Challenges of Cloud Storage and Backup
Oct 28th, 2015 by aperio

More and more businesses and government agencies are considering the cloud as a possible solution to their data storage and backup needs. In general, when businesses talk about “the cloud,” they are referring to a type of computing that involves sharing computing resources, usually via the Internet. For a more in-depth definition of the cloud and a discussion of cloud security issues, you can read our blog post, “When Security in the Cloud Gets in the Way of Work.”

 

Cloud storage refers to the use of the cloud as a replacement for more traditional kinds of data storage, such as a Network Attached Storage (NAS) device (a centralized server dedicated solely to file sharing). Similarly, cloud backup refers to the use of the cloud as a way to protect data.

 

Cloud storage and backup offer several advantages.

 

  • Lower costs. Using the cloud means you can avoid paying for the infrastructure you would otherwise need. Administration costs are also drastically reduced.
  • Offsite, redundant data storage. Cloud storage is inherently offsite, providing appropriate storage in case of natural disasters. You can also find larger cloud service providers who offer redundant storage of data in multiple servers. This means that if one server goes down, you can still access data from the other servers without adversely impacting your business.
  • Reliable and secure backup. Most cloud backup offers data deduplication (a specialized data compression technique for eliminating duplicate copies of data) and compression (a process of reducing file sizes by encoding data information more efficiently), making it both efficient and more secure.
  • Scalability. Cloud-based data backup allows your business to easily increase storage as its data grows over time, while only charging for the storage you use. You avoid the upfront costs you would otherwise face to add to your data storage infrastructure.
  • Easy access to data. Cloud data storage allows teams in widely separate locations to easily share data and files.
  • Simple data backup and recovery. For some cases, the cloud makes it easy to automate data backup and to recover data.

 

Of course, there are also some disadvantages to consider.

 

  • A full initial data backup can be prohibitively time-consuming. Further backups are much faster as they should only include new or modified data. If your company’s backups frequently involve large files, it can be more effective to back up your data first to an on-site server and then to the cloud.
  • Bandwidth availability may be limited. If so, your backup strategy will need to take into account how much data can actually be backed up daily.
  • Dependency on your cloud service provider. If your provider has unexpected issues, you will have no control over fixing those issues, instead having to rely on them.
  • Entrusting data to a third party. Naturally, using the cloud means you are entrusting your data to your cloud service provider. This may be more of an issue for some industries than others. You can make certain that your cloud service provider uses modern encryption tools, or encrypt your data yourself before you back it up to the cloud.

Whether or not cloud storage and backup will be a good solution for your business is going to depend on your specific needs. It is well worth the time to consider if lower costs and scalability, along with other advantages, might make a cloud solution work for you.

Digging In to Your Data Backup and Recovery Strategy
Oct 26th, 2015 by aperio

For your data backup and recovery strategy to be worthwhile, you’ll need to go beyond merely copying your data. Some of the factors you’ll need to delve into include just how well you can recover your data, the operational expenses associated with your strategy, and how well your vendor really supports virtualization.

 

You copied it, but can you recover it?

 

Data backups are meaningless if they don’t successfully facilitate data recovery. Tape backups and online backups are two major culprits when it comes to recovery failures.

 

Tape backups were introduced in the 1950s and remain in use to this day, partly due to their low cost. But they often offer only an illusion of security. Studies show that between 50% and 77% of users trying to restore data from tape backups have experienced failures.

 

Online backups can seem to be a better, more modern solution. The good news is that online backups definitely have a better recovery rate than tape backups. Unfortunately, recovering even small amounts of data from online backups can take a significant amount of time, perhaps even months.

 

You know what you’d like, but should you spend the money?

 

In a world where money is no object, businesses would probably demand data backup and recovery plans that allowed for zero data loss and zero time spent to recover data. But in the real world it’s necessary to establish reasonable objectives for acceptable data loss and for the amount of time spent on recovery.

 

Your Recovery Time Objective (RTO) is the amount of time required to get the crucial aspects of your business back up and running after a disaster. For example, if your RTO for a particular service is zero, that means that the service must be restored immediately. A less crucial service might have an RTO measured in hours or days, depending on how long your business can reasonably function without it. Unsurprisingly, an RTO of zero is going to cost more to support.

 

Your Recovery Point Objective (RPO) is the point in time to which your data is going to be restored. If your RPO for your data is zero, this means that when service resumes there must be no loss of data at all. This might be necessary for banking or similar applications. In contrast, an RPO of 24 hours or more might be acceptable for some internal reporting applications where the loss of one day of reporting is not significant enough to justify the cost of complete data recovery.
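
The RTO and RPO definitions above, combined with the earlier point that a backup only counts if it can be restored, can be checked mechanically. The following is an added example, not code from the original post: the service names, backup records, restore-drill times, and objectives are all constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data: (service, backup finished, restore test passed?)
BACKUPS = [
    ("reporting", "2015-10-25 02:00", True),
    ("reporting", "2015-10-26 02:00", False),  # copied, but could not be restored
    ("reporting", "2015-10-27 02:00", True),
    ("orders-db", "2015-10-27 09:00", True),
    ("orders-db", "2015-10-27 10:00", True),
    ("orders-db", "2015-10-27 11:00", True),
]
# Constructed restore-drill results: how long a full restore actually took.
RESTORE_DRILLS = {"reporting": timedelta(hours=6), "orders-db": timedelta(hours=3)}
# Constructed objectives per service.
OBJECTIVES = {
    "reporting": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
    "orders-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=2)},
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def worst_data_loss(service, now):
    """Longest stretch without a restorable backup, up to and including `now`."""
    good = sorted(parse(ts) for svc, ts, ok in BACKUPS if svc == service and ok)
    if not good:
        return None  # nothing restorable at all
    points = good + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def assess(now):
    """Compare measured data-loss window and restore time with RPO and RTO."""
    report = {}
    for service, objective in OBJECTIVES.items():
        loss = worst_data_loss(service, now)
        drill = RESTORE_DRILLS.get(service)  # None means never tested
        report[service] = {
            "worst_loss": loss,
            "rpo_met": loss is not None and loss <= objective["rpo"],
            "rto_met": drill is not None and drill <= objective["rto"],
        }
    return report


if __name__ == "__main__":
    for service, result in assess(parse("2015-10-27 12:00")).items():
        print(service, result)
```

In this sample the nightly reporting backup misses its 24-hour RPO because one copy failed its restore test, while the hourly orders-db backup meets its RPO but misses its RTO because the drill took longer than the objective allows.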

 

Your vendor says they support virtualization, but what do they really mean?

 

Webopedia provides this definition: “In computing, virtualization means to create a virtual version of a device or resource, such as a server, storage device, network, or operating system.” This means that, in theory, backing up a virtual machine should involve simply copying its files and configuration data. This copied information should then be easily available to move a virtual machine to different hardware as needed.

 

However, virtualization can represent a significant load for a host server and for the virtual machines running on that host. For some businesses, having virtual systems that operate at a much slower pace will be acceptable. But for situations where speed is necessary, the slower pace may come as an unexpected shock.

Understanding the details of your data backup and recovery plan is crucial to making sure it meets your business needs. You will need to know exactly how recoverable your data really is, how your strategy impacts your costs, and the real facts about how well your vendor supports virtualization.

Data Backup and Recovery Should Be Your Priority.
Oct 16th, 2015 by aperio

 

If you’re an IT person, you’ve probably experienced the daunting challenge of explaining technical matters to colleagues with non-technical backgrounds. Particularly in the case of explaining technology to executives, you need to be able to present your case from a perspective that makes sense to them.

 

You’ll need to make sure that you and your audience have a shared understanding of basic concepts. For example, does your CFO understand that data backup must also include effective retrieval of backed up data? Do they understand the concepts of automation and retention? Are they aware of any financial penalties the company faces if it fails to meet regulatory requirements?

 

You’ll also need to present the business need for backup and recovery in a way that makes sense to them. While you might expect a CFO to automatically understand the need to mitigate risk, this is not always the case. Their primary focus is often on reducing costs; it will be up to you to make a compelling argument that failure to mitigate the risks potentially associated with data loss is likely to be more costly in the long run.

 

IT managers often compare backup and recovery processes to insurance to make this point. Discussing backup and recovery as a type of insurance that offers financial risk management in case of disaster is likely to appeal to a CFO or other executive whose primary concern is budget.

 

In this vein, providing your CFO with actual costs for ineffective backup and recovery can help to illustrate your point. Break down, as accurately as possible, the costs associated with lost employee productivity, lost revenue, and the costs associated with recovering data. Will you need to bring in outside help to assist with recovering data from unreliable tape backups? Is it possible you’ll need to hire computer forensics experts to recover data from hard drives that are not currently being backed up properly?

 

It’s also worthwhile to touch on less quantifiable losses. Will your clients lose confidence in your ability to deliver your services or products reliably? Will your company be liable for failures associated with any data loss?

 

You should also explain to your CFO the ways in which your proposed data backup and recovery plan will make sure your company is getting the most value for its money. Be prepared to discuss the scalability of your proposed solution to your data needs, so you can assure your CFO that your company will be able to spend only what it needs to at any given time.

 

Keeping operational costs down will also be appealing. For example, be prepared to describe how your solution takes less time to recover data, or requires very little human intervention to perform and monitor backups.

It’s up to you to go beyond mere technical explanations when you discuss data backup and recovery with the decision makers in your company. And you can’t assume that they have a clear grasp of the risks the company faces or the advantages of any solutions you propose. Framing your discussion from their perspective will help you to help them to make the right choices for everyone’s success.

Cyber Corporate Espionage
Oct 7th, 2015 by aperio

What is Cyber Espionage? According to this comprehensive definition from Wikipedia, “cyber spying” or “cyber espionage” is:

“The act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary, or of classified nature) from individuals, competitors, rivals, groups, governments, and enemies for personal, economic, military, or political advantage using methods on the Internet, networks, or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware.”

With the likelihood of U.S. economic sanctions against China in response to repeated acts of civil cyber espionage, many U.S. companies are asking if they might also be targeted. The possibility of such attacks is definitely increasing, as cyber espionage is not strictly limited to the political sphere; financially motivated hacker groups appear to be on the rise. These groups’ efforts are focused on acquiring business secrets that can be sold to third parties, or used for insider trading. Closer to home, similar attacks from former employees or business competitors are a real concern.

What kinds of information might be targeted in a cyber attack?

Generally, the answer is anything that could give your competitors an advantage. For business owners, this could mean having your competitors gain access to information about your product features, pricing, customer or vendor contracts, M&A plans, employee information, and more. Customer contact information is also of interest to attackers, who might use it to engage in phishing attacks.

What steps can you take to protect your company?

There are several steps you can take to mitigate the risk of cyber espionage:

●    Use up-to-date malware and virus removal software. If you aren’t already doing this, now is the time to start. Your network is most likely to be infected when employees visit websites that contain viruses and other malware. While you can employ web usage controls to limit the sites your employees access and to monitor the ones they do, you can still be infected when employees use their own devices, such as laptops, flash drives, and so on. Keeping your virus removal software up-to-date can greatly decrease this problem.
●    Have a process in place for properly suspending or terminating the accounts of problem employees or employees who are no longer with your company. It’s easy to overlook the importance of promptly removing access, but the surest way to protect against misuse of access is to remove it.
●    Enforce the use of “strong” passwords. This means both educating your employees concerning the risks of using common passwords, and requiring them to use complex, unique passwords instead.
●    If you have data on a public cloud, consider whether it is sensitive or not. If it is, it may be in your best interests to move it to a private cloud where you have more control over security.
●    Train your employees on all aspects of cyber security. We discussed the need for strong passwords above; additionally, educate your employees on other security issues. For example, offer guidelines for how to identify suspicious emails, and how to report them when received.

When Security in the Cloud Gets in the Way of Work
Oct 5th, 2015 by aperio

As more companies move to cloud-based services, security in the cloud is becoming a greater concern. How can you make sure your company’s sensitive data is protected while still taking advantage of the convenience the cloud offers?

What is the Cloud?

First, we need to understand exactly what we mean when we talk about the cloud. Confusingly, the term can be used for very different things. People may be referring to the public cloud, to a private cloud, or to a hybrid of public and private.

A public cloud is one that is accessed by multiple users and organizations. With a public cloud, providers offer applications and storage via the internet to the general public. Lower cost is the main advantage of a public cloud. Limitations include security concerns for sensitive data.

A private cloud is accessed by only one organization. While a private cloud can reduce security concerns and offer the opportunity to customize for an organization’s needs, it also involves the additional costs of development.

A hybrid cloud, obviously, is a mix of public and private, allowing organizations to use different solutions for different needs.

To take advantage of cloud services effectively, organizations need to be aware of their needs. For example, companies that deal with health, financial, or other sensitive data will want to avoid storing that data in a public cloud.

What Issues Do Your Company and Your Employees Face?

One of the greatest difficulties faced by employees is cumbersome security requirements. For example, according to a July 2015 study done by Dell, approximately 85% of users are faced with the need to have and keep track of multiple passwords for the different services they use on the job. Additionally, 82% of users who work remotely reported that they are required to use additional security measures. Ultimately, the study showed that 91% of users feel that their productivity is impacted by the steps they have to take to meet security needs.

The case of multiple passwords is especially worrisome, as employees tend to be focused on completing tasks over meeting security requirements. This can lead to disastrous workarounds, including using the same password for all cases, making a hacker’s job easy, or even writing down passwords and keeping them in poorly secured locations. If you’ve ever written a password on a slip of paper and “hidden” it under your keyboard, you know how easy it is to fall into the habit of workarounds.

However, most companies know that security has to take priority over ease of use. This makes sense, especially when dealing with sensitive customer data. How can companies balance these two competing needs?

What Solutions are Available for These Issues?

One promising approach is known as “context aware” security. This approach involves varying levels of security requirements depending on different factors. For example, a company might require only a standard level for a user whose geographical location is in California, but place additional scrutiny on a user logging in from an Eastern European country. This is a more sophisticated approach than those available in the past, which would either allow all users to log in easily regardless of geographical location, or would subject all users to intense scrutiny regardless of location.
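
One way to express the “context aware” decision described above is a scoring function that raises the authentication requirement as a login departs from the user’s usual pattern. This is an added example, not code from the original post: the user profile, resource names, score weights, and thresholds are hypothetical values chosen for illustration, and the country is assumed to come from an IP geolocation lookup done by the caller.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    country: str    # assumed to be supplied by an IP geolocation lookup
    device_id: str
    resource: str


# Constructed baseline of where and how each user normally signs in.
PROFILES = {
    "alice": {"countries": {"US"}, "devices": {"laptop-7f3a"}},
}
# Hypothetical list of resources that hold sensitive data.
SENSITIVE_RESOURCES = {"payroll", "customer-db"}


def risk_score(ctx):
    """Return (score, reasons); the weights are illustrative assumptions."""
    profile = PROFILES.get(ctx.user)
    if profile is None:
        return 100, ["no baseline for this user"]
    score, reasons = 0, []
    if ctx.country not in profile["countries"]:
        score += 40
        reasons.append("unfamiliar country: " + ctx.country)
    if ctx.device_id not in profile["devices"]:
        score += 30
        reasons.append("unrecognized device")
    if ctx.resource in SENSITIVE_RESOURCES:
        score += 20
        reasons.append("sensitive resource: " + ctx.resource)
    return score, reasons


def required_auth(ctx):
    """Map the score to a requirement: password, password+mfa, or deny."""
    score, reasons = risk_score(ctx)
    if score >= 80:
        return "deny", reasons
    if score >= 30:
        return "password+mfa", reasons
    return "password", reasons


if __name__ == "__main__":
    print(required_auth(LoginContext("alice", "US", "laptop-7f3a", "wiki")))
    print(required_auth(LoginContext("alice", "RO", "laptop-7f3a", "wiki")))
    print(required_auth(LoginContext("alice", "RO", "tablet-01", "payroll")))
```

The user keeps a single credential; only the amount of additional verification changes with context, and the returned reasons give the security team something to log and review.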

More generally, encouraging IT professionals to move away from a “silo” approach to security will alleviate the need for multiple passwords. In the “silo” approach, new features are added to systems independently of each other, without much thought given to how each addition will interact with old features. In the short term, a quick and easy way to provide security in this environment is to require users to create a new password each time they need to be given access to a new feature. But in the long term, this is costly in terms of encouraging users to get around security with risky workarounds. Taking the time to have a coherent overall plan for adding new features will minimize this risk.
