How to protect data against disaster in the cloud

The customer, and not the service provider, is primarily responsible for protecting their data in the cloud, and CIOs should not assume cloud providers are secure.
Read time 4min 40sec

There is a common misconception among cloud customers that their data is safe and disaster-free.

For example, Gartner notes that many cloud providers invest significantly in security in the knowledge that their businesses would be at risk without doing so; however, that does not mean that security is guaranteed in the cloud.

The research house emphasises that cloud security is a shared responsibility between the provider and consumer, and notes that CIOs should not just assume that cloud providers are, or are not, secure.

The emphasis here is on the word ‘shared’ − this is a fact to which many cloud customers seem oblivious. The security levels of cloud providers vary, and CIOs would be well-advised to assess their capabilities and that of the potential provider and hold both to reasonable standards.

Cloud services are now so prevalent and easy to use but many businesses still think that if their data is in the cloud, it's backed up and protected by their cloud provider.

A recent global study found that 44% of respondents believe protection and recovery of data stored in public clouds is the cloud provider's responsibility. This is not the case, which is why companies need to ask if and how their data is safe when moving to the cloud.

How do you keep data safe, even when disaster strikes the cloud provider? Start by reading the small print.

In other words, do not rely solely on the cloud provider to protect data − it must also be your responsibility. For example, if signing up for a service such as Office 365, Microsoft clearly states in its terms and conditions that it does not take responsibility for the data. It's your responsibility to manage and protect your data.

Many businesses still think that if their data is in the cloud, it's backed up and protected by their cloud provider.

Typically, Microsoft will back up the data for 30 days. After that, it cedes responsibility. Therefore, it recommends companies use third-party software to protect their data in the long-term.

When moving to the cloud, business leaders need to get their heads around the concept of shared responsibility and that the sharing is not entirely equal. The customer, and not the service provider, is primarily responsible for protecting their data in the cloud.

Leading providers like AWS, Microsoft Azure and Google Cloud Platform typically secure the core infrastructure and services as part of their responsibility. But when it comes to securing operating systems, platforms and data, that responsibility lies squarely in the customers' hands.

Organisations that overlook this fact will do so at their peril and face a much higher likelihood of suffering data loss.

Business owners need to be aware of their responsibility and ensure they have protection solutions in place, and regularly test how data can be recovered if a loss happens.

Backup copies

A sound data protection strategy should follow the 3-2-1-1 data-protection model. This directs that companies should have three backup copies of data on two different media types, such as disk and tape, with one of those copies located offsite for disaster recovery. The final 1 in the equation is immutable object storage.

Companies should look for a cloud storage solution that safeguards information continuously by taking snapshots every 90 seconds. This means that even if disaster strikes, organisations can quickly recover data. There will always be a series of recovery points with immutable cloud storage, ensuring data remains protected.

Make sure the company understands the security capabilities of the cloud provider. Do this by asking the right questions. Start by asking the provider what procedures it follows for business continuity and disaster recovery.

Also understand its service-level standards. Query if the service is designed to stay up 99% of the time or 99.999%? The difference between these two figures is not as obvious as you may think. Just one or two 9s can be the difference between three full days of downtime per year for the business versus 27 minutes of downtime per annum.

That difference can have a significant impact on the bottom line. Also be sure to determine if the cloud provider offers the additional data backup that lets you back up data to various geographic locations. Ensure it is part of the contract, and if it is not, the company may need to subscribe to a third-party data-protection partner to ensure the proper data backup and disaster recovery plan is in place.

Lastly, ensure you are clear on how easy or difficult it is to move to a different cloud provider. Moving from one provider to another is often easier said than done.

Do you have a backup and recovery plan? If not, put one together. Having the correct backup and recovery plan enables data to be protected when disaster strikes. The plan should include a simulation of business disruption to assess the disaster recovery plan. It should also include the regular testing of backup images so any issues can be resolved before they occur.

The most important piece of advice: at the end of the day, businesses should hope for the best and prepare for the worst when it comes to data protection. 

Byron Horn-Botha

Lead: Arcserve Southern Africa channel and partnerships.

Byron Horn-Botha is lead: Arcserve Southern Africa channel and partnerships. He has been involved in the technology sector in sales and management roles since he commenced his working career eight years ago. He moved from his first position at Pastel in 2012 to work for a SAP partner specialising in the SAP budgeting planning, consolidation solution and enterprise play oriented solution. In this role, he was focused on new business expansion within and outside the SAP user community. In 2014, he joined CA Southern Africa in a business development role. In 2015, Horn-Botha moved into the Arcserve arena, fulfilling the role of new business development, as an Arcserve partner, followed by the move to the 2018 Arcserve corporate position. Throughout his career, he has worked with channel partners, giving him in-depth insight into the challenges faced by the sector.

See also