Does complacency risk your compliance? Backup in the cloud: part one

31/01/20

For organisations within regulated industries, compliance is a major concern. Failing to store data in line with requirements – for instance by ensuring it is kept for a specific length of time – could mean severe repercussions. Backup is a key element of this, as the organisation needs to be sure vital data is recoverable for as long as it is needed. Yet as more businesses make use of cloud services, is there a risk that organisations do not understand whether they are meeting their compliance obligations? 4sl’s recent survey of senior IT decision-makers across 200 large UK enterprises suggests there is.

The findings unveiled a gulf between enterprise perceptions of backup and the reality of cloud service providers’ policies, with many assuming backup data is kept for far longer than it actually is. In the first part of this two-part blog series, we’ll take a look at the major findings of the survey and explore the risks these gaps in understanding present.

A question of compliance

It may, at a glance, seem a topic of little importance; is it really so crucial that organisations have a thorough understanding of their cloud backup? Simply put, yes. If a business uses Microsoft Teams to communicate or bases its infrastructure on AWS, it needs to be certain that crucial data on those platforms is backed up, not only for business continuity but to guarantee that the right data is accessible when regulators demand it. This isn’t a rare issue: 80 percent of IT decision-makers say they have to retain backups for a specific period of time.

Yet if a cloud provider doesn’t back up data in a way that meets the organisation’s obligations, this could easily result in a breach of compliance. For instance, a business may be called upon to retrieve an email exchange from four years ago, only to find out that the backup was automatically deleted after two months. This risk is real: only 30 percent of organisations know their cloud service providers’ backup and recovery processes in detail.

Gaps in understanding

The greatest risk for organisations comes from over-estimating their cloud service providers’ backup retention periods. As part of their standard offerings, the majority of providers will only keep backups for a relatively short time. After all, this isn’t the focus of their service. However, if organisations believe that standard retention periods are longer than they actually are, they are beginning to put themselves at risk – as they may believe backups are still available long after they have been deleted.

The table below lays out the extent of this misunderstanding. For instance, 73 percent of respondents using Microsoft Office 365 Exchange Online said they believe data is recoverable for longer than the standard 14 days; and 92 percent of those using Google Cloud incorrectly believe the service includes backup provision as standard. There are very few services where fewer than half of users over-estimate the length of backup retention periods. In each case, these are the services that offer the longest periods as standard – suggesting organisations’ accuracy may be more a matter of luck than of knowledge.

View Table here

While this lack of understanding is a concern, it doesn’t automatically mean that organisations are putting themselves at risk. Those that have made provisions beyond their cloud providers’ standard offerings – for example by opting for additional backup services, or ensuring they still control backup internally – will be protected. Yet worryingly, more than half rely on just the standard backup provision of at least one service provider.

As a result, a significant proportion of cloud service users’ backups are at risk because they incorrectly believe they are covered by standard backup services and have not made any additional provisions. As shown in the table below, 46 percent of organisations using Microsoft Office 365 Exchange Online and 51 percent of those using Google Cloud Platform believe their data is recoverable for far longer than it is.

View Table here

Re-balancing responsibility

It’s clear that organisations who depend on cloud services have the potential to fall into non-compliance. Enterprises need to understand that, in the main, the standard level of backup provided for infrastructure or software as a service won’t meet their needs. However, fixing this isn’t as simple as abandoning the cloud altogether, or taking more responsibility for backup back in-house.

There are clear reasons for organisations to adopt the cloud, and clear challenges that they are facing with backup. In part two of this blog we will explore these reasons and challenges, and what actions businesses need to take to ensure that they aren’t putting their compliance at risk.

To see 4sl’s full research report, visit here

Barnaby Mote