Disaster Recovery Journal Spring 2024

responsibility for their data. Google does the same. Other providers may not be so forthcoming. Regardless of a cloud-based app provider openly disclosing this statement, organizations should assume they have responsibility for their data. This holds true for any cloud-based app used by an organization in which it stores data.

The Growth of Cloud-based Apps

Unfortunately, many organizations fail to grasp just how many cloud-based applications they already use. According to Statista, in 2022 each organization already uses 130 SaaS applications on average. Further, year-over-year, the percentage of SaaS apps used by organizations grew by at least 15% per year.

One data protection provider of cloud-based applications has found that more than 65% of data in these cloud-based applications remains unprotected. The provider also points out it gathers this data from organizations which acknowledge they should protect this data. Organizations that have not formally begun to protect their data stored in cloud-based applications likely have higher percentages. They may find most or all their data in cloud-based applications remains unprotected.

Data Protection Provided by Cloud-based App Providers

Organizations may wonder, “Is this just a case of data protection providers looking for a problem their software can solve?” After all, most if not all providers of cloud-based applications already:

• Host their customers’ data in highly available and resilient data centers.
• Limit physical access to these data centers.
• Utilize multiple cyber security offerings such as anti-virus software, firewalls, identity management, and multi-factor authentication, among other security measures.

Organizations may rightfully argue these cloud-based app providers do protect their data. To understand this issue requires putting the problem associated with protecting data in cloud-based applications in context.

The Need to Protect Data in Cloud-based Applications

Cloud-based application providers do offer data protection primarily in the form of high availability and secure perimeters – both cyber and physical. Their data protection does not, however, extend to protecting their customers’ data from every type of threat. Here are just a few scenarios that illustrate why organizations need data protection above and beyond what their provider offers:

The provider’s data center unexpectedly goes offline. This happened to DCIG with a SaaS-based application it uses. In this case, there was a fire near the data center where DCIG’s provider runs its cloud-based app and hosts its data. This fire prompted the city to shut down utility services to the entire area around where the fire occurred as a precaution. This included the data center where the cloud-based app provider was based. Thankfully, the cloud-based application provider’s data center was unaffected by the fire. However, it took a few days for the data center to fully come back online. Until it did, DCIG had no access to either the application or its data. Further, had the data center remained offline indefinitely, it remains unclear if DCIG could have recovered or retrieved its data.

A ransomware attack occurs inside the cloud app provider’s data center. Ransomware can attack any organization, including cloud-based application providers. In this real-world scenario, ransomware got inside a data center where a provider hosted its accounting application. As part of the attack, the ransomware encrypted customer data stored in the cloud-based app. The provider eventually restored its application after the attack. However, its customers had to restore or re-enter their data into the application. The provider could not perform this task since it could not assume the customer data it possessed was ransomware-free.

User error. Users who accidentally delete or overwrite data still represent the most common reason organizations must restore data. Organizations may find they can perform some restores with the basic tools cloud-based application providers offer. For instance, individuals can potentially go to their deleted items folder in Outlook and recover an inadvertently deleted email. However, organizations should not rely either on this option or the provider if they need to recover large amounts of data. In these circumstances, organizations must perform their own data protection and recovery.

So Many Cloud-based Apps, So Few Data Protection Choices

Organizations might assume they would have multiple data protection providers from which to choose. After all, the average organization already uses more than 130 SaaS applications so surely someone offers software to protect them. Unfortunately, organizations will find almost no data protection software available to protect data stored in these cloud-based applications. The only notable exceptions where organizations may find multiple available products to protect data in cloud-based applications include these:

• Dropbox
• Google Workspace
• Microsoft 365
• QuickBooks Online
• Salesforce
• Slack
