Managing and protecting all enterprise data

kras99 - Fotolia

Manage Learn to apply best practices and optimize your operations.

Take a hybrid approach to your data protection plan

The cloud can have major limitations when it comes to long-term retention. Learn why tape and disk should remain part of your data protection plan.

When developing a data protection plan, IT teams should take a hybrid approach to on-site and off-site protection that uses disk, cloud and tape in almost every scenario. Sure, some organizations can go without tape due to a lack of long-term retention requirements, while others will never be able to use the cloud for one security concern or another. But for the rest of us, a hybrid plan should likely include all three.

To be clear, I am a huge fan of cloud-based data protection, especially for endpoint devices and remote offices. I'm an even bigger fan of using it for disaster recovery as a service as a superset of backup as a service. Almost every data protection activity should start with disk, preferably deduplicated disk, but there are reasons why the tertiary copy should be on tape, as much as some cloud companies want to put the last nail in tape's coffin. One major reason is chain of custody.

If you are in an audited environment that requires long-term retention, it is important to be able to prove that data on a seven-year-old tape is, in fact, seven years old and has not been modified. There are some very compelling extended-hold capabilities in disk target systems, as well as tape cartridges, so you can be assured that the data was "written once" even if it is later "read many" times (WORM). If you have WORM-enabled tape cartridges or disk volumes, you can write to them all you want, but your options to modify the data are typically relegated to "delete volume."

How do you assure an auditor that the data within your cloud service has not been tampered with?

You can't, at least not today. Perhaps the closest thing to that is if your service provider offers a virtualized disk target system via their cloud service, and that target system has an extended-hold feature. Depending on the implementation and the amicability of the auditor, that might pass, but there is another problem.

Most folks, once they clear away fear, uncertainty and doubt about tapes being fragile and slow, just want out of the tape management (Opex) burden. If you don't want to manage your tape inventory, handle off-site tape storage or perform periodic maintenance on tape drives, there are some great services for that. And if you outsource the tape management for a few years and then decide to change managed services or bring the tapes back on-site, you can do that. The tapes, in their pristine original state, are returned to be stored however you like throughout their lifecycle.

What do you do if you want to switch clouds after three years, but your data has to be stored for seven?

You can't pull back three years of iterations from a cloud provider without an inordinate amount of effort and expense (with most products). So you will likely have "cloud lock-in," whereby if you are going to stop using tape for long-term retention, you must commit to that cloud provider for the seven-year term so the data is pristine within the cloud storage. If you later choose to change cloud providers, you will either be invalidating the older copies (no longer have seven defensible years of data) or you will have to leave the old data with the original cloud provider until it ages out, while protecting your newer data with the new cloud provider. Since much of the data set will be similar to what it was last week with the old provider, this will likely double your storage footprint until the older data ages out of the original provider.

There are some exceptions. If the service provider has the ability to export your entire data set into a secure disk appliance or other repository that can be assured to be unscathed, you have more options. If your cloud service provider stores your data on tapes for long-term retention, you have options when it comes to developing a data protection plan. If you believe your organization can store long-term data more effectively in the cloud than on tapes, be sure your auditors and legal department agree with your retention strategy before you throw those tape drives away.

Jason Buffington is a senior analyst at Enterprise Strategy Group. He focuses primarily on data protection, as well as Windows Server infrastructure, management and virtualization. He blogs at and tweets as @Jbuff.

Article 7 of 8

Next Steps

Tape's second life in the cloud

Cloud as an alternative to off-site tape storage

Cloud vs. tape: Archiving issues

Video: Use multiple data protection technologies

Dig Deeper on Cloud backup

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Does your data protection plan incorporate cloud, disk and tape? If not, which elements do you not include and why?
"How do you assure an auditor that the data within your cloud service has not been tampered with?"

That's the $64,000 question, especially with organizations like the NSA going around saying that modifying data -- not deleting it -- is going to be the next wave of hacker intrusion.
Sharon hits on a good point here. With the cloud,  we are effectively giving the job of backup and retention of data to other entities as part of their process. By doing so, we are both giving over a major process to another entity and we are open to possible tampering of data in ways we can't control. Having local backup capabilities and a way to archive data outside of the cloud certainly seems a prudent step, if for not other reason than to make sure we can see if anything fundamental has changed in our data as it is stored in the cloud.

Get More Storage

Access to all of our back issues View All