This article can also be found in the Premium Editorial Download "Storage magazine: FC, iSCSI, NAS: How to choose storage for virtual servers."
Download it now to read this article plus other related content.
Cloud backup services have seen increased adoption by SMBs, but with a choice of methods and tighter controls, cloud backup is now also a viable enterprise alternative.
Backup was one of the first services offered by cloud storage vendors, and it’s still the most popular way of using cloud storage. Once considered an option for only smaller companies, some enterprises are now using cloud backup for remote office and desktop/laptop data protection, archival and off-siting of backups to supplement existing in-house backup services.
The benefits of backing up to the cloud are compelling: no need for backup infrastructure, minimal IT resource requirements and usage-based pricing that becomes part of your monthly operational expenses. But the benefits are offset by security concerns and restore challenges, especially if a lot of data must be restored from the cloud. With accelerated adoption of cloud services, cloud-based backup options have substantially increased, giving companies several alternatives:
- Backup managed service providers (MSPs)
- Cloud-enabled backup applications
- Cloud gateways
Regardless of the alternative your company opts for, this list of key features and considerations will help determine the right product for your environment.
Security. Security is still the main reason companies steer clear of cloud services. To address
- Data must be encrypted during transit, usually via a secure socket layer (SSL) connection if the Internet is the transport
- Data must be stored encrypted in the cloud via a state-of-the-art encryption protocol, such as 256-bit AES encryption
- The cloud service provider must support strong, enforceable authentication with features like password expiration and complexity
Encryption key management must be clearly understood; most cloud service providers defer key management to users with the benefit that encryption keys are unavailable within the cloud. But with encryption key management the responsibility of users, the cloud service provider won’t be able to help if the keys are mismanaged or lost, preventing access to the data. Because encryption keys are critical, some companies put them in an escrow account as protection against loss or corruption.
CLOUD BACKUP OPTIONS: THE PROS AND CONS
Enlarge CLOUD BACKUP OPTIONS: THE PROS AND CONS diagram.
Compliance. There may also be compliance issues related to using cloud backup. For public companies or industries that are subject to additional regulatory requirements, only cloud service providers that adhere to SSAE 16/SOC 1 (formerly known as SAS 70) should be considered. SAS 70/SSAE 16 is an audit standard for service providers where an external auditor evaluates controls and processes, and prepares a report that’s shared with the service provider’s customers. Because there’s a Type I and Type II SAS 70/SSAE 16 examination, it’s crucial to confirm that the service provider performs the more stringent Type II audit. Only a Type II audit report expresses the auditor’s opinion on whether the controls tested operated effectively enough to provide reasonable assurance that the control objectives were achieved during the period specified. For instance, Sarbanes-Oxley (SOX) audits usually only rely on Type II audit reports.
You should also understand the scope of the audit report and what it covers. Many smaller MSPs are quick to declare SAS 70/SSAE 16 compliance by providing data center or Amazon (if the MSP uses Amazon on the back-end) SAS 70/SSAE 16 reports, which usually aren’t sufficient. While a data center SAS 70/SSAE 16 report addresses physical controls, it has no bearing on operational controls of the MSP in relation to change management, program development and access grants. Therefore, it’s highly recommended to request the latest SAS 70/SSAE 16 report from the cloud service provider prior to signing with the service, and to have the report reviewed by the internal and external auditors.
This was first published in September 2011