Virtualization Technology News and Information
Why Shared Responsibility for Data Backup and Recovery is the Only Way

By Niels Van Ingen, Chief Customer Officer, Keepit

We're all familiar with the saying, "better late than never." Still, when it comes to backing up and recovering your critical, cloud-based business data, there's no "better late than..." option. That is, if you want to keep your business up and running following a data breach, loss, or ransomware attack.

So, who is ultimately responsible for safeguarding cloud-based data? Surprisingly, this simple-sounding question is often overlooked until it's too late, which is why SaaS customers need to be proactive when it comes to protecting their own data.

IT professionals may unknowingly assume that widely deployed SaaS services, such as Microsoft 365, Azure AD, Salesforce, and Google Workspace, offer customers adequate data backup and recovery. After all, most companies rely on these essential SaaS services to run their daily operations, so they should be protected, right?

The truth is that these providers do offer some level of data backup and protection in their service agreements, but if you read the fine print, you'll discover that cloud vendors offer very limited protection, and when the time comes to rely on them to recover lost data, the process is usually disorganized and prohibitively expensive.

Taking Shared Responsibility

When it comes to backing up and recovering the data that keeps businesses running, Keepit, as well as other SaaS providers, urges companies to follow a Shared Responsibility model, where customers take control of their own data by assuming the lion's share of responsibility for protecting it. After all, entrusting your email, collaboration tools, financial documents, legal contracts, intellectual property, and proprietary information to SaaS vendors whose focus is something other than backup and recovery represents tremendous exposure.

Look at Microsoft's own documentation, which states, "it's critical to understand the Shared Responsibility model and which security tasks are handled by the cloud provider and which tasks are handled by you. For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type)."

Microsoft goes on to say that if a customer loses data due to third-party software, malicious deletion, or human error (the most common cause of data loss, by the way), they will not provide data backup because they follow the Shared Responsibility model and are not liable.

As you can see, the stakes are too high to take a hands-off approach. Just look beyond the immediate impact of a ransomware attack. Not only are you facing a catastrophic business interruption, but the long-term consequences can also include damaged customer relationships and difficulty keeping your business in compliance, not to mention the high cost of paying ransom to cyber thieves who are always looking for vulnerable targets.

The Customer's Role in a Shared Responsibility Model

The days are gone when customers could rely solely on cloud service providers to offer meaningful backups as part of their service. With the Shared Responsibility model becoming more prevalent, it's clear that customers must have their own backup and recovery strategy.

You may be familiar with the 3-2-1 backup rule, which requires storing multiple copies of backup data on different devices and in separate locations. Even though the 3-2-1 principle comes from the days of on-premises data storage, it's still commonly referenced today in the modern, cloud-computing era. 

While the 3-2-1 rule isn't 100 percent applicable to cloud data, it can still be useful today to help guide security decision-makers toward improving their infrastructure against the current onslaught of data risks, with the biggest change being the shift in how data is created and where it is stored.

In today's cloud environment, remote workers who use SaaS applications are creating data in many different locations around the world, where it is then transferred and stored in a location different from a company's physical office. Rather than asking where your data is stored (in the cloud), the better question is whether it's backed up in the cloud and whether it is really backed up.

In short, components of the 3-2-1 rule include: 

  • 3 Copies of Your Data. This refers to the number of copies of your data, with one being the primary dataset in the production environment while the remaining two copies are backups. This is still applicable to modern data protection best practices.
  • 2 Administrative Domains. Having two administrative domains ensures that copies are managed independently from one another or are stored within separate logical environments, such as two types of media, which helps create what's known as a logical gap.
  • 1 Copy External. Formerly known as the single off-site storage copy, this still applies for the same reasons as it did in the past: You don't want to store all of your data in the same exact location, taking into account that the cloud is located in physical data centers. This means having a backup copy outside the cloud of the production environment and outside the administrative domain of the other backup.

Finally, here are a few data points that shine a light on the financial costs associated with data loss and ransomware:

  • A successful ransomware attack resulting in disruption to operations for an organization with 5,000 employees for five days would cost more than $5 million (Forrester Research).
  • An ESG study found that only 50 percent of the organizations were able to recover all their data in a clean and recent state.
  • Verizon's annual Data Breach Investigations Report estimates that a large data breach (with 100 million records or more) costs an average of $5 million to $15.6 million and can top out at $200 million.

So, returning to the original question about who's responsible for protecting your cloud-based data, it's clear the onus is on the customer for what we believe are obvious reasons.




Niels Van Ingen, Chief Customer Officer and VP of Business Development at Keepit, has a strong 20-year track record in the data protection/data management, eDiscovery, and compliance space, having worked with both the smallest and the largest of customers globally.
Published Monday, January 09, 2023 7:33 AM by David Marshall