Table of Contents
Data remains a crucial asset for organizations of any size. Whether large or small, the data footprint keeps growing across many dimensions. The steady growth of structured data is overshadowed by massive unstructured data sets generated from new workloads and applications. Software as a service (SaaS) applications and replatforming and refactoring initiatives must also consider data protection requirements. Overall, there is no improvement in sight from an operational complexity perspective.
At this level of scale and complexity, managing regulatory requirements is impossible without software-based solutions. Although some organizations now have better experience with existing data privacy and sovereignty laws, there is still no harmonization at the US federal level, and each year, additional states introduce their own regulations. Large enterprises are particularly under scrutiny. To successfully manage this risk, organizations must rely on advanced, policy-based data management and governance capabilities that can handle the bulk of the work in an automated fashion.
The intensity and impact of ransomware attacks is now so high that cyber resiliency capabilities in data protection solutions are crucial and shouldn’t be considered optional. Data protection solutions are often the last line of defense against a ransomware attack, and enterprises are looking at ransomware protection capabilities with increased scrutiny.
The enterprise market continues to trend toward additional services built on top of data protection. These services are becoming instrumental in collecting and consolidating data across the entire organization to reuse it for other purposes.
Today, the modern workplace generally involves a combination of SaaS applications and virtual desktops, whether on-premises or in the cloud, with increasing demand for network-attached storage (NAS)—file—protection in both environments. Within this scenario, enterprises are building hybrid cloud infrastructures and need solutions that can adequately support their data-driven initiatives. Furthermore, a growing number of enterprises are taking advantage of Kubernetes to redo their business applications, and protecting these assets is becoming crucial.
This is why the market is so active, with both startups and incumbents looking at ways to disrupt traditional backup models, as well as increase the value of the protected data by adding data management and data reuse capabilities to their solutions.
This GigaOm Radar report highlights key hybrid cloud data protection vendors and equips IT decision-makers with the information to select the best fit for their business and use case requirements. In the corresponding GigaOm report, “Key Criteria for Evaluating Hybrid Cloud Data Protection Solutions,” we describe in more detail the key features and metrics used to evaluate vendors in this market.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
2. Market Categories and Deployment Types
To better understand the market and vendor positioning (Table 1), we assess how well solutions for hybrid cloud data protection are positioned to serve specific market segments and deployment models.
This Radar focuses on solutions suited for large enterprises and cloud and managed service providers (CSPs/MSPs), and it also takes into account specialized use cases.
Some of the solutions evaluated in this Radar may also be suitable for small and medium-sized businesses (SMBs); however, that market segment is covered in a separate Radar report, “GigaOm Radar for Hybrid Cloud Data Protection for SMBs.”
For this report, we recognize the following market segments:
- Large enterprise: This includes organizations with 1,000 or more employees. These solutions can cover a majority of enterprise user needs with diverse and distributed infrastructures. Though sometimes less efficient, these solutions have extensive feature sets, multiple deployment options, vast scalability, and support for legacy systems and applications.
- CSP/MSP: In this category, we find solutions with features specifically designed for service providers. The backup infrastructure is not managed by the end user, who is usually subscribed to a service.
- Specialized: These solutions have particular feature sets that make it difficult to position them in traditional enterprise-size market segments. They can sometimes be considered niche players, but they usually offer innovative approaches and solutions to several challenges posed by modern infrastructure and application development cycles.
This report also covers two deployment models:
- Self-managed (on-premises or in the cloud): Deployed as software-defined or an appliance, these solutions focus on data center infrastructures, but can also support SaaS applications and virtual machine (VM) instances on the cloud. Though the primary backup repository is on-premises, it can usually extend to different clouds. The user still keeps full control of the infrastructure, and the licensing model is typically subscription-based, conforming to public cloud standards.
- Backup as a service (BaaS): Based on a cloud back end and usually provided as-a-service, these solutions work in a way that’s contrary to the products in the on-premises category. Backup data is stored in the cloud, but the solutions can cover a broad set of platforms, including on-premises, cloud workloads, and SaaS applications. Furthermore, they are optimized to handle on-premises workloads through local cache capabilities. Organizations do not manage the underlying infrastructure and do not need to be concerned about scalability. The service is consumed following a pay-as-you-go model.
Table 1. Vendor Positioning: Market Segment and Deployment Model
|Exceptional: Outstanding focus and execution|
|Capable: Good but with room for improvement|
|Limited: Lacking in execution and use cases|
|Not applicable or absent|
3. Key Criteria Comparison
Building on the findings from the GigaOm report, “Key Criteria for Evaluating Hybrid Cloud Data Protection Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison
|Analytics||Disaster Recovery Orchestration||Cyber Resiliency||Data Management & Governance||Kubernetes Support||BaaS||Cloud-Native Workloads|
|Exceptional: Outstanding focus and execution|
|Capable: Good but with room for improvement|
|Limited: Lacking in execution and use cases|
|Not applicable or absent|
Table 3. Evaluation Metrics Comparison
|Solution Lifespan||Scalability||Flexibility||Efficiency||Security||Manageability & Ease of Use||Ecosystem|
|Exceptional: Outstanding focus and execution|
|Capable: Good but with room for improvement|
|Limited: Lacking in execution and use cases|
|Not applicable or absent|
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Hybrid Cloud Data Protection for Large Enterprises
Due to changes in key criteria and evaluation metrics, there are a few key differences in the 2023 edition of this Radar compared to last year’s report.
This year, there are three Outperformers in the Leaders circle of the Innovation/Platform Play quadrant: Cobalt Iron, Cohesity, and Commvault. Cobalt Iron impressed with a compelling SaaS offering based on a versatile and efficient architecture, strong cyber resiliency, and analytics. Disaster recovery (DR) and data management are, however, two areas in need of improvement. Cohesity proposes an excellent solution that offers balanced workload coverage in hybrid cloud scenarios, strongly differentiated cyber resiliency features, great data management capabilities, and DR, all under a single umbrella. Commvault offers a platform-driven approach with strong integration across the portfolio, a best-in-class BaaS experience, exceptional data management capabilities, and cyber resiliency features.
Also in the Leaders circle of Innovation/Platform Play quadrant, there are four Fast Movers: Dell Technologies, Druva, HYCU, and Veritas. Dell Technologies strikes a good balance among self-managed multicloud data protection (with PowerProtect), comprehensive cyber resiliency capabilities, and a great BaaS offering (APEX Backup Services), which is based on its partnership with Druva. Druva provides great value from an innovation perspective as well as a platform breadth of scope standpoint, offering strong data management and cyber resiliency capabilities. HYCU proposes an interesting approach that combines deep technological integrations for each supported platform and a unified, SaaS-based management experience. Veritas is also in an interesting position. The company has significantly improved its portfolio, introducing solid cyber resiliency capabilities. Due to these innovations, it has crossed from the Maturity half to the Innovation half of the Radar.
Rubrik and Veeam are in the Challengers circle but poised to enter the Leaders circle in the near future. Rubrik is actively repositioning itself as a security-focused data protection company and thus offers compelling cyber resiliency capabilities, but it is less scalable than some of its direct competitors. Veeam’s solution remains a popular and compelling option for large enterprises. The strong focus on cyber resiliency capabilities is a key criteria for the enterprise market. The absence of a direct BaaS offering might be off-putting to enterprise customers looking for cloud-like consumption options, but the company is steadily innovating and consolidating its portfolio.
Acronis and Asigra are the other Challengers in the Innovation/Platform Play area. While platform-oriented, these solutions need improvements in several areas. Acronis offers a great feature set for this market segment with a strong focus on cyber resiliency, but data management capabilities are currently limited, and Kubernetes support is still missing. Asigra’s solution proposes great value with strong cyber resiliency capabilities, ease of management, and good support for SaaS workloads. Some other areas, such as Kubernetes support, DR, and analytics remain underdeveloped and present opportunities for further improvement.
Arcserve, Bacula, IBM, and Unitrends offer a Platform Play approach that’s built on more mature architectures. Arcserve remains a mature solution that brings flexibility and scalability; however, new features are gradually implemented, with immutability options to combat ransomware. Bacula’s open source foundation and strong modularity are particularly appreciated by large organizations with in-house DevOps teams that require a high level of customization and security at the cost of a steeper learning curve. This is especially true within complex environments such as the defense industry. IBM increased the pace of its data protection portfolio with IBM Storage Protect adding multiple capabilities such as BaaS for cloud-native workloads (SaaS apps and cloud storage), great Kubernetes support, and a promising roadmap. Unitrends proposes a suite of products that offers disaster recovery as a service (DRaaS), SaaS application support, and BaaS capabilities; however, some capabilities, like Kubernetes support, are still missing.
