Why endpoint backup strategies fail in the cloud

Some CIOs might pine for the days when they only needed to protect machines behind the firewall. With the rise of the cloud, SaaS, mobile devices, and IoT, enterprises have had to redefine endpoint protection to corral an ever-expanding perimeter of roaming data. So just how are IT organizations ensuring that they can recover all of that data in the event of a disaster?

Michael Cantor, CIO at Park Place Technologies, said his enterprise, like others, is still approaching data protection much as it has for decades. “An IT organization will always prioritize around the criticality of the data,” he said. “The data from IoT devices tends to be less critical than the data from inside corporate databases. So if an organization is collecting data at the edge from an IoT device and not actively transacting the data, it will often be left there without an effort to back it up and centralize it to the cloud.”

Mat Hamlin, vice president of products at Spanning, agrees that most organizations have not extended their backup and recovery solutions to mobile and IoT endpoints, despite having developed strong mobility security practices built around mobile device management. That’s because most IT organizations treat mobile and IoT devices as thin clients that are replaceable, he argues. “The mass majority of corporate data that is accessed and used on mobile devices resides in the cloud and is only presented through mobile applications,” he said. “Since no corporate data is exclusively resident on the device, the risk of corporate data loss is low.”

That’s changing, though. In light of many business-busting natural and manmade disasters, organizations are moving more and more data to cloud services, and actively adapting their backup and recovery processes and products to meet governance policies.

If you’re part of the cloud migration, here are a few key considerations to ponder.

Consider cloud backup and recovery

Dozens of backup services are available for protecting cloud and remote data, but there are some common fundamental differences between on-premises and cloud backup and recovery. Todd Matters, chief architect and co-founder of RackWare, notes that on-premises backup has traditionally resided at the storage level: Techs were simply backing up server volumes and disks. This worked, but the recovery process was tedious and complex, since organizations had to take those volumes and reconfigure them for their servers.

Cloud technology is more application-focused, and it doesn’t care as much about the storage itself. When you back up your applications, you back them up in the context of an existing operating system, with an existing application. “When you recover it, those associations are already well known,” Matters said. “You don’t have to worry about things like, ‘How do I map the data on all these volumes to these new compute resources I need to spin up?’”

Cloud backup and recovery also brings different concerns and considerations. One of the biggest has to do with architecture. Hamlin noted that the only way to get data in and out of SaaS applications such as G Suite, Salesforce, and Office 365 is by using their public APIs and downloading individual items at very high scale. There is no available access to the underlying infrastructure, storage, or databases. 

“This means that many traditional backup and recovery solutions will not work, which is why you see new entrants in the backup and recovery market and traditional backup vendors working to adapt their current products to support cloud architectures,” he said.

“To effectively back up cloud data, solutions must horizontally scale and perform backup and recovery operations in parallel.”
Todd Matters

SaaS vendors’ continuous release cycles—which rapidly introduce new functionality, new services, and updated APIs—can also be a challenge, making it difficult for organizations and data protection vendors to keep pace, Matters said. To ensure the highest success rate for keeping up with the changes, organizations must review and adapt their processes often, he said.

“Backup and recovery solutions should be able to match the rapid, continuous release cycles of the SaaS application provider.”
—Todd Matters

Confusion around the various cloud backup services’ SLAs regarding data protection is another potential hurdle that can leave organizations unsure of exactly what is protected and what isn’t. In the event of a ransomware attack or other disaster, discovering that a key asset was unprotected can be as devastating as not having backed up the data at all, said Steve Wright, product manager at Rocket Software.

The cloud model for backup and recovery requires a major rethinking of SLAs to better represent cloud providers’ culpability, he said.

“Companies using the cloud for backup and recovery need to clarify the commitment of the vendor company to providing fast and easy access to all their data, even if some of it has been moved to secondary storage.”
Steve Wright

Quiz your cloud backup provider

With so much at stake, it pays to ask a few questions of any cloud provider up front. Getting clarification on those pesky SLAs is a good place to start, said Barracuda Networks technology evangelist Greg Arnette.

“Ask how many ‘nines’ the vendor offers. Five nines or greater should be the goal.”
Greg Arnette

He also advises reviewing the vendor’s public operational status page. This is typically a good, unbiased view of uptime performance, since the marketing department can’t influence the raw details, he said. “If a vendor’s real uptime doesn’t match their claimed uptime SLA, then there’s a credibility problem. Uptime performance is different than data durability, but reveals how truthful the company is about these matters.”

Cost will undoubtedly be top of mind for most organizations, so that’s a good place to investigate next. Cost dimensions are important, and there are more dimensions than with on-premises, Park Place Technologies' Cantor said. “For instance, there is physical storage cost, tiered storage cost, and data transfer cost, among others. Asking the vendor to help calculate and optimize the cost will be critical.”

You also should ask if the data is automatically encrypted or if you have to do anything on your end to encrypt it, Matters said. Make sure that stored data is encrypted at rest. “Cloud providers are beginning to provide encryption, but you will want to make sure that is included by default in any backup or data recovery environments that you would provision,” he said.

Compliance questions will also be important for regulated or global industries, Cantor said. Ask where storage will be located and if you can have any say in that decision. Also ask about the difference in cost among locations, and find out if the cloud vendor will certify compliance with whatever standard is necessary.

Share the responsibility

Most important is to remember that a cloud backup provider is only one half of a bulwark against data threats.

“Data protection in the cloud is a shared responsibility between the cloud provider and the subscribing organization, where organizations are still ultimately responsible for ensuring that data can be recovered in line with the requirements of the business. That’s why we continue to see new solutions and rapid adoption of backup and recovery for SaaS applications and cloud platforms.”
Michael Cantor