Cloud backup is ready for the enterprise

Cloud backup services have seen increased adoption by SMBs, but with a choice of methods and tighter controls, cloud backup is now also a viable enterprise alternative.

Backup was one of the first services offered by cloud storage vendors, and it’s still the most popular way of using cloud storage. Once considered an option for only smaller companies, some enterprises are now using cloud backup for remote office and desktop/laptop data protection, archival and off-siting of backups to supplement existing in-house backup services.

The benefits of backing up to the cloud are compelling: no need for backup infrastructure, minimal IT resource requirements and usage-based pricing that becomes part of your monthly operational expenses. But the benefits are offset by security concerns and restore challenges, especially if a lot of data must be restored from the cloud. With accelerated adoption of cloud services, cloud-based backup options have substantially increased, giving companies several alternatives:

  • Backup managed service providers (MSPs)
  • Cloud-enabled backup applications
  • Cloud gateways

Cloud considerations

Regardless of the alternative your company opts for, this list of key features and considerations will help determine the right product for your environment.

Security. Security is still the main reason companies steer clear of cloud services. To address security concerns, cloud backup products must, at a minimum, adhere to the following best practices:

  • Data must be encrypted in transit, usually via a Secure Sockets Layer (SSL) connection if the Internet is the transport
  • Data must be stored encrypted in the cloud using a state-of-the-art encryption algorithm, such as 256-bit AES
  • The cloud service provider must support strong, enforceable authentication with features like password expiration and complexity

Encryption key management must be clearly understood; most cloud service providers defer key management to users with the benefit that encryption keys are unavailable within the cloud. But with encryption key management the responsibility of users, the cloud service provider won’t be able to help if the keys are mismanaged or lost, preventing access to the data. Because encryption keys are critical, some companies put them in an escrow account as protection against loss or corruption.
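The user-held key model described above, as an added Go example that is not from the article or from any vendor's product: data is sealed with 256-bit AES before it leaves the customer, so the provider stores only ciphertext and a restore without the original (or escrowed) key fails. The GCM mode, the names `Key`, `SealBackup` and `OpenBackup`, and the sample data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Key (hypothetical name) is a 256-bit AES key generated and kept by the customer.
type Key [32]byte
func aead(k Key) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts one backup object with AES-256-GCM; the nonce is stored in front.
func SealBackup(k Key, plaintext []byte) ([]byte, error) {
	g, err := aead(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBackup restores an object; a wrong key or an altered blob returns an error.
func OpenBackup(k Key, blob []byte) ([]byte, error) {
	g, err := aead(k)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("unusable key or truncated blob (%d bytes)", len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func main() {
	var key Key // constructed key; a second copy of it would go to escrow
	rand.Read(key[:])
	blob, _ := SealBackup(key, []byte("constructed sample backup data"))
	restored, _ := OpenBackup(key, blob)
	_, err := OpenBackup(Key{}, blob) // key lost: any other key fails
	fmt.Printf("with key: %q; without key: %v\n", restored, err)
}
```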


Compliance. There may also be compliance issues related to using cloud backup. For public companies or industries that are subject to additional regulatory requirements, only cloud service providers that adhere to SSAE 16/SOC 1 (formerly known as SAS 70) should be considered. SAS 70/SSAE 16 is an audit standard for service providers where an external auditor evaluates controls and processes, and prepares a report that’s shared with the service provider’s customers. Because there’s a Type I and Type II SAS 70/SSAE 16 examination, it’s crucial to confirm that the service provider performs the more stringent Type II audit. Only a Type II audit report expresses the auditor’s opinion on whether the controls tested operated effectively enough to provide reasonable assurance that the control objectives were achieved during the period specified. For instance, Sarbanes-Oxley (SOX) audits usually only rely on Type II audit reports.

You should also understand the scope of the audit report and what it covers. Many smaller MSPs are quick to declare SAS 70/SSAE 16 compliance by providing data center or Amazon (if the MSP uses Amazon on the back-end) SAS 70/SSAE 16 reports, which usually aren’t sufficient. While a data center SAS 70/SSAE 16 report addresses physical controls, it has no bearing on operational controls of the MSP in relation to change management, program development and access grants. Therefore, it’s highly recommended to request the latest SAS 70/SSAE 16 report from the cloud service provider prior to signing with the service, and to have the report reviewed by the internal and external auditors.


Hybrid vs. pure cloud backups. In a pure cloud backup scenario, agents on protected servers and desktops perform backups directly to the cloud. Quick setup and minimal maintenance are benefits of this service. A pure cloud backup product is best-suited for personal backups and backups for smaller firms with limited amounts of data to protect (typically a few terabytes). The drawbacks of backing up directly into the cloud are performance and bandwidth challenges because of latency and bandwidth limits of available Internet connections; these shortcomings are most important when restoring data.

Latency and limited bandwidth are mitigated by hybrid cloud backup products that use an on-premises disk or gateway as the initial backup target from which the data is replicated to the cloud. The on-premises intermediary usually caches the most recent backups for on-premises restores, minimizing tedious recoveries from the cloud; it also moves data into the cloud asynchronously. For a pure cloud backup solution without the on-premises intermediary for quick restores, it’s essential to understand all restore options, including the ability to have backups shipped to you on a disk or NAS device; restore options become more relevant as the amount of data stored in the cloud grows. Similarly, some MSPs accept the initial full backup on an external storage device (known as “seeding”) to avoid a time-consuming first backup over the Internet.

Efficiency. Backup processes that are OK for on-premises backups may be unacceptable for cloud backups. For instance, the ability to perform sub-file backups of changes to files is an indispensable feature in a cloud backup product. With email personal folder files (.PST files) that can grow beyond gigabytes, and large Excel spreadsheets and PowerPoint presentations spanning tens of megabytes, being able to only back up file changes to the cloud rather than complete files is a non-negotiable feature for a cloud backup product. Similarly, the ability to perform continuous incremental backups minimizes the amount of traffic for each backup. The traditional weekly full and daily incremental backup discipline frequently used for on-premises backups doesn’t work for backing up data into the cloud. Limited network bandwidth makes efficiency one of the primary virtues in a cloud backup product. So anything that can help reduce the amount of data to be moved into the cloud is critical.

Compression and source-side deduplication are two technologies that help minimize the amount of traffic sent into the cloud. Data deduplication reduces bandwidth usage and also helps cut the cost of backing up to the cloud. Because cloud storage pricing is usually based on gigabytes stored, compression and dedupe are instrumental in lowering monthly fees. To maximize data reduction, some MSPs deduplicate on the source side and one more time in the cloud. While the scope of source-side dedupe may be limited to a single or few hosts, dedupe in the cloud can be performed against all data, resulting in significant additional data reduction.


“We deduplicate and compress before we send data across, and we deduplicate one more time once data is in the cloud,” said Karen Jaworski, senior director of product marketing at i365, a Seagate company and backup MSP.
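Sub-file backup and the two dedupe scopes described above, as an added Go example that is not from the article or from any vendor's product: each host keeps its own chunk index (source-side dedupe) and the provider keeps one across all hosts (cloud-side dedupe). Fixed-size chunks, the names `Store` and `Backup`, and the sample data are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

const chunkSize = 4 // bytes; tiny so the constructed samples stay readable

// Store (hypothetical name) is a chunk index keyed by SHA-256: one per host
// for source-side dedupe, one at the provider for dedupe across all hosts.
type Store map[[32]byte][]byte

// Put splits data into fixed-size chunks, records the ones not seen before and
// returns only those, i.e. the chunks that still have to be sent or stored.
func (s Store) Put(data []byte) [][]byte {
	var novel [][]byte
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		id := sha256.Sum256(data[off:end])
		if _, seen := s[id]; !seen {
			s[id] = data[off:end]
			novel = append(novel, data[off:end])
		}
	}
	return novel
}

// Backup dedupes on the host first, then in the cloud on what was sent. It
// returns the chunks sent over the link and the chunks newly stored in the cloud.
func Backup(host, cloud Store, data []byte) (sent, stored int) {
	for _, c := range host.Put(data) {
		sent++
		stored += len(cloud.Put(c))
	}
	return sent, stored
}

func main() {
	hostA, hostB, cloud := Store{}, Store{}, Store{}
	v1 := []byte("AAAABBBBCCCCAAAA") // constructed file: 4 chunks, one repeated
	v2 := []byte("AAAABBBBXXXXAAAA") // same file after a sub-file change
	fmt.Println(Backup(hostA, cloud, v1)) // 3 3: first full backup
	fmt.Println(Backup(hostA, cloud, v2)) // 1 1: only the changed chunk moves
	fmt.Println(Backup(hostB, cloud, v1)) // 3 0: new host sends, cloud stores nothing
}
```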

Transport. Besides source-side dedupe, cloud backup products differ in the way they manage available bandwidth. The ability to limit and throttle bandwidth while backups are in progress helps minimize the impact on users and other apps sharing the Internet connection. Moreover, being able to configure multiple bandwidth limits for different times of the day helps optimize the balance between backup performance and the impact on other users. Some cloud service providers, such as AT&T, give customers the option to use a multiprotocol label switching (MPLS) circuit instead of the Internet; this option is relatively cost-effective for customers who already use MPLS. The quality of service (QoS) feature of MPLS lets users label backup data as low-priority traffic, eliminating the impact on other users and applications altogether. This is especially attractive for midsized and large companies with many users and a lot of protected data.


Backup managed service providers

Handing off backups to a managed service provider is the quickest way of getting backups into the cloud and the method with the fewest internal IT requirements. MSP offerings are available as pure cloud backup products where the user installs agents on desktops and servers that directly back up data into the cloud; they’re also available as hybrid cloud backup products where the cloud service vendor provides a managed on-premises gateway to store backup data locally before replication into the cloud.

MSP offerings range from consumer, small office/home office (SOHO) and small- and medium-sized business (SMB) products to cloud backup services targeted at the enterprise. “While the sweet spot for cloud-based backup is still the small to midsized company, larger enterprises have started leveraging the cloud to supplement internal backups, especially for DR [disaster recovery], remote office and end-user data protection,” said David Chapa, senior analyst at Milford, Mass.-based Enterprise Strategy Group (ESG).

Consumer backup services were popularized by Mozy (now part of EMC Corp.) and Carbonite. They’re pure cloud backup products, licensed to protect a single desktop or laptop, and may not have all the features expected in a business backup product. For instance, the Carbonite service doesn’t offer deduplication. “Deduplication is less required in our target market where the average amount of protected data is less than 50 GB,” said Pete Lamson, general manager of Carbonite’s Small Business Group. Both Carbonite (with Carbonite Business) and Mozy (with MozyPro) have expanded their offerings into businesses. While Carbonite targets small businesses with a simple and highly affordable backup service, MozyPro is aimed at small and large businesses alike.

Joining Carbonite with a focus on small companies with up to 50 users is Symantec Corp. with Backup, which is now in beta in North America with general availability slated for this fall. “Backup has centralized management and provides global visibility to protected hosts, and we try to make backup as simple as possible,” said David Mitchell, product manager for Symantec’s hosted endpoint protection.

For enterprises, IBM has rebranded and renamed its managed backup service offerings with a focus on resilience: SmartCloud Resilience. The IBM product spans the data protection spectrum from backup and recovery to archival and DR.

Hewlett-Packard (HP) Co.’s enterprise Electronic Vaulting Service is a managed server backup product powered by Asigra Software; HP’s Mobile Information Protection uses Autonomy Connected Backup, which HP has just made available as PC Backup Services for the SOHO and SMB markets, and is available through channel partners.

i365 has been offering managed backups since 1997, and the company has one of the most complete and feature-rich cloud backup offerings addressing the needs of small and large companies. Available as pure service, software, and physical and virtual appliances, it can be deployed on-premises, in a hybrid arrangement or as a pure cloud backup product.


Iron Mountain Inc. has one of the strongest brands in the backup world but its cloud message changed with the sale of its Connected Backup and LiveVault backup software to Autonomy. Iron Mountain is currently focusing on backup services rather than software development.

“We continue to offer cloud backup services for businesses,” said Ken Rubin, senior vice president and general manager of the Iron Mountain healthcare service. “For the healthcare and financial services sectors, we provide advanced solutions; for instance, for hospitals we offer a managed backup product with tight integration with all major PACS [picture and archival communication system] systems.”

Cloud-enabled backup apps and gateways

While small companies are more likely to opt for the MSP approach, larger companies are more apt to extend their existing backup infrastructure into the cloud using either their existing backup software or a cloud gateway. The incentives to expand the backup infrastructure into the cloud range from replacing off-site tapes with backups in the cloud to leveraging the cloud for backup jobs that can be performed more cost-effectively.

Cloud support in commercial backup applications varies considerably. CommVault Systems Inc. has added extensive cloud support and supports a wide range of cloud service providers (AT&T, Amazon, Microsoft, Nirvanix and Rackspace). Supported cloud providers appear as additional backup media and all backup features, such as deduplication, are available when backing up to the cloud. Archival into the cloud with stub support for on-demand retrieval of archived data and block-based replication of changes into the cloud for recovery into a compute cloud service such as Amazon Elastic Compute Cloud (EC2) are just a couple of features that distinguish CommVault Simpana. Similar to CommVault, both Symantec Backup Exec and NetBackup support backing up into the cloud, but they currently only support Nirvanix. Arkeia Network Backup supports replication of backup sets into Amazon and Nirvanix.

EMC Avamar and NetWorker currently don’t have out-of-the-box integration with cloud service providers. Instead, EMC is selling Avamar to MSPs. “We decided on Avamar to power our enterprise backup service because of its efficient source-side deduplication and scalable Avamar Data Store grid,” said Dick Mulvihill, co-founder and managing partner at Hexistor Data Protection Service LLC, a Chicago-based backup MSP.

IBM Tivoli Storage Manager (TSM) doesn’t currently support direct backups into the cloud. “We’re working with cloud gateway manufacturers such as Riverbed for cloud backup support; cloud backup gateways are simple and quick to set up and have the advantage of locally cached backups for quick restores,” said Steve Wojtowecz, vice president of storage software development at Tivoli.

Cloud gateways that move data into cloud storage are available from Nasuni Corp., Panzura Inc., Riverbed Technology Inc., StorSimple Inc., TwinStrata Inc. and others. While some gateways are touted as hybrid cloud storage products to extend on-premises storage into the cloud, Riverbed Whitewater’s focus is exclusively on cloud backup. Available in different configurations for small businesses to large enterprises, traditional backup applications back up to the Whitewater gateway appliance, which then deduplicates, compresses, encrypts and asynchronously moves data into supported cloud providers (which currently include AT&T, Amazon and Nirvanix). The StorSimple gateway stands out because of its extensive support of Microsoft SharePoint.

Cloud backup goes mainstream

Backup to the cloud is moving from a niche application into the mainstream, especially in the SOHO and SMB sectors, and it’s being used increasingly by larger companies to supplement their existing backup infrastructure. The increased adoption of cloud services by public companies and even government agencies suggests that security concerns with cloud services are slowly abating. However, proper due diligence must be taken when evaluating cloud backup, such as implementing solid backup processes and strong controls, to avoid unpleasant surprises.

BIO: Jacob Gsoedl is a freelance writer and a corporate director for business systems.