Technical Insight Report: Enterprise Backup-as-a-Service Products

This Technical Insight Report was written on August 2020 by Krista Macomber, senior analyst, data protection and multi-cloud data management, Evaluator Group, Inc.

Enterprise Backup-as-a-Service Product and Vendor Landscape
Enabling you to make the best technology decisions

Introduction
Backup-as-a-service (BUaaS) represents a fairly complex market in terms of its variety of deployment models. It can mean strictly the backup software procured as a subscription service through the cloud, as a partially managed service with protection infrastructure managed, or as a fully managed service, for example including long-term retention data. The base criteria for Evaluator Group’s taxonomy is the backup software purchase as a cloud-based subscription offering.

Actifio GO
Actifio launched its GO software-as-a-service (SaaS)-delivered copy data management (CDM) solution in March 2019. It provides backup, data migration, DR, and database cloning for data warehouse analytics, DevOps, and test and development use cases. It is available as SaaS from Actifio and its MSP partners. The company also offers GO offerings for Google Cloud Platform (GCP) and IBM Cloud, available through the respective cloud marketplaces.

Sources for protection include on-premises physical servers and VMs, cloud-based VMs, a number of applications, and a range of databases including DB2, SQL Server, MySQL, Oracle, PostgreSQL and SAP HANA. Actifio GO allows customers to set backup policies that are automatically executed based on pre-defined SLAs. Backups for VMs and databases alike are incremental forever to reduce backup windows as well as network bandwidth and cloud storage requirements. Data can be backed up directly to any public cloud-based object store, including Alibaba, Amazon Web Services (AWS), GCP, IBM, Microsoft Azure and Wasabi. Data is stored in its native format, and customers provide their own cloud storage account so that data can still be accessed if the customer migrates off of Actifio.
From a recovery standpoint, firm’s metadata tagging capabilities allow files and folders to be granularly searched for and recovered. Databases, file systems and VMs can be instantly mounted to an on-premises data center or to a different public cloud store for recovery and user access – delivering scale-out recoveries in minutes, according to the company. Meanwhile, the databases and VMs can be migrated to production storage via VMware Storage vMotion and Actifio’s Mount & Migrate capability. Additionally, Actifio provides cloud DR orchestration for databases, physical servers and VMs. The Actifio Sky Data Mover, which deploys as a VM within an on-premises data center or public cloud infrastructure-as-a-service (IaaS), performs the backup, cloning, recovery and replication. Customers may choose to deploy a local cache to accelerate backup and recovery performance for critical databases and resources.

Administration, management and monitoring of backup SLAs, recoveries and Actifio Sky data movers are handled through the cloud-based Actifio Global Manager. Key security capabilities include data encryption at rest and in flight, data immutability and role-based access control (RBAC). Actifio GO is licensed on a per-terabyte model for source data.

Amazon Web Services (AWS) Backup
It was launched in 2019 as a tool to centralize the management and oversight of backup and recovery activities for cloud-based and on-premises AWS resources. Today, it supports Amazon Aurora clusters, DynamoDB tables, EBS volumes, EC2 instances, EFS file systems, RDS databases, and AWS Storage Gateway volumes. The software is acquired as a service hosted by AWS, with customers charged based on retention of backup storage and their restore and data copy activities (pricing varies based on the source that is protected).

Backup schedules (including the backup window) and retention policies can be automated and configured through a central console, or a command line interface (CLI) using public APIs. Descriptive metadata tags (e.g. finance department) can be used to direct automated, policy-based data lifecycle management activities, including retention. Data is encrypted in flight and at rest, and logs describing backup activities are available for audit purposes. Backups created by AWS Backup can be copied across regions, and cross-account backups for isolation are on the product roadmap. AWS Backup can restore single files or folders as well as full systems to AWS-native file systems or, via the AWS Storage Gateway, on-premises systems. To streamline recoveries for EC2 instances running as applications, AWS Backup can protect all EBS volumes attached to the specific EC2 instance, along with the EC2 instance configuration (AMI).

