APIs: A Bottleneck for SaaS Backup


Most enterprise IT has finally recognized that SaaS data has to be backed up. According to a 2021 report from ESG, nearly two-thirds (64%) of IT decision-makers said they are at least partially responsible for backing up the data they have in SaaS applications. Unfortunately, over one-third (35%) depend solely on their SaaS vendor to protect their data.

That’s a problem because nearly all SaaS vendors operate on a shared responsibility model, where they secure and protect their infrastructure while the customer takes responsibility for the data they keep in their service. If SaaS data is accidentally or maliciously deleted, the customer has no recourse without backups. The data is gone.

There’s also the issue of outages. Atlassian suffered an outage in April that took two weeks to fully resolve, and those without backups could not access their data. Given that companies today take advantage of SaaS offerings for critical applications such as CRM and ERP, it’s critical to have backups of this SaaS data so they can function at least partially until service is restored.

However, the techniques used to protect traditional, on-premises data are largely not applicable to SaaS. For the most part, SaaS was not designed so that customers could easily back up their data, and it has evolved, which makes the process tricky and complex. One of the top factors creating that complexity is that SaaS data protection relies on APIs, which are a constrained, finite resource. SaaS data resides in offsite services on equipment that the customer does not manage, which means a SaaS backup system has to use APIs to get to it, and managing these APIs is a complex affair.

Different APIs have different strengths and weaknesses, and other critical applications integrated into the SaaS application will also need to use them. So, IT has to balance its use of APIs for backup so that the enterprise doesn’t hit those caps while still providing the recovery point objectives (RPOs) and recovery time objectives (RTOs) that management expects. 


Hard API caps 

Nearly all SaaS offerings are architected as multi-tenant services, which means multiple customers share resources, including the APIs. SaaS providers limit the number of API calls a customer can make in 24 hours to ensure that everyone has adequate resources. These caps must be considered when formulating a backup plan because SaaS APIs aren’t just used for data protection. They are also critical for connecting other applications to the SaaS service, and in the case of a mission-critical SaaS application like an ERP or Salesforce, an enterprise will have many other applications connected to them. If those caps are hit, it’s not just backup that will stop. All those integrations could also break.

Selecting the right APIs is also important because different APIs operate at different speeds. Take Salesforce as an example. Their REST API can move up to 1 million records per hour, while the BULK API can move up to 10 million simultaneously. Making parallel API calls to multiplex data out of the app can increase the data rate by up to ten times. Choosing the right API can be the difference between making and missing an organization’s recovery point objectives (RPOs). 

Most organizations can only afford to lose about 30 minutes’ worth of Salesforce data, so if your solution is only able to back up once a day because of API limits, that means you could lose a full day’s worth of data, which, for many organizations, could be catastrophic. The faster IT can perform backups of the SaaS data, the more backups they can perform in a single day. 

Likewise, these APIs will need to be used to restore data, and often organizations do not consider recovery when planning for API capacity. As with backup, the faster you can move data back into the SaaS application via APIs, the lower your RTOs will be. 

But there is more to the choice of API than speed. In Salesforce, for example, to meet RPOs and recovery time objectives (RTOs), IT will need to leverage the full scope of its APIs, including REST, BULK, BULK V2, and SOAP. BULK APIs can’t access all objects; for example, you will need to use the REST API to access share objects. Additionally, BULK APIs aren’t just useful for backup. Other systems will likely use them heavily, so too much use for backup puts the organization in danger of hitting a cap. The takeaway is that IT has to balance API use and manage how much it uses each one.

Another factor that complicates SaaS backup API management: not every API may be able to read AND edit data, which has implications for restoring data. Depending on the object, other types of API may have the capability to write, but in some cases, data may not be able to be restored due to limitations in the SaaS application’s architecture or for audit and security reasons. It’s important to communicate to the business which data set falls into this category to direct backup strategy, set expectations, and determine workarounds so that the company isn’t put into a bad spot should that data be lost.


Planning ahead

The good news is that API caps are not arbitrary but are instead based on the customer’s license agreement with the provider. As such, IT needs to accurately model how much it will need to use each API for backup and for other uses. Don’t forget to account for restoring data, which can consume many API resources. Hitting that API cap amid a critical restore could seriously damage the business, not to mention IT’s relationship with senior business managers.
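One way to model this, as an added example that is not from the original article: for each API, subtract integration traffic and a restore reserve from the daily cap, then find the shortest backup interval that still fits. Every figure is constructed for a hypothetical organization except the two throughput rates cited above (treated here as per-hour planning rates); the field names, batch sizes and per-run overhead are assumptions.

```python
import math
from dataclasses import dataclass

# Candidate schedules, in minutes between backup runs.
INTERVALS = (1440, 720, 360, 180, 60, 30, 15, 5)

@dataclass
class ApiBudget:
    daily_cap: int          # calls per 24 h allowed by the license
    integration_calls: int  # calls per day used by other connected apps
    restore_reserve: int    # calls held back for an emergency restore
    records_per_call: int   # records moved by one call (assumed)
    overhead_calls: int     # fixed calls per run, e.g. polling each object
    records_per_hour: int   # sustained throughput of this API

    @property
    def backup_budget(self):
        return self.daily_cap - self.integration_calls - self.restore_reserve

def daily_backup_calls(api, changed_per_day, interval_min):
    """Total calls per day if incremental backups run every interval_min."""
    runs = 1440 // interval_min
    per_run = math.ceil(changed_per_day / runs)
    return runs * (api.overhead_calls + math.ceil(per_run / api.records_per_call))

def best_rpo_minutes(api, changed_per_day):
    """Shortest interval that fits the call budget and finishes in time."""
    feasible = []
    for interval in INTERVALS:
        per_run = math.ceil(changed_per_day / (1440 // interval))
        run_minutes = per_run / api.records_per_hour * 60
        calls = daily_backup_calls(api, changed_per_day, interval)
        if calls <= api.backup_budget and run_minutes <= interval:
            feasible.append(interval)
    return min(feasible) if feasible else None

def restore_plan(api, records):
    """(fits within the reserve?, transfer hours) for restoring `records`."""
    calls = math.ceil(records / api.records_per_call)
    return calls <= api.restore_reserve, records / api.records_per_hour

# Constructed sample inputs for a hypothetical org.
REST = ApiBudget(100_000, 70_000, 5_000, 200, 400, 1_000_000)
BULK = ApiBudget(15_000, 8_000, 1_000, 10_000, 100, 10_000_000)
CHANGED_PER_DAY = 2_400_000

if __name__ == "__main__":
    for name, api in (("REST", REST), ("BULK", BULK)):
        print(name, best_rpo_minutes(api, CHANGED_PER_DAY),
              restore_plan(api, CHANGED_PER_DAY))
```

With these inputs the REST-only plan cannot reach a 30-minute interval because the fixed per-run calls exhaust the budget, and a full restore would not fit inside its reserve.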

Finally, remember that APIs change. The SaaS backup system must identify and adapt to these changes, adding additional complexity to an already complex process.  

Enterprise IT is clearly concluding that it must back up SaaS data, but many do not fully comprehend the full complexity of building a SaaS backup system that will perform to expectations. IT must carefully plan, model, and manage API use as a critical part of any SaaS backup solution.