Among the Feature Play solutions, Barracuda takes a holistic approach, and its BaaS capabilities are now reflected in its Innovation/Feature Play position. The company has a promising roadmap that may gradually move it toward the Innovation/Platform Play quadrant once new features are released and offerings are integrated further. Clumio delivers strong data protection capabilities for Amazon Web Services (AWS) workloads but still offers limited support for other cloud workloads, making the solution less interesting for enterprises working outside the AWS realm.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
With Acronis Cyber Protect, Acronis provides a data protection solution that covers everything from cloud compute instances, edge infrastructures, and SaaS applications. It can be deployed on-premises or in the cloud, or it can be consumed as a SaaS application either directly or through partners. It proposes a modular approach with base features and additional feature packs that customers can choose to enable with an additional license. This approach is praised by MSPs, which constitute one of the key markets for Acronis. It’s worth noting that Acronis provides two versions of its data protection solution: Acronis Cyber Protect is geared toward SMBs and enterprises, and its management interface is located on-premises; Acronis Cyber Protect Cloud is best suited for MSPs and IT as a service enterprises, and it offers a SaaS management interface. The two versions should achieve feature parity by the end of 2023.
The solution includes a simple and easy-to-use management interface with the ability to configure all data protection features within a single protection plan. It also implements a complete and multitenant DR orchestration engine that takes advantage of Acronis’ continuous data protection capabilities and provides automated failover (including test failover), testing of DR runbooks, and universal restore capabilities. Acronis’ Universal Restore feature enables recovery in different target environments than the source and supports on-premises locations, AWS, and Azure. In addition, Acronis is capable of failing over to a malware- and ransomware-free restore point. Also, organizations can now track the recovery point objective (RPO) compliance of their data protection plans.
Acronis is intensely focused on cyber resilience across its entire product stack, delivering a multilayered security approach. Acronis’ data protection solution leverages an AI-driven engine that analyzes data in real-time, detects anomalies, and can determine whether data is being encrypted. This analytics engine is complemented by integrated anti-malware scanning, vulnerability assessment capabilities, and other features. On the remediation side, immutable backups can be used with previously highlighted DR orchestration capabilities to recover from a ransomware attack. Additional capabilities include an ML-assisted backup validation feature and Acronis CPOC alerts (which automatically adjust automated protection plans based on alerts from Acronis Cyber Protection Operation Center).
Data management capabilities are limited, although Acronis has developed an interesting blockchain-based data notarization solution that validates whether restored data is a 100% match with backed-up data. This can be useful in legal cases, and the competition may later develop similar features.
Acronis offers a cloud storage solution branded Acronis Cloud. Provided through a BaaS model, this solution allows organizations to perform direct-to-cloud backups to a growing number of cloud regions worldwide, either on Acronis Cloud DCs or on Microsoft Azure or Google Cloud Platform (GCP).
The solution offers more than 140 third-party integrations and supports Microsoft 365 Cloud-to-Cloud backup and Google Workspace backup. In addition, group management was added for Microsoft 365 and Google Workspace. Kubernetes support is currently lacking but on the roadmap.
Strengths: Acronis continues to improve its solution with new cyber resiliency capabilities, great DR orchestration options, and a broad set of integrations. SaaS backup capabilities and the company’s cloud data center footprint are continuously growing. This is a great solution for MSPs (due to multitenancy capacity and modular licensing).
Challenges: Data management capabilities are limited. Kubernetes support is currently absent but in the roadmap.
Arcserve Unified Data Protection (UDP) offers proven and robust capabilities with multiple deployment options. Arcserve’s UDP solid architecture enables fast backup and recovery operations, with two instant recovery methods: instant virtual machine (IVM) and virtual standby (VSB). IVM uses data reconstituted in real time from the data backup repository to create a VM, while VSB enables a fully formed image to be built as a warm standby in whatever environment the customer chooses. Global deduplication is another strength that provides value to distributed organizations with many data sources to protect.
The UDP software is delivered as an on-premises solution, managed through an on-premises console. The vendor’s cloud-based backup solution is called Arcserve Cloud Hybrid and delivered as a service with the same look and feel as the on-premises console.
Arcserve partners with security vendor Sophos to build a solution that integrates UDP with Sophos Intercept X Advanced for Server to protect against ransomware. This advanced security protection with UDP is provided for both the cloud hybrid and the on-premises appliance-based solution. Any Arcserve UDP software-only deployment acquired under the Arcserve Universal License also offers this integration.
Arcserve UDP integrates with AWS S3 buckets and uses its Object Lock facility to deliver a cloud-based immutable storage repository. In addition, organizations can use Arcserve OneXafe scale-out storage appliances for on-premises immutable storage capabilities. Arcserve now also offers the ability to write to S3-capable storage solutions and partners with Wasabi. Currently, there is no ability to backup S3-buckets.
As with other data protection players, new capabilities to handle cloud workloads and SaaS applications are available with a standalone Arcserve SaaS backup product that protects Microsoft 365, Google Workspace, and Microsoft Azure Active Directory.
BaaS capabilities are delivered through Arcserve Cloud Direct for direct-to-cloud backup under a BaaS model, and Arcserve Cloud Services, providing DRaaS capabilities to SMBs; however, the service has recently encountered prolonged service degradation issues with reported data loss. Some roadmap items will change the BaaS and DRaaS offerings of Arcserve, but this report comes too early to elaborate on them. There are no Kubernetes data protection capabilities currently.
Strengths: Arcserve is a mature solution with robust and flexible deployment options, which also benefits from the integration of StorageCraft products that are well-suited for the SMB market, and ransomware protection capabilities from Sophos Intercept X. OneXafe appliances also provide immutable storage, a foundational capability for recovering from ransomware attacks.
Challenges: Product integration needs to be better aligned following the StorageCraft merger. The products seem to be integrated better than they were originally, but there is still room for tighter integration.
Asigra Tigris is a platform that uses multiple components, including an agentless data collector (DS-Client) deployed on the local area network (LAN) at the source location (single deployment per LAN) and a data repository manager (DS-System). Users can store their data in the cloud, on-premises, or in a hybrid scenario. Additionally, the vendor offers an integrated Deep Six Security portfolio focused on protecting backup data from ransomware.
Asigra Tigris is an agentless, multitenant, hardware- and OS-agnostic data backup solution. It supports backing up physical servers, VMs, enterprise applications and databases, desktops, laptops, Microsoft 365, Google Workspace, and Salesforce.
The Asigra Management Console offers a single pane of glass so that MSPs or centralized IT departments can easily manage multiple customers or departments. It ensures backup operators have visibility of all customer backup data, including logs, reports, and notifications. MSPs can offer secure self-service capabilities to customers when needed, and multitenant and multitier architectures simplify deployment and management of an MSP’s customer. The MSP’s data repository is separated and uniquely encrypted for each customer.
Asigra Tigris doesn’t have a robust DR solution yet, but enhancements are planned on the roadmap to give customers a better DR solution.
Asigra Tigris offers comprehensive cyber resiliency capabilities by proactively hunting threats with bidirectional anti-malware scanning and advanced multifactor authentication (MFA). Asigra Cybersecurity module includes bidirectional malware scanning to detect advanced ransomware attacks that penetrate immutable and air-gapped backups. Deep MFA protects against credential theft and is a critical strategy used against ransomware 2.0 attacks. Users with MFA enabled must authenticate using a six-digit, time-based one-time password (TOTP) application, such as Google or Microsoft Authenticator when signing in or attempting to perform a potentially destructive action that can result in the loss of data. This protects against a potentially destructive action that can lead to a loss of data, like the deletion of backup repositories.
Asigra’s offerings include a multiperson approval (MPA) feature. MPA complements MFA by protecting a client’s backups from unauthorized acts due to credentials theft or accidental user error. Any potentially destructive actions that compromise the ability to recover, like deleting backup sets, can be configured to require the approval of up to three other administrators before proceeding.
Asigra’s content disarm and reconstruction (CDR) tool scans backups for potentially malicious or unauthorized content during the backup and restore process, then takes remediation actions based on predefined policies. This is an innovative feature that deconstructs documents and strips them of any potentially malicious code. The file is then reconstructed back into a functional file without the embedded threat. The Asigra Tigris solution also uses a “variable repository naming” feature to obfuscate backup location and names to foil potential attackers. Finally, a soft delete feature is also available to recover erroneously deleted backup jobs.
The Asigra management console offers basic data management capabilities, including GDPR certificates that can be generated when personally identifiable information (PII) data is deleted from the backup repository to comply with the end user’s “right to be forgotten.”
Asigra offers support for deploying the DS-Client data collector in Docker containers, but there’s no talk of Kubernetes support because its customers have not yet demanded it.
Asigra currently does not have its own BaaS offering, so the company’s secure multitenant capabilities are a perfect fit for MSPs that offer BaaS. Ease of management and a centralized console allow a service provider to handle multiple customers easily. Additionally, the advanced security features provide next-gen ransomware protection that can be offered easily to BaaS customers.
