If the CrowdStrike outage underscored anything for CIOs, it’s that modern enterprises are dependent on a growing number of interconnected systems, any one of which can cripple business operations beyond CIOs’ control.
As a result, software supply chains and vendor risk management are becoming ever more vital (and frequent) conversations in the C-suite today, as companies seek to reduce their exposure to outages and the business continuity issues of key vendors their businesses depend on.
One such area that’s getting more thought today is SaaS backup and recovery, something many CIOs have to date taken for granted, leaving it to their SaaS vendors to not only deliver better than five-nines uptime but also be the sole entities backing up and recovering SaaS-siloed data that is increasingly vital to companies’ data-driven operations.
“We experienced the impact of one of our SaaS providers, OpCon, not having a solid DR [disaster recovery] plan during the MS Azure Central Region outage,” says Gary Jeter, CTO of TruStone Financial. “The nightly processing jobs were significantly delayed, which has a large impact on our credit union and our members. This happened the same evening as the CrowdStrike incident.”
Jeter, like many IT leaders, is getting more serious about protecting against SaaS mishaps impacting their business.
“We now are paying much more attention to it,” he says. “Although not implemented yet, we will be making it part of our vendor management and selection processes. We also plan on expanding our ERM [enterprise risk management] evaluations to include a more comprehensive SaaS vendor’s DR to determine which platforms we need to ensure have a mitigation strategy.”
Research firm Gartner predicts that, within three years, more than 75% of enterprises will prioritize backup for SaaS applications and the data stored with SaaS providers, up from 15% today.
Increasing demand for SaaS backup insurance — deemed critical for business continuity — comes in the aftermath of the CrowdStrike-Microsoft outage that impacted business globally this summer.
It also reflects the increasing amount of enterprise data stored in SaaS solutions: Enterprise customer SaaS spending globally is projected to grow 20% to total $247.2 billion in 2024 and is forecast to reach nearly $300 billion in 2025, according to Gartner.
Vendor risk management takes center stage
For CIOs concerned about protecting SaaS data, Gartner suggests vetting their vendors to ensure data protection and recovery is incorporated into the governance aspect of the SaaS vendor’s operations. CIOs should also verify their SaaS vendors’ ability to recover data from all loss scenarios.
“Many SaaS solutions have some capabilities for backing up customer data, but its primary purpose is not for the direct benefit of the client to restore data from customer-related or -inflicted issues. The vendor backup is for use in resolving vendor-related issues, not necessarily those generated by the customer,” says Michael Hoeck, Gartner analyst and senior director. “A general principle of SaaS applications is the shared data responsibility.”
While data analytics company Mathematica was not directly impacted by the CrowdStrike outage, several of its SaaS providers were affected, including one that is a critical system for Mathematica’s business, says CIO Akira Bell, who was a finalist for MIT’s CIO Leadership Award for 2023.
“We have not started doing our own backups outside of what the SaaS provider is contracted to do, although I would say it is a growing consideration,” Bell says. “As I look at our recovery capabilities, one area of growing concern is our critical SaaS applications. In a supply-chain scenario, our third parties may be the reason we aren’t backed up. An extra layer of redundancy may become critical.”
Integrating backup-as-a-service solutions is necessary for protecting workloads stored on the cloud and ensuring operational continuity, Gartner maintains. Although some SaaS providers offer basic backup services at little to no cost, CIOs are exploring more comprehensive ways to protect their data assets in SaaS and ensure they have a disaster recovery method ready to go should their SaaS solutions fail, Gartner analysts claim.
“Not every SaaS has backup capabilities for their own product, and with many of the ones that do, those native backup capabilities are rudimentary,” says Johnny Yu, who leads IDC’s SaaS backup research. “Salesforce has some sort of rudimentary backup feature as well, though I don’t believe they charge extra for it.”
Microsoft 365, for example, natively backs up data on a regular basis and users can roll back to these backups, but there are limitations. For example, they can’t restore individual files, emails, or Teams conversations, Yu explains.
“The main takeaway is every SaaS [vendor] handles customer data protection differently, and whether that data is even protected at all is never a given,” Yu says. “The only guarantees SaaS vendors are generally responsible for have to do with the uptime and accessibility of their software.”
Backup-as-a-service gains traction
IDC’s Yu backs up Gartner’s assertion that enterprise customers are now exploring vendors that offer “backup-as-a-service,” in which the solution providers package data protection in such a way that customers don’t have to buy or manage their own backup infrastructure.
Most data protection vendors sell a BaaS version of their product, including Veeam, Commvault, and Cohesity, Yu says, while others such as Druva, Backblaze, and Carbonite could be considered more “specialized” in BaaS.
CIOs who expect this protection out of the box are at risk.
Tom Barnett, CIDO at Baptist Memorial Health Care in Memphis, knows well the risks but he — like other IT leaders who hear business executives ask, “Why do we need backup if data is in the cloud” — is in a bind.
“This is something that has been on our radar and is somewhat difficult to make the case for funding with,” says Barnett. “It takes a lot of education and an executive-level discussion to align this with enterprise risk management, leveraging audit findings, and matching those up against data retention policies — all of which can be tedious and time consuming.”
Patty Patria, CIO at Babson College, which uses Microsoft Copilot for administrative tasks and efficiencies for students, is comfortable she has what she needs at the present time.
“It depends on the SaaS app and level of risk around that content and/or any regulatory requirements that organization might have,” Patria says. “Most SaaS apps are already backed up by the vendor, and most CIOs don’t engage in additional backups, but there are some use cases for it.”
To put organizations like Babson’s reliance on Microsoft into perspective, IDC’s Yu says Microsoft offers Microsoft 365 Backup as a service, with a retention period of up to 1 year, restore points as small as every 10 minutes (instead of every 12 hours), and granular restore of mail, contact info, calendar items, as well as a handful of other features for $0.15 per GB per month for all data it protects.