DATA PROTECTION IN THE CLOUD SMBs Embrace Affordable Online Backup and Disaster Recovery End users have a wide variety of options for data protection today all of which are relatively low-cost. This enables SMBs in particular to implement data-protection measures that were previously available only to large enterprises. KEY FINDINGS Two of the biggest barriers to end-user adoption of cloud-based data protection thus far have been performance and security. But hybrid cloud backup now provides faster operational backup/recovery, as well as a relatively low-cost approach to disaster recovery and business continuity. Meanwhile, technologies such as advanced encryption and multitenancy have helped eliminate many security concerns. Online backup/recovery is, for the foreseeable future, a growth market only in the SMB segment, and not in the enterprise space. Most SMBs will prefer to have backup data stored on-site (in addition to being stored in the cloud), which is why we re proponents of the hybrid cloud backup model. We expect additional funding to flow into online backup/recovery startups, in part because most of the players sorely need differentiators and developing or acquiring technologies will require additional capital. APRIL 2013 451 RESEARCH: ENTERPRISE SECURITY PRACTICE
ABOUT 451 RESEARCH 451 Research is a leading global analyst and data company focused on the business of enterprise IT innovation. Clients of the company at end-user, service-provider, vendor and investor organizations rely on 451 Research s insight through a range of syndicated research and advisory services to support both strategic and tactical decision-making. 2013 451 Research, LLC and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication, in whole or in part, in any form without prior written permission is forbidden. The terms of use regarding distribution, both internally and externally, shall be governed by the terms laid out in your Service Agreement with 451 Research and/or its Affiliates. The information contained herein has been obtained from sources believed to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although 451 Research may discuss legal issues related to the information technology business, 451 Research does not provide legal advice or services and their research should not be construed or used as such. 451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. New York 20 West 37th Street, 6th Floor New York, NY 10018 Phone: 212.505.3030 Fax: 212.505.2630 San Francisco 140 Geary Street, 9th Floor San Francisco, CA 94108 Phone: 415.989.1555 Fax: 415.989.1558 London 37-41 Gower Street London, UK WC1E 6HH Phone: +44 (0)20.7299.7765 Fax: +44 (0)20.7299.7799 Boston 125 Broad Street, 4th Floor Boston, MA 02109 Phone: 617.275.8818 Fax: 617.261.0688 451 RESEARCH: ENTERPRISE SECURITY PRACTICE i
The following is an excerpt from an independently published 451 Research report, Data Protection in the Cloud, released in April 2013 and reproduced here by Symantec with permission of The 451 Group. EXECUTIVE SUMMARY Historically, two of the biggest barriers to end-user adoption of remote, cloud-based data protection have been performance and security which means that, until recently, use of the cloud for backup purposes has been concentrated in the area of laptop/desktop protection. This usage has been driven mostly by consumers; while there have been pockets of adoption among businesses, by and large businesses have not used such services for backing up their servers and applications. However, advances in Internet bandwidth coupled with bandwidth-optimizing technologies such as data compression, data de-duplication and WAN optimization have eliminated many (but certainly not all) of end users concerns over performance, from both the backup and restore perspectives at least for SMBs with relatively small backup sets. At the same time, most cloud-based data-protection vendors have invested significant resources to address concerns over security with technologies such as advanced encryption (often at the source, in flight, and at rest in the cloud), multi-tenancy and other security enhancements. This has effectively eliminated many of the security concerns that have kept a lot of IT organizations from considering online backup and recovery at least at the lower end of the market (i.e., SMBs). As a result, the cloud model is now emerging as a viable and attractive option for small businesses in particular to protect a broader set of their business data and applications, spanning end-user devices and also servers. But it s not the pure cloud model that is leading the charge; at the vanguard of this movement is the hybrid cloud model, which combines on-premises data protection with remote, cloud-based services for disaster recovery. The current move toward cloud-based data protection began picking up between 2008 and 2011, and we saw significant acceleration in the 2011-12 period, particularly in adoption of hybrid cloud backup deployments (see Section 3.2). End-user studies being conducted by various 451 Research service teams indicate that this trend will accelerate in the 2013-15 time frame. Through 2015, we predict a 24% CAGR for revenue in the online backup market. We think that cloud-based backup/recovery will be the number one data-protection trend beginning in 2013, and that the hybrid cloud backup model will be the preferred method of deployment. 451 RESEARCH: ENTERPRISE SECURITY PRACTICE 1
We also believe the market for cloud-based data protection is overcrowded (at both the enabler and service-provider layers), and we do not expect many new entrants over the next couple of years; more likely, there will be a consolidation of players as the reseller and service-provider channels become saturated. Despite increased interest in the cloud as an added layer of data protection, our research shows that end-user adoption will be limited mainly to the SMB segment of the market for the foreseeable future. Our research particularly from end-user studies conducted by TheInfoPro, a 451 Research service also shows that large enterprises are showing little or no interest in cloud storage in the context of data protection, which is one of the key themes of this report. In TheInfoPro s most recent survey of midrange enterprises (with $150m to $1bn in annual revenue), cloud storage ranked 15 th out of the top 30 storage initiatives in 2012. In fact, it was cited by less than 5% of survey respondents as being a top priority. And interest in cloud storage among larger enterprises (over $1bn in revenue) was even lower it ranked next-to-last in the top 30 storage initiatives in 2012. This report examines what forces are driving the trend toward cloud-based data protection (and what forces are still working against it) and reviews key technologies and representative vendors. It also provides market sizing and predictions, and includes advice on evaluation criteria for vendors, products or