The solution supports backups of on-premises physical or VMs and multiple types of databases, application servers, and file storage servers. It also supports SaaS apps like Microsoft 365, Google Workspace, and Salesforce and can send backup data to any public or private cloud with the option of storing it on-premises.
The company is announcing a new service aimed at MSPs called SaaSBACKUP, which should leverage Augmentt’s Discover, a third-party solution with SaaS discovery capabilities. SaaSBACKUP will help organizations identify their SaaS workloads and propose connectors to protect SaaS application data. SaaSBACKUP is currently in beta testing and planned for launch in Q3 2023 in North America and in Q4 2023 for Europe and the UK.
Strengths: Asigra has a balanced and secure offering for MSPs and end users, with noteworthy cyber resiliency features such as MPA. The solution has been around for a long time and proven successful, especially in the MSP market, where multitenancy and ease of management are important elements.
Challenges: Kubernetes support and DR capabilities are still lacking.
Through its Miria solution, Atempo offers an efficient backup solution for large data sets ranging from 250 TB to multipetabyte scale. The solution offers hybrid, as well as multicloud, restore (point in time recovery). It is a vendor agnostic, any to any solution. A core capability is the Fastscan concept, which collects events coming from change logs, identifies snapshots differences, detects deleted files, and starts a backup job. This approach is currently compatible with vendors like Qumulo, Dell, IBM Storage Scale, Quantum, Lustre, DDN, Huawei, and Nutanix Files. The solution also has deep integration with file and object systems (SMB/NFS/S3), as well as Tape+Optical support (backup and archive).
Miria Backup offers an advanced capability called SnapStor that offers the possibility of using the back-end storage of the backup to support production in case of a major disaster happening on the primary storage. This option usually targets organizations with large storage platforms needing to maintain continuity of access to their data in case of disaster. To implement it requires using a smart platform like a general parallel file system (GPFS) as the back-end storage for Miria Backup and getting some Atempo professional services to configure the option and some training on how to activate it. Once configured, SnapStor can be activated in a few minutes and can provide read-only shares for DR or DR testing, as well as read-write shares to support user and application production. This allows plenty of time to address the issue with the primary storage and wait for replacement parts, for instance. Once the new storage is available, Miria can rebuild large scale data sets by synchronizing the new storage with the backup back end.
Miria includes an analytics component that explores, identifies, and classifies data, with the ability to order or sort files based on system metadata or extensions. It also includes reporting capabilities. The analytics layer is highly configurable and offers advanced filtering capabilities that can be saved in custom views to be reused later. These views also can provide reusable file lists for data movement operations. In 2023, the solution includes support for cloud storage as well as growth trend projections.
From a security perspective, Miria includes audit trails that can be provided to security information and event management (SIEM) platforms via application programming interface (API) calls. In addition, Miria can copy object lock configurations between source and destination object buckets to ensure data remains adequately protected. Finally, the management system offers a granular permission set to allow access for a variety of roles within an organization. Future security improvements may include anomaly detection features in its analytics service, an area that Miria is actively working on.
Compliance is currently supported through third-party integrations, and full indexing is not yet available, but Atempo plans to add this feature in a future release. The company’s research department is also evaluating ML techniques to detect personal information and assist with automated data classification.
Another Atempo offering called Lina is providing BaaS for laptops, workstations, and small file servers. Office 365 data protection is handled by Tina, another Atempo data protection solution that also supports virtual platforms. AWS workloads such as EC2 and EBS, Microsoft Azure, Google Cloud, Wasabi, and Storj DCS are also covered by Miria, whereas cloud database solutions are not currently within the Miria solution’s scope.
Strengths: Atempo offers a broad feature set with Miria and helps organizations protect, secure, and manage their data including via data orchestration. The solution offers a solid backup solution that is affordable and effective for many use cases.
Challenges: The products still lack a couple of features that are becoming more important. There is no support yet for Kubernetes or for cloud databases. BaaS is covered by Lina but still limited.
Bacula Systems offers a modular data protection solution tailored for the high-end enterprise segment. The solution is highly scalable, ranging from single-node systems to those consisting of thousands of nodes. Originally started as an open source solution heavily focused on the Linux ecosystem, Bacula gained popularity among large, Linux-focused organizations in verticals such as biotechnology, military, fintech, and research (particularly for high-performance computing, or HPC), as well as with CSPs and MSPs.
The solution is highly customizable and will meet flexibility requirements of large organizations. It is very Linux-centric and less suited for predominantly Microsoft-centric organizations, but it’s perfectly capable of protecting Windows environments.
Bacula offers a rich management console with detailed insights and reporting capabilities. Organizations can monitor backup effectiveness (including overall deduplication), backup storage usage and performance, information about protected objects, and so on. The same information can also be queried through a command-line interface (CLI). It also has integration modules for Graphite or ElasticSearch with Grafana.
DR orchestration is flexible and relies on scriptable recovery tools. It encompasses various recovery capabilities, including VM image and container levels, database and application levels, cabinet volume, and file levels. It also allows recovery on alternative infrastructures, including in the cloud. Image conversion is not yet available, but it is on the roadmap.
From a cyber resiliency perspective, Bacula currently offers an antivirus plug-in, in-flight and at-rest encryption, and comprehensive security hardening measures—including automated system checks, volume protection (both immutable and append-only), and tape encryption. Immutability features have been enhanced: the solution integrates with on-premises storage (NetApp SnapLock and Dell Technologies DataDomain RetentionLock) and also supports AWS S3 Object Lock and Azure Blob Storage immutability features.
Bacula implements powerful intrusion detection systems that can operate independently from backup and restore operations. This system can identify hostile modifications and track changes made on files. The solution now includes additional security capabilities such as SIEM integration, automated malware and ransomware scans during backup and restore operations, and new encryption techniques. Roadmap items planned for release by the end of 2023 include additional ransomware and anomaly detection and alerting capabilities and support for immutable storage on HPE StorOnce Catalyst.
The solution includes basic data management capabilities such as indexing, search, and data classification. It also provides an open API that external data management solutions can use.
Bacula supports both Kubernetes and Red Hat OpenShift. Besides persistent volume claims (PVCs), the solution can also back up other resources such as services, pods, and deployments, delivering comprehensive data protection and restore capabilities. It also offers native integration to Swift object storage.
Thanks to its modular, plug-in-based architecture, Bacula supports many operating systems, multiple hypervisors, SaaS applications (Microsoft 365 and Google Workspace), and databases, including mission-critical systems such as Oracle and SAP/SAP HANA. Cloud workloads are also supported with Azure VMs in agentless mode and object storage support across AWS, Azure, and Google Cloud. Support for Salesforce is on the roadmap, as is the ability to protect cloud database workloads. Protection of AWS EC2 instances with EBS is planned to be released in June 2023.
Although Bacula itself doesn’t offer its data protection solution through a BaaS model, it can be used by CSPs and MSPs to implement their own BaaS solutions.
Strengths: Bacula offers a modular and scalable data protection solution with extensive platform and application support. It’s highly flexible and will fit the needs of large, demanding organizations requiring an extremely customizable solution that can integrate seamlessly with complex environments. Great Kubernetes support is available.
Challenges: Bacula can deliver outstanding value, but organizations must take into account initial deployment complexity and the need for Linux expertise. SaaS support and data management capabilities are currently limited. Cyber resiliency currently lacks ransomware detection, but this should be improved in 2023.
Barracuda is a well-established data protection company with a mature solution that appeals primarily to SMBs and MSPs. Its two products are Barracuda Backup (for on-premises workloads) and Cloud-to-Cloud Backup (for SaaS workloads).
Barracuda Backup and Cloud-to-Cloud Backup provide analysis, including backup time, number of items, and the amount of data. Another thing Barracuda Backup provides is information about storage efficiency and utilization, cloud storage, and off-site replication performance.
Barracuda Backup includes a number of features that help orchestrate DR and get customers back up and running quickly, including instant local recovery for VMware vSphere VMs, physical-to-virtual (P2V) recovery, and the ability to access and download data directly from cloud storage.
Barracuda offers the flexibility of software-only or physical appliance deployment and provides cloud-based management for its Backup product. The solution also provides comprehensive data protection coverage for a broad range of use cases, with ample replication possibilities, instant VM recovery, and good data efficiency, thanks to in-line deduplication. Organizations also can use Barracuda cloud storage as a DR target, with six regions currently supported.
The solution includes a cloud-based management interface branded Barracuda Cloud Control, which offers ease of use and an overview of all Barracuda Backup and Barracuda Cloud-to-Cloud Backup deployments. The user interfaces (UIs) are slightly different, but both solutions are managed from the same UI with a single login. Barracuda can perform a cloud live boot for DR, but orchestration capabilities are a work in progress.
