By Vincent Marino, Afi Technologies
This document describes how to set up an automated G Suite backup using Afi.ai and (optionally) connect customer-owned Cloud Storage accounts.
In order to install the application in your G Suite domain, System Administrators must have domain administrator rights. The initial setup takes approximately 5 minutes; up to 24 hours might be required in order for all settings to take full effect.
- Install and configure Afi G Suite Backup.
- Add your Cloud Storage account to Afi G Suite Backup.
- Configure Afi G Suite Backup.
- Add your Afi G Suite Backup customer account to the Afi partner management portal.
Afi G Suite Backup and recovery options
The Afi G Suite Backup tools enable versioning of Google Docs files, recovery of permanently deleted items through the Admin console, and data retention as part of the Google Vault G Suite data retention and eDiscovery solution.
With the Afi G Suite Backup policy, you typically use third-party software in addition to the native Google capabilities in order to extend the timeframe and scope of protected G Suite data, and to automate the recovery process.
|G Suite Admin console||Google Vault||Third-party G Suite Backup|
|Permanently deleted data||Data deleted within 25 days can be restored. Link||Google Vault doesn't restore data. However, administrators can access and download user-deleted data that's protected by Vault retention rules for existing, licensed user accounts. Link||Yes, infinite data retention.|
|Deletion of user account||Removes retained data in 20 days after account deletion. Link||Removes retained data.
|Data is retained.|
|Folder structure||Yes.||No. Link||Yes.|
|Gmail label structure||Yes.||No. Link||Yes.|
|Metadata, rights, and permissions||Authorship and created/modified dates are restored. Share permissions are not preserved. Link||Export functionality allows downloading files with authorship and created/modified dates. Sharing permissions are not preserved. Link||Document ID, authorship, created/modified dates are restored.|
|Individual emails and files||No, only full G Suite account. Link||Can be retained and downloaded using export functionality.||Yes.|
|Email drafts and trash||Cannot be restored. Link||Can be retained and downloaded using export functionality.||Yes.|
|Full user account||Only the last state and within 20 days after deletion can be restored. Link||No. Link||Yes, point in time with infinite versions.|
|Contacts||Only the full contact list within 30 days after deletion can be restored. Link||No. Link||Yes, granular G Suite Contacts backup, offline export and recovery.|
|Calendar events||Events deleted within the last 30 days can be restored. Link||No. Link||Yes, granular G Suite Calendar backup, offline export, and recovery.|
|Point-in-time recovery||No, only deleted files within the selected period. Link||Partial data export for the selected period is available, no restore back to G Suite. Link||Yes.|
|Real-time data preview||No. Link||Yes.||Yes.|
|Admin involvement||Data restore can only be performed by a G Suite administrator.||Export and data download can only be performed by a G Suite administrator.||Self-service recovery is available for end users.|
Afi G Suite Backup capabilities
As one of the third-party G Suite backup solutions, Afi enables automated G Suite data backup to a secondary cloud storage location. In addition to doing scheduled backups, Afi uses AI technology to detect security events, perform preemptive backups, and accelerate recovery.
Cloud Storage backup
Afi G Suite Backup data is stored in the Cloud Storage location that you select during initial setup. The data is encrypted and stored in an immutable format. Any deletions, modifications, or other operations in the G Suite domain produce new versions of the data, but have no impact on the old recovery points.
AI backup engine
The AI backup engine monitors G Suite data changes and external data sources that include weather forecasts and major antivirus RSS feeds, in order to detect high-risk events (for example, massive changes to Google Drive files or outbreaks of new types of malware). The AI backup engine activates the protection by doing the following:
- Performing high-frequency shared drives and G Suite user data backups to maximize the number of recovery points before the potential event.
- Auto-labeling the recovery points. This feature indicates the changes between the versions and helps you recover to the latest unaffected version.
Backup access control
Afi relies on Identity Platform to authenticate administrators and users. Afi also implements role-based access control in order to limit access to backup contents within the application. Afi supports three types of roles:
- G Suite Super Admin. Assigned by default to all G Suite Super Admin users in G Suite domains, granting them the right to view and export all domain users' data. You can configure and limit G Suite Super Admin access to users' data.
- Backup Operator. Assigned to selected users to let them perform backup and restore operations for other users, without being able to view the backup content.
- Self Service. Assigned to users who need to perform a limited set of recovery operations for their own accounts.
The following screenshot shows the Roles & Self-Service settings.
Setting up Afi G Suite Backup
Install G Suite Marketplace
Sign in to the Google Admin panel as a domain administrator and open the Afi G Suite Backup application in G Suite Marketplace.
Click Domain install (Individual install is not supported). You can install the application to your entire domain or limit the installation to specific organizational units (OUs).
Initial configuration and storage selection
- Go to https://cp.afi.ai/ to access the application.
Use your G Suite administrator account to sign in. Upon first signing in, you need to set the following:
- Region to store data
- Time zone, which affects the timing of automated backups
You can use your own Cloud Storage accounts to store backup data. In order to connect your storage account, submit the name of your Cloud Storage bucket to the Afi support ticketing system, and grant the Storage Object Admin role for the bucket to
After you confirm the settings, Afi will discover domain resources. For large domains, this process can take several seconds.
