Data Resilience Solution Suites, 4Q22

This report, published on December 8, 2022, was written by Brent Ellis with Stephanie Balaouras, Faith Born, Diane Lynch, analysts, Forrester Research, Inc.

The Forrester Wave: Data Resilience Solution Suites, Q4 2022
The Nine Providers That Matter Most And How They Stack Up

Summary
In this 40-criterion evaluation of data resilience solution suite providers, was identified the 9 most significant ones – Cohesity, Commvault, Dell Technologies, Druva, IBM, Rubrik, Veeam Software, Veritas, and Zerto – and researched, analyzed, and scored the vendors’ solutions. This report shows how each provider measures up and helps technology professionals select the right one for their needs.

Modern Data Resilience Strategy Is More Than Just Infrastructure Backup
Today’s enterprises are transitioning to a hybrid cloud world. This means that they must not only backup data in diverse infrastructure environments but also secure that data (and the backup infrastructure) from cyberthreats, recover from failure faster, navigate shared-responsibility models for hosted services, and address data privacy and sovereignty concerns – all while expanding automation, increasing self-service capabilities, and streamlining management of backup-and-restore capabilities. Since
2019 Forrester Wave evaluation, we’ve seen rapid adoption of SaaS platforms for core business applications as well as modernization of core enterprise applications with container-based development. In this current evaluation, we specifically address the capability to backup data in those environments. Another market change is the growth and evolution of ransomware threats. Security, and especially the ability to protect backup infrastructure from compromise, has become a top priority for many organizations.

As a result of these trends, data resilience solution suite customers should look for providers that:

• Offer comprehensive support for diverse backup sources and restore targets. The most important feature of a backup solution is the ability to protect vital data. Modern technology stacks include on-premises, cloud, and SaaS-based workloads, each with specific backup needs. Customers should look for a tool that protects the data regardless of location or hosting model and has the capability to reliably make data and workloads available quickly in the face of a disaster or service outage, even if that means putting that information in a new production environment.
• Secure their backups and the backup infrastructure from cyberthreat. A key element of the National Institute of Standards and Technology (NIST) Cybersecurity Framework is the ability to recover from attack. The first step in making sure that your business can recover when cybercriminals attack with ransomware is ensuring that they don’t compromise your backup systems as well. The second step is ensuring that your backups are valid and that you can restore them when disaster strikes.
• Address evolving data protection needs, especially in SaaS and container environments. SaaS and container adoption has been on the rise. Modern backup systems should help enterprises protect data in those environments with the same fidelity for protection that other applications and data enjoy. Your strategy for protecting enterprise data should account for every new technology and system your business uses, even if the platform is hosted by another company.

Evaluation Summary
This evaluation highlights Leaders, Strong Performers, Contenders, and Challengers. It’s an assessment of the top vendors in the market; it doesn’t represent the entire vendor landscape. You’ll find more information about this market in our reports on data resilience.

Figure 1: Forrester Wave: Data Resilience Solution Suites, 4Q22

Figure 2: Forrester Wave: Data Resilience Solution Suites Scorecard, 4Q22

Vendor Offerings
Forrester included 9 vendors in this assessment: Cohesity, Commvault, Dell Technologies, Druva, IBM, Rubrik, Veeam Software, Veritas, and Zerto (see Figure 3).

Figure 3: Evaluated Vendors and Product Information

Vendor Profiles
This analysis uncovered the following strengths and weaknesses of individual vendors.

Leaders

Commvault
It leads with breadth of backup support and attention to enterprise needs. It has integrated the Metallic.io offering into its product line, resulting in a comprehensive data resiliency platform that addresses the heterogeneous backup-and-restore capabilities that enterprises straddling the line between traditional and cloud-enabled tech stacks will need. This product integration is part of delivering on a differentiated and compelling vision that the company refers to as Intelligent Data Services. The company isn’t the largest vendor we evaluated, but it has a commanding market presence. Additionally, it has comprehensive ransomware defense capabilities and has purchased a cyber deception company named TrapX and embedded it into its backup suite as ThreatWise, allowing organizations to deploy an early warning system for cyberintruders targeting backup infrastructure. It differentiated itself in 8 of the 13 different backup-and-restore criteria; the only criterion where its coverage was subpar was for mainframe applications and data, though it does offer data dumps to a VTL. Its API-driven automation differentiates because it exposes the custom API call for most operations in the GUI, allowing backup administrators to copy and paste the API call into scripts and other environments. Reference customers have warmed up to the subscription-based licensing but reported some annoyance at management differences between the appliance/software version of the software and workloads in Metallic. However, the company has been rapidly iterating on its management console to smooth out any inconsistencies. Large enterprises that want to protect traditional infrastructure as well as provide advanced data resilience capabilities for newer technologies should look at this vendor.