Security is a strong focus for Barracuda. Beyond backup and recovery, the company has a holistic data protection strategy and a broad product portfolio covering multiple functional areas, notably in network and application security. Barracuda has built a very solid ransomware protection solution into its data protection products, which works well on its own and even better when integrated with other Barracuda security products, to provide a multilayered data protection approach.
Lately, Barracuda has focused on building a solid SaaS backup solution in Barracuda Cloud-to-Cloud Backup and adding ransomware protection features to its products. Currently, only Microsoft 365 is supported (across 13 regions worldwide), but the company is working on adding more SaaS capabilities soon. BaaS support is now available for Barracuda Backup and Barracuda Cloud-to-Cloud Backup and protects on-premises environments as well as Microsoft 365.
Data management capabilities are available through “Data Inspector,” Barracuda’s classification engine used to identify sensitive data, support regulatory compliance, and identify malware or ransomware. Kubernetes support is currently lacking.
Strengths: Barracuda offers a very good feature set with a strong focus on security and multilayered protection against ransomware across its product line. It is an appealing product for MSPs and SMBs.
Challenges: SaaS capabilities remain limited, DR orchestration capabilities need to be improved, and Kubernetes support is lacking.
Clumio is a true SaaS solution; it’s built on a serverless solution architecture and doesn’t require managing or deploying any AWS resources to start using it. It’s a consumption-based service with infinite scale built in: users can start small and then scale to protect massive amounts of data without planning or management. The onboarding process is also simple: users can start protecting their AWS, VMware Cloud on AWS (VMC), and Microsoft 365 assets in 15 minutes or less.
Clumio enables fast backup by automating the entire process through global policies across different AWS assets and accounts, managing these, plus Microsoft 365 accounts and VMC vCenters, from a single-pane-of-glass view. Using dynamically scalable serverless compute resources in parallel to run backup jobs and do incremental backups shrinks the backup window significantly. As important as fast backups, Clumio enables quick recovery to ensure business continuity. An intuitive calendar view provides a quick and simple way to find recoverable data (snapshots, instances, files, records, and so forth), and restoring the data takes just a few clicks. By enabling rapid and granular data recovery, Clumio reduces recovery times significantly to meet low RTO and RPO SLAs.
The Clumio platform is designed with a security-first mindset. Backups are saved to SecureVault, a Clumio service for ransomware protection of Tier 1 applications independent of and separated from the user’s AWS account. This method provides true turnkey air-gap functionality and protection against ransomware and other attacks, with indexing and granular file recovery features. Backups are immutable; to safeguard against bad actors, there’s no delete option, and all data processing and storage is handled with end-to-end encryption. The Clumio SecureVault Lite offering has a simpler feature set and a more compelling price-point for less critical workloads. The logical air-gap feature offers a “near” zero RTO and RPO on an exabyte scale. The platform also complies with the latest security certifications and standards, such as ISO, HIPAA, PCI, and SOC 2.
The Clumio Protection Group functionality provides comprehensive data protection coverage, filling gaps left by S3 versioning and replication. Now, users can selectively back up only important S3 objects within a bucket, providing much-needed data classification capabilities. This sorting results in a much more efficient and optimized backup, providing big TCO savings to users. This data classification feature proves to be a powerful advantage when recovering data. Using global search and browse functionalities, users can granularly recover S3 objects instead of recovering entire buckets and laboriously sorting through different objects to find the right ones. Faster recovery means business continuity remains undisrupted.
Clumio focuses heavily on AWS, Microsoft 365 datasets, and support for VMware Cloud on AWS is also included. Clumio’s strong bond with the AWS ecosystem makes the solution best suited for organizations with a cloud-first approach, in which AWS is the preferred cloud provider. At this time, the solution is suitable primarily for customers in the US market. The vendor is rapidly adding support for key data services with regular new features.
Now integrated to the Clumio platform, Clumio Discover allows users to analyze their entire environment, identify unprotected systems, and do an effective cost analysis on top of current and hypothetical backup policies. Users can see their ransomware risk profile through a dashboard and are presented with actionable insights to help reduce those risks.
Strengths: Clumio is specifically designed for cloud-native applications and workloads. It’s an easy-to-use SaaS application, and the company plans to build a data protection and data management platform.
Challenges: The lack of DR capabilities and Kubernetes support is a concern in the enterprise segment. As a cloud-first company, support for public cloud vendors other than AWS is lacking.
Compass—Cobalt Iron’s unified data protection platform—is implemented through one or more Cobalt Iron Accelerator physical, virtual, or cloud appliances that provide management and storage capabilities (from a few TBs to more than 4 PBs per Accelerator appliance, with no limit to the number of appliances) or via a new BaaS consumption model.
Because Accelerator appliances come as a service, sizing and deployment are included in the subscription fees. At edge locations, Accelerators can be deployed as virtual appliances to reduce the infrastructure footprint. In addition, Cobalt Iron supports AWS, Azure, Google Cloud, IBM Cloud, and Alibaba, with Compass Cloud Accelerators delivered as public cloud images.
The solution is managed through an intuitive cloud-based Commander interface that provides an overview of backup operations and environmental conditions. It’s also used to configure data protection policies and is backed by advanced analytics with extensive data collection and monitoring. The analytics engine also provides predictive analytics with trends, out-of-space projections, and future capacity modeling based on past growth rates.
From a DR orchestration perspective, Cobalt Iron takes a different approach from its competition. Instead of proposing a fully fledged DR solution, Cobalt Iron provides insights, analytics (including recommendations to recover from safe recovery points), and integrations that facilitate DR orchestration, but it leaves DR orchestration to third-party solutions. The company assists customers in integration activities with DR processes, as well as testing and recovery.
Cobalt Iron provides strong cyber resiliency features at both the predictive and remediation levels. These capabilities are regularly improved and made available to customers. Its Cobalt Iron Compass Zero Access architecture makes the data backed up into Compass inaccessible, read-only, and immutable; data can be deleted only if the action is based on strictly controlled and monitored data retention policies. Cyberattack detection includes monitoring multiple anomalies and abnormal behaviors, such as baselining the normal environmental behavior and observing deviations, with additional features slated for delivery by the end of 2023. Finally, Cobalt Iron also proposes a logical air gap solution and options for physical air-gapped copies of backups.
Compass integrates some data management features, primarily related to policy-based backup management. These can be used to enforce data locality requirements and generate reports about adherence to policies. The company has added a new enterprise object search feature that currently provides global index and search capabilities but focuses only on metadata at the moment. The solution also supports Kubernetes and Red Hat OpenShift through an integrated technology module.
BaaS capabilities are now available through Compass Cirrus Cloud BaaS, a cloud-delivered, Cobalt Iron hosted solution that offers elastic scalability under a pay-as-you-grow model. The solution is charged on a $/TB/month basis, delivers full Compass functionality, and includes storage consumption.
In addition to virtualization platforms and cloud systems, a broad set of platforms and applications is supported, including mission-critical databases (Oracle, DB2, Informix, SAP R3, SAP HANA, and others) and a very comprehensive range of operating systems, going beyond x86 operating systems to systems such as AIX, HP/UX Itanium, Solaris SPARC, and IBM i.
Strengths: Cobalt Iron proposes an optimized and strongly secure data protection solution delivered as a service. It has robust ransomware protection mechanisms, advanced analytics, and comprehensive workload support, including Kubernetes.
Challenges: DR orchestration is partial and requires custom integrations. Data management capabilities are expanding but remain limited compared to some of the competing offerings.
Cohesity offers the Cohesity Data Cloud Platform, a compelling solution that meets data protection, cyber resiliency, and data management challenges in hybrid cloud scenarios.
The solution offers a comprehensive analytics engine that delivers a unified view through self-managed and BaaS deployments. It provides anomaly detection and user activity alerting, and it warns of data ingest anomalies. It delivers predictive capacity modeling and alerting based on historical trends, plus the ability to perform simulations based on Cohesity learning models. This feature allows administrators to perform a fine-tuned what-if analysis that considers sensitivity factors for burstiness and workload seasonality. Other analytics capabilities include proactive fault isolation for sick or underperforming nodes and proactive support case opening.
DR orchestration is supported via Cohesity SiteContinuity, a fully fledged solution that converges backup, continuous data protection, and automated failover and failback orchestration with a unified policy engine. Failover can be performed either on self-managed data centers or to a Cohesity-managed environment in the cloud, effectively providing a DRaaS option.
The solution offers a rich set of security-related capabilities. Ransomware protection leverages ML-based early detection of attacks by monitoring data changes against normal patterns (using several metrics) and measuring abnormal activity against the usual activity baseline. Built upon immutable snapshots, ransomware protection is extended with Fort Knox, a strongly secured, isolated, cloud air-gapped immutable storage solution that is delivered as a service. Another differentiator is a strong zero-trust MFA module with quorum-based approval for sensitive actions in the environment, such as changing protection policies. Finally, the user behavior analytics (UBA) capability makes it easy to detect risky user behaviors and indicators of data exfiltration, tampering, deletion, and more. It also audits user file activities with interactive log search.
