In the second part of Tom Gelson's advice series, he discusses up-to-date cloud security for high-growth businesses.
Do you know where your data lives?
A cloud-based online backup and recovery solution, provided by a reputable and tested vendor, can be the best insurance policy against catastrophic data failure or theft. But SMBs that leave security of their cloud storage providers to chance face far greater risk.
For a growing business, it is essential to review a cloud storage provider’s security policies thoroughly before selecting a vendor. This is where a VAR or MSP can help, serving as a trusted advisor for SMBs, since it’s difficult to truly understand a provider’s security policies and best practices. It’s important to know which questions are the right ones to ask. To begin, there are a few triggers or red flags that signify inadequate security:
Provider authorisation of or access to an encryption key
The encryption standards that cloud storage providers put in place are essentially ineffective if that provider can simply “reset” the key if a client loses or forgets it. A “back door” to encryption exposes the data to risk in the event that the cloud provider’s systems are hacked.
But what if a company does lose the key? Or, since many business IT departments are relatively small, what if an IT professional leaves the company with key information? These are common concerns. To use online backup and recovery while ensuring the security of data, cloud storage providers could offer encrypted, biometric removable storage devices for SMBs to store the encryption key. It’s recommended that no more than two company officials have access to the key.
Lack of datacentre standards
Cloud storage providers invest heavily in their own datacentres. Recognising the importance of security in the cloud, the EU has created data protection laws and data sovereignty laws, which may relate to where the data is stored or transferred, as well as how well the confidentiality of this data is protected.
Data sent to and from the cloud must have built-in protections to ensure a successful journey from the client to the datacentre and back. Encryption is an essential component of data security. An ideal security policy would dictate that data is encrypted on-premises at a company’s site, en route to the cloud storage provider and at rest at the provider’s site.
In the case of using removable storage for initial cloud seeding, in addition to applying industry-standard encryption, an SMB should ensure that the actual removable drive is packed properly or built for durability to withstand multiple shipments. Many storage vendors now provide removable hard disk drives that are rugged and built for transport.
The opportunity for the mid-market
As data volumes increase, so will the pressure for SMB IT departments to ensure backup and recovery of that data. Perhaps in view of the expected growth in business IT spending – as noted by Gartner in its January 2012 Forecast Analysis – online cloud-based backup vendors have taken steps to adopt a solid initial seeding practice for fast initial backups and rapid restores. If a cloud storage provider further passes the security test, SMBs can finally feel comfortable beginning to weave online backup into their data protection strategy to reduce costs and downtime.
Online backup provides a foray into the cloud, satisfying the C-level interest in yielding cost savings while optimising data protection. However, it's important that a business carefully considers the vendor, the MSP and the regulations before diving into the cloud.
Tom Gelson is cloud strategist at Imation Scalable Storage.