The Perfect Cloud Environment is the Perfect Headache for Data Protection

It practically goes without saying that the smartest way to move workloads to a public cloud is to have them completely refactored to run as a SaaS based application. At that point you’re paying for the application and its data services, nothing more and nothing less.

Yes, you can lift-and-shift your virtual infrastructure. Taking an application running on a virtual machine that’s designed to basically soak resources (because you’ve already purchased the server, right?) and plonking it into IaaS is the fastest and most efficient way to blow a yearly IT budget in a quarter or less. It’s been done.

There’s a variety of different Cloud operating models of course, but the pinnacle in terms of simplicity, the alpha and the omega of the Cloud world, is Software as a Service. And it’s a looming headache of gargantuan proportions.

The Growth of SaaS is Not Without Its Challenges

Simon Sharwood at CRN Australia reports:

Australia’s “cloud” market is mostly software-as-a-service, says analyst house IDC.

The firm’s new tracker of Australian cloud services revenue from 2016 to 2018 found that revenue in [sic] reached $4.01 billion in 2018, 30.6 percent year-on-year growth.

“Australian cloud is 66 percent SaaS: IDC”, Simon Sharwood, July 4 2019, CRN Australia

Simon goes on to note that SaaS represented 65.8% of that spend – rounded to 66% for the headline.

Blissfully, which bills itself as providing tools to track and manage SaaS usage within organisations, provides reports on adoption rates (2018 Q1, 2019), which provide some interesting insights into SaaS utilisation. Nuggets from the 2019 annual report include:

  • “In 2018, the average company spent $343,000 on SaaS, a 78% increase from the previous year”
  • SaaS spend had increased year on year, every year over 5 years, for all tracked company sizes (0-50 employees, 51-100 employees, 101-200 employees, 201-500 employees, 501-1000 employees, 1000+ employees).
  • The average cost per employee of SaaS subscriptions was $2,884 (presumably USD).
  • On average, almost regardless of the number of employees, each employee used around 8 SaaS applications.

In their 2018 State of Enterprise Cloud Computing, Forbes noted (reporting data from an IDG study):

30% of all IT budgets are allocated to cloud computing this year, with the majority being SaaS (48%) … the average investment is soaring in cloud computing apps and platforms, with the average reaching $2.2M this year, up from $1.62M in 2016.

“State of Enterprise Cloud Computing, 2018”, Louis Columbus, 30 August 2018, Forbes

A listing of the biggest SaaS companies is like a who’s who of tech darlings, including Salesforce, Workday, ServiceNow, Tableau (now purchased by Salesforce), Zendesk and Mulesoft. And of course, Office 365 services these days represent a huge SaaS footprint, and a common starting point for businesses as they look towards handing the back-end administration of email over to someone else.

Yet here’s the rub: every SaaS application you deploy adds to the complexity you’ll have when it comes to tracking and managing your data protection. There is no escaping this.

Whenever something is running on-premises, there’s always a way to provide data protection services for it. Somehow. For a start, you might accept the risk of crash-consistency in exchange for a fast RTO and short RPO, and do snapshots and replication. For backups, even if there’s a database involved you’ll find a way to achieve that backup: if it’s a traditional big-name database vendor, there’s probably a database module or plugin for it, and if not, there are other ways to deal with it such as pre/post processing, data dumps, and so on.

SaaS of course changes that picture. Your classic service model diagram looks like this:

[Figure: On-Premises vs In-Cloud Access Levels – Highlighted Blocks are ‘out of your control’]

I liken SaaS to NAS. NAS is practically ubiquitous within IT Infrastructure circles, making it easy to present enterprise grade storage and services, but coming with a data protection headache. In fact, SaaS is sticky like NAS, too. Returning to the CRN article, Simon Sharwood quoted IDC as saying:

“Organisations are also aware that deployed SaaS solutions can become sticky. SaaS applications often require complex integrations with on-premise [sic] software to avoid information silos across the cloud and on-premise [sic]. This means the organisation cannot quickly or cheaply switch even if a more innovative SaaS application appears.”

“Australian cloud is 66 percent SaaS: IDC”, Simon Sharwood, July 4 2019, CRN Australia

In short: SaaS makes things really simple, but there’s a high chance of you becoming a bit of a data hostage once you’ve got your workload converted to running in a SaaS.

There aren’t just hundreds of SaaS applications out there, there aren’t just thousands of SaaS applications out there — you’re looking at a minimum of tens of thousands, probably more again.

The old chestnut in on-premises IT would be that a new system or workload could be fully deployed and dropped into production before someone would say “What are you doing for backups?” To a degree, frameworks like ITIL managed to exert some control over this problem by inserting gates and controls — a requirement for instance that system and workload builders demonstrate they’ve met all the necessary considerations to migrate out of a build/development cycle into a production cycle.

But of course, ITIL-style controls were exactly what the business needed to prevent chaotic data risks within their environments, and they undoubtedly contributed to businesses seeking public cloud services because “IT makes it too hard to get things running”.

So here we are, on the raggedy edge (with a wink at Firefly). SaaS is cool, SaaS is popular, SaaS is the ultimate desirable state for a workload running in public Cloud and … SaaS has no common mechanism to allow a business to protect its data – to backup and recover, or extract. There’s no NDMP for SaaS.

It’s maddening. And it’s not something that you can peremptorily tell data protection vendors “this is your mess now, fix it”. Here’s the uncomfortable truth: it’s your mess.

Sorry to be preachy about it, but that’s the rub. Every time you adopt another SaaS application within your business without a comprehensive understanding of exactly how you’re going to protect the workload you’re moving into there, you’re creating risk. You own that risk, not your on-premises data protection vendors, whoever they might be.

That’s not to say that data protection vendors don’t care; they do. If someone works in data protection it’s because they’re passionate about making sure data is protected. Trust me, this is the truth: I’ve been working with IT groups, businesses and management of all levels for the past 20+ years to help them all understand the need to have comprehensive data protection services, and I still have to regularly revisit the basic “but we don’t need to’s…” that should have been put to rest 20+ years ago, too. You can’t stay in this industry unless you care.

Decades ago, there was a recognition that NAS data protection would be impossible without some form of standard, and much as NDMP had its flaws, it did mean that there was at least some mechanism to backup and recover data residing in a storage appliance.

Yet given the sheer number of SaaS developers out there (and let’s face it, anyone with a laptop, a basic understanding of coding and a credit-card can start a SaaS business if they can get an anchor customer), the idea of getting a consensus that “SaaS providers will provide backup and restore APIs” is probably almost as difficult as getting Donald Trump to say something that is both coherent and truthful.

So here we remain, on the raggedy edge.

The solution isn’t going to come overnight, and it’s not going to come from data protection vendors jumping up and down and talking to every single SaaS provider in the market. There’s too many.

This is something that’s going to come from two sources: you, and them.

  • Them, as the company offering a SaaS product, have a responsibility to provide some documented mechanism for subscriber-initiated backup and recovery.
  • You, as a subscriber of a SaaS product, have a responsibility to ensure that the SaaS products you subscribe to have that functionality, or demand it if it is not there.

If there’s a guaranteed backup and recovery mechanism, there’s a solution that can be created – but again, that solution may require you to agitate for it, and educate your teams (business, IT, management) about the perils and risk that come from choosing a SaaS product that doesn’t have backup and recovery functionality.

2 thoughts on “The Perfect Cloud Environment is the Perfect Headache for Data Protection”

  1. Hi Preston,
    As SaaS is currently something which is heavily discussed within our organization, this was the right article published at the right time. I especially liked your comparison with respect to NAS.
    Well done.

    Best regards, Carsten