Rubrik
It encapsulates a well-featured backup system with a security focus. Its Security Cloud puts security in the spotlight in regard to backup and integrates signals found in the backup process with leading SIEM and SOAR tools to make sure that security issues are handled appropriately. The firm has a well-known brand with moderate market presence. Workload support is on par, with differentiation in documented support for distributed file systems and the ability to restore to alternate infrastructure, including “clean rooms” for assessing potentially compromised restores before putting them in production. While other vendors have similar integrations, the company focuses on the data and infrastructure recovery workflows related to a cybersecurity incident and has augmented its capabilities with a secure cloud vault for highly sensitive data as well as with threat-hunting capabilities. Customers gravitate to Rubrik for use cases that take advantage of its security focus, especially on-premises workloads that have sensitive data or compliance needs. It’s worth noting that Rubrik is the only vendor with differentiated scores for all security and ransomware criteria in the evaluation. It was the first vendor in the industry to offer a ransomware recovery warranty, though eligibility requires working with the company’s customer success function on a regular basis to validate that components are set up and installed correctly. The company is best for customers seeking higher degrees of security for their backed-up data, whether for compliance reasons or for ransomware defense.

Cohesity
It bridges the divide between backup and data management. Its DataProtect solution is part of its Data Cloud and provides very good backup-and-restore functionality; this is one of the few vendors that offers an option to backup mainframe data using a marketplace plug-in to Model9. The firm stands out in the way it integrates customer needs into planned enhancements. Its market presence is smaller than that of long-standing competitors such as Commvault or Veeam Software, but recent growth shows significant inroads with enterprise customers. The company has reported strong growth and notable customer retention. It expands the value of data under protection by allowing organizations to clone backups into its SmartFiles solution in the event of a disaster, send highly sensitive data to a cloud vault, spin up zero-cost database instances for sandbox testing, and improve governance of data through analytics. Company’s SaaS-based management and reporting interface is excellent and offers an easy way to track backup success as well as the ability to search across all protected data. The firm leverages APIs to integrate with popular security information and event management (SIEM) and security orchestration automation and response (SOAR) tools such as Cisco SecureX and Palo Alto Cortex to help ensure that security incidents are handled properly. Reference customers mentioned that they spend more annually with Cohesity than on previous backup tools; however, they also commented on how easy the solution is to use (assisted with ransomware protection) and said that they’ve found far more value in the platform than they originally expected. These customers also liked the advanced customer support that the vendor provides by adding features to support specific backup needs. DataProtect is well suited for customers looking for an easy-to-use backup system that provides an option for leveraging backup data for additional use cases.

Strong Performers

Druva
It simplifies backup operations but mainly focuses on modern workloads. Druva uses its SaaS model to develop customer insights, iterate, and improve its capabilities and features. It has support for common on-premises workloads but chooses not to support legacy workloads in favor of using developer time on SaaS and cloud-native workloads. Enterprise market adoption is still relatively small, but its recent partnership with Dell Technologies has increased its exposure to large enterprise environments. The company is also the only evaluated vendor that offers a monetary guarantee related to its ability to recover from ransomware. Management is through a single web-first and API-driven interface that exposes metrics and data that matter most to customers. As a SaaS platform hosted in Amazon Web Services (AWS), the firm takes advantage of services in all AWS regions to support data sovereignty needs as well as resilience requirements. Some reference customers have used the vendor to provide backup for a remote site and then expanded its use after the product helped them through a ransomware event successfully. While its SaaS-native delivery may be an advantage for some, it means that the copany has chosen not to support some on-premises workloads and infrastructure, which might be limiting for enterprises that need to support a tech stack with a long tail of technology still in production. Druva is best for customers with few to no legacy workloads and significant cloud adoption; it’s also one of the best options for SaaS application data protection of the vendors that we evaluated.

