I have been talking to customers about the cloud and what it means to them. A common misunderstanding they have is the perception of how their data is protected.  I often ask “Do you have control of your data? Do you have access to all the items you need?” The knee-jerk reaction is typically, “Of course I do,” or “my cloud provider takes care of it all.”

Cloud providers take care of quite a bit, and can provide a great service for their customers. However, cloud providers’ primary focus is on managing the infrastructure and maintaining uptime to your users. They are empowering YOU with the responsibility of your data. The misunderstanding then is often between the users perception of the cloud provider’s responsibility and the user’s actual responsibility for protection and long-term retention of their cloud data.

Questions to Ask

When trying to understand what your cloud provider does, ask these three questions:

• What do they backup?  The misconception is often that they carry out complete backups of your data, when commonly they will typically replicate the data to another data centre and only keep the latest copy;
• How do they backup?  This can be about where your data is being sent (eg sensitivity and security if data is leaving Australia) This can also include what they backup on to which leads to the next question;
• What is your access to this backup?  Is the device accessible, and in the time frame or frequency that you need it. To understand what your requirements may be, see the five vulnerabilities below.

When trying to answer how a provider completes its backups, some providers offer geo-redundancy, which is often mistaken for backup. Backup takes place when a historical copy of data is made and then stored in another location. However, it is even more important that you have direct access to and control over that backup. So if data is lost, accidentally deleted or maliciously attacked, for example — you can quickly recover. Geo-redundancy, on the other hand, protects against site or hardware failure, so if there is an infrastructure crash or outage, your users will remain productive and often oblivious to these underlying issues. In summary geo-redundancy can be beneficial, but cannot be used in place of a backup.

Software as a Service (SaaS)

One way that a user can manage their cloud services is by using a robust and highly capable Software as a Service (SaaS) platform. To understand why this is necessary, advice from hundreds of IT professionals across the globe who have migrated to SaaS, have found six main vulnerabilities in data protection:

Accidental Deletion

If you delete a user, whether you meant to or not, that deletion is replicated across the network, along with the deletion. Native recycle bins and version histories included in some SaaS solutions can only protect you from data loss in a limited way, which can turn a simple recovery from a proper backup into a big problem after the platform has replicated the changes, or it has fallen out of the retention period.

Retention Policy gaps and confusion

The fast pace of business in the digital age lends itself to continuously evolving policies, including retention policies that are difficult to keep up with, let alone manage. Just like hard and soft delete, SaaS platforms generally have limited backup and retention policies that can only fend off situational data loss, and is not intended to be an all-encompassing backup solution.

Internal Threats

The idea of a security threat brings to mind hackers and viruses. However, businesses experience threats from the inside, and they are happening more often than you think. Organizations fall victim to threats posed by their very own employees, both intentionally and unintentionally. Access to files and contacts changes so quickly, it can be hard to keep an eye on those in which you’ve installed the most trust. Cloud providers have no way of knowing the difference between a regular user and a terminated employee attempting to delete critical company data before they depart. In addition, some users unknowingly create serious threats by downloading infected files or accidentally leaking usernames and passwords to sites they thought they could trust. Another example is evidence tampering. Imagine an employee strategically deleting incriminating emails or files — keeping these objects out of the reach of the legal, compliance or HR departments.

External Security Threats

Malware and viruses, like ransomware, have done serious damage to organizations across the globe. Not only is company reputation at risk, but the privacy and security of internal and customer data as well. External threats can sneak in through emails and attachments, and it isn’t always enough to educate users on what to look out for — especially when the infected messages seem so compelling. Limited backup/recovery functions are inadequate to handle serious attacks. Regular backups will help ensure a separate copy of your data is uninfected and that you can recover quickly.

Legal and compliance requirements

Sometimes you need to unexpectedly retrieve emails, files or other types of data amid legal action. Something you never think it is going to happen to you until it does. Some solutions have built in a couple safety nets, (Litigation Hold) but again, these are not a robust backup solution capable of keeping your company out of legal trouble. For example, if you accidentally delete a user, their onhold mailbox, personal SharePoint site and OneDrive account is also deleted. Legal requirements, compliance requirements and access regulations vary between industries and countries, but fines, penalties and legal disputes are three things you don’t have room for on your to-do list.

With this in mind a (SaaS) platform can fit the needs of many organizations perfectly as long as the above items are addressed and managed. SaaS provides application availability and uptime to ensure your users never skip a beat, but a SaaS backup can protect you against many other security threats. You or your boss might be thinking, “The recycle bin is probably good enough.” This is where many people get it wrong. The average length of time from data compromise to discovery is approximately 100 days (*FireEye 2018). A shockingly large gap. The likelihood is high that you won’t notice something is missing or gone until it’s too late for the recycle bin.

All of these questions can easily be raised, all you have to do is start the discussion. Whilst the world is evolving even faster than before the old rules of backup still apply. There are security gaps you may not have been aware of before, but the cloud is still something to be embraced you just simply need to be informed.

*https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

Photo by Samuel Zeller on Unsplash