This approach is further enhanced by Cohesity DataHawk (mentioned as DataGovern last year). This add-on provides automated threat intelligence by simplifying threat detection through a deep learning-based engine. DataHawk is highly curated and managed by Cohesity, includes indicator of compromise (IoC) threat feeds, and is extensible to third-party integrations with SIEM or security orchestration, automation, and response (SOAR) solutions. DataHawk also addresses compliance requirements by providing quick and simple access to finding, identifying, and classifying regulated data such as PII, HIPAA, and PCI, and it includes over 200 classifiers and more than 50 predefined policies with ML-based pattern matching and recognition. DataHawk quickly scans and automatically classifies data from VMs and file shares, simplifying security and compliance.
Kubernetes data protection is currently supported with VMware Tanzu and OpenShift, and more distributions are on the roadmap. The solution supports autodiscovery and protection through labels, which can also be used to include or exclude namespaces. It protects data and the application state, delivering flexibility in what the customer wants to protect, whether entire Kubernetes clusters or specific resources.
Organizations can consume Cohesity through a BaaS model, with broad workload support, including cloud workloads (Microsoft 365, AWS EC2, and AWS RDS), virtual environments (VMware), databases (Oracle and SQL), physical servers (Windows and Linux), and NAS systems (NetApp and Isilon). The solution is offered in 10 regions worldwide.
When running the self-managed version of Cohesity DataProtect, customers can protect a wide range of data sources that would be tedious to fully enumerate.
Strengths: Cohesity offers a comprehensive and coherent data platform with strong data protection features, remarkable cyber resiliency capabilities, and a growing set of data management features, all managed under a single umbrella.
Challenges: Kubernetes support is expected to grow but is currently limited.
Commvault offers an extensive hybrid cloud data protection portfolio that goes beyond data protection and extends into security and data management. Solutions include:
- Commvault Complete Data Protection (designed for large enterprises).
- Metallic SaaS (suitable for SMBs but also covers large enterprise needs).
- HyperScale X appliances or Commvault Distributed Storage (software-defined distributed storage) which provide storage capabilities and expand the number of addressable use cases.
- Commvault Disaster Recovery which provides DR orchestration.
- Commvault Data Security Intelligent Data Service which provides cyber resiliency capabilities.
- Commvault Data Insights Intelligent Data Service which provides comprehensive data management and analytics.
Commvault is one of a few providers whose data protection solutions can manage and protect a broad ecosystem of workloads across physical servers, VMs, the cloud, containers, SaaS, and more. Organizations can choose an on-premises, self-managed consumption model or a full BaaS approach with Metallic SaaS.
Management and analytics capabilities are delivered through the Commvault Command Center, providing a unified experience across the Commvault portfolio and full management of the Metallic SaaS offering. Commvault has improved automation capabilities with infrastructure as code (IaC) automation, a simplified installer, and centralized deployment. A new Terraform module also simplifies cross-cloud operations with agnostic scripting capabilities.
Commvault delivers a best-in-class BaaS experience with Metallic. The solution offers broad services, including excellent cyber resiliency features and regulatory compliance. It supports an extensive range of platforms, including multicloud, databases, unstructured data, Kubernetes, and SaaS applications, making it capable of replacing a traditional on-premises data protection solution for most use cases. Commvault Security IQ is bundled with every Metallic subscription to give customers insights and tools to offer security posture recommendations, spot malicious files and suspicious activities in datasets, suggest pre-infected recovery points for compromised files, and more.
DR is handled through Commvault Disaster Recovery, a product that delivers complete DR orchestration capabilities across platforms, locations, and clouds. This solution implements DR scripting, one-click failover and failback, and automated detection of outages. The DR solution now integrates malware scanning tools to ensure recovery points are malware-free, with the ability to perform these tests in an isolated environment. Commvault also partners with MSPs to deliver this capability through a DRaaS model. Finally, additional capabilities are included in MSP-focused Commvault solutions to build tiered services that offer flexible RPO and RTO options while keeping implementation costs low.
Cyber resiliency capabilities are delivered through the Data Security Intelligent Data Service, which includes AI/ML-based anomaly detection and alerting capabilities. In addition, Metallic SaaS includes Metallic ThreatWise for integrated cyber deception and ransomware detection, including AI/ML-based anomaly detection across the live file system and backup jobs. Alerting capabilities and honeypots further aid in the detection and neutralization of threats. On the remediation side of cyber resiliency, the solution implements immutable backups; it can also leverage immutable cloud-object repositories as a target for backups. Finally, organizations can leverage the Metallic SaaS solution to store immutable backups in the cloud, with Metallic Recovery Reserve, a BaaS-delivered immutable storage solution that also includes air-gap capabilities.
Comprehensive data management is delivered through Data Insights Intelligent Data Service. The solution takes advantage of Commvault’s 4D indexing technology and offers ML-driven insights to enable other services, such as data governance and compliance, which is oriented toward regulatory and privacy matters. The service can go beyond backup data to include production data in its analysis. Customers can proactively identify sensitive data (PII, for example) and act on it.
Another module allows relevant stakeholders to respond to disclosure and legal requests related to e-discovery and compliance with automated workflows for compliance tasks. The solution also includes an auditable chain of custody that demonstrates adherence to compliance processes. In addition, the File Storage Optimization service can leverage this data to enforce and automate policy-based data placement decisions.
Commvault supports all CNCF-certified distributions, including cloud services (Google Anthos, Azure AKS, Amazon EKS, Google, GKE, and Oracle OKE) and on-premises Kubernetes distributions (Red Hat OpenShift and VMware Tanzu). The solution offers comprehensive Kubernetes protection beyond the storage layer and autodiscovery for applications and containers. It also protects all buckets and components in case of changes in the application stack.
The company offers very comprehensive coverage of cloud workloads. SaaS workloads include Salesforce, Microsoft 365, Microsoft Dynamics 365, Azure DevOps, GitHub, and MongoDB Atlas. Support for cloud instances includes Amazon EC2, Azure VMs, Google VMs, Oracle OCI, Alibaba Cloud ECS, and the various VMware, cloud-based offerings. In addition, broad coverage of cloud storage, cloud databases, and object storage (as a source and target) is also supported.
Strengths: Commvault delivers a comprehensive hybrid cloud data protection portfolio with excellent cyber resiliency capabilities and a very broad workload support across clouds. The solution is well-suited for organizations with advanced data management requirements.
Challenges: Commvault’s comprehensive portfolio and feature set can be perceived as complex to implement; however, organizations with simpler requirements can quickly ramp up with the Metallic offering or roll out the solution starting with core capabilities.
Dell Technologies delivers data protection capabilities through PowerProtect Data Manager, a self-managed, next-gen hybrid cloud, data protection software solution, and APEX Backup Services (formerly PowerProtect Backup Service), Dell’s BaaS offering based on Druva technology. Both target a broad spectrum of customers and can cater effortlessly to the needs of SMBs as well as large enterprises—particularly when used with Dell PowerProtect DD appliances.
PowerProtect Data Manager and APEX Backup Services can be managed through a common management console that enables data protection orchestration and self-service backup and restore operations. The dashboard provides various insights into job status, assets and asset protection status, overall system health, SLA adherence, capacity consumption, and space optimization status. The solution can also configure alerts and generate reports.
DR is provided with PowerProtect Data Manager through Cloud Disaster Recovery, a solution that leverages public clouds as secondary DR sites for cost-effective DR operations with VMware environments, either on-premises or on public clouds. The solution supports AWS, Azure, and GCP, as well as their government-focused counterparts, and it offers DR orchestration capabilities.
Dell PowerProtect Cyber Recovery enhances PowerProtect Data Manager with a host of cyber resiliency capabilities to prevent and recover from ransomware attacks. The solution includes an ML detection engine called CyberSense, which identifies suspicious activity and monitors data integrity. It also provides data immutability with an additional layer of security and controls and creates an air-gapped backup vault. PowerProtect Cyber Recovery also implements other features, such as network time protocol (NTP) tamper protection, to prevent the premature expiration of immutability flags.
Organizations can use PowerProtect Data Manager to protect Kubernetes in AWS, Azure, and GCP, to protect Kubernetes clusters in multicloud environments, and to protect EKS, AKS, and GKE. PowerProtect Data Manager builds on top of the open source Velero platform to provide a data protection solution that enables application-consistent backups and restores and is always available for Kubernetes workloads, VMware hybrid cloud environments, and Tanzu modern applications.
