Article contributed by Sergei Serdyuk, Vice President of Product Management, NAKIVO
As corporations continue to embrace hybrid cloud approaches, moving more of their operations to disparate cloud environments, many are under the impression that data stored in the cloud is impervious to loss. However, cloud providers offer no guarantees of data protection, and organisations would do best to create a solid data protection strategy especially for the cloud.
The truth about data protection in the cloud
Cloud architecture provides excellent protection capabilities, yet it is not immune to threats such as ransomware attacks, leakage and even accidental deletion of data. Assuming that your cloud provider will handle the production or recovery of cloud data could be a costly mistake. While many cloud service providers use the ‘shared responsibility’ model, this explicitly states that only availability is covered. Therefore, ensuring data protection is in fact the responsibility of the customer. So it is vital that organisations think carefully about how they will ensure the protection, as well as the availability of their workloads.
Key concerns about data security in the cloud
There are at least three main reasons why workloads in the cloud need extra protection. Firstly, as already stated, the degree of protection offered by cloud service providers does not cover all eventualities and offers no guarantees. Secondly, industry specific requirements for data retention are not included as standard. Data protection needs vary depending upon the organisation. In certain industries such as healthcare and financial services, companies are required to comply with data protection laws and regulations that are quite specific as what should be preserved and for how long. Not all cloud service providers offer the flexibility and the degree of data management control that can cover existing regulations, making compliance problematic for businesses in certain industries.
Another factor to consider is the type of data stored in the cloud. Companies collect massive amounts of data on daily basis, ranging from highly confidential to relatively unimportant information. So as the most secure cloud is still not 100% failsafe, for critical data, even a fairly low risk is still unacceptable. Given the importance of data to an organisation's operations, should data loss occur with no extra protection or failsafe in place, the consequences could be devastating to the business.
Read more about cybersecurity on our dedicated Business Continuity page
While the high level of accessibility provided by the cloud delivers many benefits, it also has its drawbacks. Even if data loss seems unlikely, with the looming threat of cyber attacks, such as ransomware, the chance of a data breach is unfortunately a very real possibility.
Creating a solid strategy for cloud data protection
An effective cloud data protection strategy should include the classification of data according to type, sensitivity and business value, in case it is stolen, altered or destroyed. Data classification enables the pinpointing of data that is essential to the company, so it is at hand for fast recovery in case of a disaster. It also helps to determine whether data is at risk so that threats can be mitigated.
Different approaches are required for different types of data. For example, a particular governance policy might have restrictions regarding keeping data with personal information off-site. Data that is not critical but important enough to retain might be stored in a cloud environment. Therefore, the identity of critical assets is vital, as it enables organisations to manage data in a way that reflects its value, rather than treating all data the same way. This approach will greatly help cut operational and maintenance costs down the line and instead allow the company to focus its strategy on the right assets.
Once the priorities are set, procedures for data backup should be deployed. Backing up data should be at the centre of the strategy as it is not only a requirement for compliance, but also the key to avoiding unexpected data loss though system operation errors or failures. Backups should be done on a regular basis, as a disaster can occur at any time.
The next step would be to allocate storage for backups and configure data backup activities, starting with assigning tiers to backups based on their importance. Critical backup data is usually assigned to the highest tier, while data that is not critical to business operations can be moved to ‘cold’ data storage, or to less expensive backup storage. In complex infrastructures, workflows and backup activities can automated so the entire process is as streamlined and error free as possible. Scheduling pre-planned backups tasks makes it easier to set up and manage data tiering from on premise to and across clouds.
The importance of backup data protection
Data backups are a necessary precaution. However, being also a target for cybercrime, data backups themselves require protection. This can be achieved by adding ‘true immutability’ to backups, which effectively prevents any changes to backup data for a set period of time. This will protect the backup data from any new ransomware infections, accidental or deliberate modifications and deletions, while leaving backups available should data recovery be required.
One crucial and often overlooked aspect of any cloud data protection strategy is encryption. Allowing your cloud service providers to encrypt your data is like locking your house up and giving someone else the keys. When it comes to data encryption, controlling your encryption keys is crucial. It would be wise to add another layer of protection by encrypting data before storing it in the cloud.
Your cloud data protection strategy should also cover data access. Insider threats can be as severe as external incidents, with employees misusing their permissions to leak or delete critical data. Here the ‘zero trust’ model can be utilised to protect the critical data process in the company without disrupting operations.
Preparation for data recovery
Part of your strategy must include ways to recover data in case of an incident or disaster. Depending on the incident nature, the scale of recovery can vary from urgently restoring critical workflows, retrieving a specific list of items, or even the rebuild of the entire infrastructure. The configuration of recovery procedures for probable scenarios allows you to decide on the best recovery type, be it granular recovery for a single file, or cross-platform recovery to migrate the infrastructure to a different environment. The data recovery process should use available resources efficiently and be cost effective.
Once the data protection strategy is complete, mock data recoveries should be run to check there are no bottlenecks and that set objectives are attained. The same goes for data integrity, so backups should also be verified. Finally and most importantly, making this an iterative process will ensure data is protected and the organisation is prepared to take on the latest challenges.
EM360, as you know it is about to change. CIA hackers, Google visionaries and some of the other biggest influencers from the tech industry are waiting to engage with you on the technologies that will define the future of enterprise tech. All you have to do is sign up as a premium EM360 Tech Community Member.
Features You Can Unlock As An EM360 Tech Community Member:
- Engage with the leading influencers of Cyber Security, Data Management, Enterprise AI and more.
- Gain access to our expanding library of exclusive content and resources.
- Get insights and opinions from industry leaders on the latest trending topics.
- Rise through the ranks to become an Industry Guru and GET PAID to express your opinion.
If you are a tech enthusiast, this is the place you need to be. Find out more about the EM360 Tech Community.