Affordable Disaster Recovery: Compliance in the Cloud
The primary reason to have a data disaster recovery strategy is to ensure that data is protected, preserved, and recoverable, in the event something happens.
But those aren’t the only reasons for backups. Think disaster recovery compliance.
Are You Subject to Disaster Recovery Compliance Regulation?
Depending on what industry your company is in or serves, you may be subject to government and/or industry regulations. Disaster recovery compliance includes ensuring data protection and availability – even after a site-level data disaster event.
Disaster recovery compliance regulations that affect backup:
HIPAA (Health Insurance Portability and Accountability Act) for medical organizations
HITECH (Health Information Technology for Economic and Clinical Health Act)
SOX (Sarbanes–Oxley Act of 2002) for financial institutions and practices
FERPA (Family Educational Rights and Privacy Act), for educational institutions
For example, the Health and Human Services department says about HIPAA, “covered entities must: Ensure the confidentiality, integrity, and availability of all e-PHI [Protected Health Information] they create, receive, maintain or transmit.”
This means that, according to Sandra Nutten and Chris Mansueti from the American Health Information Management Association (AHIMA), “At a base level, the proper policies, processes, and technologies must be put in place to ensure that electronic PHI is backed up regularly and can be restored.”
Because an “event” can make onsite data, or even an entire data center, unavailable, it's the job of the offsite backup to satisfy these requirements.
Encryption and Geography are the keys to compliance
StorageIO Group founder and senior analyst Greg Schulz has this advice for compliance-meeting features to look for in off-site backups:
“Make sure they are source-side encrypted — that backups are encrypted before they leave your computer or building. Some services only encrypt when the data arrives.”
Also, says Schulz, “When you are sending your backup data, do you know where it’s going, and can you control the destinations? Are you assured that your data isn’t leaving the state or country, or not going to specific other countries? Is this explicitly stated in the user agreement, or your SLA or SLO (Service Level Objective) requirements?”
It’s also important to understand which disaster recovery compliance requirements a storage solution can’t address. For example, the “automatic logoff” that HIPAA requires is outside the storage layer and is therefore a client-device concern.
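As an added illustration of the two points above, not code from the article or from any product it names: a Go snippet that encrypts each backup chunk on the source host with AES-256-GCM before anything is uploaded, and refuses destinations outside a constructed allow-list of regions (the region names and the way the key is supplied are assumptions).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed residency policy: the only destinations the SLA permits.
var allowedRegions = map[string]bool{"us-east": true, "us-west": true}
var ErrRegionNotAllowed = errors.New("destination region not permitted by residency policy")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload encrypts a backup chunk on the source host, before it leaves,
// after checking the destination against policy. Output is nonce||ciphertext;
// the key never leaves the source, so the provider only ever sees ciphertext.
func SealForUpload(key []byte, region string, plaintext []byte) ([]byte, error) {
	if !allowedRegions[region] {
		return nil, ErrRegionNotAllowed
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Region is bound as associated data: a blob re-homed elsewhere later fails on restore.
	return gcm.Seal(nonce, nonce, plaintext, []byte(region)), nil
}

// OpenFromStore reverses SealForUpload on the restoring host.
func OpenFromStore(key []byte, region string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(region))
}
```

In a real deployment the key would come from a KMS, HSM or a passphrase-derived key held only on the source side, never from the backup provider.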
Using the offsite backup to get compliant, save money
For backup and recovery, many compliance requirements are identical to features you have – or could get – from the backup solution you’re already using to protect business data.
Zetta Data Protection, for example, encrypts data both in flight and at rest, and undergoes regular audits of operating controls such as SSAE-16 (the replacement auditing standard for SAS-70 Type 2) and SysTrust. These will support your company’s implementation of HIPAA or FERPA controls.
If the features match well enough, the backup you are using for business purposes may also be able to serve as your compliance-meeting backup(s), letting you, for a change, remove some items from your IT budget.
So, if your organization is subject to HIPAA, SOX or another disaster recovery compliance requirement, see if your data-protection backup can also serve as a compliant backup.
The odds are good that even if this means spending more on backup, the total will be less than having to do multiple redundant backups to get compliant with both your CIO and Uncle Sam.