This content is part of the Essential Guide: Cloud-based backup: Best strategies and practices

How providers can ease cloud backup security fears

Cloud backup may be the talk of the town, but according to one recent survey, it still has some ground to cover before it can win over the masses. What can cloud service providers do?

According to a recent Unitrends survey, 45% of companies do not use cloud-based backup, and they have no plans to do so in the next year. That seems contrary to the common belief that cloud backup providers have won the battle against tape-based storage. We continually hear how fast, cheap and convenient the cloud approach is compared with old tape systems but, obviously, strong resistance exists.

Most of the negative survey responses cite various cloud backup security issues, including the security of the data, loss of control and privacy. It's interesting that these issues have seen enormous attention from cloud service providers over the last five years and, at least from the perspective of cloud backup providers, the resulting public clouds are proving safer than in-house operations.

Some of the other statistics in the report go a long way to shedding light on this issue. Developers of software suites tend to look at their customers as being somewhat homogeneous; if they aren't running the latest code release, shame on them. That's a valid position, but it totally fails the real-world test.

Most IT shops fail when it comes to common-sense backup best practices. Let's look at some examples.

What data are you required to protect?

Where it goes wrong

Only 46% of survey respondents report being required to protect their in-house storage, while just 14% have to back up cloud servers. This should shock you. This is the point where any CEO would call the CTO because that number should be 100%. That's true of small businesses as much as large corporations. Without a backup, the doomsday clock is ticking down for your data.

In reality, backup, based on tape and unchanged for 60 years, is the backwater of IT. It's, at best, a necessary evil -- a cost of business. It's not the place to make a career. The report showing such shoddy cloud backup security practices proves that. One of these days, a commercially targeted Stuxnet will attack data centers, and the unprepared will have a day of reckoning.

How do we get the batting average up to par? The Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act cleaned up the backup mess in health care and financial systems. As bureaucratic fixes they aren't perfect, but proper data management is very high on the list of priorities for affected companies.

Do we need a general HIPAA law that demands all companies back up their data? It's a bit heavy-handed, but the exposure in our current industry is huge, given the lack of encryption of data, the use of 123456 as a password and other blunders. Maybe a published Generally Accepted Practices guideline or Federal Trade Commission edict could get things rolling.

Europeans could be more inclined to take a legislative approach. With GDPR coming into effect in May 2018, they will have to get used to regulation. In fact, GDPR mandates that companies have data management controls from creation to deletion of any personal data, and this includes best practices such as encryption, limited admin access and a meta library indicating where any copies are kept. Trying to read and understand the actual act can be so convoluted as to cause a nosebleed, but the constraints involved include the protection needs we've discussed for all data.

Perhaps the key to making life easier for an admin is to choose a potent cloud backup security approach. If Microsoft were to bundle a flat backup, or snapshot, system, including easy-to-use recovery in their OS as a default, we would see a lot of progress. Red Hat could easily add the same feature to Linux, and Microsoft already has options to back up to Azure.

The key to any OS-based solution is that it has to be low effort. There shouldn't be too many options. The idea is quick setup, low admin effort and totally reliable recovery.

The role of the cloud backup service provider

Do cloud backup providers play a part in this? Generally, the business proposition is, "If we are cheap enough, they will come." That has worked well for cloud service providers in the past, but growth in the backup sector will continue to slow unless they overcome certain resistance points.

In part, that includes the need for an active education program. It isn't enough to talk price. Remember what the roadblock is: security. First, cloud backup security providers have to boast how well their systems lock out hackers, coupled with where vulnerabilities still exist. Sure, you can compare systems with the typical in-house data center, but honesty is essential.

Data privacy has only one answer. Encryption with the keys controlled solely by the data owner, per HIPAA, is essential. In fact, encryption should be done at the server sourcing the backed up data to give protection in transit, as well as at rest.

Data privacy has only one answer.

To ease the admin burden, cloud backup providers should go the extra mile and offer a turnkey backup product, supporting flat continuous backups, as well as more traditional modes, but focused on a complete best practice offering that includes encryption.

Note that drive-based backup has a fishy odor about it, and is already well past its sell-by date. Also, recent revelations of vendors using a small, easily guessed set of encryption keys has left a lot of skepticism around this method.

Mentioning flat backup brings up an interesting point. Such a backup, based on a continuous snapshot, is impervious to data changing or deleting hacks, or even admin errors or software problems. Any changes increment the stored data, and nothing gets erased. There is one single glaring hole in this theory, though. A hacker can delete the whole archive space, since it's just a mounted file system.

Preventing this would necessitate some sort of offline manual intervention, such as a phone call to the cloud backup provider to permit the deletion, who would then mark the archive as deletable, leaving you to press the destruct switch -- all with proper identity controls, of course.

I'd limit the individual with delete authority very severely, too. Doing this would remove the single advantage tape has over any online system -- data can never be deleted online, and destruction requires a conscious, approved, manual intervention.

Next Steps

Don't compromise data protection in the public cloud

Are you ready to commit to cloud backup?

How to keep your cloud backup secure

Dig Deeper on Cloud backup