ESG Survey Reveals Disconnect Between SaaS Availability and Data Protection

Vasu Subbiah, Sr. Director, Product Management

To better understand how the shift to cloud applications is impacting organizations’ approach to data protection, Enterprise Strategy Group (ESG) recently surveyed 347 organizations about their approach to SaaS backup and recovery and depth of knowledge regarding the capabilities of their existing SaaS service providers. The survey results revealed a disconnect between what IT teams believe SaaS application providers support for data protection, and what kind of data protection SaaS application providers actually support as part of their service offerings.

Misconception that SaaS data is automatically backed up and protected

The survey measured a misconception amongst some IT teams that data resident on cloud applications are inherently protected. In fact, 68% of ESG survey respondents felt that SaaS applications didn’t need to be backed up (33%) or that SaaS providers already include “good enough” capabilities (35%).

SaaS and Data Protection the BIG Disconnect

When asked about their organizations’ approach to protecting SaaS-resident application data, only 16% of organizations felt they were solely responsible for protecting all of their organizations’ SaaS-resident application data and use a 3rd party data protection solution. Of the remainder, 45% of respondents felt that they were partially responsible for protecting their organizations’ SaaS-resident application data and relied on both the SaaS provider and a 3rd party solution for data protection. This leaves 37% who solely relied on the SaaS vendor for protecting their organizations’ SaaS-resident application data.  I am not sure about you but these results surely raise a red flag for me.

The big takeaway is that clearly understanding your SaaS providers’ SLAs is important. Many IT teams expect their SaaS vendors to ensure always-on availability. But availability cannot be conflated with data protection. In fact, most SaaS providers’ SLAs offer limited to no data protection services. It is typically the customer’s responsibility to protect their own data, not the vendor’s.

Difficulty finding assistance to solve problems with data recovery

When asked what data protection and recovery service and support challenges their organization experienced with their SaaS providers, the most popular response was “difficulty finding the right person to solve the problem at hand” (31%), closely followed by “misunderstanding of what is covered in data recovery SLAs” (28%), and “inexperienced support staff” (26%). These indicators, along with other reasons such as “inability to recover all their data” (24%) and “missed service level agreements” (23%) are key indicators that data protection of SaaS applications and associated data is not an easy problem to solve.

SaaS Providers Struggle with Support and SLAs

Many ways to lose SaaS data

The reason that recoverability is both an opportunity and a concern is because there are so many ways to lose your organization’s data. The leading cause of data loss is a service outage (22%), closely followed by accidental deletion (20%), and malicious deletion (12%). No organization is immune to data loss but with the help of a third-party data protection solution, it can protect your SaaS applications from common data loss scenarios. IT teams must take into account that even with SaaS applications, the data within those applications  is at risk.

Many Ways to Lose SaaS Date, Led by Accidental and Malicious Deletion

Majority of Office 365 users have challenges recovering data

One of the most popular SaaS applications is Microsoft Office 365. Outlook, Word, Excel, Powerpoint, SharePoint, are all commonly used as a SaaS service. What organizations do not realize is that again, service availability should not be equated with application-resident data being backed up. Sometimes SaaS providers will offer data backup for a limited period of time. But if data is accidentally deleted after the stated retention period, the lost data may not be recoverable. There is also the compliance exposure that goes beyond the loss of the data itself. Under most circumstances, relying on native data protection capabilities of the SaaS provider is insufficient.

When ESG survey respondents were asked about their Office 365 recovery choices, 54% relied on Office 365’s native recovery functionality and 27% did not have any recovery capabilities. This means a large majority of organizations are not taking extra steps to protect their business-critical data beyond Microsoft’s standard 30-93 day data retention period and potentially not meeting their organizations’ data retention and compliance policies.

1 in 4 Do Note Protect Office 365 Data

The survey results also found that for respondents who did recover their Office 365 data, only 21% were successful in recovering all their data, 30% could recover 76% to 99% of their data, and 14% were only able to recover 25%-50% of their data.  However, success rates were higher when using a third-party backup solution, with a recovery rate of more than 75%. The key question here to consider is – “If your Office 365 applications were hosted on-premises, would it be acceptable to recover 75% or less of your data? Should the standards for business continuity be different if the data is stored on-premises or in the cloud? “

Recovering Office 365 Data is Not a Sure Thing...


The popularity of SaaS apps is here to stay. It is important to understand your SaaS providers’ SLAs to avoid a false sense of security. And specific to data protection, many top SaaS providers, including Microsoft, recommend that you backup your data with a third party solution to prevent potential data loss and to comply with data governance requirements.

To learn more about the ESG survey results, watch this 10-minute video with Christophe Bertrand, Senior Analyst of ESG.

To learn the top 5 reasons to backup your Office 365 data, please click here.