Veeam Software
It is powerful and flexible, but software-only delivery is double-edged. It has a significant market presence in all business segments. It sometimes garners criticism as an insecure solution or as the target of certain ransomware cartels; the truth is that the firm supports the creation of a highly secure environment but that customers can easily misconfigure it. To the company’s credit, it invests a lot of time in educating customers about backups and backup safety. Vendor’s vision and planned enhancements are unique in that they’re fueled by significant customer outreach and research related to how businesses protect data and workloads. It has a well-established partner network that extends its capabilities beyond the functionality we captured in this evaluation. Veeam’s overall workload support is very good, with excellent support for Kubernetes, databases, storage, alternate recovery locations, and secure staging. Management and reporting can be complex and focuses on the backup administrator role, and SaaS protection is currently limited to Microsoft 365. Some reference customers use Veeam for niche backup needs, while others have deployed multinational backup environments on its Availability Suite. Reference customers have commended firm’s ability to produce patches for bespoke needs that go beyond default functionality. Managed services providers find the vendor to be a great choice, as its broad capabilities and software-only delivery model allow it to sell Veeam-as-a-service to customers without direct competition from Veeam itself. Customers with complex environments and significant technical resources will find Veeam Software a flexible tool for many environments.

Dell Technologies
Its excellent customer relationships bolster its position in the market. It has an excellent self-reinforcing ecosystem that provides a large market base for PowerProtect Data Manager (PPDM) and has legacy backup tools acquired over time as well. It also has a large installed base of PowerProtect secondary storage targets, including Data Domain appliances. As a whole, firm’s data resilience portfolio makes it larger than any of the other vendors that we reviewed for this market. However, company’s challenge lies in driving customers toward future-focused platforms. PPDM aims to consolidate functionality from multiple backup products into a single experience, with additional IaaS and SaaS backup capabilities provided through a Druva partnership branded as APEX Backup Services. PPDM’s functionality is below par relative to the offerings of dedicated data resilience vendors in this evaluation. Dell has focused on supporting the technologies that its customers care about most, including enterprise application and database support, enterprise storage, public IaaS, core SaaS platforms, and ransomware recovery. The products we reviewed provide the technical capabilities required for core backup, restore, and cyber resilience but require improvements in management, automation enablement, and reporting. Reference customers found the company easy to work with, and the value they get from the relationship increases when combined with other elements of the its ecosystem, including service and support. APEX Backup Services and PPDM are attractive options for existing customers.

Veritas
It has strong backup capability, but its market growth has been tepid. It recently rearchitected its entire NetBackup product, adding support for more hybrid cloud workloads plus native Kubernetes support. It’s also adopting a subscription-based licensing model. It has a moderate market presence and immediate brand recognition. In the recent past, it didn’t focus on expanding its customer base. However, the acquisition and integration of HubStor as NetBackup SaaS Protection, coupled with a redesigned platform, has put Veritas in a better position to acquire new customers. Backup-and-restore functionality is strong, with NetBackup 10 differentiating itself in eight of the 13 criteria. The management and reporting platform is API driven, clear, and easy to use. Reference customers are avid fans of Veritas generally and trust NetBackup to protect their most critical data; however, none have transitioned to version 10, citing the ownership of perpetual licenses. This means that the vendor will need to work to convey the value of upgrading to the new platform and will have to address its current subscription terms to make it more attractive for existing customers to convert to it.  NetBackup is a great tool for large enterprises that are looking for a modern backup system from a company with a reputation for keeping data safe.