Google Cloud costs
By default, you can select one of the two Google Cloud regions during the initial configuration (step 2). There are no additional storage costs because all storage costs are already included in Afi subscription fees. The two default regions are the following:
eu-west1(St. Ghislain, Belgium)
us-central1(Council Bluffs, Iowa, USA)
If you elect to use your own Cloud Storage account, instead of the default Afi storage options, then you need to pay for storage capacity, data retrieval, and egress charges, in addition to the Afi service subscription. For more pricing information, see the Google Cloud documentation.
Backup and recovery operations
Customize protection policies
Afi protection is based on Service Level Agreement (SLA) policies, which define how often backups are performed and what G Suite applications are protected. By default, Afi provides 4 policies for user accounts and shared drives protection:
- Gold (3x per day backups, all G Suite applications)
- Sliver (2x per day backups, all G Suite applications)
- Bronze (1x per day backups, all G Suite applications)
- Manual (on-demand backups, no automated backups, all G Suite applications)
Each SLA policy can be customized to include the selected applications (or to exclude the unselected applications).
- Go to the Configuration screen and make sure the SLA tab is selected.
Select or clear the required applications to include or exclude in the SLA.
Assign protection policies
You can assign protection policies to individual resources, OUs, or entire domains.
To apply protection using the OU view, follow these steps:
- In the Protection section of the Afi application, click Organizational units.
- Select the OUs you want to protect.
- Click Assign SLA.
In the pop-up window, select which SLA to apply.
Click the checkbox in the top-left corner to apply protection to all resources in the domain.
In the Protection section of the Afi application, select Recover to search, preview, and recover the data.
You can download or restore to G Suite from a selected recovery point:
- Under the Backup version label, browse the recovery points in the drop-down calendar.
- Click the selected recovery point.
- Use Search to find email messages or files.
Click Download or Recover to export data offline or restore it to G Suite.
You can perform restore operations for the following:
- Whole user accounts or shared drives
- Specific services (for example, restore user data only from G Suite email backup)
- Separate items (for example, specific email messages, labels, or Google Drive folders)
Scope of ransomware protection
Ransomware can infect your users' machines and encrypt the information stored on their computers, including Google Drive files and other G Suite data. Afi has a built-in ransomware protection engine that helps detect G Suite ransomware attacks and initiates preemptive backup runs before ransomware spreads in your infrastructure. The recovery points resulting from the backup runs are immutable and cannot be encrypted or otherwise modified. This lets you recover G Suite data after an attack.
What Afi G Suite Backup can do
- Detect ransomware and notify your G Suite administrator.
- Take preemptive G Suite backups before the data is affected.
- Add labels to recovery points to indicate changes between versions and to indicate the last unaffected version of G Suite data before encryption.
- Recover G Suite data from existing recovery points before ransomware attacks.
What Afi G Suite Backup cannot do
- Remove ransomware from infected machines.
- Prevent ransomware from spreading.
- Recover G Suite data if no recovery points exist (if backups were not running before the ransomware attack).
- Recover non–G Suite data from your users' computers.
Protection status monitoring
In the Overview section of the Afi application, G Suite administrators can view the protection summary and activity log.
The most recent backup and restore operations are summarized in the Activity table at the bottom. Out-of-schedule backup operations triggered by AI in response to a security event have the preemptive backup activity type, while regular backup operations per SLA policies have the scheduled backup activity type.
To view details for security events that triggered preemptive backups, and all other activities within the Afi application, go to the Audit section.
Afi G Suite Backup audit trail
System administrators can review the activity in the Audit section of the Afi application.
Click Tasks to review backup and restore operations and their progress.
Go to the Audit tab to view the complete list of Afi G Suite backup events, including the following:
- User sign-in to Afi applications
- Backup data access operations
- Backup and restore operations
- Detected security threats
The Audit tab reflects all activity in the application, including actions performed by partners on behalf of their customers, licensing changes, and Afi configuration changes.
Partner management portal
Afi provides a partner management portal for managed service providers (MSPs) that manage G Suite backup on behalf of their customers. The portal enables MSPs to create Afi subscriptions, manage G Suite backup policies, and execute data recovery operations for multiple customers from a single management portal.
- To access the portal, sign up at https://portal.afi.ai.
Adding customers to the partner management portal
- Install Afi G Suite Backup in your customer's domain.
In the Configuration section, go to the Service tab, and copy your customer's Afi customer ID.
Sign in to the partner management portal.
In the Customers section, click + Add customer.
The customer's name appears in the list of customers.
In the Billing section of the partner management portal, partners can activate Afi G Suite Backup licenses for their customers. Afi sends the invoices and payment receipts to the partner's email address.
Partner access revocation
Customers can configure and revoke partner access to their Afi G Suite Backup account at any time.
- Sign in to the Afi G Suite Backup application.
- In the Configuration section, go to the Roles & Self-Service tab.
- Select the required partner role privileges, or click Revoke partner access.