G Suite Backup with Afi.ai

By Vincent Marino, Afi Technologies

This document describes how to set up an automated G Suite backup using Afi.ai and (optionally) connect customer-owned Cloud Storage accounts.

In order to install the application in your G Suite domain, System Administrators must have domain administrator rights. The initial setup takes approximately 5 minutes; up to 24 hours might be required in order for all settings to take full effect.

Objectives

  • Install and configure Afi G Suite Backup.
  • Add your Cloud Storage account to Afi G Suite Backup.
  • Configure Afi G Suite Backup.
  • Add your Afi G Suite Backup customer account to the Afi partner management portal.

Afi G Suite Backup and recovery options

The Afi G Suite Backup tools enable versioning of Google Docs files, recovery of permanently deleted items through the Admin console, and data retention as part of the Google Vault G Suite data retention and eDiscovery solution.

With the Afi G Suite Backup policy, you typically use third-party software in addition to the native Google capabilities in order to extend the timeframe and scope of protected G Suite data, and to automate the recovery process.

Permanently deleted data

  • G Suite Admin console: Data deleted within 25 days can be restored.
  • Google Vault: Google Vault doesn't restore data. However, administrators can access and download user-deleted data that's protected by Vault retention rules for existing, licensed user accounts.
  • Third-party G Suite Backup: Yes, infinite data retention.

Deletion of user account

  • G Suite Admin console: Removes retained data in 20 days after account deletion.
  • Google Vault: Removes retained data.
  • Third-party G Suite Backup: Data is retained.

Folder structure

  • G Suite Admin console: Yes.
  • Google Vault: No.
  • Third-party G Suite Backup: Yes.

Gmail label structure

  • G Suite Admin console: Yes.
  • Google Vault: No.
  • Third-party G Suite Backup: Yes.

Metadata, rights, and permissions

  • G Suite Admin console: Authorship and created/modified dates are restored. Share permissions are not preserved.
  • Google Vault: Export functionality allows downloading files with authorship and created/modified dates. Sharing permissions are not preserved.
  • Third-party G Suite Backup: Document ID, authorship, created/modified dates are restored.

Individual emails and files

  • G Suite Admin console: No, only full G Suite account.
  • Google Vault: Can be retained and downloaded using export functionality.
  • Third-party G Suite Backup: Yes.

Email drafts and trash

  • G Suite Admin console: Cannot be restored.
  • Google Vault: Can be retained and downloaded using export functionality.
  • Third-party G Suite Backup: Yes.

Full user account

  • G Suite Admin console: Only the last state and within 20 days after deletion can be restored.
  • Google Vault: No.
  • Third-party G Suite Backup: Yes, point in time with infinite versions.

Contacts

  • G Suite Admin console: Only the full contact list within 30 days after deletion can be restored.
  • Google Vault: No.
  • Third-party G Suite Backup: Yes, granular G Suite Contacts backup, offline export and recovery.

Calendar events

  • G Suite Admin console: Events deleted within the last 30 days can be restored.
  • Google Vault: No.
  • Third-party G Suite Backup: Yes, granular G Suite Calendar backup, offline export, and recovery.

Point-in-time recovery

  • G Suite Admin console: No, only deleted files within the selected period.
  • Google Vault: Partial data export for the selected period is available, no restore back to G Suite.
  • Third-party G Suite Backup: Yes.

Real-time data preview

  • G Suite Admin console: No.
  • Google Vault: Yes.
  • Third-party G Suite Backup: Yes.

Admin involvement

  • G Suite Admin console: Data restore can only be performed by G Suite administrator.
  • Google Vault: Export and data download can only be performed by G Suite administrator.
  • Third-party G Suite Backup: Self-service recovery is available for end users.

Afi G Suite Backup capabilities

As one of the third-party G Suite backup solutions, Afi enables automated G Suite data backup to a secondary cloud storage location. In addition to doing scheduled backups, Afi uses AI technology to detect security events, perform preemptive backups, and accelerate recovery.

Cloud Storage backup

Afi G Suite Backup data is stored in the Cloud Storage location that you select during initial setup. The data is encrypted and stored in an immutable format. Any deletions, modifications, or other operations in the G Suite domain produce new versions of the data, but have no impact on the old recovery points.

AI backup engine

The AI backup engine monitors G Suite data changes and external data sources that include weather forecasts and major antivirus RSS feeds, in order to detect high-risk events (for example, massive changes to Google Drive files or outbreaks of new types of malware). The AI backup engine activates the protection by doing the following:

  • Performing high-frequency shared drives and G Suite user data backups to maximize the number of recovery points before the potential event.
  • Auto-labeling the recovery points. This feature indicates the changes between the versions and helps you recover to the latest unaffected version.

Backup access control

Afi relies on Identity Platform to authenticate administrators and users. Afi also implements role-based access control in order to limit access to backup contents within the application. Afi supports three types of roles:

  • G Suite Super Admin. Assigned by default to all G Suite Super Admin users in G Suite domains, granting them the right to view and export all domain users' data. You can configure and limit G Suite Super Admin access to users' data.
  • Backup Operator. Assigned to selected users to let them perform backup and restore operations for other users, without being able to view the backup content.
  • Self Service. Assigned to users who need to perform a limited set of recovery operations for their own accounts.

The following screenshot shows the Roles & Self-Service settings.

[Screenshot: Roles and self-service settings.]

Setting up Afi G Suite Backup

Install G Suite Marketplace

  1. Sign in to the Google Admin panel as a domain administrator and open the Afi G Suite Backup application in G Suite Marketplace.

    [Screenshot: G Suite Marketplace.]

  2. Click Domain install (Individual install is not supported). You can install the application to your entire domain or limit the installation to specific organizational units (OUs).

Initial configuration and storage selection

  1. Go to https://cp.afi.ai/ to access the application.
  2. Use your G Suite administrator account to sign in. Upon first signing in, you need to set the following:

    • Region to store data
    • Time zone, which affects the timing of automated backups

    [Screenshot: Afi welcome screen.]

  3. You can use your own Cloud Storage accounts to store backup data. In order to connect your storage account, submit the name of your Cloud Storage bucket to the Afi support ticketing system, and grant the Storage Object Admin role for the bucket to object-admin@afi-production.iam.gserviceaccount.com.

    After you confirm the settings, Afi will discover domain resources. For large domains, this process can take several seconds.
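To confirm that the grant in step 3 is scoped as intended, the following added example (not part of the original page and not Afi's own tooling) audits a bucket IAM policy for the service account's role and for public members. The function name and both sample policies are constructed for illustration.

```python
# Service account and role named in step 3 of this page.
AFI_MEMBER = "serviceAccount:object-admin@afi-production.iam.gserviceaccount.com"
REQUIRED_ROLE = "roles/storage.objectAdmin"  # role ID for Storage Object Admin
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_bucket_policy(policy):
    """Return sorted findings for a bucket IAM policy (dict parsed from JSON)."""
    findings = []
    afi_roles = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = set(binding.get("members", []))
        if AFI_MEMBER in members:
            afi_roles.add(role)
        # A backup bucket should never be readable or writable by the public.
        for public in members & PUBLIC_MEMBERS:
            findings.append(f"public access: {public} has {role}")
    if REQUIRED_ROLE not in afi_roles:
        findings.append(f"missing grant: Afi account lacks {REQUIRED_ROLE}")
    # Anything beyond the one documented role is more than the setup asks for.
    for extra in afi_roles - {REQUIRED_ROLE}:
        findings.append(f"excess grant: Afi account also has {extra}")
    return sorted(findings)


# Constructed sample policies in the shape printed by
#   gcloud storage buckets get-iam-policy gs://BUCKET --format=json
# (BUCKET and example-project are placeholders).
GOOD_POLICY = {"bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": REQUIRED_ROLE, "members": [AFI_MEMBER]},
]}
BAD_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": [AFI_MEMBER]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_bucket_policy(policy) or "no findings")
```

Roles inherited from the project or organization do not appear in the bucket-level policy, so review those separately.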

Google Cloud costs

By default, you can select one of the two Google Cloud regions during the initial configuration (step 2). There are no additional storage costs because all storage costs are already included in Afi subscription fees. The two default regions are the following:

  • eu-west1 (St. Ghislain, Belgium)
  • us-central1 (Council Bluffs, Iowa, USA)

If you elect to use your own Cloud Storage account, instead of the default Afi storage options, then you need to pay for storage capacity, data retrieval, and egress charges, in addition to the Afi service subscription. For more pricing information, see the Google Cloud documentation.

Backup and recovery operations

Customize protection policies

Afi protection is based on Service Level Agreement (SLA) policies, which define how often backups are performed and what G Suite applications are protected. By default, Afi provides 4 policies for user accounts and shared drives protection:

  • Gold (3x per day backups, all G Suite applications)
  • Silver (2x per day backups, all G Suite applications)
  • Bronze (1x per day backups, all G Suite applications)
  • Manual (on-demand backups, no automated backups, all G Suite applications)

Each SLA policy can be customized to include the selected applications (or to exclude the unselected applications).

  1. Go to the Configuration screen and make sure the SLA tab is selected.
  2. Select or clear the required applications to include or exclude in the SLA.

    [Screenshot: Selecting or clearing required applications in the SLA tab.]

Assign protection policies

You can assign protection policies to individual resources, OUs, or entire domains.

To apply protection using the OU view, follow these steps:

  1. In the Protection section of the Afi application, click Organizational units.
  2. Select the OUs you want to protect.
  3. Click Assign SLA.
  4. In the pop-up window, select which SLA to apply.

    [Screenshot: Applying protection to all resources in the domain.]

  5. Click the checkbox in the top-left corner to apply protection to all resources in the domain.

Recover data

  • In the Protection section of the Afi application, select Recover to search, preview, and recover the data.

    [Screenshot: Select Recover to search, preview, and recover the data.]

    You can download or restore to G Suite from a selected recovery point:

    1. Under the Backup version label, browse the recovery points in the drop-down calendar.
    2. Click the selected recovery point.
    3. Use Search to find email messages or files.
    4. Click Download or Recover to export data offline or restore it to G Suite.

      [Screenshot: Exporting data offline or restoring it to G Suite.]

    You can perform restore operations for the following:

    • Whole user accounts or shared drives
    • Specific services (for example, restore user data only from G Suite email backup)
    • Separate items (for example, specific email messages, labels, or Google Drive folders)

Scope of ransomware protection

Ransomware can infect your users' machines and encrypt the information stored on their computers, including Google Drive files and other G Suite data. Afi has a built-in ransomware protection engine that helps detect G Suite ransomware attacks and initiates preemptive backup runs before ransomware spreads in your infrastructure. The recovery points resulting from the backup runs are immutable and cannot be encrypted or otherwise modified. This lets you recover G Suite data after an attack.

What Afi G Suite Backup can do

  • Detect ransomware and notify your G Suite administrator.
  • Take preemptive G Suite backups before the data is affected.
  • Add labels to recovery points to indicate changes between versions and to indicate the last unaffected version of G Suite data before encryption.
  • Recover G Suite data from existing recovery points before ransomware attacks.

What Afi G Suite Backup cannot do

  • Remove ransomware from infected machines.
  • Prevent ransomware from spreading.
  • Recover G Suite data if no recovery points exist (if backups were not running before the ransomware attack).
  • Recover non–G Suite data from your users' computers.

Protection status monitoring

In the Overview section of the Afi application, G Suite administrators can view the protection summary and activity log.

The most recent backup and restore operations are summarized in the Activity table at the bottom. Out-of-schedule backup operations triggered by AI in response to a security event have the preemptive backup activity type, while regular backup operations per SLA policies have the scheduled backup activity type.

[Screenshot: Preemptive and scheduled backup activity types.]

To view details for security events that triggered preemptive backups, and all other activities within the Afi application, go to the Audit section.

Afi G Suite Backup audit trail

System administrators can review the activity in the Audit section of the Afi application.

  1. Click Tasks to review backup and restore operations and their progress.

    [Screenshot: Reviewing backup and restore operations and their progress.]

  2. Go to the Audit tab to view the complete list of Afi G Suite backup events, including the following:

    1. User sign-in to Afi applications
    2. Backup data access operations
    3. Backup and restore operations
    4. Detected security threats

The Audit tab reflects all activity in the application, including actions performed by partners on behalf of their customers, licensing changes, and Afi configuration changes.

Partner management portal

Afi provides a partner management portal for managed service providers (MSPs) that manage G Suite backup on behalf of their customers. The portal enables MSPs to create Afi subscriptions, manage G Suite backup policies, and execute data recovery operations for multiple customers from a single management portal.

Adding customers to the partner management portal

  1. Install Afi G Suite Backup in your customer's domain.
  2. In the Configuration section, go to the Service tab, and copy your customer's Afi customer ID.

    [Screenshot: Adding customers to the partner management portal.]

  3. Sign in to the partner management portal.

  4. In the Customers section, click + Add customer.

    [Screenshot: Adding a customer.]

    The customer's name appears in the list of customers.

In the Billing section of the partner management portal, partners can activate Afi G Suite Backup licenses for their customers. Afi sends the invoices and payment receipts to the partner's email address.

Partner access revocation

Customers can configure and revoke partner access to their Afi G Suite Backup account at any time.

  1. Sign in to the Afi G Suite Backup application.
  2. In the Configuration section, go to the Roles & Self-Service tab.
  3. Select the required partner role privileges, or click Revoke partner access.

What's next

  • Sign up for an Afi G Suite Backup trial.
  • Install the Afi G Suite Backup application from G Suite Marketplace.
  • Review Afi G Suite Backup pricing.
  • Find out more about native G Suite recovery capabilities.
  • Try out other Google Cloud features for yourself. Have a look at our tutorials.