For Any Business, Backing Up Data Is Simply Not Enough
The concept and importance of multi-tenanted applications has raised many questions and uncertainty in the cloud storage and particularly so in the cloud backup arena. Cloud solutions have enabled the masses to get industry leading services without the massive cost and expertise required in managing such specialist solutions.
Multi-tenancy is one of the corner stones of cloud computing in that it must ensure the security, confidentiality and integrity of data stored via cloud service. This must be to the extent that customers can rest easy knowing their data is safer and more confidential than being on their own devices, on their own network regardless of how many other customers reside on the same service offering.
However, it is shocking to find when looking at reviews and technical details of certain products that the customers data is secured by a global encryption key effectively giving the provider access to all data stored on their facilities. Furthermore in many cases the provider of cloud service's terms and conditions indicate that they "the provider" own all data resident on their platforms.
Secure multi-tenancy means in short that only the end user has access to their data and retain ownership of the data regardless on the infrastructure or location hosted, this is a function that needs to be ensured first and foremost by the backend software used to protect the backed up data.
With businesses looking for cost effective and scalable data management solutions, multi-tenanted software applications have become increasingly popular. By sharing a service with other organisations, multi-tenancy solutions offer all the expertise and flexibility associated with an individual cloud solution without the cost. Unsurprisingly there has now been huge growth in the number of providers offering multi-tenanted solutions for data back-up. However, many of these solutions present new pitfalls for businesses, particularly when it comes to data protection.
I have identified the following areas for a business to explore before selecting its multi-tenanted back-up solution:
Security should be paramount to any business especially when it comes to protecting sensitive and personal data. Many multi-tenant solutions only use a singular global encryption code, which is held by the service provider and effectively gives them access to stored data. Additionally many don't segregate data from different customers leaving open the possibility that a fellow user of the service could inadvertently gain access to another company's data, such a case was found in the Mozy offering recently. To avoid this, a business should select a reputable provider with multiple levels of encryption to ensure maximum data security.
2. Data ownership
Many businesses are under the assumption that when they select a back-up solution the data remains their property. What they'll be surprised to learn is that a growing number of providers will claim joint ownership over the data. This gives them access to use it in any number of ways that could compromise its protection and leak confidential information. To work within statutory regulation businesses must seek guarantees from their providers that the ownership of the data remains solely their own and cannot be used by the provider for any purpose. Until recently even Goolge's offering Google drive had this pitfall in their agreement where they ended up "owning" and having access to customer's data.
3. Data location and reliability
The universal nature of the cloud means it's possible that data could be stored in a variety of geographical locations that could contravene data protection legislation. It could also make data available to a number of external organisations.
If, for example, a UK company stores its data on a server in the USA the American government has a legal right to access it under the Patriot Act. The business could then be held liable under UK data protection and privacy law. It is essential that businesses know where their data is stored to ensure they are working within data protection laws. Look at any stories of data loss for the providers being investigated as an example Carbonite recently had a massive loss of many customers backed-up data, providers learn through mistakes and although this may have been addressed it is an aspect to be mindful of when selecting a service.
4. Data access and management
Many providers impose limits on number of accounts, data size or data location which forces businesses with a large amount of data into having multiple logins to administer their environment. These accounts might be with the same provider but because of the segregation there is no central or tiered administrative control. To ensure that the service is as easy as possible to use businesses should look for a provider that allows multiple accounts with various access levels that suits the task that the individual end user or level of administrator requires.
A business should always seek a service provider that is reputable and transparent with its terms and conditions. Selecting a reputable service can be challenging especially for those businesses with no dedicated IT team but the use of FIPS-compliant technology with AES encryption are usually good indicators that the service is of a good standard. The more reputable the company the less likely it is that a business will encounter any problems with either security or breaching their statutory obligations. Look at offerings that have reference customers in critical areas such as government, education and other highly sensitive data types.
For any business backing up data is simply not enough, they must also ensure that the data is stored securely whilst meeting all legal obligations. Multi-tenanted services will offer a cost effective flexible service but it is essential that businesses select a provider that offers them the required options to store data in a secure and manageable way. Failing to do so could be catastrophic not only due to lost information but also potential reputational damage and legal proceedings.