Importance of Maintaining Proper Security and Control of Data in DRaaS Environments

As my colleague George Crump discussed in his article on disaster recovery as a service, “Introducing DRaaS 2.0”, there are a number of compelling advantages in using DRaaS solutions. However, regardless of the cost savings and other advantages when organizations use DRaaS services, they must remain aware of how the cloud and DRaaS can impact the security of their data.

All organizations today face a myriad of government regulations and requirements that task them to ensure the integrity, durability and security of their data. Failure to comply with these requirements can result in very heavy penalties and worse, exposure to cyber-attack. The various data protection features found in cloud storage and DRaaS solutions can help protect the integrity and durability of an organization’s data.

Securing Data Regardless of Location

While organizations store their data on their local systems and in their data centers, they can easily maintain full access control to their systems and their data. They dictate who can physically access which systems as well as which data sets. They also have the means to track individual access to any system or data set in the enterprise. This enables them to also maintain chain of custody of their data.

However, once an organization starts using cloud storage and DRaaS solutions, they move their data from their facilities into the hands of various other third parties that are not part of the organization. Nevertheless, their data must remain secure so no unauthorized personnel can access it whether the data is on-premises, in the cloud, at rest or in flight.

Strong Encryption Provides the Necessary Protection

The first line of defense for data is robust, 256-bit AES encryption. All data should be encrypted whether it is at rest or in transit to another device or system. Where cloud storage is concerned, encryption should be selectively available at the business functional level (bucket or container) as opposed to technological level (hard drive). This provides the flexibility of supporting multi-tenancy with different encryption keys for each data set. With data properly encrypted, it will be useless to anyone without the necessary encryption keys to decode it.

Who Controls the Encryption Keys

This brings us to a very critical consideration, which is the control of the encryption keys. Practically all cloud providers and DRaaS services provide industry standard 256 bit AES encryption for all data entering and stored on their systems. However, the important question is who controls the encryption keys? Some cloud and DRaaS providers do not offer the organization the option to control the encryption keys. Instead, they reserve this right to themselves. Unfortunately, this means the organization no longer has exclusive control of its data.

Lack of exclusive control over encryption keys could lead to a difficult situation for the organization. For instance, under the right circumstances a cloud provider or DRaaS service could be forced by a subpoena or court order to turn over an organization’s data, without their consent, to another entity. At that point, the organization would no longer have any control over that data.

The other side of the issue is if the provider has no access to the keys, then they are limited as to what help they can provide the customer in the recovery process. The provider can no longer “see” the data, which limits the provider’s ability to provide other specialized indexing or search functions. There is also the concern of the customer losing the key. Some organizations may decide the keys are better left in the hands of the provider.

StorageSwiss Take

There is no perfect answer. To ensure absolute control and security of data, an organization should always be the one that creates and controls the encryption keys with the ability to “loan” key control to the provider for given periods of time. Ideally, an organization would want to use DRaaS providers that give the organization the choice over who has key ownership. Ultimately, each organization will need to evaluate their security requirements and decide whether or not to use services that do not let them control their own encryption keys.

About Quorum

QuorumLabs, Inc. is headquartered in San Jose CA with offices all around the world. Quorum “Disaster Recovery as a Service” (DRaaS) solutions provide organizations with both local and remote instant recovery capabilities for their servers, applications and data. Quorum onQ provides the fastest on premises backup and recovery appliance combined with the most flexible DRaaS in the industry. This hybrid approach allows Quorum customers to enjoy high performance and cloud scale in a single product. To learn more, visit for details.

Joseph is a Lead Analyst with DSMCS, Inc. and an IT veteran with over 35 years of experience in the high tech industries. He has held senior technical positions with several major OEMs, VARs, and System Integrators, providing them with technical pre and post- sales support for a wide variety of data protection solutions. He also provided numerous technical analyst articles for Storage Switzerland as well as acting as their chief editor for all technical content up to the time Storage Switzerland closed upon their acquisition by StorONE. In the past, he also designed, implemented and supported backup, recovery and encryption solutions in addition to providing Disaster Recovery planning, testing and data loss risk assessments in distributed computing environments on UNIX and Windows platforms for various OEM's, VARs and System Integrators.

Tagged with: , , , , , , , ,
Posted in Blog

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 22,215 other followers

Blog Stats
%d bloggers like this: