Published: 12 Oct 2008
Backup services can save hardware and staffing costs, but beware of surprise fees.
Organizations go to great lengths to ensure there are no surprises in their operational environments. Even so, several well-publicized events involving backup storage as a service (SaaS) have exposed costly vulnerabilities in a number of shops. Given that SaaS is new to many firms, it's understandable that some possible scenarios simply weren't considered in the review process. When evaluating backup SaaS, it's important to know every detail of your current backup system and backup budget.
Caught up in the competitive frenzy to win new customers, some backup SaaS vendors have been dropping prices to new lows. A gigabyte of storage is a gigabyte of storage, right? Not really. The volume of storage required for a pair of socks and your great-grandmother's pearls might be comparable, but the more valued item might warrant improved security and storage conditions. Companies considering backup SaaS can't confuse basic file storage and recovery for PC data with the sort of storage and data recovery required for mission-critical apps. Some IT shops, perhaps blinded by the relatively low cost of using backup services rather than coordinating an in-house backup process, may have ignored initial concerns. But now that SaaS is growing up, with more mature storage vendors entering the space and many newcomers offering solid products, it's time to get serious about evaluating these products. When determining whether SaaS is right for you, it's also crucial to look beyond the initial price of the service.
In reviewing backup SaaS solutions, it's clear there are different classes of service with price points to match. The newest backup SaaS contenders, or those catering to a less-demanding user, lack administrative features to manage backup and recovery for a large set of users or more complex environments. These services are inexpensively priced and simple to understand and initiate. Veteran vendors, or those with customers who have higher level requirements, have applied the same level of standards in use for decades for traditional, on-site backup software. These more robust solutions may be accompanied by a higher premium and a more formal sales process.
If buying a home were based solely on size and cost per square foot, the process would be simple. But there are so many other factors to consider--location, school systems, tax rates and trash collection--that influence price. Similarly, backup SaaS decisions can't be based solely on cost per gigabyte. Several key factors must be considered to mitigate future risk and understand the overall value of backup SaaS.
A great example of this is the availability of administrative control. The service and its capabilities need to be sized for the environment. There are many consumer and small office/home office (SOHO)-grade solutions that are attractively priced but not designed or packaged to fit the needs of larger companies. IT groups need to document minimum requirements. Some vendors won't offer capabilities such as departmental capacity limits, file/folder exclusions by user, advanced policy settings, centralized encryption key management or centralized admin. Here's a short list of factors to consider besides price when looking at SaaS options:
Retention settings and restores: Best practices suggest saving a copy of data for a specified period of time or for a specific number of versions. This way, data can be restored from any backup point within the period specified or from a previous version.
Backup SaaS solutions may provide one or both of these retention settings. Less-robust solutions don't offer a lot of flexibility, as they often retain data for only 30 days. More mature backup SaaS solutions may offer 30-day, one-year and seven-year retention period settings that allow organizations to conform to strict compliance guidelines. The most sophisticated services allow custom retention plans and/or archiving capabilities.
When it comes to online restores, some companies push files back to the original server online by default. Others allow you to choose the original location or an alternate one. On-demand restores let administrators initiate restores at any time. These are all options to investigate and consider.
Recovery assurance: Service-level agreements (SLAs) should be of particular concern when an organization is handing over its data protection reins to a third party. SLAs, if available, will vary from one service to the next. Most vendors have fail-safe mechanisms in place to ensure access to the service to recover data--excluding factors that are beyond the vendor's control, such as sufficient bandwidth. More sophisticated vendors replicate data to geographically dispersed data centers to thwart service disruption in the event of a regional outage or disaster.
Because most recovery events involve only a few files at a time, the expected recovery-time service level is based on bandwidth and file size(s) for online restores. However, you should ask about expectations for full recoveries. Is there an expectation that the entire data set will be streamed over a WAN connection? And how quickly can the last full backup be assembled when using capacity optimization techniques such as data deduplication or redundancy techniques such as distributed RAID?
Sometimes you'll hear "We'll restore your data as fast as your Internet connection will allow," while more experienced providers will have computed the "speed of connection vs. volume of data to transfer" and may have realized that it's faster to drive the data cross-country than perform an online full restore. The latter typically offer some type of rapid-recovery service involving a portable disk device and third-party transportation. Turnaround time is dependent upon the amount of data recovered, the time of day the request is received and the method of shipment. Price can be affected by the cost of travel and staff time.
IT compliance and security: If your vendor isn't clear on the definition of an ediscovery request when you make inquiries about their capabilities to search for and produce items relevant to a litigation event, then it's clear they aren't catering to mature, established businesses. In addition, if a vendor defines compliance audit functions as their level of cooperation after being served with a search warrant, they may not be prepared to service a company grappling with state and federal regulations.
Vendors that can export or migrate data for ediscovery purposes, or provide archiving services that index data for faster and easier searches at a later time, might be a good fit for litigious organizations. Some will have staff that can assist with audit events or offer professional services for ediscovery or compliance readiness.
When it comes to backup SaaS, many companies are reluctant to consider it due to security concerns. As backup SaaS options proliferate and improve, so do security services from many vendors. You should find out how each SaaS vendor you're evaluating secures its data. Do they provide in-flight encryption? Who holds the encryption key? Can you leave the encryption key with them? You may decide to do that or you may choose to have a key that allows some access to various files for your in-house administrator. A few vendors previously focused on security have now broadened their portfolios to include backup SaaS offerings, knowing that security is on the minds of anyone deciding to store data outside of their own network or into a cloud. Compare and contrast security options from SaaS vendors and ask if they have any customer references with shops and data backup needs similar to yours. Those are good sources for answers to your security questions.
Then ask what happens if you decide to bring your backup back into your own shop. What if you decide to go with another vendor? Termination fees are used as a deterrent to early cancellation of many services. Most vendors require some notice of cancellation--30 days is typical--and may charge a service fee for early withdrawal. However, that fee may not cover packaging stored data for recovery via a portable disk device. If a rapid-recovery approach like that isn't available, vendors will offer a 30-day grace period for customers to recover data over a WAN link.
Exceeding capacity thresholds may also cost you unexpected fees. With standard PC backup SaaS solutions, it's difficult to exceed the plan because the size of the PC hard drive will determine the limits. More mature backup SaaS providers offer various capacity-based plans, sometimes with a higher rate for capacity that exceeds the basic plan. For organizations pooling capacity from many systems or protecting application servers where capacity growth is a certainty, planned usage may be exceeded. Organizations should work through their capacity growth scenarios with backup SaaS providers and choose a plan that will fit their needs for the term of the agreement.
These are just a few of the details that could trip up a company seeking a SaaS model for backup and recovery. Make sure your service agreement exposes these and find out which ones might be applicable to your organization. That way, you can factor them into your budget and SLAs to avoid surprises later on. There are plenty of good reasons to opt for backup SaaS, but numerous questions must be asked before greenlighting the project.