some cases, reaching a Salesforce resource limit will actually stop the Salesforce application from working.

Finally, ESG investigated the data governance/GPDR capabilities of the Odaseva solution. This feature allows the granular management of customer personal data. These capabilities can be managed from the Odaseva UI or its API. It has the following three modules: the right to data access, the right to data portability, and the right to be forgotten. The data access module allows an end-user to understand what personal data a Salesforce environment contains. The data portability module enables the extraction and download of personal data into a zip file that contains only that personal data in readable CSV format. The file can be leveraged to migrate personal data to another content management application or simply used as a copy that can be kept as a record for the end-user. The third module is the right to be forgotten. This module allows personal data to be removed not only from an Odaseva backup but also from the Salesforce environment itself.

As shown in Figure 6, ESG used the right to be forgotten module to remove specific contact information from our demo Salesforce environment. The left side of the figure shows a Salesforce module that we installed to trigger the feature for a specific contact via the Odaseva API. The upper right side of the figure shows the contact with personal data, such as a picture, a phone number, email address, and date of birth. The bottom right side of the figure shows the results of GDPR data removal. The blue GDPR icon indicates that this is a contact we want to manage according to GDPR guidelines. Notice that the personal data has been removed or anonymized, yet the contact still exists and business data, like the general revenue number, is unaltered.

Why This Matters

Many organizations leverage cloud infrastructures—private and public—for the agility and flexibility benefits they provide. However, ESG research confirms that security, sensitivity of data, availability, and protection also play a major role when deciding what application data can move to the public cloud. Organizations want to be sure that the enterprise-class features of their data center extend to their cloud environments.2

ESG confirmed that, because Odaseva is deployed within the Force.com framework, it inherits the same security features of the Salesforce application itself. It leverages single sign-on two-factor authentication and has feature-rich enterprise-class organizational access management capabilities that can be set up to restrict access to sensitive information. In addition, Odaseva encrypts all data in transit and provides its customers the ability to granularly encrypt data at rest with an encryption key of their choice. In fact, Odaseva has elected to not only encrypt at the disk-level and OS-level like other solutions on the market but has also applied AES-256 encryption with the customer-provided key at the file/field/column level, thus removing data visibility from its support or admin employees, and even infrastructure engineers. Other enterprise-class features include system resource visibility and the ability to granularly manage personal data contained within the Salesforce production environment and the Odaseva backup storage repository.


Comprehensive Data Management Capabilities

This section of the report explores the advanced data protection capabilities of the Odaseva solution and how those capabilities deliver extensive protection against data loss or corruption and how the same data protection engine supports workflows such as data ops. As shown in Figure 7, Odaseva protects both object data, or content stored in the Salesforce environment, and the Salesforce metadata structure itself. The left side of the figure shows the Backup Now configuration view. Backup configuration includes options such as environment, frequency, schedule, and retention and the ability to create very granular backup and exclude lists. The right side of the figure shows the Retrieve Metadata configuration view. Metadata configuration includes choices such as environment, options, schedule, and the ability to create very granular definitions of the metadata scope, or which metadata components you want to protect.

It should also be noted that Odaseva supports the Salesforce command line interface (CLI). In fact, we leveraged the CLI with JSON data and queries to quickly and easily create a sandbox Salesforce environment with anonymized data. This sandboxing capability can be leveraged for different workloads, such as test, development, training, and analytics.

Next, ESG explored the recovery options of the Odaseva solution. Odaseva supports multiple types of recovery, from a single object to full application. As shown in Figure 8, we navigated the single object restore process. A common use type of restore is to roll back individual data fields from data entry mistakes.

As shown in the red callout box on the upper right side of Figure 8, an account number was overwritten with incorrect data. To correct this, we simply clicked on the restore tab from this field and, as shown on the left side of Figure 8, we were presented with a history of that data in that specific field. We were able to select a recovery point from a number of time-stamped backup images, and then restore the correct account number to the original location.

For larger bulk, or even full, application restores, Odaseva provides detailed insight into the Salesforce environment. As shown in Figure 9, Odaseva provides a view within the application to do detailed compares of both data and metadata. This option can be used to compare current production data to a point-in-time backup image. Figure 9 shows the results of a comparison of contact data. The utility will show data matches versus missing, excluded, and mismatched data. Any data in question can be downloaded in CSV format to reconcile discrepancies before a restore is initiated. The same process can be used to conduct a bulk delete of stale data in a Salesforce environment or even to migrate specific data to a new Salesforce instance. It should also be noted that an Odaseva backup can be replicated to other environments such as any data lake able to receive SFTP connections or with native connectors to Azure Blob, AWS S3, Salesforce Einstein Analytics, or even Odaseva’s own Salesforce emulator for high availability.

Why This Matters

Software-as-a-service (SaaS) is often seen as an accelerator to IT transformation. It can eliminate complex onsite infrastructure, reduce CapEx costs, and provide unparalleled application agility. However, it does not guarantee all your associated business processes, such as development, test, analytics, and quality assurance, will automatically be transformed as well. In fact, a process as essential as data protection can often lack the expected functionality.

ESG confirmed that, for Salesforce environments, Odaseva can help its customers eliminate data management gaps. We validated the solution from a single object restore to a point-in-time advanced restore and even the creation of an anonymized sandbox environment. Odaseva provided all the functionality and options required to make sure the right data is in the right place when it is needed.

 


The Bigger Truth

Salesforce is an industry-leading customer relationship management (CRM) solution. It lets you store and manage prospect and customer information, like contact info, accounts, leads, and sales opportunities, in one central location. It is delivered from an enterprise-class, highly available cloud infrastructure. However, it is not designed with the features of a dedicated data protection application that protects against common data loss scenarios at the content-recovery-level. Remember, Salesforce is a multi-tenant environment, and RPOs are likely to be very different for each tenant on a Salesforce instance. And a rollback/recovery, even for a simple infrastructure issue, one that lands well within their uptime SLAs, does not guarantee the integrity of your data after such an event. That’s your responsibility.

If you consider Salesforce a critical part of your enterprise, it is probably wise to review your recovery expectations to make sure what you have in place can meet your business requirements. Even Salesforce recommends leveraging a business partner from their AppExchange to enhance overall data protection capabilities. It’s also worth noting that, because of the nature of the Salesforce application, it is quite common to have data that is considered personal information in your environment. If you are in a regulated industry, you might have to look beyond backup when selecting a business partner.

That is where Odaseva comes into the picture. Data loss can happen quite easily, even when the supporting infrastructure is running flawlessly. That is why Odaseva has been working on Salesforce data protection and management for over six years now. They take a customer-centric approach to their solutions and build in features based on solving the difficult data protection and data management challenges for their customers. ESG attributes this customer-centric approach to the fact that Odaseva was incorporated by a Salesforce certified technical architect (CTA) and that there are several CTAs behind the development of the Odaseva architecture. During our validation, ESG was very impressed with how comprehensive each component was. From data protection to governance/GDPR offerings, we tested important data management features that far too often are only seen in legacy solutions that have been on the market for decades.

ESG believes that Odaseva has a very bright future in Salesforce data management. In fact, we would love to see them extend their framework to other SaaS applications. The biggest challenge they face is educating the customer base on the protection inadequacies often inherent with cloud/SaaS applications and how a mature SaaS data protection/data management solution should really work.



1. Source: ESG Master Survey Results, Real-world SLAs, and Availability Requirements, May 2018.
2. Source: ESG Master Survey Results, The Emergence of Multi-cloud Strategies, April 2018.
Topics: Data Management Data Protection