AWS Backup is targeted for enterprises looking for a way to simplify how they are protecting a multitude of AWS services (for example, compared to using a variety of scripts). As a product less than two years in the market, the service has yet to build out additional functionality, including tiering to long-term retention for resource types other than EFS sources and guaranteed SLAs for recovery. Additionally, the pricing model should be evaluated as compression and deduplication are not available today, and as costs will vary depending on recovery requirements (movement of data is a chargeable item).

Clumio
It wa s launched in August 2019 as a dedicated BUaaS offering hosted on AWS. Today, its Cloud Data Fabric product provides incremental forever backups for the following sources:
• Apps running natively on AWS EBS and EC2
• AWS RDS
• On-premises vSphere VMs
• Microsoft 365

Clumio is sold as a stand-alone service. The company’s pricing options, which include per-VM and retention time-based pricing, are among its key differentiators. These options can be more predictable, for instance than charging based on the size of the VMs, and include egress fees and EC2 instances required for protection processes. Additionally, resources are scaled automatically, on demand.

Clumio offers centralized control over backup and retention policies across the environments covered. Data is transferred directly into S3 object storage without requiring conversion. The product provides a number of recovery capabilities – including for emails, files, folders, EBS volumes, full VMs, databases and individual records, tables columns and rows within databases. Reverse changed-block tracking is applied, as is serverless compute cycles to rehydrate backup images, to accelerate recovery times. Clumio employs automated monitoring and proactive human support to identify and triage issues with protection workflows. From a security perspective, Clumio’s approach to air gapping is largely to store data in separate cloud accounts. It also employs immutability and end-to-end encryption with dedicated key management per customer.

Cohesity Cloud Backup Service for Google Cloud
It is a stand-alone BUaaS offering available for purchase from the Google Cloud Platform Marketplace or through a Cohesity service provider partner. The offering is based on firm’s SpanFS distributed file system and includes key protection capabilities, such as granular search and recovery (including for files and VMs), and the ability to conduct recoveries instantly (per Cohesity) at scale. Specifically, the service integrates with Google’s snapshot APIs; per Cohesity, RPOs of up to one hour are possible. Centralized, policy-based management of data lifecycle tasks is possible, with access facilitated through the Helios SaaS-delivered global dashboard. Security capabilities include encryption, role-based access control and support for Google Cloud Platform Identity and Access Management. Customers receive a single bill from Google Cloud and are charged based on consumption (which global, variable-length deduplication and compression help to reduce).

Dell EMC PowerProtect Cloud Snapshot Manager
It is a SaaS solution designed to simplify protection of workloads across multiple cloud environments. Specifically, it automates discovery, management and orchestration AWS and Microsoft Azure native snapshots. It also facilitates recoveries from those snapshots.

It includes a policy engine as well as a robust set of REST APIs for tag-based assignment of resources to policies, at scale. Among the product’s notable differentiators for enterprises, it can apply custom SLAs to specific resources – for example, to address compliance requirements for sensitive data.

Data protection activities for both AWS and Azure cloud environments are managed from a centralized portal for single-pane-of-glass visibility into and control over backups. Snapshot discovery, creation, and deletion, copying of snapshots, and orchestration of snapshots across regions can be automated. Mass, group restores of multiple VMs are possible, as are granular file-level recoveries. To protect vs. regional disasters or meltdowns in the public cloud, Dell EMC PowerProtect Cloud Snapshot Manager allows snapshots to be replicated from one region to another. It also enables replication and recovery from one AWS account to a secure account to protect from malicious attacks or security breaches – complementing audit logging, multi-tenancy and RBAC capabilities. Additionally, the health and recoverability of backup files is analyzed.

In being SaaS-delivered, the product does not require any installation or infrastructure. It is available directly from Dell EMC as a stand-alone service, or bundled with Dell EMC PowerProtect Data Manager.

Druva Cloud Platform
It is a SaaS-based backup and recovery offering that runs on AWS.

