A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE

Post on 11-Mar-2020

Contents

How to Buy Cloud-to-Cloud Backup
Wait. What is Cloud-to-Cloud Backup?
1 Backup Storage Durability
1.1 Bring Your Own Storage (BYOS) Option
2 Application Coverage
3 Backup Functionality
3.1 Frequency
3.2 Error Notifications
3.3 Manual Control
3.4 Encryption and Security
3.5 Retention Policy
3.6 SLA on Data Integrity
4 Access to Backups
4.1 SLA on Uptime
4.2 Independence from Source Application
4.3 Search Functionality
4.4 Browse Methodology
4.5 Export / Download
5 Restore
6 Security and Oversight
6.2 Externally Verified Security Policies
6.2.1 Security Audit
6.2.2 Third-Party Penetration Testing
6.3 Relevant Regulatory Compliance
Checklist: Key Features for a Cloud-to-Cloud Backup Solution

How to Buy Cloud-to-Cloud Backup

Choosing a cloud application backup provider is like any technology decision: there is no one-size-fits-all solution. You must determine which provider offers the best cost/benefit for your organization’s unique needs. This guide will highlight the most important features and policies associated with cloud-to-cloud backup systems to help you thoroughly and effectively evaluate your options and select the right vendor for you.

Wait. What is Cloud-to-Cloud Backup?

Cloud-to-cloud backup is a specific type of offsite backup that duplicates data in a software-as-a-service application (like Google Apps or Salesforce) and stores the duplicate information in another SaaS system. It takes data in one cloud app and backs it up in another cloud app, never involving a local hard drive or storage system.

For more information you should consult our TL;DR Cloud Backup Glossary.

1 Backup Storage Durability

Before you entrust your data to a cloud application backup system, it is critical that you validate that the vendor has their own backups and recovery plans in place. If the vendor is using their own data center to host the backups, then they should be able to provide you with details on their redundancy, distribution and availability levels as part of their Service Level Agreement (SLA).

Several vendors use trusted hosting services to securely hold your data, such as Amazon S3 or Microsoft Azure. In this case, you will “inherit” the SLA of the third-party service. Even so, you can ask questions about distribution of the data across regions or data centers even within those services.

For durability, you should understand your needs, typically expressed in the number of “nines” for durability. For example, Amazon S3 offers nine 9s (99.999999999%) durability, meaning that only one file out of every one hundred billion will be lost or corrupted. Compare your own needed durability threshold to that offered by the backup vendor.

1.1 Bring Your Own Storage (BYOS) Option

If your enterprise has an existing relationship with a storage provider, you may wish to direct your SaaS backup files to your own vendor, rather than the storage system your backup provider typically employs. This Bring Your Own Storage (BYOS) option puts you in control of the durability of your backups, and offers you a measure of control not available in less mature cloud-to-cloud backup solutions. Even if you don’t want BYOS today, as your organization grows, there may come a day when BYOS makes strategic sense for your company. Your SaaS backup vendor should be prepared to support you as your enterprise’s technical needs become more sophisticated.

2 Application Coverage

You may choose to consolidate your cloud backups with a single vendor. If so, select a vendor that covers as many cloud applications as you have or plan to have in the future. The biggest danger of consolidation is that all of your backups are with one vendor. However, consolidation with one vendor is often useful because it can reduce costs, reduce management overhead, and may make it easier to perform archiving or restores when all data for an employee (across applications) is needed.

If you choose to consolidate, be sure to consider all the cloud applications you wish to back up today and in the future. Since cloud-backup solutions require custom coding to the API of each individual cloud application, you will find that each vendor has chosen a different set of applications to support. Note that if you are selecting your first cloud application backup vendor and have not yet decided whether or not to consolidate your backups, then it is an advantage to choose a vendor with the widest possible application coverage, since it leaves your options open to a later possible consolidation.

3 Backup Functionality

Backups in the cloud are typically architected differently than traditional on-premise backup solutions, mostly to handle the less reliable nature of network calls over APIs (relative to local network calls to file systems). Don’t expect backups to work just as they have in the past: in many cases the new model can be easier to use and access.

3.1 Frequency

Since cloud application backup services call APIs, they are typically set to do so at regular intervals. You should understand how often you want your backup system to poll for new data. Two key settings apply to backup frequency:

• Intervals: Some services only back up on fixed intervals (usually daily), while others may allow you to select intervals that are more or less frequent than daily. Your needs should match the options offered by your vendor.

• Fixed Times: Some vendors do not allow you to specify exactly when during the day a backup will occur, while others only guarantee that a backup will occur within a certain time frame. Determine whether or not it is necessary to know exactly when a backup will occur, then ask your vendor if they can support this.

3.2 Error Notifications

Various vendors have different processes built around error notification. For instance, one company may only notify you if more than x% of data is not backed up, while others will notify you every time any file is not backed up properly. Some vendors may provide a regular status update as well. Aside from the frequency of notifications, you should also be aware of the types of errors that warrant a notification. Do you receive alerts only for failed backups, or will the vendor notify you if various aspects of their service are disabled? Determine the frequency and types of notifications that you require in relation to what a vendor provides.

3.3 Manual Control

While automating backups frees up your time and ensures you are protected even when you don’t think about backing up your data, the ability to force a manual backup is convenient when making major changes or taking an account offline. You should consider different use cases where you require the ability to force a backup, and ensure your vendor meets those requirements.

3.4 Encryption and Security

As all IT professionals know, there is no such thing as perfect security, so understanding the safeguards built into the storage of your backups is critical: how protected is your data in the event of a breach?

First, you should make certain that your data is encrypted when at rest. That is to say, the data in your backup system is encrypted at all times, such that a hacker stealing the file does not expose the data.

Second, you should understand the encryption-key management techniques used by your vendor. The two primary key management options are:

• Single Key for All Customers: This is the least secure because if this one key is compromised then all customer data is at risk.

• Key per Customer, User or Object: This is more secure as long as these keys are likewise protected by some other master key. In these cases, an intruder would need to compromise progressively more keys to get access to your data.

Finally, you should understand how the application (and thus the employees of your backup vendor) manages the keys and provides access to your data. If your application offers restore or export functionality, it needs to decrypt the data, and therefore needs to manage keys that can decrypt. Find out the policies within the company for managing the keys and what employees (if any) can see your organization’s data.
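The two key-management options above, compared in an added example that is not from the original guide or from any vendor's code: it leaks one customer's data key under each model and lists what that key can read. `BackupVault`, `seal`/`unseal` and the customer names are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM with the master key held in a KMS or HSM.

```python
import hashlib
import hmac
import secrets

# Stdlib stand-in for an AEAD such as AES-GCM (assumption: a real service would
# use a vetted AEAD and keep the master key in a KMS or HSM).
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag before decrypting; raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class BackupVault:
    """Hypothetical backup store; data keys are stored only wrapped by the master key."""
    def __init__(self, master_key, per_customer=True):
        self._master = master_key
        self._per_customer = per_customer
        self.wrapped_keys = {}  # key id -> data key sealed under the master key
        self.objects = {}       # (customer, name) -> sealed backup item

    def data_key(self, customer):
        key_id = customer if self._per_customer else "*"  # "*" = one key for everyone
        if key_id not in self.wrapped_keys:
            self.wrapped_keys[key_id] = seal(self._master, secrets.token_bytes(32))
        return unseal(self._master, self.wrapped_keys[key_id])

    def backup(self, customer, name, data):
        self.objects[(customer, name)] = seal(self.data_key(customer), data)

    def restore(self, customer, name):
        return unseal(self.data_key(customer), self.objects[(customer, name)])

def exposed_by(vault, leaked_key):
    """Items readable by someone holding the stored ciphertexts plus one leaked data key."""
    readable = []
    for ident, blob in vault.objects.items():
        try:
            unseal(leaked_key, blob)
            readable.append(ident)
        except ValueError:
            pass
    return sorted(readable)

def compare_models():
    """Leak acme's data key under each model and report what it exposes."""
    result = {}
    for label, per_customer in (("single key", False), ("key per customer", True)):
        vault = BackupVault(secrets.token_bytes(32), per_customer)
        vault.backup("acme", "mail.mbox", b"constructed sample: acme mailbox")
        vault.backup("acme", "drive.zip", b"constructed sample: acme documents")
        vault.backup("globex", "crm.csv", b"constructed sample: globex CRM export")
        result[label] = exposed_by(vault, vault.data_key("acme"))
    return result

if __name__ == "__main__":
    print(compare_models())
```

In both models the restore path must unwrap data keys with the master key, which is why the vendor's policy on who and what can use that key matters as much as the per-customer split.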

3.5 Retention Policy

Compliance around the timing of a permanent deletion of backed-up data should also be considered. If your company has data-retention requirements, determine whether or not the vendor can support these needs. Some vendors offer the ability to set a specific time period after which backups are cleaned out, while others require you to do so manually.

3.6 SLA on Data Integrity

An SLA typically refers to the uptime of an application, but for a backup service, the most important aspect of the SLA should relate to the reliability of the service to back up your data. If you need to restore data, you must first have the right data backed up. This is different than the durability measure above, which guarantees that your backups won’t degrade or become lost over time. Backup integrity ensures that your data is accurately duplicated during the backup process. Ask your vendor what their SLA guarantees as to the integrity of backup data.

4 Access to Backups

Backup access has several components including:

• Will the application hosting your backup data be available when you want it?

• Will you be able to easily find the data you want to access or restore?

• When you get to the data, will you be able to make use of it as you wish?

4.1 SLA on Uptime

Uptime is the percentage of time an application is accessible. Any reputable vendor must include an uptime guarantee in their SLA – that’s usually the key component of an SLA – and should have very clear processes for compensating you if that threshold isn’t met. If money is on the line, it’s much more likely the SLA uptime guarantee will be adhered to.

4.2 Independence from Source Application

A cloud world offers new uses for backups, and one of these is handling the potential unavailability of the source cloud application itself. If a business application “goes down” the day an executive needs to deliver an important presentation or access a critical contract document, your backup can save you - if you can access it independently.

The backup can only work in this case if:

• Backup sets can be accessed even if the source application is down

• Backup sets (or items from them) can be downloaded or exported

• Downloaded items arrive in a format that you can use without the source application

For example, if Google Drive was unavailable, and you needed a Google Docs word processing document from your Google Apps account, you’ll need to make sure that your backup provider allows you to log in even if Google Apps is down, that you’ll be able to download the document, and that the download will give you the file in Microsoft Word, RTF or some other useable form.

Different vendors provide different levels of service for this use case – for example, some Google Apps backup vendors use the Google OAuth service to allow access to your backups, so a Google authentication outage also means a backup outage. Be sure to ask about independent access.

4.3 Search Functionality

Search functionality within backup archives is often misunderstood because most backup vendors only offer a subset of the search functionality of the original cloud application. Why? While search is used nearly every day in SaaS applications, you only typically search a backup archive when data is lost (which hopefully is a less frequent event, and thus requires a less-robust search index). As a result, cloud-to-cloud backup vendors offer a wide variety of functionality over search, so it is important to understand what options match your needs. Some dimensions over which vendors have focused their search efforts:

• By User

• By Application Type

• By Meta-Data (for example, delivery date or sender for email, or titles for documents)

• By Data (for example, the full text from the body of an email message or document)

4.4 Browse Methodology

Search is typically the easiest way to find the information you’d like to restore or export, but in cases where multiple lost documents are stored together, browsing can be useful as well. For example, to restore an entire folder of documents that was lost all at once.

Find out the browse capabilities of your vendor, and the setup of backups which determine how you can browse the data. Is it listed chronologically? Do they maintain the folder structure you are used to? Do they provide simple filters to more easily browse and find what you need? Determine how you and your users would most effectively browse backups and understand the browse capabilities of your backup vendor.

4.5 Export / Download

There may be times when you need either a local copy of a document or an entire backup set on your hard drive. For example, when you’d like to archive the data of a departing employee, or collect data for legal reasons. Understand whether your vendor allows you to export or download single items, multiple items, or entire backup sets. Remember that your export is only useful to you if the data is in a format you can read and use. Find out what formats the data will arrive in to make sure it meets your needs.

5 Restore

There are various ways to restore backup data into your SaaS application. Some backup services require you to export, and then reimport the data manually into the source application. Others can more conveniently “restore in place” and put the information right back where it was before you lost it. If restoring in place, it will be important to make sure the restoration process clearly marks your restored data back in the source application, especially if multiple versions may be visible to users. Most vendors who support in-place restores make use of application tags to label restored data. Also, vendors offer different levels of support in the user interfaces: for single item restores, multi-item restores, or even full restores of the entire set of data for that user. Make sure all your needed use cases are supported.

6 Security and Oversight

Your cloud-to-cloud backup vendor will be holding a second copy of your company’s data: any assurance that the vendor itself is respecting security best practices is to your advantage.

6.1 Documented Security Policies

Any SaaS vendor – cloud-to-cloud backup providers included – should have a documented security policy that the company can provide you, in writing, at any time. The policy should include specific practices around these key areas:

• Physical hardware security

• Security update frequency

• Audit frequency

• Policy for notification of breaches

• User password strength requirements

6.2 Externally Verified Security Policies

6.2.1 Security Audit

Ideally, an auditing body will have verified that the vendor is in fact complying with its stated security policies. An SOC 2-level audit (or higher), or ISO 27001, are baseline audit standards you should look for.

6.2.2 Third-Party Penetration Testing

A company may rigorously abide by its security policies, but if those policies are inadequate, slavish devotion is a hindrance, not an asset. The best way to ensure a security policy is actually effective is to conduct a penetration test (also known as a “pen test”) wherein a third-party security firm actively attempts to breach the vendor’s defenses in order to assess weaknesses. Reputable SaaS backup companies will conduct regular pen tests and share the general results with customers upon request. (No company will share specific pen test results, as sharing explicit details of security systems could actually harm the vendor’s security.)

6.3 Relevant Regulatory Compliance

Your SaaS backup vendor should be able to explicitly address if and how it complies with the requirements of several regulatory standards, including:

• HIPAA (Healthcare)

• PCI (Financial transactions)

• Sarbanes-Oxley (Publicly traded company)

• Data Protection Act (U.K. data privacy compliance)

• Safe Harbor (E.U. data privacy compliance)

Checklist: Key Features for a Cloud-to-Cloud Backup Solution

Backup Storage Durability

Where will your backup sets be stored? Are you comfortable with the reliability of that data store?

Application Coverage

Does your vendor provide maximum coverage for your current and anticipated future SaaS applications?

Backup Functionality

Frequency

Is the vendor “polling” for backup data only once per day, or do they offer options to back up more frequently?

Error Notifications

Do you understand how you are notified of backup errors? Can you ensure you know when you’re unprotected, but avoid being spammed for every minor glitch?

Manual Control

Can you initiate an immediate backup – a “Backup Now” button – before making a major change or taking an account offline?

Encryption & Security

Do you understand how each vendor protects their encryption keys and how access to your data is controlled within their company?

Retention Policy

Can the vendor support your data retention period – or, more specifically, your data backup purge frequency – requirements?

SLA on Data Integrity

Does your vendor offer an SLA on the frequency and completeness of backups to ensure data integrity?

Access to Backups

SLA on Uptime

Does the vendor’s SLA address the availability of their own cloud application to ensure access to your data?

Independence from Source Application

Can you access your data and extract it in a usable format if the source application is not available?

Search Functionality

Does the backup application have a rich enough search index to ensure you can locate backup data quickly and easily?

Browse Methodology

Can you browse your backup data in an intuitive fashion, such that you can locate and restore whole sets of data quickly?

Export / Download

Can you download or export both individual items and complete backup sets? And are these exports delivered in a usable format?

Restore

Where will your backup data be restored to, and do you have the flexibility to restore individual items, multiple items, or entire accounts?

Security & Oversight

Does your vendor possess the requisite security certifications to satisfy your compliance and risk thresholds?