Guest post written by Dave W, Network Security Analyst.
Continuing from Part I of my last post about performance and bandwidth in the cloud, how can I protect my data and where is it stored on the cloud?
Putting your data out into the cloud is generally a great way to protect it from the many hazards of a home or small office IT environment. Generally, the cloud provider is going to have a nice datacenter with redundant hardware, redundant power, air conditioning, physical security, and most importantly a team of professional sysadmins and other IT pros who know how to take care of your data better than you do. Assuming you have done your homework, this is most likely the case.
There are still many things that can go wrong in a complex data environment and you need to know that your chosen service is prepared for this. Look at what your service says about their power, hardware, network, about cooling, physical location and staff. Redundancy is key and the more they have the better you can sleep at night.
Once you have found the right provider it is also important to look at what options they have for data protection and service reliability. Too often people will upload their data to the cloud and assume that that data is protected. These are two things that are often extras for a cloud servicer and, at minimum, they will have different options at different price points. You need to look at both backup services and data replication/availability when you decide where to store that data. Just like at home and at the office it is imperative that your cloud data is backed up.
You do back up your data at home and at the office right? Of course you do! That was a silly question, back to my post.
So just as at home and at the office, your cloud data needs to be backed up. If the data is itself a backup copy then you may feel safe not worrying about it being backed up again, however, if the cloud data is primary data that is the ONLY copy of that data, then you want backups.
Many cloud services will provide backups as part of the service and you don’t need to think much about it. Others will offer different levels of service with backup in some or all of them. When choosing a cloud service, make sure you know which option applies to you.
Once your data is backed up you need to think about data resiliency. Data disasters happen. There is nothing we can do to prevent them entirely. From sprinklers going off at the datacenter to earthquakes to somebody tripping with a cup of coffee in front of the rack with all your data in it, things can happen to the hardware that stores your data. And while we can’t prevent these from happening entirely it is important to understand what would happen to your data if this should occur.
In some cases you can have your data replicated to a second location. In other cases the data might be backed up to tape and shipped offsite to a secure location for safekeeping. Every reputable cloud service should have a disaster recovery plan, one that is in place to get your data back to you and online and available in the event that the primary site is for some reason not available. Describing these plans would be a rather large series of articles in itself; the point, however, is that something is in place to ensure the data will still existing and be available to you in the event that the primary location of that data goes away.
After you have dealt with performance aspects of locating your data somewhere else you have to look at the impact of who has access to your data. This is a separate issue from the security conversation and is more about some interesting jurisdictional and political issues. These can sometimes seem overly paranoid or at least extremely unlikely but if this data has any business implications they are real world concerns that you want to address.
One of the first things to understand is where the servers your data will be living on reside. It seems counter-intuitive to put your data into the cloud and yet be worried about where exactly it sits but there are very good reasons to do so. For instance many industries have strong regulations on where data can be stored. These regulations range from prohibiting data from leaving the country, province or region, to prohibiting data from being shared with certain embargoed nations for security reasons.
While most people will see the wisdom in this for medical records or legal documents, many do not see the reasons for worrying about this for personal data. Who cares if you store your LOL cats pics and emails from your elderly relatives on a server in another country? This is a perfectly understandable position and one I can’t argue with but it comes down to understanding what really is in your horde of data and what the impact is if it gets seized by another government’s agency.
Remember your data might not have anything in it that the FBI or IRS might want to see but your data is unlikely to be the only data stored at the cloud provider’s site. If you’re a Canadian putting your personal data on an American server, as so many of us are (myself included), and somebody else stores their gambling data on those servers the authorities are not overly concerned about only impacting the gambling company and are much more likely to seize everything and ask questions later.
If your data has any value to you make sure you think about the jurisdiction your data is being sent to and understand what that might mean. As always when in doubt contact the service provider and ask them the tough questions.