Sources for protection include:
• AWS-native IaaS and database offerings
• A number of third-party databases hosted in the cloud
• NAS devices
• Applications: Microsoft 365, Salesforce, Slack
• Workloads that run on premises and in the VMware cloud on AWS
• Endpoints

The platform is comprised of the vendor’s Phoenix server backup product (the first it launched), its acquired CloudRanger capabilities for AWS backup and recovery, and its inSync endpoint protection product. Enterprise IT professionals should be aware that Druva is in the process of phasing out the individual product names in favor of emphasizing workload coverage (endpoints, cloud resources, on-premises data center resources). Pricing varies based on the product; CloudRanger is available through the AWS marketplace, and Phoenix and inSync are available directly through the storage software vendor.

Backups are snapshot-based and policies can be applied globally across the resources under management. Recoveries can occur to an on-premises system or to the AWS cloud. The company describes the recovery process as “one-click,” and asserts that it can deliver one-hour RPOs and RTOs of minutes. Automated DR testing is possible through runbooks. Deduplication and a number of security capabilities including encryption are included. Metadata is indexed, so that data can be found for recoveries, audits compliance. Typically a fit for smaller organizations, the firm is bolstering enterprise-grade capabilities in areas such as recovery performance and compliance oversight.

HYCU
It first entered the BUaaS market with its service for Google Cloud Platform (GCP), which is available on the GCP Marketplace, directly from HYCU, and from Google partners. The company has since also introduced its DPaaS for Microsoft Azure offering, available through the Microsoft Azure Marketplace and integrated with the customer’s Azure billing, as well as from Microsoft partners. Customers choose desired protection service levels, including recovery points and times, and HYCU manages the protection jobs from there.

The offerings are built natively on the respective cloud platforms, leveraging native snapshots. Both services provide centralized oversight and policy-driven control over backup and lifecycle management for apps and VMs, including tiering to lower-cost cloud storage tiers for long-term retention. They also can granularly recover specific disks, files, or folders in addition to the entire VM. In addition, the Azure DPaaS offering offers failover capabilities and can serve as an on-premises-to-cloud migration tool. Application consistency is a hallmark of both services. Centralized management across cloud environments is possible with Protegé, HYCU’s tool for centralized management of on-premises and cloud-based resources. The late 2019 launch of Protegé as well as ongoing BUaaS enhancements such as support for SAP HANA for GCP reflect HYCU’s ongoing maturity into a provider of enterprise-grade backup capabilities delivered through the cloud.

Igneous DataProtect Backup-as-a-Service
The company offers a variety of deployment options for its DataProtect scale-out data protection software. This research focuses on Igneous’ BUaaS offering sold by authorized VARS and available on the AWS and Azure Marketplaces.

DataProtect BUaaS provides policy-driven backup for up files living on any SMB or NFS enterprise NAS file system (with native API integration for NetApp, Isilon, Pure, and Qumulo). Among the product’s key differentiators, files may be backed up to and recovered from any cloud provider, including AWS, Azure and GCP. The firm leverages highly parallel streams to efficiently move large volumes of data, and it also manages the solution, including proactively monitoring latency to maximize application performance. Both are key value-adds of the service, as is Igenous’ heavy investment in large-scale metadata indexing, which makes files searchable for faster recoveries. The product additionally supports data lifecycle management use cases as well through integration with Igneous’ optional Archive and Cloud Tiering capabilities. Several security functionalities including encryption, RBAC and WORM are included.

Metallic, A Commvault Venture
Commvault’s data protection capabilities are offered as standalone SaaS offerings through its Metallic division, launched in 2019.

The three currently available services include:
• Core Backup and Recovery, which protects Hyper-V, Linux and Windows VMs, both physical and virtual, on-premises and in the cloud. It also protects file servers and SQL environments, as well as Azure Blob and Azure file cloud storage.
• Office 365 Backup and Recovery, which includes protection for Exchange Online, OneDrive Backup and Recovery, Project Online, SharePoint Online, and Teams.
• Endpoint Backup and Recovery, which includes protection for desktops and laptops.

