29 Nov 2022, by Slade Baylis
With more and more services now being provided as Software as a Service (SaaS) platforms hosted out of cloud infrastructure, a lot of assumptions are made about these services by the people that use them. Primary among these assumptions is the unfortunate belief that the data stored on these services is inherently protected by being “in the cloud”. They should also be forgiven for making that assumption, as nearly every cloud provider will highlight the resiliency, redundancy, and protection that their platform provides, without making it clear that they only protect you from some risks whilst leaving you wide open to others.
Downtime and loss of data are two of the primary risks an organisation will face on their IT front, and whilst a cloud-based virtualised solution can help protect you from the first, it does little to protect you from the latter. In fact, due to the assumption about the data being inherently protected, the potential loss of data could be even more likely, as organisations may forgo the standard backups that they would have implemented had their data been hosted on a non-cloud platform.
This is why it’s important to know where the lines are drawn around the responsibilities for your systems, as SaaS platforms are often run with a “Shared Responsibility” model.
One of the easiest ways to explain the Shared Responsibility model is to juxtapose these new SaaS solutions against more traditional IT infrastructure arrangements.
In the past, most software that organisations would use would likely be hosted on-site, on hardware/servers that were purchased outright. That hardware would then either be managed by internal IT personnel or by externally hired IT providers.
With this type of approach, it’s quite intuitive as to where the lines of responsibility are drawn. The developers of the software would be responsible for making sure it functions as expected; the internal or external IT people would be responsible for making sure the environment was up to date and secure; and the organisation would be responsible for replacing hardware or the server if there was a failure. In this model, ultimately the organisation is responsible not only for the data on these servers, but also for the infrastructure that the server relies on, such as the server itself, power, cooling, and physical security, etc.
In the transition to a cloud-based SaaS model, some of these responsibilities shift over to become the responsibility of the SaaS provider; however, some others remain the responsibility of the organisation signing up for the service.
With these “as a Service” solutions, the software remains the responsibility of the software developers, but the main difference is that the infrastructure that the software runs on also becomes their responsibility - this includes purchasing, maintaining, and replacing the hardware itself if needed. It also includes the power and cooling, as well as the physical and digital security to keep the platform functional and secure. One large benefit of this is that it allows organisations to avoid the risks and potentially large capital expenditure associated with purchasing and replacing that expensive hardware if it ages or fails. However, the most important thing to note is that the data stored on these services is always the responsibility of the organisations that sign up to use them.
The lack of awareness around this Shared Responsibility model is quite a large problem. As reported by TechTarget [1], a survey of IT professionals in North America and Canada completed by the Enterprise Strategy Group found that as few as 13% of businesses understood that their data was entirely their responsibility to protect. One of their senior analysts, Christophe Bertrand, said that it was concerning “how many organisations are totally disconnected from the reality that they are responsible for protecting this data” and issued a reminder that using a SaaS application doesn’t remove the necessity of performing backups of your data.
With it being the case that even cloud services need to be backed up for complete protection, the next question is what is the best way to back up your data? As mentioned, by utilising cloud-based virtualised solutions, businesses are able to move the responsibility for hardware to their provider as well as significantly reduce their own financial risk. Due to this, it would be ideal if the backups of your SaaS services could also be cloud-based. The good news is that this already exists as a service, in the form of “Cloud-to-Cloud” backup services.
As the name implies, Cloud-to-Cloud backup is a term that refers to a service that takes a backup of data within one cloud environment and stores it in a separate cloud environment.
It may not be clear to those outside of the IT space, but as defined by Cloudflare [2], the term “cloud” simply refers to servers that are accessed over the internet and hosted in a data centre, as well as the software that runs on those servers. With this definition it’s easy to see that there is no singular “cloud” and that different cloud providers and cloud-based services can be thought of as operating in entirely separate cloud environments. What this definition highlights is that having your data stored only in a single cloud can leave you just as vulnerable to any issues that affect that provider’s infrastructure or the physical location that cloud is hosted within. This is why we recommend all organisations consider having some form of backup of their systems stored outside of their primary location.
To that end, Cloud-to-Cloud backup services use software to automate the backup of data within one cloud-based service and automatically transfer and store that data in another cloud-based environment. Not only does this protect from data loss, but as it’s stored on separate cloud infrastructure, it can also help meet Disaster Recovery or Business Continuity requirements for storing data off-site. One important thing to note is that having your backups hosted on “separate cloud infrastructure” doesn’t require that those backups be through a separate provider, but rather it just requires that you ensure that there is some form of separation between the backup platform infrastructure and the infrastructure your systems run on.
For example, within our own Veeam backup platform, we’ve designed the platform to store all backups in a separate secure cloud to add that extra level of protection. Having this data backed up separately from the primary infrastructure allows businesses to easily access and restore data in the event they accidentally delete data or if their data has become corrupted – it can also protect against other incidents that affect the integrity of their data, such as the continually increasing risk of Ransomware attacks.
As we’ve reported earlier in our article Dangerous cyber-threats to look out for leading into 2023 [3], one of the most disruptive cyber threats to organisations and individuals continues to be the risk of Ransomware attacks. As a quick introduction, a Ransomware attack is one in which a cyber criminal will seek to gain access to the devices of a business or individual, and once in, will encrypt the data on that device with the intent of ransoming that data back to the victim for a fee. As an added risk, the perpetrator may also sell the data to other malicious third parties for profit, or use the successful attack to damage the reputation of the victim.
Whilst backups of the data won’t help with those latter risks, they can protect you from losing data through that malicious encryption. This is achieved by allowing you to recover the data without needing to pay the ransom for its decryption, with the added benefit of allowing you to avoid funding further cyber-crime against others (or yourself in the future!). But the configuration of your backup infrastructure can dramatically affect whether it will adequately protect your data, or if instead it is also compromised along with your other systems.
The main factor affecting whether or not your backup infrastructure is protecting you from Ransomware is how segregated it is from your systems. When a Ransomware attack gains a foothold inside of a device, one of the first things it looks for is other systems within reach that it can jump into to also compromise – the aim here is to gain access to and encrypt as many systems and as much data as possible. The reason for this is to increase the chances that their victim will feel enough pressure to meet their demands and pay out. Alternatively, as a fallback, it also increases their chances of getting information they can profit from if sold to others.
Put simply, if your backup server is accessible from the compromised machine, it’s entirely possible that it too could be compromised, removing your only option for restoring your data without being forced to comply with the attacker.
To protect from this, extra thought should be put into the design of your backup infrastructure. Specifically, designing or choosing to use a backup platform that can back up your data via a one-way connection to your systems can isolate your backups from your internet-facing platforms, preventing the backups from being compromised if such an attack were to occur.
This is one of the reasons we’ve implemented our Veeam backup platform the way that we have – one of the reasons it’s configured to take backups of our client systems at the hypervisor level is to remove the requirement of establishing a two-way connection between those systems and the backup infrastructure. Doing this means that the backups we take of our clients’ systems protect them not only from data loss due to accidental deletion or corruption, but also from more malicious threats such as intentional deletion or encryption of that data.
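One way to check the one-way separation described above is to replay flows from production hosts against the firewall ruleset and confirm that none of them can open a connection to the backup network. The following is an added example, not Micron21's or Veeam's configuration; the subnets, ports, rule format and function names are constructed for illustration, and it assumes a stateful, first-match firewall with an implicit default deny.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source CIDR (who may initiate)
    dst: str               # destination CIDR
    port: Optional[int]    # destination TCP port, None = any port

def first_match(rules, src_ip, dst_ip, port):
    """True if a new connection src_ip -> dst_ip:port is allowed.
    Rules are evaluated top-down; no match means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action == "allow"
    return False

def reachable_backup_services(rules, prod_hosts, backup_services):
    """Every (production host, backup IP, port) a production host can open.
    Any entry is a path a compromised host could use to reach the backups."""
    return [(h, ip, p) for h in prod_hosts for ip, p in backup_services
            if first_match(rules, h, ip, p)]

# Constructed layout: production 10.10.0.0/24, hypervisor management
# 10.20.0.0/24, backup network 10.99.0.0/24.
PROD_HOSTS = ["10.10.0.15"]
BACKUP_SERVICES = [("10.99.0.5", 445), ("10.99.0.5", 22)]

# Weak: production agents push to a share on the backup server (two-way reach).
WEAK_RULES = [
    Rule("allow", "10.99.0.0/24", "10.20.0.0/24", 443),
    Rule("allow", "10.10.0.0/24", "10.99.0.0/24", 445),
    Rule("deny", "0.0.0.0/0", "10.99.0.0/24", None),
]

# Hardened: only the backup network initiates, towards the hypervisor layer.
HARDENED_RULES = [
    Rule("allow", "10.99.0.0/24", "10.20.0.0/24", 443),
    Rule("deny", "0.0.0.0/0", "10.99.0.0/24", None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, reachable_backup_services(rules, PROD_HOSTS, BACKUP_SERVICES))
```
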
The most important thing to know when it comes to your IT systems is that regardless of whether they’re hosted on-site, hosted in a data centre, or hosted on a SaaS service provided to you from the cloud - your data is always your responsibility.
As always, you need to ensure that you have adequate backups of that data so that you can restore systems in times of emergency or recover data that’s been accidentally or maliciously deleted or corrupted. These backups should ideally be in a separate physical location to your primary premises, and storing these backups in a separate cloud can help improve your protection and reduce the risk of losing your data.
Ensuring that there is also an adequate level of separation between backup platforms and your other business systems helps protect against the continually growing threat of Ransomware – taking what could have been a business-destroying event and turning it instead into an unfortunate incident that can still be recovered from.
Commonly used services like Microsoft 365 and G Suite often don’t come with any backups of your data – this is why we recommend that our clients back up their data in external locations to make sure that they are covered in the event of an emergency. We have Cloud-to-Cloud backup services that can be used with these platforms which can back up your data to offsite locations to meet Disaster Recovery and Business Continuity requirements or just for that added peace of mind!
If you are looking to back up your data but aren’t sure where to begin, reach out to us! You can call us on 1300 769 972 (Option #1) or email us at sales@micron21.com.
We’ll be able to discuss your unique requirements to help remove some of the mystery and get you started on the right foot!
[1] Data protection experts weigh in on SaaS backup confusion, <https://www.techtarget.com/searchdatabackup/feature/Data-protection-experts-weigh-in-on-SaaS-backup-confusion>
[2] What is the cloud?, <https://www.cloudflare.com/learning/cloud/what-is-the-cloud/>
[3] Dangerous cyber-threats to look out for leading into 2023, <https://www.micron21.com/blog/dangerous-cyber-threats-to-look-out-for-leading-into-2023>