Data Protection in the Cloud

As I was flying home recently, the gentleman beside me was talking about his need to do the “cloud thing” as a means to backup his data. He recently experienced a multi-retail shop backup failure where the local backup disk was corrupted and the backups failed to happen. I also experienced a backup failure, when my backup software was upgraded. In both cases, the backup software did not mail out, or alert the appropriate people of the failure. Even if the backups did work, the data was still corrupted. So the question is, how can cloud based backups help with either of these scenarios?
There are several crucial questions to answer:

  • How often does the data need to be backed up?
  • What type of data will be backed up?
  • How is a restore to be accomplished?
  • How sensitive is the data?
  • Is there any regulatory compliance about the data?

The last one is one of the more important questions as it will dictate the answer to the previous question about sensitivity. If the data is sensitive then that data needs to be encrypted using keys or certificates in the control of the user, not controlled by any cloud storage vendor. The other questions will help you to choose software to do cloud backups or replication, depending on the time to be taken between backups of the data.  Even so, the more important question is about the restoration process for the data. These questions ultimately lead to a different type of questions regarding contracts, service level agreements, and technology.

  • Can I trust the cloud backup provider?

Trust is very important, but often overlooked. If you cannot trust the cloud provider to:

  • Protect your data
  • Make the data available as often as it is needed
  • Make a good backup

Then you need to revisit your cloud backup provider. Even if your cloud backup provider is just another place to store data, security of that data must be considered. The ultimate question though is who owns the keys to your data in the cloud?
Let’s take some popular cloud backup and storage providers into consideration:
Apple iCloud
Apple iCloud provides cross device sync mechanisms for all Apple devices that can connect to iTunes as well as some document storage. For a rundown on how Apple encrypts data in motion and at rest check out their Knowledge Base Article on the subject. Apple iCloud uses standard SSL to transfer your data and then encrypt the data in the iCloud, hopefully using your own keys, but that is unclear. All we know is you use a login token. It does not look like a Time Machine backup can readily be made to iCloud, so you have to copy some files by hand?
Dropbox
Dropbox seems to be ubiquitous storage in the cloud. It is everywhere, but it is not seen as super secure. That is because Dropbox owns the keys. They reduce overall storage needs by doing checksums on data transferred over SSL to ensure they do not have a duplicate of the data which is compared encrypted. This decreases storage requirements, but you do not own the keys to your own encrypted data, therefore Dropbox can decrypt any data at will. Do you trust the Dropbox cloud admins? One way to make Dropbox more secure is to place within it a pre-encrypted container created using tools like TrueCrypt where you do own the keys. But this will eat through storage costs.
Oxygen Cloud
Oxygen Cloud has an odd form of encryption at rest. The data is pre-encrypted before transfer over an SSL channel and then re-encrypted on the other side using a per tenant Oxygen Cloud key. This has quite a bit of overhead on the Oxygen side, that does translate to the sync phase of the data with the desktop if you loose your internet connection.
Backup/Replication Specific Clouds
There are also backup and replication specific clouds using virtualization and other tools. Such tools are clouds that make use of ZeRTO and Veeam products as well as custom tools such as Twin Strata (which broker data transfers to back-end cloud storage such as Amazon S3, Atmos, etc.  Twin Strata on the other hand presents volumes to systems as iSCSI instead of making use of custom protocols.
Conclusion
Even traditional backup tools such as Carbonite are getting into the cloud data protection storage where the backup is sent automatically to the cloud.  Cloud backups for small businesses replace the offsite backup mechanisms of perhaps taking tapes or disks to other locations. But have their own issues with security, SLAs, and questions about how to get your data back out if you have to do so. Can the company hold your data hostage?
The key to backing data up to a cloud, is to understand your data, compliance requirements and the tools you already use as their may be a cloud connector already available. If you go to the cloud for backups, read the technical and contract data carefully to understand how things are protected and ultimately about availability.
So back to the original question, if the data was corrupted would the cloud help? Only if you can get verified backups into the cloud, and do data protection testing of data stored in the cloud to know if it is corrupt. This will require the ability to download backups and restore them. So in essence, the data protection in the cloud becomes a part of your multi-tiered data protection, disaster recovery, business continuity, and backup plans and procedures.