Keepit – and some thoughts on SaaS data recovery
Content Copyright © 2024 Bloor. All Rights Reserved.
Also posted on: Bloor blogs
To ASSUME is to make an ASS out of U and ME. Perhaps the biggest danger to most companies using IT is the assumption that their vendors are their altruistic friends; and, in particular, that once you’ve put your data on the cloud, it is automatically protected by the Cloud Fairies.
OK, most good software companies want to have happy customers (you do check existing customer relations before acquiring software, I hope) but most publicly quoted companies are even more interested in happy shareholders. So, read the small print in your SLAs before it becomes an issue, not when you are in the middle of a service interruption. You will find that your data can be as safe and secure as you want it to be, but probably not by default. You will need to buy extra services, duplicate information for resilience (check possible egress charges), specify storage locations, etc. You will need to take responsibility for the resilience of your services – and perhaps you’ll conclude that relying on one company for the entire service (including resilience) creates a single point of failure. Not good. And check your compliance rules: generally, you can outsource execution but not accountability. If, for example, your cloud service provider loses private data or stores it in the wrong place (a backup of EU data in the USA, perhaps), the data protection regulators will come after you, for lack of due care and attention in choosing your service partners (as well as, possibly, going after the cloud service provider).
Enter Keepit, a dedicated cloud data protection platform for all SaaS applications, which I met at a recent A3 Technology Live event in Munich. Other third-party data protection solutions are available, and won’t be reviewed here, but the key features of Keepit are a good indication of what you should be looking for:
- Independence from the vendor you depend on for operational workloads. Keepit owns its own tech stack, operating on a vendor-independent, cloud-native infrastructure, which means that you can be using Keepit to assist recovery even while your SaaS environment is unavailable.
- “Out of band” security: Keepit doesn’t claim to be more secure than vendor products such as Azure and so on, but it claims to be differently secure, so an attack that succeeds against your SaaS environment is unlikely to also work against Keepit. It provides certified security that should mitigate data loss from human error, cyberattacks, and malicious deletion.
- Flexible and effective recovery features, not just backup (having a good backup is necessary, but not sufficient) – having a backup won’t help you if you can’t recover from your backup in a timescale appropriate to the business. Fortunately, Keepit offers a rich set of recovery features, so that fast and intelligent recovery of either individual files or all the data associated with an app should only take a few clicks. Loss of just a file or two due to human error is probably the most likely threat to your SaaS data, but you will also need to design – and test – recovery from more serious contingencies.
- Regulatory Compliance: Keepit provides tamper-proof data storage, which helps to ensure that data remains available even during an attack. It helps you comply with even the strictest data policies such as GDPR (the EU General Data Protection Regulation) and the NIS2 Directive (the EU-wide legislation on cybersecurity). You can pick a geographic region for the data center storing your data and be assured that your data will never leave that region. Keepit is also a European (Danish) company which really understands GDPR; which is good because some American companies, for example, don’t seem to fully understand the ethos behind the EU and GDPR; and many countries around the world are basing their own data protection law on the EU GDPR.
- Value for Money, which you should look at in terms of your own needs. Keepit seems to be affordable, but you should do your own analysis. There is no reason to disbelieve any impressive ROI figures quoted in the press, but there is also no guarantee that your specific company will achieve the same results. Another thing to watch out for (not a Keepit problem, I think) is low entry cost for a recovery solution followed by rapid cost escalations when you install enterprise-wide.
- Application scope. Keepit supports data protection for many SaaS applications including Microsoft Office 365, Azure AD, Salesforce, Google Workspace, and Microsoft Dynamics 365. It says that it is a leader in SaaS data protection, especially for companies that need both Microsoft 365 protection and GDPR expertise. It is not specifically a data migration product, but it does have features that could be useful for migration. Nevertheless, again, you should be checking its capabilities against your own specific needs.
Keepit installations seem to start small and grow with success, which is a low-risk approach. Perhaps mitigating the Ransomware threat could be a useful initial project, exploiting tamper-proof storage. Keepit is only sold through a partner channel, which makes help and advice available – there is always more to implementing an effective solution than just buying software.
So, are there any caveats? Well, yes, just one obvious one. It matters how Keepit integrates with your security infrastructure generally. Security silos destroy security – you cannot have a role considered to be highly trusted, with considerable data and service access, in one part of the organisation, if that role is untrusted in another part of the organisation (the risk is that information that shouldn’t be available to a person in one context is easily accessed in another; with a single person in the role, change the context and information becomes available where it shouldn’t be). Security must be built in, not bolted on, and is as much a function of people and procedures as it is of technology.
Without doing an exhaustive analysis, Keepit seems to have good integration with other security products, although it doesn’t, for example, use Active Directory. This is because its USP is its independence from other vendor solutions – its philosophy is to be out-of-band, so failure of any other vendor’s products won’t affect Keepit (and vice versa). This places a responsibility on Keepit’s customers, of making sure that it is integrated with security policy generally. Don’t forget that SaaS alone may encompass only a small part of the data your organisation depends on.
And, one final point. Whatever situation you think Keepit is protecting you from (a proper threat analysis is not optional, in my opinion), you must test out various failure scenarios (with workshops, role-playing games, etc.) and make sure that you know what you are doing and have covered all bases – before you have an actual disaster. For instance, it would be a pity if Keepit worked exactly as promised after some contingency, but all your best customers were busily checking out your competition, simply because you forgot to tell them that you’d survived a well-publicised attack unscathed.
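The recovery points raised above (a backup is only useful if you can restore from it within the business’s timescale, tamper-proof storage should let you detect a backup that has been altered, data residency should be checked, and failure scenarios should be rehearsed before a real incident) can be turned into a repeatable drill. The following is an added example written for this article; it is not Keepit’s code and does not use Keepit’s API. It models a snapshot as an in-memory store with a SHA-256 manifest, and the `Snapshot`, `take_snapshot`, `verify_snapshot`, `restore` and `run_drill` names, the constructed tenant data, and the region labels are all assumptions made here for illustration.

```python
import hashlib
import time
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Snapshot:
    """A point-in-time copy of one SaaS app's data, held out of band.

    `files` maps path -> bytes as stored; `manifest` maps path -> SHA-256 hex
    recorded at backup time, so later alteration of the stored bytes is detectable.
    (Hypothetical model for this example, not a vendor data structure.)
    """
    app: str
    region: str
    files: dict
    manifest: dict


def take_snapshot(app: str, region: str, files: dict) -> Snapshot:
    """Copy `files` and record a content hash for every path."""
    manifest = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    return Snapshot(app=app, region=region, files=dict(files), manifest=manifest)


def verify_snapshot(snap: Snapshot) -> list:
    """Return the paths whose stored bytes no longer match the manifest (empty if intact)."""
    return sorted(
        path for path, data in snap.files.items()
        if hashlib.sha256(data).hexdigest() != snap.manifest.get(path)
    )


def restore(snap: Snapshot, live: dict, paths=None) -> int:
    """Copy the chosen paths (default: all) from the snapshot over the live store.
    Returns the number of files written."""
    targets = list(snap.files) if paths is None else list(paths)
    for path in targets:
        live[path] = snap.files[path]
    return len(targets)


def run_drill(snap: Snapshot, live: dict, allowed_region: str,
              rto_seconds: float, paths=None) -> dict:
    """Rehearse a recovery and answer the questions a post-incident review asks:
    was the backup intact, was it in the permitted region, was it restored within
    the recovery time objective, and does the live store now match the manifest?
    A backup that fails the integrity check is never restored from."""
    started = time.perf_counter()
    corrupted = verify_snapshot(snap)
    restored = 0 if corrupted else restore(snap, live, paths)
    elapsed = time.perf_counter() - started
    checked = list(snap.files) if paths is None else list(paths)
    mismatched = [
        p for p in checked
        if p not in live or hashlib.sha256(live[p]).hexdigest() != snap.manifest[p]
    ]
    return {
        "integrity_ok": not corrupted,
        "region_ok": snap.region == allowed_region,
        "restored": restored,
        "rto_met": elapsed <= rto_seconds,
        "live_matches_manifest": not mismatched,
    }


# Constructed sample tenant: three small documents (not real data).
TENANT_DATA = {
    "sales/q1-forecast.xlsx": b"Q1 forecast: 1.2M EUR",
    "hr/policy.docx": b"Remote work policy v3",
    "legal/contract-42.pdf": b"Master services agreement",
}
GOOD_SNAPSHOT = take_snapshot("m365", "eu-west", TENANT_DATA)


def scenario_accidental_delete() -> dict:
    """The most likely case from the article: a single file lost to human error."""
    live = dict(TENANT_DATA)
    del live["hr/policy.docx"]
    return run_drill(GOOD_SNAPSHOT, live, "eu-west", 5.0, paths=["hr/policy.docx"])


def scenario_mass_overwrite() -> dict:
    """Every live file has been overwritten; restore the whole app from the snapshot."""
    live = {path: b"UNREADABLE" for path in TENANT_DATA}
    return run_drill(GOOD_SNAPSHOT, live, "eu-west", 5.0)


def scenario_tampered_backup() -> dict:
    """Stored bytes differ from the manifest: the drill must refuse to restore."""
    altered = {**GOOD_SNAPSHOT.files, "legal/contract-42.pdf": b"altered"}
    return run_drill(replace(GOOD_SNAPSHOT, files=altered), dict(TENANT_DATA), "eu-west", 5.0)


def scenario_wrong_region() -> dict:
    """Snapshot stored outside the permitted region: a compliance finding, not a restore failure."""
    us_copy = take_snapshot("m365", "us-east", TENANT_DATA)
    return run_drill(us_copy, dict(TENANT_DATA), "eu-west", 5.0)


if __name__ == "__main__":
    for scenario in (scenario_accidental_delete, scenario_mass_overwrite,
                     scenario_tampered_backup, scenario_wrong_region):
        print(scenario.__name__, scenario())
```

Each scenario returns the same five-field report, so the drill can be run on a schedule and any field turning false becomes a finding to act on before a real incident: a failed integrity check points at the backup store, a failed region check at the residency configuration, and a missed RTO at the recovery procedure itself.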