Is your data securely stored in the cloud? It should be!
Cloud backup is experiencing increased adoption as organisations now more readily accept these services as viable alternatives to traditional onsite solutions. The psychological barriers of sending critical data outside of the company are coming down as the services have matured. It is early days for online storage but the services are starting to gain traction and are growing fast. A lot of the growth can be attributed to the ‘Consumerisation of IT’. The lines between corporate IT and consumer technology are now blurred as we see a huge uptake in consumer services within the corporate environment. Many services such as Google Docs, Microsoft SkyDrive, YouTube and DropBox are in now use in the corporate environment and there is no end of online services targeting the consumer, many of these services are free and are not typically backed by a comprehensive service level agreement (SLA) and give no guidance to how data is stored, protected, secured nor where it is located.
Combined with the fast rise in the number of service providers offering online backup services, the options available are increasing but it is important to note that all services are far from equal, especially in terms of security.
It is important to evaluate the security characteristics of a cloud backup service along with its provider before signing up. If you are not looking after the data yourself, security needs to be your primary concern. Most organisations place a big emphasis on securing the physical assets such as servers and storage, as well as securing their data from unauthorised access. This needs to continue online too. Data security breaches are now subject to compliance and regulatory penalties and the protection of intellectual property and reputation are paramount in today’s competitive business environment. It is therefore extremely important that customers understand how data is secured when using cloud backup services.
What security aspects should you consider when considering cloud backup?
The software used by the service provider should use secure communications to transmit data, encrypt data prior to transmission and store data in an encrypted form. You need to ensure that as you send your data over the internet to the service provider that there is encryption on that connection. That would normally be through an SSL connection where no one is able to see your data. As an added layer of security, more secure services enable the end user to encrypt data using their own encryption keys prior to transmission. If data is not encrypted prior to transmission, whilst secure communications are effective for their intended purpose, they offer no protection for the data once received by the service provider. You should ensure that the service provider encrypts your data as it is stored and it is important to know what level of encryption that is. You need to be sure that your data can not be accessed by the service provider and that it is protected against unauthorised access to systems and through disposition of failed or old equipment. The service provider should be able to offer dedicated links and VPN connections if additional security is required.
The customer must be in control of their own encryption keys. While storing the data in an encrypted form is important, there is one additional level of security that is needed to properly secure offsite data. The data must be encrypted with an encryption key that is known only to the end user. This is accomplished when the data is encrypted prior to transmission on the local computer using a key that is never sent to the online backup platform. Only the end user knows the encryption keys and only the end user can restore the data.
Datacentre facilities and their location
It is important that the service is offered from highly secure data centres, located and operated in the UK. Data centres should offer resilient UPS systems, full fire protection and high levels availability. Look for service providers that operate from certified data centres, look for ISO 9001:2008 and ISO 27001. These certifications mean the data centre is operated to strict information security standards. Data centres in the UK mean that you can you get to them should you need to and you can get your data back in a hurry if you need to.
Make sure that the service provider is using a reliable and resilient infrastructure to store customer data. An online service needs to be available at all times and it must not lose data. Online backup or storage providers should use an infrastructure that is as at least as good as, if not better than the customer has in their data centre. Make sure enterprise class environments are used with technology from respectable manufacturers. The environment needs to be able to recover from software or hardware failures. Make sure the network is secure with resilient firewalls.
Disaster Recovery Strategy
Can the service provider can recover from a disaster. Service providers must operate a dual data centre policy and replicate your data to a geographically remote site that can be used to recover data should anything catastrophic happen to the primary data centre. In the event of a failover, you need to ensure the Service Provider can offer full continuity of recovery and continued backup.
People Behind the Service
Who is offering the service, are there people behind the service with experience and what authorisation practices are in place? Check the heritage of the service provider, the number of customers and ask about procedures for safeguarding customer data and systems it is stored on. You need to ensure your data is in safe and experienced hands. Access to datacentres should be restricted to authorised staff and there should be a multiple levels of authorisation for data centres and systems. For example, first line support staff should have limited access to systems and data and access becomes less restricted as you move up the hierarchy to senior members of the operations team. Ask the service Provider, what happens in the event of data corruption? How many copies of your data does the Service Provider have and how long are they retained for?
There are many advantages to online backup, inexpensive capacity, reduced capital expenditures, simplified data management and reduced risk to name a few. Online services allow you to get started quickly and inexpensively but it is important that due diligence is performed – if you are sending important data outside of your company walls and relying on a third party, data security should be your number one concern. You can never ask too many questions.