Managing data risk in the enterprise and the Cloud - Event Summary
7 July 2011, The British Library, London
Information governance and the management of data is no longer just the concern of the IT department – it has become a key corporate and commercial issue. Never has it been more true that information is the lifeblood of the organisation. We have all become only too well aware of the catastrophic operational and financial impact to the business of losing data. Consequently, we have seen a tightening of the corporate compliance obligations now placed upon businesses to align their data strategies to much higher standards.
Information can be your greatest asset and your greatest liability. Managed properly, it can accelerate growth. Managed poorly, it can drive up costs and expose your business to risk. In the face of this, many organisations are now re-evaluating their IT solutions with regard to information management, availability, scalability, efficiency and cost; so it is particularly important, now more than ever, to assess the potential business benefits from managed services in the area of data backup and disaster recovery. The primary objective is to feel 100% confident that your most prized asset – your data – is managed, protected and recoverable, whenever and wherever you need it – and arguably the recovery component is the most important ingredient.
Most organisations are embracing virtualisation – certainly in the back office with servers, and since the turn of the year are beginning to make the shift to virtual storage and desktop service provision... The pulse of the room was typical of NCC's recent cloud and VDI events: 20% doing it and 80% still evaluating and realigning their strategic thinking. Certainly it feels more a case of when than if – and the next 12-24 months will see a major shift to Cloud services – VDR and managed services in particular playing a vital role.
If you still need convincing – on what, how and where to virtualise your data backup and disaster recovery – hopefully the various formal presentations, not least the user case study, outlined a clear routemap of the key drivers. The event focussed on:
- How to manage virtual data backup and disaster recovery
- Understand the real issue around data security and information governance
- Improved disaster recovery solutions
- Improve information reliability and flexibility
- Managed services as part of a cost containment strategy
- Reduce Capital & Operational expenditure
- Overcoming the standards challenge and meeting compliance obligations
Whilst the economic climate remains tough and cost savings paramount, data backup and DR technologies and services are now mature. Gareth Fraser-King shared a high-level view of the key business drivers across most organisations which are impacting technology investment.
A common thread across all four speakers: is my data safe? The short answer is yes – and no. Cloud computing does carry some inherent risks – breaking up and sharing data between servers does create greater vulnerabilities than retaining data on a dedicated server in a known location. These risks, however, are not insurmountable and the key to ensuring data security in a cloud environment is less an issue of what security is in place than of who is providing it. The vital ingredient of trust and confidence featured heavily across all presentations and was apparent in the supplier/user relationships between DCG & Symantec and Northern & Shell and DCG Group.
As well as the integrity and safety of company data, there is also growing concern about the risk of losing precious intellectual property by placing it in the cloud. Given the variables, transparency is key. Consequently, if your provider is unclear about or, worse, unable to reveal exactly how, and where, the data entrusted to them is handled, this should ring alarm bells. If you, the customer, are to be able to properly evaluate the security of your data with a cloud computing service provider, then it is imperative that you are given access to their security architecture as well as being provided with detailed information on data management policies and processes.
In addition to the type and level of encryption used by a provider, some of the important questions to ask revolve around the hardware the supplier uses – do they use storage area network (SAN) solutions, or do they rely on network attached storage (NAS)? What types of V-LAN servers do they have and what switches do they use? There are not necessarily right or wrong answers to these queries, but all can have security implications in certain contexts. Moreover, even with those providers that can demonstrably tick all the right boxes, it is also wise to check what would happen in the event that they are taken over by another provider.
Can they provide both the security and the transparency that your business needs? One key message: go with a dedicated backup provider... an organisation that specialises. The challenge, in what is still an immature market, is to sort the wheat from the chaff.
Undoubtedly, there are universal themes to the core drivers… at a strategic level – James Harris shared his thought leadership and drivers centred on data growth, unwillingness to make CapEx investment, complexity and concerns over business vulnerability around information security.
These factors mapped directly on to those from our user perspective from Ben Dyer… who was challenged by an aging infrastructure, exhausted capacity and resource limitations due to a succession of cut backs… and a senior executive shying away from CapEx. All in all a foundation for a service requirement to be outsourced or at least controlled through a managed service.
The simple truth is that you need to understand the risks and the questions to ask your service provider – here are some key questions that came out of the event that will enable you to both benchmark and evaluate potential solutions and potential suppliers… We are at the start of a huge learning curve with cloud services and you need to undertake the due diligence that your board of directors - and where appropriate, shareholders - are looking for. DCG provided a very useful checklist…
Questions to ask your cloud service provider
Q1 - Who can see my information?
Data loss is now a reality and a sizeable chunk of all data loss incidents are down either to internal or human vulnerabilities or to third party providers. As a result, you need to know whether the service provider, who is the administrator of the system, can see your data. Most have this ability. Therefore, do they have the controls in place to avoid sending, copying, emailing etc. your data? Remember, they will be responsible for your data, but the liability remains with you…
Q2 - What happens if the service provider lost some of your data?
You need to ask your cloud service provider what their data protection policy is and what their audit procedures are. And then you should perform due diligence on those procedures.
Q3 – Where is my data located?
What does the third party organisation do to separate information and systems? You need to stipulate your requirements around co-location and/or separation… Could your competitors - who may also be using the service - get their hands on your data? Remember that, in the cloud, you cannot tell whether your data is copied. So you really need to get this one answered!
Q4 - What happens in the event of data corruption?
How many copies of your data does the third party have? Do they use incremental backups and can they reconstruct an image of your data at a given point in the past from these partial backups? How far back do their backups go in calendar terms?
Q5 - How easy is it to migrate to another cloud service provider?
This is all too often a question few companies ask - until it's too late. Porting data between cloud service providers is a relatively new capability and only a small number of service providers have implemented what will become a very necessary service.
Q6 - Are you relying too much on service level agreements?
A service level agreement (SLA) is the contract between you and the cloud service provider that enables them to provide the service… Figures are usually central to most SLAs, but remember you also need a remediation process in the event the service provider does not meet their agreement. Things can - and do, sometimes - go wrong, so it is important to agree the remediation process; your organisation's future could rest on the integrity of the agreement.
Cloud computing can really work for most organisations.
The session provided a very balanced and insightful routemap to virtual back-up and disaster recovery – we hope you found this of value… if you'd like to discuss any aspect of the event in more detail or would like to engage directly with any of the speakers, please don't hesitate to come back to me… This summary includes only a handful of the slides used; the full slide deck for the session can be accessed at:
NCC Head of Research & Content
Tel: 07880 788985