PowerProtect Data Manager protects traditional workloads, including Oracle, Exchange, SQL, SAP HANA, AIX, and file systems, as well as Kubernetes containers and virtual environments.
Dell Technologies also offers a BaaS solution to its customers with APEX Backup Services (formerly PowerProtect Backup Service). The solution is based on Druva’s technology and supports a diverse set of workloads, including SaaS applications (Microsoft 365, Google Workspace, and Salesforce), desktops, laptops, mobile devices, and hybrid workloads (virtualized environments, databases, file servers, and network attached storage, or NAS). It also includes several compliance and governance capabilities, such as federated search, automated compliance, legal hold, long-term retention, and reporting capabilities.
Strengths: Dell Technologies delivers a modern data protection experience with PowerProtect Data Manager and APEX Backup Services. PowerProtect Data Manager, combined with PowerProtect Cyber Recovery, delivers comprehensive multicloud data protection and cyber resilience capabilities, while APEX Backup Services provides SaaS data protection and a strong set of compliance and governance features, thanks to the partnership with Druva.
Challenges: There are no particular data management capabilities in PowerProtect Data Manager. Although Dell Technologies offers two compelling data protection solutions, they are based on different technologies. This can challenge growing organizations and large enterprises hoping to unify their data plane, particularly for advanced data management use cases. This is less of an issue for SMBs (because they will likely standardize on one of the two solutions), but large enterprises will likely use both BaaS and on-premises data protection, and some level of standardization and integration is expected.
The Druva Data Resiliency Cloud provides centralized protection and management across end-user and enterprise data sources and is offered under a BaaS model. By unifying distributed data across endpoints, data center workloads, AWS workloads, and SaaS applications, organizations have a single place to manage backup and recovery, DR, archiving, cyber resilience, legal hold, and compliance monitoring. This unification minimizes data risks and ensures continuity for employee productivity.
The solution offers an easy-to-use, feature-rich management console with useful metrics and statistics. Druva’s dashboards give users summary-level information and federated search capabilities, including e-discovery and legal hold queries, but they also provide storage insights and recommendations.
Cloud DR is provided for VMware vSphere, VMware Cloud, and AWS workloads. Druva allows organizations to orchestrate DR in the cloud with “one-click,” policy-driven failover, and failback. The feature is available in all AWS regions, offering an RPO of up to an hour and RTO in minutes. For AWS workloads, EC2 and RDS resources, along with their associated VCP settings, can be recovered across AWS regions or accounts for improved business continuity. Druva also makes validating and testing DR plans easy and offers an end-to-end, automated, non-disruptive testing capability for AWS workloads.
Druva’s SaaS platform offers a broad set of cyber resiliency features. Alongside monitoring unusual data activity to detect potential ransomware attacks, the solution implements an accelerated ransomware recovery feature that performs quarantine and orchestrated recovery based on curated snapshots. This is a unique way of automatically selecting files in their last known good state to ensure they are not encrypted or infected when recovered. Besides access insights on data usage, Druva can also inform about potential anomalies and integrate with a rich ecosystem of security, monitoring, and logging solutions. Additional security capabilities include a one-week retention period for deleted backups and the ability to implement 100% immutability on backups. That means there’s no possibility to delete them even if the retention policies are deleted or altered.
The solution includes support for legal hold, e-discovery, and compliance features (GDPR, CCPA, and others). Druva helps legal teams save on cost and time on legal hold and e-discovery by collecting and preserving data in place as part of the backup process. Pre-culling, audit trails, and API integrations with third-party solutions like Exterro make preparing and presenting data during litigation proceedings easy. Administrative, security, legal, and forensic teams can conduct global metadata searches across workloads, including Microsoft 365, Salesforce, Google Workspace, and endpoint devices. Various attributes, such as email-related information, can be used to search.
The solution also delivers application-centric Kubernetes data protection for AWS-based cloud-native applications on Amazon EC2 or EKS. Druva supports application discovery, allowing it to back up application groups and namespaces while also protecting underlying storage on Amazon EBS. It also offers customizable long-term retention options and provides granular recovery options, application mobility across regions, and centralized, policy-based Kubernetes data protection management.
Druva was one of the first data protection solutions built with a BaaS mindset. The service is 100% cloud native, with a user-centered design and a microservices architecture that provides a simple experience with infinite scale. The outcome is a straightforward cloud consumption model with different service tiers.
Besides traditional on-premises workloads (virtualization, databases, and edge endpoints) and SaaS applications (Microsoft 365, Google Workspace, and Salesforce), the company protects one of the most comprehensive sets of AWS services. This coverage, combined with Druva’s consumption model, makes Druva ideal for organizations with a cloud-first and OpEx-oriented IT infrastructure spend strategy.
Strengths: As a very well-designed platform with innovative features, Druva provides strong data management capabilities and ease of use under a BaaS consumption model. Druva is ideally suited to organizations with a cloud-first approach to the AWS ecosystem. It has excellent e-discovery and compliance features, and it offers strong cyber resiliency capabilities.
Challenges: The solution is not ideal for customers with large amounts of data that must be maintained on-premises (over 100 TB) or legacy workloads (such as Solaris, DB2, and others). While Druva supports protecting files and databases across multiple clouds, the lack of native VM support for Microsoft Azure and GCP is a concern.
HYCU offers data protection capabilities through HYCU Protégé. The solution provides deep integration with every platform it supports, whether on-premises or in the cloud. It does so using architecture native to each supported platform, such as Nutanix, Google Cloud, Azure, VMware, and AWS, t implements an agentless, application-aware, and multitenant solution that offers elastic scalability.
HYCU has an intuitive management interface providing a dashboard that summarizes the environment and compliance with the SLAs that were set. HYCU leverages analytics to provide a guaranteed RTO. The solution also leverages analytics to detect anomalous behavior and ransomware. It can inform users if applications and resources are unprotected and generates reports on metrics for further analysis, such as capacity consumption and showback of departmental usage of resources.
An orchestrated and automated DRaaS solution that can failover a single instance or an entire site is provided by HYCU. Whether planned or unplanned, HYCU enables business continuity, providing minimal downtime and ensuring that business operations can continue as planned. DR testing is an important part of a solid DR strategy, and HYCU allows users to conduct these tests with just a few clicks, without impacting production operations. Organizations can also define their desired SLAs and be alerted if they fall out of compliance with required RPOs and RTOs.
From a cyber resiliency standpoint, HYCU ensures data integrity is maintained through end-to-end AES-256-level encryption for data in flight and at rest. Data can also be stored securely in air-gapped, immutable write once, ready many (WORM) storage. HYCU Protégé has built-in anomaly detection to identify suspicious activity, trigger alerts, and initiate backups to protect against further threats. HYCU does cross-project backup to protect against administrator deletions.
HYCU also supports Kubernetes workloads with application-aware protection, including storage resources and application dependencies. This protection can be consumed either through a subscription or as a service.
HYCU offers a BaaS solution that supports three workload types: Kubernetes environments such as those seen above, public clouds such as AWS, Azure, and GCP, and SaaS solutions such as Microsoft 365, Jira, SalesForce, and Okta. These can be managed from a single pane-of-glass, and the service comes without egress fees. The Microsoft 365 offering also includes Microsoft Teams support. It allows granular recovery of objects and supports data compliance requirements by providing e-discovery features such as audit trails, retention policies, legal holds, and data analytics around email correspondence. In addition, the solution protects Microsoft 365 data in the same native Microsoft 365 regions, enforcing and respecting data sovereignty laws.
HYCU Protégé protects a broad scope of workloads including VMware ESX, Nutanix, and file servers. It also has specific integrations with Dell PowerScale (Isilon), NetApp, SAP HANA, Microsoft Active Directory, physical servers running Windows and Linux, and more. HYCU also supports many on-premises and cloud database services.
Strengths: Native, deep integration with the supported platforms and extensive data protection implementation are strong points. The solution offers a BaaS consumption model that includes SaaS applications and cloud workloads.
Challenges: Although HYCU offers a comprehensive solution, there is still room for improvement on certain capabilities such as cyber resiliency and data management.
IBM offers multiple data protection products under its portfolio. Among them, IBM Storage Protect (previously known as IBM Spectrum Protect Plus) provides a flexible solution for enterprises, particularly when used with other IBM storage and data protection components.
At the analytics level, IBM Storage Protect provides a simple and intuitive management interface. However, advanced data insights are available through IBM Storage Sentinel or IBM Spectrum Discover.
Although there’s no native DR orchestration capability in IBM Storage Protect, customers can license IBM Storage Protect Extended Edition to add DR management, node replication, and other advanced capabilities. Another option is to leverage IBM Storage Copy Data Management (CDM), a solution that automates snapshot replication and offers control over testing and cloning use cases, instant recovery, and full DR. The solution also leverages native snapshot capabilities from IBM FlashSystem arrays to accelerate data copy and replication operations. CDM supports IBM SVC, IBM Spectrum Virtualize, Pure Storage, and NetApp storage systems.
