Most organisations have an obligation to maintain backed-up data and systems for a period of time (e.g. for tax purposes, record-keeping purposes, and other regulatory compliance purposes) and in a particular geographic place (e.g. for privacy law data sovereignty purposes). Organisations assume that their cloud service providers retain their backups for the required periods.
However, a recent study found only 34 percent of enterprises know their SaaS providers’ backup and recovery processes in detail, and only 32 percent know their IaaS providers’.
Similarly, despite the fact that three-quarters of enterprises have to ensure that their backups are stored in a specific geographic region, only 32 percent of enterprises know the precise location of their SaaS providers’ backups – and only 30 percent know the same for IaaS.
Perhaps most worrying, enterprises are not clear on how long the cloud services they use retain backed-up data under their standard terms. In the majority of cases, enterprises assume that their providers keep backups for much longer than they actually do. As a result, many enterprises will be using services under the impression that they can still access backups, when that is not the case.
Only 27% of interviewed organisations realise that Microsoft keeps O365 Exchange (email) data for only 14 days;
Only 29% of interviewed organisations realise that AWS does not keep backups;
Only 27% of interviewed organisations realise that Microsoft keeps O365 (non-Exchange/SharePoint/Teams) data for only 14 days.
This does not need to be an issue. If organisations have put specific processes into place to ensure that their data is backed up regardless of the specific policies of the cloud service providers, or have paid for additional backup services from providers, then their data will not be at risk. However, 52 percent of enterprises rely on “standard” backup services from their IaaS providers, and 54 percent do the same for SaaS applications. As a result, there is a significant proportion of enterprises whose backups may be at risk because they incorrectly believe that their cloud service provider is retaining their backups for longer than it is. These enterprises are at risk not only of data loss, but of failing to meet their compliance obligations.
There is a clear need for education on the level of backup that cloud service providers offer. Organisations need to carefully evaluate their services, ensure that they have not made inaccurate assumptions when provisioning backup, and ensure that risks are mitigated. This might mean purchasing additional backup services from cloud providers, or it might mean taking over control of backups to ensure that they are performed and stored according to the organisation’s needs.