As my colleague George Crump discussed in his article on disaster recovery as a service, “Introducing DRaaS 2.0”, there are a number of compelling advantages in using DRaaS solutions. However, regardless of the cost savings and other advantages when organizations use DRaaS services, they must remain aware of how the cloud and DRaaS can impact the security of their data.
All organizations today face a myriad of government regulations and requirements that task them with ensuring the integrity, durability and security of their data. Failure to comply with these requirements can result in very heavy penalties and, worse, exposure to cyber-attack. The various data protection features found in cloud storage and DRaaS solutions can help protect the integrity and durability of an organization’s data.
Securing Data Regardless of Location
While organizations store their data on their local systems and in their data centers, they can easily maintain full access control to their systems and their data. They dictate who can physically access which systems as well as which data sets. They also have the means to track individual access to any system or data set in the enterprise. This enables them to also maintain chain of custody of their data.
However, once an organization starts using cloud storage and DRaaS solutions, they move their data from their facilities into the hands of various other third parties that are not part of the organization. Nevertheless, their data must remain secure so no unauthorized personnel can access it whether the data is on-premises, in the cloud, at rest or in flight.
Strong Encryption Provides the Necessary Protection
The first line of defense for data is robust, 256-bit AES encryption. All data should be encrypted whether it is at rest or in transit to another device or system. Where cloud storage is concerned, encryption should be selectively available at the business functional level (bucket or container) as opposed to the technological level (hard drive). This provides the flexibility of supporting multi-tenancy with a different encryption key for each data set. With data properly encrypted, it will be useless to anyone without the necessary encryption keys to decode it.
Who Controls the Encryption Keys
This brings us to a very critical consideration, which is the control of the encryption keys. Practically all cloud providers and DRaaS services provide industry-standard 256-bit AES encryption for all data entering and stored on their systems. However, the important question is: who controls the encryption keys? Some cloud and DRaaS providers do not offer the organization the option to control the encryption keys. Instead, they reserve this right to themselves. Unfortunately, this means the organization no longer has exclusive control of its data.
Lack of exclusive control over encryption keys could lead to a difficult situation for the organization. For instance, under the right circumstances a cloud provider or DRaaS service could be forced by a subpoena or court order to turn over an organization’s data, without the organization’s consent, to another entity. At that point, the organization would no longer have any control over that data.
The other side of the issue is that if the provider has no access to the keys, it is limited in the help it can give the customer during the recovery process. The provider can no longer “see” the data, which limits its ability to provide other specialized indexing or search functions. There is also the concern of the customer losing the key. Some organizations may decide the keys are better left in the hands of the provider.
There is no perfect answer. To ensure absolute control and security of data, an organization should always be the one that creates and controls the encryption keys with the ability to “loan” key control to the provider for given periods of time. Ideally, an organization would want to use DRaaS providers that give the organization the choice over who has key ownership. Ultimately, each organization will need to evaluate their security requirements and decide whether or not to use services that do not let them control their own encryption keys.
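The per-bucket keys and the time-limited key “loan” described above can be sketched as follows. This is an added example, not code from the article or from any provider; the CustomerKeyService class, the provider and bucket names, and the sample master key are all hypothetical, and HKDF-SHA256 is one assumed way to derive a separate 256-bit key for each bucket.

```python
import hashlib
import hmac
import time


def hkdf_sha256(master, info, length=32):
    """HKDF (RFC 5869) with SHA-256 and an all-zero salt: extract, then expand."""
    prk = hmac.new(b"\x00" * 32, master, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class CustomerKeyService:
    """Hypothetical key service run by the customer, not the provider."""

    def __init__(self, master_key):
        self._master = master_key   # never leaves the organization
        self._loans = {}            # (provider, bucket) -> expiry time

    def bucket_key(self, bucket):
        # Independent 256-bit key per bucket/container (one per data set).
        return hkdf_sha256(self._master, b"bucket:" + bucket.encode())

    def loan(self, provider, bucket, seconds, now=None):
        # Grant the provider access to one bucket key for a fixed period.
        now = time.time() if now is None else now
        self._loans[(provider, bucket)] = now + seconds

    def revoke(self, provider, bucket):
        self._loans.pop((provider, bucket), None)

    def release_to(self, provider, bucket, now=None):
        # The provider receives a key only while an unexpired loan exists.
        now = time.time() if now is None else now
        expiry = self._loans.get((provider, bucket))
        if expiry is None or now >= expiry:
            raise PermissionError(f"no active key loan for {provider} on {bucket}")
        return self.bucket_key(bucket)


if __name__ == "__main__":
    svc = CustomerKeyService(bytes(range(32)))  # constructed sample master key
    svc.loan("draas-provider", "finance-backups", seconds=3600, now=0)
    print(svc.release_to("draas-provider", "finance-backups", now=10).hex())
```

The loan only governs when the customer's service hands a key out. A key the provider has already copied can be withdrawn for certain only by re-encrypting that bucket under a new key.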