The shared responsibility model is misunderstood
This video explores the hypothesis that SaaS admins value expert backup support, especially when they lack expertise in diagnosing and resolving data emergencies.
[MUSIC]
Our first hypothesis that I want to share with you is this.
It was about the extent to which these SAS administrators,
decision makers are or are not aware of the responsibilities to
proactively protect the information that they're keeping in and
on these SAS applications and platforms.
We had some surprising and I have to say continuing to be
disappointing results, the question that first asked is there in the screen,
which party is ultimately responsible for backing up the information kept in
your SAS apps?
Respondents could pick one of the various options.
52 percent of the respondents said, "Hey,
it's not me, it's the SAS vendor.
They're responsible for this."
39 percent said, "Actually,
responsibility sits here."
9 percent said, "Hey, why are we even asking about this?"
Because SAS data cannot be lost or corrupted and then there was 1 percent said.
I'm not really sure and I don't know.
Now, what's so disappointing about this is that actually for
the vast majority of SAS applications,
responsibility does actually sit with the end customer, with the user.
So, SAS applications will have a shared responsibility model with
a vendor says that they will invest a huge amount of time and energy to ensure
that
the application is available.
It's 99.99 recurring percent uptime that the system,
the infrastructure is protected.
But they're clear that it's the customer's responsibility to take steps to
protect
the information that they're putting into the application,
such that if there's a data loss or corruption event,
it can be restored and recovered.
The fact that so many people with backup and
recovered responsibilities still don't really truly understand the extent of
those
responsibilities is alarming.
We asked another question that followed on from this one and we were upfront
with
our respondents this time saying, "Hey, most SAS denters do make it clear that
customers ultimately have responsibility for the protection of their
information.
How does that change your view?"
And this time, actually, there was a shift in opinion.
This is 40 percent said they are yet.
Yeah, absolutely.
Yes, we are aware that it sits with us in the further 37 percent.
Yes, we kind of get that too.
But that still means there is over 20 percent saying even despite this point
about it being their responsibility,
no, no, we're not entirely sure it sits with us.
Andrea, I'd love your thoughts and commentary on the extent to which this lack
of awareness of the shared responsibility model continues to persist in the
world of SAS.
Yeah, thank you, Graham.
So I personally think that the confusion around who's responsible for what when
we
talk about data protection in SAS environment is much broader than just the
backup recovery, right?
It's the protection as a whole, as you mentioned earlier.
But just to limit one second the attention to the backup and recovery,
I think and I believe that there's still a lot of confusion between
backup and recovery and this is the recovery.
Just to be clear, backup and recovery focus on protecting and restoring data.
Data can be lost, for example, because of an accidental human error.
This is the recovery under the site,
consider a broader scope that includes the restoration of the entire IT
infrastructure and business operations after a major destruction that can be
a natural disaster, for example.
So disaster recovery includes backup and recovery, but it's just broader.
So now if we just look at this definition, it's easy to think that because the
SAS
vendors are responsible of the infrastructural part,
if something happens, it's not worth the thing that they will be in charge
on fixing it.
But let's try to analyze this a little bit further.
If the vendor is able to restore from a natural disaster starting from the
whole
infrastructure, of course, they have the ability to restore the data.
But the key question here is how fast?
And here the ball goes to the business and company side of court,
because the fundamental questions here are, what is the maximum acceptable
downtime
that we can accept, we as companies can accept, or our RT or recovery time
objective?
Or what is the maximum acceptable data loss that we can afford, or RPO,
or recovery point objective?
So when we think about backup and recovery, we are assuming that a
infrastructure is up
and running, nothing happened to it.
So in that case, the RTO and RPO are usually measured in tens of hours or even
minutes to ensure the minimal destruction to ongoing operations.
In contrast, when we talk about disaster recovery, that involves longer RTO and
RPO,
because we need to think about recovering and restublishing the whole
of the infrastructure and resuming the business operations.
And that can even take days for some complex organizations.
So going back to the original point, if we just rely on vendors because they
have
a disaster recovery in place, we cannot guarantee that the RTO and RPO,
for backup and recovery, are within the limits that we consider acceptable for
our business.
And that not even contemplates what the SUS vendors are committed to deliver
contractually, right?
Because some of them offer backup recovery options, but some of them do not
offer that contractually.
And for those of the vendors that offer the backup recovery, the two questions
are,
is the vendor backing up the data with a frequency that satisfy my own RPO?
And so recovery point objective.
And do we have service level agreement in place to ensure that when we have to
restore data that is done within my own RTO recovery time objectives?
So just to sum it up, as you already mentioned, responsibility fall on each
side,
vendors and companies, and that can vary case by case, right?
And because of that, it's important to perform a proper due diligence to make
sure
that nothing is misunderstood and actions can be taken quickly with no
confusion
when it's time to restore data that are critical for our business operations.
[MUSIC]