Contenders

Zerto
It is known for supporting aggressive RPOs but has limited backup functionality. Its overall support for basic backup functions is below par compared with that of the competition. However, its addition of one-to-many Kubernetes replication and its partnership with Keepit, a Leader in The Forrester New Wave: SaaS Application Data Protection, Q4 2021, bring capabilities to the enterprise that other vendors can’t claim. Firm’s market presence is small, but its recent acquisition by Hewlett Packard Enterprise will open the company to a new set of buyers. While its market vision is aspirational, its vision doesn’t seem to connect to its product capabilities, and it won’t achieve that vision without significant resources, possibly from HPE. But Zerto is a vendor worth watching as HPE integrates Zerto’s technology into its own backup portfolio. While some aspects of Zerto’s history in DR give it strengths, such as automation and orchestration, the product isn’t designed to handle backups. It has limited support for most backup sources and falls down when addressing retention policies and long-term archiving. Zerto’s SaaS application protection, however, differentiates based on its Keepit partnership. The company also has strengths in converting between different virtual and cloud platforms as part of the ability to rehome workloads in a DR context. While large businesses may not choose the vendor as the backbone of their overall data resilience strategies, the technology is a perfect fit for use cases where customers need to protect workloads that have very aggressive RPOs and RTOs.

IBM
Its Spectrum Protect suite provides core functionality with piecemeal integration. IBM’s data resilience solution comprises Spectrum Protect, Protect Plus, and Protect Plus Online; IBM’s market presence is driven by the bundled sales and support options that many enterprises use when working with this vendor. The firm designed the 3 tools to address physical infrastructure and storage, virtualized infrastructure, and cloud workloads, respectively. On its own, the current offering is below par relative to competitors in this evaluation that focus on data resilience, but customers tend to leverage the solution with other products in IBM’s ecosystem, such as Predatar or QRadar, to address their needs. Big Blue’s vision for the Protect lineup includes a growing focus on security, cloud-native, and SaaS workloads as well as improving ease of use for its products. Together, the 3 products in the Protect suite can address most backup needs, but they’re not currently integrated from a management perspective. They don’t share a back-end storage repository, and backup security needs require other products and services in the IBM ecosystem. Compared with other dedicated data resilience vendors in this evaluation, functionality isn’t on par, though reference customers found the solution to be cost-effective and a fit for current needs. Those customers also noted the lack of consolidated management and reporting across the different products. Existing company’s customers get the best value from the Spectrum Protect product line when they couple it with other IBM ecosystem products, combined with firm’s service and support expertise.

Evaluation Overview
Here are evaluated vendors vs. 40 criteria, which we grouped into 3 high-level categories:

• Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic indicates the strength of its current offering. Key criteria for these solutions include backup-and-restore functionality, SaaS application data protection support, automation and orchestration, reporting and management, security integration and awareness, ransomware defense, and business needs awareness.
• Strategy. Placement on the horizontal axis indicates the strength of the vendors’ strategies. We evaluated product vision, market approach, performance, planned enhancements, supporting products and services, delivery model, and commercial model.
• Market presence. Represented by the size of the markers on the graphic, our market presence scores reflect each vendor’s revenue related to data resilience, number of enterprise customers, and average enterprise deal size.

Vendor Inclusion Criteria
Forrester included nine vendors in the assessment: Cohesity, Commvault, Dell Technologies, Druva, IBM, Rubrik, Veeam Software, Veritas, and Zerto.

Each of these vendors has:

• Comprehensive backup-and-restore functionality for both legacy and modern workloads. This includes backup-and-restore capabilities for traditional on-premises applications and infrastructure, cloud-hosted applications and infrastructure (IaaS), containers and cloud-native applications and infrastructure, and SaaS application data (e.g., data hosted in Microsoft 365, Salesforce, or other SaaS platforms).
• Ransomware recovery capabilities. This includes capabilities such as WORM storage and immutable file system support; anomaly detection; multifactor and/or multiperson authentication support; and some form of air gapping, vaulting, or backup isolation.
• Comprehensive reporting resilience and consolidated management interface. This includes the ability to manage backups, restores, and policies in an efficient way as well as to report on those functions and the overall resilience stance of the organization, both for C-suite-level conversations and day-to-day operations.
• Significant product revenue. Required is data resilience product revenue of $100 million or more during the vendor’s last complete annual fiscal period.
• Relevance to Forrester clients. Vendors evaluated must be relevant to analyst’s firm clients, as demonstrated through inquiries, consulting engagements, and search queries.
• Availability. It is required that the solution and its considered features be available as of August 1, 2022.