Security Practices All Cloud Backup Vendors Should Follow
Companies that want to add cloud backup services to their data protection strategy sometimes hold off because of concerns about security. These concerns take the form of questions like:
• Once data leaves my premises, can someone unauthorized see it?
• Can someone change my data?
• Can I meet my compliance requirements if my data is stored in an online data backup service?
If cloud backup vendors can’t answer these questions in the right way, an IT director is compelled to go through the expense of purchasing and maintaining their own backup servers, disk arrays, tape libraries and appliances, along with all the security software, protocols and audits needed to keep everything secure.
Unfortunately, keeping data onsite is not necessarily any more secure than having it in an offsite data center. Every week there are news reports of data being stolen from a bank, credit card company or retailer, not to mention breaches of secure government servers.
What’s important is what security systems are in place, not where the data is stored. This is especially true for organizations that have compliance requirements like:
• The health information privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• Financial Industry Regulatory Authority (FINRA) data security and privacy rules.
• Family Educational Rights and Privacy Act (FERPA) regulations on access to student data.
• Securities and Exchange Commission (SEC) Rule 17a-4, which “requires that the electronic storage media preserve the records exclusively in a non-rewriteable and non-erasable format.”
• Sarbanes-Oxley Act of 2002 (SOX) Section 404 on auditing internal controls over financial records.
To keep ahead of hackers, it makes sense for small and medium-sized firms that lack in-house security and compliance teams to use a secure cloud backup and restore solution like Zetta. The must-have cloud backup security features are:
1. The data is encrypted both in transit and at rest.
2. The data is stored using advanced RAIN-6 (Redundant Array of Independent Nodes), which ensures that even if two entire storage nodes go down, not just two disks, the data is still available.
3. File-level hashing to validate that all the data is free of corruption so it can be restored when needed.
4. Storage in SAS70 Type II data centers under audited service procedures.
5. Data immutability and preservation procedures for compliance with regulations such as SEC Rule 17a-4.
6. A service certified under the Statements on Standards for Attestation Engagements No. 16 (SSAE-16).
7. User- and group-level access control to limit data access.
8. Authentication and logging of all access to your data.
When a data backup service provider offers this level of data protection, it can be safer to move backup offsite than to keep the service in house. With such a service, even a small business can achieve enterprise-level security and reliability, all at a fraction of the cost of hiring in-house experts.