Metallic handles data protection infrastructure management and maintenance, while the customer manages the daily operations. Among its differentiators are the fact that unlimited storage and retention are included for endpoints and Microsoft 365, and that there are no egress fees for recovery or other utilization costs. For Metallic Core Backup and Recovery, users have the option to purchase Metallic storage or to use their own cloud-based or on-premises storage – allowing for the option to keep an active local copy for faster recovery times. Services are available through Commvault partners. Additionally, in June 2020 Commvault announced a strategic, multi-year partnership with Microsoft that includes joint engineering for Metallic and Azure. The partnership also includes joint go-to-market initiatives selling the services through channel, the Azure Marketplace and from Commvault directly.

Metallic can meet a range of SLAs and compliance and security requirements. Backups can occur to the customer’s on-premises system, to AWS or Azure public clouds, to Metallic’s public cloud, or a mixture of both. The product includes flexible and granular recovery capabilities. To accelerate recoveries, mailboxes can be searched via metadata and the product includes self-service restores. Backup jobs and VM conversions and migrations are automated, as is the application of retention policies. Deduplication, compression and network bandwidth optimization are applied to control costs. Data is encrypted in flight and at rest, and anomaly detection for ransomware risk mitigation.

Microsoft Azure Backup
It is offered as a stand-alone service by Microsoft Azure. Accessed through the Azure console, it facilitates centralized oversight and management of backup and recovery activities. Not covered in this research is the separate and complementary Azure Site Recovery service, which offers DRaaS capabilities including replication and failover, recovery orchestration and workload migration.

Microsoft Azure Backup can backup and offers granular (e.g. of specific files and folders or individual SQL databases on Azure), application-consistent restores for a number of sources including:
• Azure File Shares
• Azure VMs
• SQL Server in Azure VMs
• SAP HANA in Azure VMs
• On-premises – bare metal, VMware and Hyper-V VMs
• On-premises – file storage, SWL servers, SharePoint and Exchange servers

Customers can restore to an on-premises system or in the Azure cloud. The product also can maintain policies for long-term data retention and apply them on demand. For security purposes, data at rest is encrypted and multi-factor authentication is used. Soft delete, with a retention of 14 days is enabled free of charge to protect backup data from accidental and malicious deletes. Dynamic reporting, including alerting of suspicious behavior, is included. The service is managed to 99.9% of availability with remedial actions including credits outlined by Microsoft. Front and back end resources are included. The customer is responsible for managing backup and restore activities. Though limited in the scope of resources it can protect, Microsoft Azure Backup can be a fit for enterprises looking for an easy way to protect their Azure resources, and to get their feet wet in leveraging the cloud for backup. This is especially true as usage of Azure increases among enterprises.

NetApp SaaS Backup
NetApp has several SaaS-delivered offerings including its Cloud Manager and Cloud Tiering services. This research focuses on NetApp SaaS Backup, which is sold as a standalone service. NetApp SaaS Backup for Microsoft 365 and Salesforce is available through cloud and MSP partners via NetApp’s Partner Central, as well as through the AWS and Azure Marketplaces.

NetApp SaaS Backup for Office 365 protects Exchange Online, SharePoint Online, OneDrive for Business, Office 365 Groups, OneNote, and Microsoft Teams. The counterpart offering for Salesforce protects Sales, Service and Marketing Cloud (both Production and Sandbox) data, including customer data and customer relationship management (CRM) leads.

Both offerings are cloud-native and allow for automated or manually triggered backups to Amazon S3 or Microsoft Azure Blob Storage. The services also provide search, granular recoveries and point-in-time restores. Activity logging and job histories are available to track and monitor service usage. For security, SaaS Backup applies TLS v1.2 and 256-bit AES object-level encryption and uses a unique encryption key for each customer that is stored and managed with Amazon Key Management Service. The use of a unique Amazon S3 folder for each customer further isolates customers’ data. SaaS Backup has completed ISO 27001, ISO 27017, ISO 27018 certification and SOC 2 compliance audits to help customers meet their regulatory compliance.

