When I write “data protection,” do you assume this means endpoint security, data security, data encryption, disaster recovery, or business continuity? Or do you think it entails just knowing where your data resides? Actually, it could mean all of the above, which in turn means that data protection comprises several overlapping technologies. There is no single bullet that does everything. In some ways, data protection is anti-malware, anti-ransomware, and antivirus. In others, it is about the recoverability of data. In yet others, it is about managing the risks to your data. I recently had to look into business insurance once more, and it has a very different view of data—one that, while I understand it, seems not to have kept up with the times.
My insurance agent asked if I had any data in the cloud. This was not quite the question I expected, but it is one that, on the part of an insurance company, actually makes sense. Insurance companies tend to move slower than most, but they watch trends very, very carefully at the same time. They believe that if your primary business data is in the cloud, it is at risk, and so are they. Will they insure it? Perhaps, but at a much higher cost than they would normally.
There are risks to putting data in the cloud. That risk is about data protection, which encompasses everything I mentioned earlier. However, most likely this is a risk borne from data lost in clouds due to the clouds’ own actions. There have been several cases recently of clouds losing data while not actually being responsible for said data. There have been cases of:
- S3 going down and data being lost permanently
- Clouds going out of business and data not being made available by the courts
- Companies being hacked and all data in the cloud being deleted
- Law enforcement confiscating most of the cloud and returning very little
In all these cases, data was at risk because it was treated poorly (data security), had no redundancy (disaster recovery or business continuity), or lacked basic security controls (endpoint security, multifactor authentication), or because there was too much trust that the cloud would do the right thing.
The last is the crucial part. The cloud needs to do the right thing, but what is the right thing? Remember, a cloud is a bunch of cookie cutters; the company takes your business, which may be unique, and forces it into the cookie-cutter shape the cloud requires. For IT, this is a good thing, as long as we realize we are managing something different. Different rules are involved. We need to understand those rules, specifically as they pertain to data protection.
In all of these cases, insurance companies would have to pay out a large sum of money, which they would rather not do. As a result, their basic rule is that if it is in the cloud, they cannot issue insurance and will not underwrite your case.
So now, data protection takes on new aspects: legal and insurance. Insurance companies will insure data kept on-site or within certain data protection locations, like Iron Mountain. However, that is because Iron Mountain and similar businesses have negotiated with law enforcement, insurance companies, and legal companies to work out the lowest-risk approach to data protection.
If your data protection is of the form of “there and back again,” then you may be protected as well—at least, according to an insurance company. “There and back again” means you have data in the cloud, you know where your data is in the cloud, and you keep a copy of the data both on-site and off-site in an approved location. This lowers your risk of disastrous data loss. These systems—cloud, on-site, and off-site—need to be completely unattached from each other in some fashion. The most common detachment is not to allow any one of the three to directly access data from any of the other locations or use a versioned write approach.
Where data protection lives and what your data protection needs encompass much more than IT these days. They also include more and more basic business requirements, such as insurance, legal, and law enforcement. There are many types of risk. Are you prepared for all of them? Does IT even know about these other risks so it can help to mitigate them?