Software as a service (SaaS) is one of the possible cloud models and has become more and more used also from the enterprises.
For example, most of the companies are using a SaaS solution for email, intead of build and manage their own mail servers.
According the the report 2023 State of SaaSOps, BetterCloud, the number of SaaS apps by organization size (2022) is very huge.
But in each cloud models, data protection is still one responsability of the consumer, also if the provider can/may have specific backup options.
But which criterias should be use to select a proper SaaS backup solution?
Multi-application vs. siloed
Each company is probably using several SaaS applications, that means more complexity in the backup operations if you choose one vertical product for each application.
One backup solution for all (or most of all) SaaS application could be easiest to manage and control!
And some SaaS application have correlation between them, for example a backup of Microsoft 365 objects without the ability to perform also the backup of EntraID objects could be less effective!
SaaS vs. on-prem
In order to backup SaaS application is better have a on-prem solution or a SaaS offer? In my option, it could be nice have the possibility to choose between both options.
Of course, a SaaS approach could be faster, easier, and potentially more secure.
But the data must be stored to a different cloud (from the origin) otherwise you cannot guarantee a good level of separation, security and recoverability.
And still data sovereignty must be managed, at least with the option of having the SaaS backup in a region of your choice.
RPO and throttling
One issue of the way to backup SaaS data is the throttling mechanism that the cloud provider is implement to protect its services from DoS or from high usage.
To achive the desiderated RPO, different techniques must be implemented by the backup product to increase (but also control) the parallelism of the backup process. And where is possible to backup object once or implement incremental backup, this can reduce the network traffic, increase the backup speed, and reduce the RPO.
RTO and restore options
Each backup solutions is useless if does not provide the proper restore option that you need in the time (RTO) that you need!
How fast is the restore, how easy, how you can perform a granular restore, how you can compare what is changed… all aspect to be considered.
But can be also important the ability to restore on a different cloud: I don’t mean data/service migration, but for example restore on-prem instead that on cloud.
For mail service, it should be possible export data as PST (for example) or on an internal mail server (if existing).
For Saleforce, some backup solutions have to ability to restore on a local Postgres server.
All type of restore scenarios that can be very important, in case of the original cloud is not working!
Testing the backup
Make manual restore to test the backup is quite impossible in large environments… so automatic tests (in a protected bubble) are necessary to be sure that data are effective recoverable.
But if it can easy for a service or a system, test the data is much more complicated and lot of backup products do not have this feature!
Security
Each data protection should become a security product or, at least, have all the different security features (like encryption, immutability, …) needed to protect the data.
And have also the proper security certifications/compliances.
Cost and licensing model
Of course the cost is important, but you should consider the Total Cost of Ownership (TCO), because usually there are a lot of hidden costs (bandwith, consumed storage space, …)
A price model per user and per application could be a fair and clear approach… but be sure to verify is there is also a cost in storage space and network traffic.
Not all users use the same SaaS application, but some users may have a lot of applications, so also a discount for multiple application can be appreciated.