Cyber resiliency capabilities include a layered approach that is balanced among proactive detection capabilities, basic security features, and ransomware recovery. For advanced use cases, the company offers a broad set of solutions in its portfolio and also proposes IBM Storage Defender, a unified data resiliency solution that incorporates the functionality of multiple IBM products into a single pane of glass, including IBM Storage Protect, IBM Storage Sentinel, and more.
Data management capabilities are currently provided through another product of the IBM solutions portfolio, IBM Spectrum Discover. This solution can be used to identify, organize, and classify IBM Storage Protect backup data.
IBM Storage Protect implements a mature Kubernetes data protection feature that supports vanilla Kubernetes environments and Red Hat OpenShift. It includes automated discovery of resources, policy-based snapshot management for PVCs, the ability to protect etcd and Kubernetes metadata, and has centralized or policy-based SLA management with DR capabilities.
A native IBM BaaS solution branded IBM Storage Protect for Cloud (previously IBM Spectrum Protect Plus Online Services) is currently available, and it focuses on Microsoft products (Microsoft 365, including Microsoft Teams, Microsoft Dynamics 365, and Azure Active Directory) and Salesforce. It also reports and monitors the data protection status for the various Microsoft 365 components. The service runs on Microsoft Azure data centers and allows customers to leverage self-managed storage, on-premises or in public clouds. IBM’s roadmap includes support for Google Workspace. The company is also planning to expand geographic coverage of its BaaS solution.
Organizations seeking more comprehensive BaaS capabilities can take advantage of a partnership with IBM and Cobalt Iron, although Cobalt Iron’s Compass solution is tailored more for the enterprise market. Alternatively, IBM partners with third-party MSPs to deliver its solution through a BaaS model.
In addition to BaaS support for Microsoft 365, IBM Storage Protect also protects common workloads (including physical, virtualized, AIX, and containerized environments), as well as cloud workloads on AWS, Azure, and IBM Cloud.
Strengths: IBM Storage Protect offers a robust data protection solution with a modular approach, allowing organizations to start small and grow their feature set as needed. Kubernetes support is a strong differentiator, while other features are being actively developed and/or expanded. The roadmap is promising for SaaS solutions support and cyber resiliency.
Challenges: Although IBM offers a comprehensive data protection suite, integrating the various components remains challenging. IBM Storage Defender marks a positive step in this direction.
Initially focused on traditional data protection over a modern architecture, Rubrik has gradually evolved into the Rubrik Security Cloud, a security-focused data protection solution capable of protecting a broad spectrum of workloads. The platform is built around a policy engine that orchestrates data protection, retention policies, long-term retention (including long-term storage to public clouds), monitors SLA compliance, and more.
The solution offers a comprehensive analytics platform with a strong emphasis on security metrics and anomaly detection. The management interface is well-designed and provides immediate actionable insights to its users.
Rubrik supports automated DR orchestration with cross-cloud support for VMware workloads. It also includes failover/failback and testing capabilities, as well as SLA compliance reporting. Organizations can leverage predefined DR blueprints, and the DR solution integrates with Rubrik Ransomware Investigation to intelligently select a recent clean recovery point for use following a ransomware attack.
The solution has a comprehensive set of cyber resiliency features, including data risk assessments, anomaly detection, a zero trust architecture, native immutability, encryption, and access controls. Among these, Rubrik Ransomware Investigation performs ML-assisted anomaly detection, and the solution can discover the point of malware infection, subsequently assisting in reverting to a clean state. In addition, Rubrik Cloud Vault, a cloud-based, logically air gap solution that offers account-isolated, immutable copies of the data to be retained off-site as a last resort recovery option against cyber attacks and natural disasters. The solution is offered through a pay-as-you-go model, which includes storage and egress charges.
Rubrik also offers a sensitive data discovery feature that assesses data risk and exfiltration via an automated classification engine and pre-built analyzers.
The solution supports Kubernetes workloads through its policy-driven protection engine. It supports persistent volumes and application-related Kubernetes objects, allowing the recovery of the entire application. Self-service and integration with automation frameworks and CI/CD pipelines is also supported to empower DevOps and DevSecOps teams.
Rubrik Security Cloud supports AWS, Azure, and Google Cloud workloads. It also includes Microsoft 365 support (E-mail, Onedrive, SharePoint, and Teams) with automated discovery of new users, sites, and teams, as well as flexible protection policies.
Although the solution is based on modern architecture, Rubrik does not propose a BaaS offering at the moment. However, the company actively supports MSPs and CSPs, offering BaaS solutions based on Rubrik’s data protection platform.
Strengths: Rubrik offers a security-centric data protection solution that implements a host of features to prevent or limit the impact of ransomware attacks and facilitate recovery activities. The solution supports Kubernetes and cloud-native workloads.
Challenges: With the exception of sensitive data discovery, data management capabilities are an area for improvement.
Unitrends offers a suite of data protection solutions delivered either through backup appliances (Recovery Series) or software-based solutions, such as Unitrends Backup Software and a portfolio of complementary solutions for DRaaS, SaaS backup, ransomware recovery, and more.
These solutions are managed by UniView, a centralized platform that can manage backup and recovery solutions for an organization’s data centers and endpoints, as well as Microsoft 365 and Google Workspace. UniView is a SaaS-based management platform that provides UI and API integration across three best-of-breed approaches to backup and recovery. With UniView, enterprises can easily manage these backup and recovery solutions from one elegant portal.
From a DR perspective, Unitrends DRaaS delivers rapid spin-up of critical systems and applications in the secure Unitrends Cloud at a significantly lower cost than that of building and managing self-owned, off-site DR locations. It also protects AWS or Azure cloud workloads with automated failover, failback, and integrated VM conversion.
Cyber resiliency capabilities combine proactive detection on Unitrends backup appliances with an AI engine that runs during every backup and analyzes the randomness of file changes to identify backups infected by ransomware. Upon detection, email and dashboard alerts are provided, and suspect backups are flagged. The solution also supports immutable backups when Unitrends Cloud is used to offload backups in the cloud.
Unitrends offers its own BaaS solution, which relies on geo-redundant cloud data centers built for resilience with cutting-edge, self-healing hardware and software that detects and corrects issues even before they arise. Automated application-level recovery testing and proactive monitoring by cloud experts keep Forever Cloud (off-site backup to Unitrends Cloud) running at optimal efficiency and availability. Alternatively, customers can use MSP partners for this purpose, and with DRaaS Unitrends, they can eliminate the need for a second data center.
At the moment, Unitrends doesn’t offer support for Kubernetes, nor does it provide any data management capabilities.
Strengths: Unitrends offers a capable suite of products in its data protection portfolio with noteworthy cyber resiliency features, DRaaS, and a BaaS offering that includes support for SaaS workloads. The solution also provides options for MSPs.
Challenges: Ransomware detection is currently available only on physical appliances. Several capabilities such as Kubernetes and data management are lacking. Although managed centrally by Uniview, Unitrends’ approach is more like a portfolio of solutions than a platform.
Veeam continues to improve its robust, flexible, and scalable Veeam Data Platform data protection solution that includes broad workload support and allows organizations to use a wide range of backup targets and tiers. With its solution running primarily on top of Microsoft Windows, the company is now making a strong push to replatform the various data protection components on Linux, in addition to providing new Linux workload support, such as PostgreSQL.
The data protection suite consists of multiple products aimed at protecting various workloads. Its modular architecture provides ample customization opportunities, making it easy for large enterprises and MSPs/CSPs (a key market for Veeam) to integrate Veeam with their infrastructure and security environments. The company has innovated in this area with deeper AWS, Azure, and Google Cloud integration, Microsoft 365 support, remote deployment and upgrades, and a massive multicluster scale.
Analytics capabilities are delivered through various Veeam management consoles for data protection and Veeam ONE for infrastructure monitoring. Veeam ONE can also be used to monitor data protection alongside other workloads under a single view. Organizations can take advantage of Veeam ONE’s API to integrate the solution into their automation workflows. In addition, tasks can be automated based on alarms, enabling orchestration of certain activities.
DR capabilities are delivered through Veeam Recovery Orchestrator. This comprehensive platform provides ample customization options and a graphical workflow designer, and it is suitable even for the most complex DR scenarios. This feature was enriched to include automated rollback following a ransomware attack, recovery orchestration for physical workloads, and cloud recovery orchestration.
From a cyber resiliency standpoint, Veeam provides a comprehensive set of ransomware remediation features, immutable image-based backups, and the ability to leverage immutability features on AWS S3 or on-premises object repositories. Veeam Backup for AWS v6, and Veeam Backup for Azure v5 now support immutable backups as well, and the Veeam Backup Repository (Veeam now offers a direct backup to object storage capability) can now implement double immutability (at the local repository level as well as in the cloud). In addition, Veeam provides recovery verification through its secure restore feature, with support for third-party security products.
