Protecting your data in public cloud services

Published: Tuesday, 22 January 2019 08:47

Rapid growth in the use of public cloud services for core business operations is changing the technological landscape. But in the rush to take advantage of the agility that public cloud offers, are organizations in danger of neglecting a core area of business continuity?

In the last eighteen months the acceleration of public cloud services has been overwhelming. It is no coincidence that the arrival of UK-based instances of Microsoft Azure and Amazon Web Services made more organizations willing to move workloads and data into public cloud services, and these services have since gone from strength to strength.

It is estimated that more than 60 percent of organizations use Office365 email services for some, if not all, of their messaging users. The most popular public cloud services, like Microsoft Office365, Azure, Salesforce, Google Suite and Amazon Web Services, have lowered the barrier to entry for small and medium-sized businesses to access IT, and many larger organizations have also seen the benefits of moving to a pay-monthly model. Access to these professional business applications, billed on a low-cost subscription model, is helping to accelerate business growth and agility.

However, using these public cloud services does not absolve you of responsibility for protecting YOUR data! So, what cyber security and data protection is provided and contracted by these global IT providers? And what are the gaps that you need to be aware of when you are putting together your plan for protecting your data that is live in public cloud applications?

The public cloud providers have done a good job of delivering highly available computing platforms and application environments. They specify this in their contracts and even include service levels, if requested. They have built infrastructure across multiple data centres and invested heavily to ensure that when your users or customers log in, the application is available and access is granted. They do this IT plumbing well.

What is less clear from the subscribers’ point of view is how the users’ data, which is actually YOUR organization’s data, is being protected.

The candid answer is that your data is NOT protected by the public cloud providers within their services, yet there are obvious requirements for you to ensure your data is safeguarded. The lack of protection usually comes to light when data is deleted, becomes corrupted in a hardware or software failure, or is compromised in a malware or ransomware attack. The public cloud providers are asked to recover the data but are unable to get it back, because they don’t perform the backup services that are necessary to be able to consistently recover your data.

There are a number of data protection service providers that can protect your data in public cloud services. They ensure that when something goes wrong and the data is lost, a backup copy can be recovered back into the public cloud service, and normal working can be resumed with minimal disruption and without loss of business. But this does not come as a standard part of the public cloud provider’s service.

Using an automated backup service that is outside the public cloud services platforms, across an effective air gap, ensures that any underlying platform or data integrity issues do not affect the recovery systems or the recoverability of the data, and in turn makes it more difficult for malware and ransomware to rapidly and easily contaminate the backup data used for recovery. In advanced data protection services, further measures are also available to prevent malware attack loops and cyber attacks aimed at encrypting or deleting backup files to prevent successful recovery.

Aside from the need to safeguard the organization’s data to prevent financial loss and reputational loss and to provide organizational resilience, regulations like GDPR and certifications like the UK’s Cyber Essentials require that an organization has the ability to recover data when it needs to. This includes recovery of data into public cloud services.

Adopting or switching to a new backup service is often triggered by a data loss event or by an existing backup service that is failing. By then it is too late. The biggest challenge, if you have been running Office365 for some time and have not yet had a data loss incident, is deciding how to raise the subject of needing to protect your data.

The first step is to review your service agreement with the public cloud provider and talk to data protection providers to put the right protection in place for YOUR data. Do this before you find out the hard way, with a group of angry users and their line manager knocking on your door, demanding you get their data back; or, worse still, with angry customers or regulators, when it is likely that a whole lot more people in the wider world will be aware of the problem, and your organization’s reputation is on the line.