Raw S3 storage vs managed backup: what South African businesses need to know
Local S3 storage looks cheap — until something goes wrong. We break down what raw cloud storage can't do, and what the difference costs a South African business in a ransomware event.
A new wave of local cloud storage providers has arrived in South Africa, and the pricing is genuinely compelling. All-NVMe infrastructure, ZAR-denominated billing, no egress fees, and data that stays on South African soil. For cost-conscious IT teams, it looks like an easy win.
But there's a question most of these comparisons skip: what happens the morning after a ransomware attack?
This post breaks down exactly what raw cloud storage gives you, what it doesn't, and what the difference costs a South African business when something actually goes wrong.
What raw S3 storage actually is
S3-compatible object storage — whether from AWS, Azure, or a local South African provider — is fundamentally a durable bucket. You write files to it, it keeps them safe, and you can retrieve them later. That's it.
For archive storage, that's often exactly what you need. Long-term retention of cold data at low cost, with no surprise fees for leaving it there.
The problem starts when you use it as your only backup strategy — and treat the bucket as a synonym for data protection.
The five things a storage bucket cannot do
1. Verify that your backup is actually recoverable
A raw S3 bucket confirms that a file was written to it. It does not verify that the file is internally consistent, that the backup job completed without errors, or that restoring from that point will produce a working system. Backup verification — confirming that a restore test succeeds — requires active orchestration that object storage doesn't provide.
2. Configure your retention policies for POPIA compliance
The Protection of Personal Information Act (POPIA) requires that personal data is kept no longer than necessary for the purpose it was collected. A raw storage bucket has no concept of a data subject, a retention policy, or a deletion schedule. If you store email backups that contain personal information, and you keep them for seven years because "it's just storage," you are accumulating POPIA liability with every passing month.
3. Detect a ransomware attack before it encrypts your backups
Modern ransomware doesn't just encrypt your production systems — it targets your backups first. An attacker with access to your environment can write encrypted files to your S3 bucket and silently overwrite clean restore points over days or weeks, before triggering the visible encryption event. By the time you notice, your backup history is compromised.
Managed backup platforms with AI anomaly detection can identify unusual write patterns — sudden spikes in new files, unexpected changes to backup job behaviour, modifications to retention locks — and flag them before the damage is complete. A raw bucket has no anomaly detection. It stores whatever is written to it.
4. Tell you which restore point is clean after an attack
When a ransomware event occurs, the most time-critical question is: which backup is safe to restore from? Attackers frequently tamper with backup metadata to obscure the last clean copy. A raw S3 bucket cannot answer this question — it requires forensic analysis of every restore point, which can take days.
Managed platforms with immutable, air-gapped backup copies and integrity verification can identify the last guaranteed clean copy in minutes, not days. The difference between 6 hours and 23 days of recovery time frequently comes down to this single capability.
5. Reconstruct your environment — not just your files
Even if you have a clean backup, restoring it to a working state is a different problem. A server backup is not the same as a running server. Reconstructing Active Directory, remounting databases in the correct order, spinning up VMs against the right network configuration, and verifying that applications start cleanly after a restore — none of this happens automatically because you have an S3 bucket with your data in it.
This is where the "we have backups" assumption fails most often. The backup exists. The restore doesn't work. The business loses days.
What does 23 days of downtime actually cost?
The Veeam 2024 Data Protection Trends Report found that the average organisation takes 3.4 weeks to fully recover from a ransomware attack. South African-specific research from Liquid Intelligent Technologies put average ransomware recovery time for local SMEs at over 20 days.
At 20 working days of downtime, consider a business with:
- 50 employees at an average fully-loaded cost of R 25,000/month each: R 1.25M in unproductive labour costs
- R 500,000/day in revenue (modest for a mid-sized operation): R 10M in lost revenue
- POPIA regulatory exposure for a data breach: up to R 10M in fines per the Act
- Reputational damage to client relationships: unquantifiable, but frequently terminal for SMEs in legal, financial, and healthcare sectors
The total cost of a single unmanaged ransomware event routinely exceeds R 5–15M for a mid-sized South African business. The annual cost of managed backup with ransomware protection for the same business: typically R 24,000–R 96,000 per year depending on data volume and tier.
The real comparison: storage cost vs total cost of ownership
When a local S3 provider advertises R 600/month for 10TB of archive storage, that number is accurate and genuinely competitive. Here's what it doesn't include:
| What you get with raw storage (R 600/mo) | What you need but have to add separately |
|---|---|
| Durable object storage | Backup software licence (Veeam, Acronis, etc.) |
| S3-compatible API | Backup job configuration and scheduling |
| No egress fees | Backup verification and integrity testing |
| ZAR billing | Retention policy management (POPIA alignment) |
| Data on SA soil | Anomaly detection and ransomware early warning |
| Immutability (WORM) | Incident response and clean-copy identification |
| — | Application-level restore orchestration |
| — | DR testing and runbook management |
| — | Ongoing monitoring and alerting |
Each of the items in the right column requires either a software licence, a qualified engineer, or both. For a business with an internal IT team capable of managing all of the above, raw storage is the right choice. For most South African SMEs and mid-market organisations, the total cost of building and managing that capability exceeds the cost of a managed service — and the risk of doing it poorly is catastrophic.
When raw storage is the right answer
To be clear: raw local S3 storage is an excellent product for specific use cases.
- Long-term archive storage for data that doesn't change and doesn't need rapid recovery
- Secondary backup targets for organisations with a managed primary backup layer already in place
- Cost reduction for hyperscaler egress fees — if you're currently paying AWS or Azure for storage and data transfer, local S3 eliminates those costs meaningfully
- Organisations with dedicated IT capability to manage backup software, verify restores, and maintain POPIA-aligned retention policies internally
Montana Data Company can architect solutions that include local S3 as the underlying storage target, orchestrated by our managed backup layer. The two are not mutually exclusive — the question is which layer is doing the protection work.
The question to ask your IT team
Before your next backup review, ask one question:
"Who in our organisation is responsible for the restore working — not the backup running, but the data being usable again after an incident?"
If the answer is clear and that person has a tested runbook, verified restore history, and a documented DR plan — you may be well positioned regardless of your storage choice.
If the answer is unclear, or if the last restore test was more than six months ago, or if your backup verification is "we check that the job completed" rather than "we test that the data is recoverable" — the gap between your current posture and a managed service is worth understanding before an incident makes it visible.
What Montana Data Company provides
We provide managed backup, ransomware protection, and data governance for South African businesses that cannot afford to find out their backups don't work on the day they need them.
Our solutions include:
- SaaS & Endpoint Backup (Druva-powered) — M365, Google Workspace, Salesforce, and distributed endpoints. Includes anomaly detection, immutable air-gapped copies, and guaranteed clean-copy recovery. From R 57.50/month incl. VAT.
- Enterprise Backup — bespoke, consultative architecture for complex hybrid and multi-cloud environments with stringent RPO/RTO requirements.
- Ransomware Protection — immutable storage, AI anomaly detection, and managed incident response. Available as the premium tier within SaaS & Endpoint Backup.
- POPIA Compliance Consulting — data classification, retention policy design, and independent privacy audits.
All data is stored exclusively on South African soil. All pricing is in ZAR. No egress fees, no foreign currency invoices, no hidden retrieval penalties.
Build your solution → | Request a risk assessment →
Montana Data Company is an IBM Authorised Partner and Druva Authorised Partner, delivering enterprise-grade data resilience to South African businesses since 2013.