By Doug O’Flaherty
Cloud backup and disaster recovery (BDR) has a wealth of benefits. It provides geographically redundant data protection on elastic storage with virtual machines on-demand. For most companies, the cloud BDR environment is vastly superior to any other option.
Cloud data centers are certified for their preparedness, physical security, process, and controls. World-class Tier III and IV data centers are built to achieve more than 99.98% availability. SAS70/SSAE16 certification ensures they are following the industry’s best practices for security. The infrastructure is highly redundant and they have additional resources standing by in the event of a catastrophe. Being in the cloud, companies benefit from multiple high-speed data links for more bandwidth and lower latency. Backups can be faster and the users of remote systems will have the best experience possible.
Cloud BDR providers specialize in copying, moving, verifying, and securing customer data. With petabytes of data under stewardship, they invest in technology and security at a level beyond what their customers can. The leaders in cloud BDR have multiple independent strategies to secure their service. Isolated networks, firewalls, encrypted connections, and 24×7 security monitoring follow SOC2 guidelines and are regularly audited. Providing HIPAA attestation requires the service to audit its data encryption, authentication, authorization, and administrative access controls. It is a business imperative to safeguard customer data.
So why are we still talking about security concerns in cloud BDR?
As Bruce Schneier has said, “Security is both a feeling and reality.” In reality, backing up data to the cloud is probably more secure than it is on most company servers. It is also a leap of faith for the IT leader who is outsourcing a highly visible, business-critical function to a third party.
Cloud BDR is a collection of multiple functions, each of which must be properly secured. Best practices may be well known to the IT administrator and closely followed by the cloud BDR vendor. However, because IT professionals have limited experience with cloud BDR, working through a simple checklist is not enough for them to feel secure.
Backup data should always be encrypted with a passphrase that is independently secured. Options to encrypt customer data at backup with a user-specified key provide an additional layer of data protection. Connections between on-premises systems and the cloud are secured with TLS (Transport Layer Security) using protected certificates to authenticate the connections. Cloud storage should limit access by any administrator, with audit controls in place.
Cloud BDR services provide multiple options for restoration that require additional levels of authentication and authorization. Self-service restore may be the most convenient for end-users. These should have specific authorization schemes with time or access limits to properly destroy the cloud copy after it has been restored on-site. Spinning up virtual machines for disaster recovery should include secure access and the ability to isolate the new systems from the Internet.
Despite diligence and regular testing, everyone knows a story of a backup that failed to run, an image that failed to boot, or a file that isn’t where the business thought it was. Active monitoring for the complete backup process, including cloud redundancy, is important. Problems are easier to resolve when they are caught early. In the event of an issue, administrators from both the cloud BDR vendor and the customer may need to work together to solve the problem. Secure support channels and well-documented escalation processes are part of the security profile of cloud BDR.
There is no doubt that cloud BDR can be cost-effective, scalable, and secure. Moving data to a secure, geographically redundant data center with dedicated staff to manage and monitor the infrastructure and service should be an easy decision to make. However, cloud BDR is not merely a storage service. There are many elements in the service to be evaluated before making the long-term commitment of copying business-critical data to a third party. As real as the security of a leading cloud BDR service is, it takes time for IT professionals to feel it.
About the author: Doug O’Flaherty is Cloud Product Director at Continuum Managed IT Services, responsible for the direction, development, and go-to-market strategy for its cloud portfolio of products, including C3. He has held senior management roles at Red Hat, AMD, and several start-ups. He has a bachelor’s degree in physics from Yale University and has done coursework in entrepreneurship and leadership at Harvard Business School Executive Education.