Veeam ONE provides out-of-the-box alarms capable of signaling potential ransomware activity. It also allows use of custom alarms based on metrics that can highlight potential ransomware activity. Veeam has most of the building blocks needed to create a fully-fledged proactive ransomware detection solution, a capability that is now on the roadmap.
Kubernetes support is delivered through Kasten, offering one of the most comprehensive cloud-native data protection solutions currently available, including backup and restore, DR, and mobility of Kubernetes applications.
The solution supports multiple cloud workloads; besides SaaS workloads such as Microsoft 365 and Salesforce, it also provides dedicated backup solutions for AWS, Azure, and Google Cloud.
Even though BaaS consumption models are gaining traction, and Veeam has all it takes to create its own BaaS offering, the company currently focuses on enabling its MSP and CSP partners to deliver their own Veeam-powered BaaS offerings. Considering the strong competition and popularity of BaaS, it is reasonable to expect that Veeam might make a move in this direction in the near future.
Strengths: Veeam offers a flexible data protection platform delivered through a modular suite of products, making it capable of covering a very broad set of workloads, including public clouds and Kubernetes. Outstanding support for MSPs and CSPs and a strong roadmap ahead are also strengths.
Challenges: Data management and governance capabilities are limited. Currently no first-party BaaS offering is available.
Veritas has comprehensive data protection solutions for the enterprise market, covering many platforms and applications. In addition to its traditional NetBackup data protection solution, the company has recently launched Veritas Alta, the focus of this report, a cloud data protection platform that includes cyber resiliency, data management capabilities, and SaaS workload protection.
The solution supports a broad set of deployment models and includes support for multiple clouds and locations as well as modern workloads. With Veritas Alta’s Intelligent Cloud Policy Engine, organizations can automate snapshot data storage in low-cost public cloud storage tiers for their AWS, Azure, or GCP workloads. In addition, a feature called Elastic Cloud Autoscaling (for AWS, Azure, and GCP) ensures that organizations pay only for the data they consume.
The solution provides a cloud-based management console that covers the entire organization’s environment. It comes with an analytics engine that provides actionable insights and a view of the organization’s cybersecurity posture, with reporting capabilities. The solution also leverages AI and ML capabilities to drive autonomous data management actions.
DR capabilities are included in the solution and allow automation and orchestration of DR at scale with single-click recovery. Organizations can build their own custom scripts to tailor DR activities with their requirements. The solution also enables DR testing and allows the migration of workloads from on-premises to cloud, as well as across clouds.
Veritas Alta includes cyber resiliency ransomware detection capabilities such as ML-based anomaly detection, malware scanning, and data immutability. Resiliency is augmented by Veritas Alta Recovery Vault, a fully managed, cloud-based data retention service that can act as an alternative to on-premises storage of backup data. Veritas Alta Recovery Vault provides end-to-end deduplication, ransomware protection with immutability, unlimited restore with no caps, and integrated bare metal and granular recovery options. Recovery Vault is available on Azure and AWS.
The solution also implements several data management capabilities. These include automated content classification, e-discovery, and dark data detection. Veritas Alta SaaS Protection further expands these capabilities with content scanning, e-discovery, automated data residency controls (for data sovereignty regulation compliance), and the possibility of applying legal holds.
Veritas Alta can be consumed under a BaaS model and includes additional services such as Veritas Alta Recovery Vault (covered above). Worth noting, Veritas also offers its own cloud storage as a service offering, Veritas Shared Storage, which includes encryption and WORM capabilities for cloud-native block storage. This offering includes support for Kubernetes workloads via CSI plug-ins and additional integrations related to databases and snapshot consistency.
The solution supports cloud instances on AWS, Azure, and GCP. Multiple cloud database services on AWS, Azure, and GCP are supported. From a SaaS perspective, Alta SaaS Protection includes support for a variety of workloads, including comprehensive coverage of Microsoft 365. It also supports Salesforce, Google Workspace, Box, and Slack.
Strengths: Veritas Alta marks a turning point for the company. The solution has taken into account modern data protection requirements and proposes a very promising platform. Cyber resiliency and data management capabilities, combined with a BaaS consumption model, a SaaS-based management console, and first-party storage offerings are noteworthy.
Challenges: The platform was launched recently and is not yet fully proven in the field.
6. Analysts’ Take
As the collection point toward which all of an organization’s data flows, data protection infrastructures create data lakes that become a critical aspect of an organization’s security and regulatory posture. Besides the fundamental requirement to protect these data assets, large enterprises must address the challenges posed by cybersecurity threats, regulatory compliance, and infrastructure complexity.
The challenges listed above often overlap: data protection vendors acknowledge the convergence between data protection, cyber resiliency, and data management. In fact, some companies have anticipated these trends and built comprehensive platforms that combine data protection, cyber resiliency, and data management capabilities under a single umbrella. This approach defines the next generation of data protection solutions, for which data protection becomes, in a way, a subset of data management.
In addition, organizations need to protect swaths of applications and infrastructure components across technology stacks and locations, often with different delivery and consumption models. This complexity requires modular and scalable solutions that offer a comprehensive breadth of scope, ranging from traditional workloads to Kubernetes and cloud-native services, even in multicloud contexts, yet with the ability to comply with data protection and sovereignty laws.
Finally, with infrastructure spending under close scrutiny, customers want the benefits of flexible consumption models. Instead of capital investments in data protection infrastructure, some are increasingly opting for BaaS, shifting data protection spending from CapEx to operational expenses, which may better suit some CFOs’ investment and budgeting cycles that have shortened from multiple-year horizons to 12 to 24 months at most.
Customer demand for BaaS is driving more vendors to develop their own BaaS solutions. Although the MSP/CSP market remains a huge opportunity for many data protection vendors, the lack of BaaS capabilities is perceived by customers as a lack of innovation and a challenge for their infrastructure spending expectations. Vendors must thus find the right balance between satisfying existing and prospective customers without alienating their MSP/CSP partners.
All these changes are profoundly transforming the enterprise data protection market. The expected outcome remains the same: protection of data. But increased complexity and new challenges make data protection a much more interesting and demanding discipline.
There is a clear separation between vendors that have understood these challenges and are designing products around a comprehensive, innovative approach and those that continue to focus on data protection as an isolated discipline. Without significant investments, pure data protection players are poised to lose momentum and become less relevant unless they operate in highly customized environments or organizations with less stringent requirements.
7. About Max Mortillaro
Max Mortillaro is an independent industry analyst with a focus on storage, multi-cloud and hybrid cloud, data management, and data protection.
Max carries over 20 years of experience in the IT industry, having worked for organizations across various verticals, such as the French Ministry of Foreign Affairs, HSBC, Dimension Data, and Novartis, to cite the most prominent ones. Max remains a technology practitioner at heart and currently provides technological advice and management support, driving the qualification and release to production of new IT infrastructure initiatives in the heavily regulated pharmaceutical sector.
Besides publishing content/research on the TECHunplugged.io blog, Gestalt IT, Amazic World, and other outlets, Max is also regularly participating in podcasts or discussion panels. He has been a long-time Tech Field Day Alumni, former VMUG leader, and active member of the IT infrastructure community. He has also continuously been running his own technology blog kamshin.com since 2008, where his passion for content creation started.
Max is an advocate for online security, privacy, encryption, and digital rights. When not working on projects or creating content, Max loves to spend time with his wife and two sons, either busy cooking delicious meals or trekking/mountain biking.
8. About Arjan Timmerman
Arjan Timmerman is an independent industry analyst and consultant with a focus on helping enterprises on their road to the cloud (multi/hybrid and on-prem), data management, storage, data protection, network, and security. Arjan has over 23 years of experience in the IT industry and worked for organizations across various verticals such as the Shared Service Center for the Dutch Government, ASML, NXP, Euroclear, and the European Patent Office to just name a few.
Growing up as an engineer and utilizing that knowledge, Arjan currently provides both technical and business architectural insight and management advice by creating High-Level and Low-Level Architecture advice and documentation. As a blogger and analyst at TECHunplugged.io blog, Gestalt IT, Amazic World, and other outlets, Arjan is also from time to time participating in podcasts, discussion panels, webinars, and videos. Starting at Storage Field Day 1 Arjan is a long-time Tech Field Day Alumni, former NLVMUG leader, and active member of multiple communities such as Tech Field Day and vExpert.
Arjan is a tech geek and even more important he loves to spend time with his wife Willy, his daughters Rhodé and Loïs and his son Thomas sharing precious memories on this amazing planet.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
© Knowingly, Inc. 2023 "GigaOm Radar for Hybrid Cloud Data Protection for Large Enterprises" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact email@example.com.