There are many things to like about cloud backup solutions, such as inexpensive capacity, reduced capital expenditures and simplified data management. The
But that architecture and delivery model makes some administrators nervous. They are uncomfortable sending important data outside their organization's walls and relying on third parties for backup performance, data privacy, security and restoration. Robb Bryn, co-owner and director of operations for CFWebmasters.com, had some of those concerns. CFWebmasters is a Wilmington, N.C.-based Web development and design shop with 16 employees and 400 to 500 customers. The company's managed hosting provider, Raleigh, N.C.,-based Hosted Solutions Acquisition, proposed the idea of using a cloud backup solution to help alleviate Bryn's capacity shortage.
CFWebmasters leases a half-rack from Hosted Solutions. A few months ago, Bryn was at a crossroads. He was using a Dell Inc. PowerVault 220S with 2 TB of capacity set aside for backup, but his daily backups were amounting to nearly 1.5 TB every week, so he was able to retain less than two weeks of data backups. "We needed to make a decision," Bryn said. "We either were going to use the last 3Us [in the rack] for backup space, move to a full rack, or get a SAN or NAS." What he really wanted to do was use the last 3Us in the rack for additional processing power for his VMware Inc. ESX server that runs his company's critical applications.
Hosted Solutions was in the process of implementing its Stratus Cloud Storage service with a TwinStrata CloudArray virtual appliance on the front end and EMC Corp. Atmos on the back. This would be the hosting provider's first foray into full-streaming cloud backup services. Hosted Solutions showed Bryn how the cloud backup service would be his most economical option, and would save him from having to fill his remaining rack space with additional devices for storage capacity.
Bryn had two main concerns. First, he worried about possible performance issues that would keep him from completing his nightly backups, which were taking about six hours at the time. "I know Fibre-attached storage," he said. "I know how that works. I know how direct-attached storage works. We're already in that environment. Online backups to us was a scary thing because of the timing involved. Our biggest concern was can we keep with our existing backup routines and still achieve our backups." Second, Bryn was concerned about having to purchase additional bandwidth from Hosted Solutions to accommodate the additional backup traffic. So, Bryn opted to perform daily backups using the Stratus Cloud Storage service and monthly backups to the Dell PowerVault. "I would like to get to the point where I am doing at least one full backup to the cloud a month, because that is the one thing that's my one weakness right now," he said.
One issue Bryn didn't have was security, which is unusual for organizations considering moving to cloud backup. He uses Symantec Corp.'s Backup Exec, which has encryption, and the link between the TwinStrata virtual appliance and Hosted Solutions servers is also compressed with password protection and encrypted.
Cloud backup security a big concern for users
According to Lauren Whitehouse, a senior analyst with the Enterprise Strategy Group, her research has shown that security is a big concern for businesses considering cloud data backup services. Both IT
The only way to get insight into the security of the application and its supporting systems is to ask for the results of a penetration test or vulnerability assessment.
founder and consultantPrinciple Logic LLC
and management have concerns that third-party providers won't have the same strict physical and digital security and privacy measures in place as the corporate IT department. "Is my data comingling with other people's data?" Whitehouse said is a typical question. "Could someone accidently gain access to my stuff? Those are the questions where people just aren't quite comfortable yet."
To alleviate those concerns with cloud solutions, Whitehouse suggests asking for documentation of the service provider's internal controls and researching the providers' data center ratings. Also, Kevin Beaver, CISSP, founder and consultant with Principle Logic LLC, an independent information security firm, suggests finding out if a Statement on Auditing Standards (SAS) No. 70 Type II audit has been performed on the data center, which can show that the service provider has adequate controls and safeguards for hosting customer data. However, that SAS Type II audit reports likely won't reveal technical vulnerabilities around specific applications. "The only way to get insight into the security of the application and its supporting systems is to ask for the results of a penetration test or vulnerability assessment," Beaver said.
Initial cloud backup performance issues
When Bryn agreed to be Hosted Solutions cloud backup guinea pig and they first implemented the service, Bryn's performance concerns became reality. His backups took 12 to 18 hours to complete. But as he discovered, it wasn't due to the cloud backup solution. "Most of our issues were either in the internal network design or in his collocated hardware," he explained." It ended up not being cloud performance at all." Hosted Solutions tweaked the virtual appliance; they replaced the RAID 5 configuration with a mirrored array, and replaced an older Dell 1850 server with a faster 1950 model. Now his backup window is down to 5.5 hours. "So the performance is relatively the same," he said. While Bryn had to pay for his own hardware replacements, Hosted Solutions provided all of its tweaks for free.
Whitehouse recommends organizations considering cloud backup solutions that are concerned about performance issues should ask if the provider uses advanced data services such as compression and deduplication. While the provider may not have much control over bandwidth connections between the organization and the back-end cloud storage, they can control how much data is sent over the wire.
Another strategy is to request a service-level agreement (SLA), but be prepared for some resistance. "With few exceptions, third-party providers don't like to put that stuff in writing," Whitehouse said. "They don't like to map that out because there are so many variables."
It's important to remember that SLAs aren't just about recovery time, although that is usually what companies focus on.
Rachel Dines, an analyst with Forrester Research Inc., wrote in an email to SearchDataBackup.com that she is seeing more cloud service providers agree to recovery time objectives (RTOs) and recovery point objectives (RPOs) when customers ask for them. When negotiating an SLA with a cloud service provider, Dines also recommends addressing other concerns as well. "It's important to remember that SLAs aren't just about recovery time," Dines wrote, "although that is usually what companies focus on." In addition to performance, include terms that address security, resiliency, and privacy.
Whitehouse said Iron Mountain Inc. is one of the few service providers that offer cloud backup and storage SLAs because they've been doing off-site data storage for so long.
Bryn's bandwidth concerns were also justified when he began the service. "We were billed at the 95th percentile," he said. "That went really quick when we started pumping that much data across the wire." So Hosted Solutions switched CFWebmasters billing from 95th percentile to total volume and excluded the cloud backup traffic. Bryn has a 100 Mbps drop and currently runs at about 50 Mbps.
As for his half rack in Hosted Solutions' Raleigh data center, Bryn has added a PowerVault MD3000 with 8 TB of capacity and another Dell 1950 server. He plans to use the extra processing power in the next six months for a planned web server deployment entirely in the cloud. He's also now able to keep two months of full backups in addition to his three months of daily cloud-based backups.
While security, performance, and additional bandwidth costs are big concerns for organizations considering a move to cloud backup, according to Whitehouse, the No. 1 concern is resistance to moving critical data outside the company walls. "The biggest hurdle that people have to overcome is the whole cultural or organizational resistance to doing something in this fashion," she said. "It's something that people resist." And that's not something any vendor has control over. Whitehouse compared it to the first time a parent puts a child on a school bus. It's the loss of control.