NetApp SaaS Backup includes unlimited backup retention and can be managed to specific SLAs including service uptime and availability. It is especially a viable option for NetApp shops looking to build a common data management fabric using firm’s technologies.

StorageCraft
For nearly two decades, it has delivered data protection and management solutions, including converged primary and secondary scale-out storage platforms and cloud-delivered backup and DR services. It supports on-premises, cloud-based and hybrid IT deployments and environments. The firm focuses delivers its data protection software through channel partners including MSPs and value-added resellers.

This research focuses on two specific StorageCraft services:
• Cloud Backup for Google G Suite, which provides protection for Gmail, Google Calendars and Contacts, Google Drive, and public shared folders.
• Cloud Backup for Microsoft 365, which provides protection for:
o Exchange calendars, contacts and emails with unlimited retention.
o OneDrive for Business data, with support for multiple revisions and versions.
o SharePoint document libraries.
o Teams chats, conversations, and documents.

The service is customizable per service level requirements. Backups can be scheduled to occur automatically every eight hours, with data stored in Amazon S3 or Microsoft Azure and encrypted at rest. Individual files or folders can be downloaded and recovered immediately, without overwriting the original content. An overview screen provides a centralized view into all protection activities and services. Reporting on adherence to service levels and BC is available – as is metadata-based searching for eDiscovery and to prove compliance.

Veeam Backup
Veeam sells BUaaS through a variety of service provider partners, supported by its Cloud Connect for Service Providers and Service Provider Console offerings. This document focuses on Veeam’s SaaS offerings for protecting:
• AWS IaaS, available through the AWS Marketplace exclusively.
• Microsoft Azure IaaS, available through the Microsoft Azure Marketplace exclusively.
• Microsoft 365, available through the AWS and Azure Marketplaces, through Veeam Cloud and Service Providers, and as an on-premises deployment.

The products include important enterprise-grade features including granular search and recovery, encryption, and multi-factor authentication. Enhancements introduced in the summer of 2020 further harden the products for enterprise usage. Notably, the company strengthened the Office 365 product’s ability to backup and recover Microsoft Teams data. For the AWS product, it added replication between availability zones for enhanced DR, changed block tracking for faster backups, and a centralized management console for moving data between on-premises data centers and AWS cloud storage resources. Offering a built-in backup cost estimator is among firm’s differentiators, especially for enterprises trying to navigate using the cloud for backup and recovery for the first time. These services can be purchased standalone or as an add-on by using a Veeam Universal License (which allows customers to translate on-premises licenses to the cloud for workloads being reallocated).

Veritas SaaS Backup
It was added to the vendor’s portfolio in 2019 to specifically address cloud-to-cloud backup and recovery.

Currently, protection for the following applications is available:
• Google Suite (G Suite), including protection for calendars, Gmail emails, Google Docs, Google Drive, Google Sites, tasks, and Team Drive.
• Microsoft Dynamics 365, including protection for customer service, field service, project service automation, sales, and marketing data.
• Microsoft 365, including protection for Exchange Online, Groups, OneDrive for Business, SharePoint Online, and Teams. Calendars, contacts, emails, and tasks are among the items covered.
• Salesforce, including protection for accounts, activities, campaigns, cases, contacts, custom fields, leads, notes, opportunities.

Protection and data lifecycle management capabilities include oversight of automated backup jobs (up to 2 per day), job monitoring, and control over data retention policies. Audit logging and email alerts are also included. The product can conduct both full and granular recoveries, and it offers metadata search and file previews as well as multiple recovery options (including direct download, in-place, and shared links to a file). Security capabilities include single-sign on (SSO) and role-based access control (RBAC). Veritas offers added managed services including unlimited retention storage, with customers remaining responsible for backup and recovery activities. It is upfront regarding SLA commitments, and the service credits that customers will receive if SLAs are not met. The offerings can be purchased as standalone services directly from the company, or from a its service provider or reseller partner.