services. KEY FINDINGS Two of the biggest barriers to end-user adoption of online backup and recovery have been concerns about performance and security. Hybrid cloud backup provides faster operational backup and recovery, as well as a relatively low-cost approach to disaster recovery and business continuity. A handful of vendors lead the online backup market now, but a second tier of legitimate contenders has appeared to provide some stiff competition in the business (as opposed to consumer) segment of the market. We predict a 2011-15 revenue CAGR of 24% for the online backup market, with sales growing from $378m in 2011 to $677m in 2015. This includes hybrid cloud backup revenue, but does not include revenue from consumer-centric services. Online backup/recovery is, for the foreseeable future, a growth market only in the SMB segment, and not in the enterprise space. Most SMBs will prefer to have backup data stored on-site (in addition to being stored in the cloud), which is why we re proponents of the hybrid cloud backup model. Because online backup/recovery vendors have at least partially eliminated major concerns around performance and security, we think the time is now right for SMBs to consider cloud-based data protection as an alternative to traditional tape-based backup/ recovery and high-cost methods of achieving disaster recovery and business continuity. 2 DATA PROTECTION IN THE CLOUD
METHODOLOGY This report on cloud-based data protection is based on a series of in-depth interviews with a variety of stakeholders in the industry, including IT managers at end-user organizations across multiple sectors, technology vendors, managed service providers and VCs. This research was supplemented by additional primary research, including attendance at a number of trade shows and industry events. Reports such as this one represent a holistic perspective on key emerging markets in the enterprise IT space. These markets evolve quickly, though, so 451 Research offers additional services that provide critical marketplace updates. These updated reports and perspectives are presented on a daily basis via the company s core intelligence service the 451 Market Insight Service. Forward-looking M&A analysis and perspectives on strategic acquisitions and the liquidity environment for technology companies are also updated regularly via the Market Insight Service, which is backed by the industry-leading 451 M&A KnowledgeBase. This report was written by Dave Simpson, Senior Analyst, Storage. Any questions about the methodology should be addressed to Dave Simpson at: dave.simpson@451research.com For more information about 451 Research, please go to: www.451research.com 451 RESEARCH: ENTERPRISE SECURITY PRACTICE 3
THE CASE FOR AND AGAINST CLOUD-BASED BACKUP & RECOVERY ADVANTAGES OF ONLINE BACKUP/RECOVERY The core value propositions and growth drivers behind cloud-based backup/recovery are largely the same as for cloud computing in general: a shift away from a capex-centric model to an opex-driven, automated, on-demand (pay-per-use) model. This includes predictable, subscription-based pricing; minimal to no new infrastructure requirements or expenditures; ease of upgrades; and hands off management of the backup infrastructure because data-protection functions are handled by cloud enablers or their third-party channel partners. Additional benefits include a reduction, or elimination, of on-premises floor space, as well as staff, energy and maintenance expenses. Adoption of cloud-based data protection is especially strong among SMBs because these organizations often lack the internal resources (e.g., personnel, equipment, budget, remote datacenters, etc.) to meet service-level agreements (SLAs) for backup, disaster recovery and business continuity. As such, cloud-based data protection can often provide a more costeffective, hands-off approach for SMBs. Since cloud-based data protection is typically delivered as a managed service requiring only minimal involvement by the end-user customer, a key advantage is a reduction in the time spent on backup and recovery. This is particularly important because of the inordinate amount of time that IT administrators spend on mundane data-protection tasks such as backup administration. For example, according to an end-user study of storage professionals conducted by TheInfoPro, a 451 Research service, backup administration was the number one time drain for storage managers and administrators in 2011 (and #2 in 2012). And our 2013 study, which is in progress now, indicates similar findings. DRAWBACKS TO CLOUD-BASED DATA PROTECTION All of these potential advantages do not mean that cloud-based data protection is a no-brainer. One of the major themes of this report is that online backup is, for the foreseeable future, a growth market only in the SMB space, and not in the enterprise arena (although remote/branch offices may be exceptions here). There are a number of reasons for this, but they center on technology constraints that have effectively limited adoption (to nearly zero) among large enterprises. One primary barrier to adoption is the latency associated with backing up (and restoring) large data sets over the Internet. For most large organizations, the costs of procuring enough bandwidth for backing up and restoring large data sets far outweigh the cost advantages promised by cloud-based data protection. 4 DATA PROTECTION IN THE CLOUD
In TheInfoPro s recent study, IT managers at large enterprises reported that less than 1% of their total backup capacity is stored in the cloud, and they expect no increase in cloud-based backup capacity in 2013 (although we see signs that larger enterprises may view the technology more favorably in the 2014 time frame, at least for data protection in remote or branch offices). In addition to performance concerns, there are other reasons for limited adoption of cloud-based backup/recovery. Security Although fading as a top barrier to adoption, many enterprise IT managers still cite security concerns as a key reason why they are not considering online backup. IT managers at large enterprises who view security as a key impediment to adoption of cloud-based data protection identify the following concerns: access control, data encryption and auditing, and related concerns regarding compliance. (Interestingly enough, those concerns are also cited as benefits of cloud-based data protection by many end users.) Although SMBs also sometimes mention security as a barrier to cloud adoption, that concern appears to be on the decline, according to our discussions with end users at SMB sites. Online backup vendors have increased security through technologies such as multi-tenancy and encryption often source-side, in-flight and at rest in the backup datacenter (see Section 4.5). Loss of control Another reason for the hesitancy among end users in adopting cloud-based data protection is the often-cited, but rarely adequately explained, loss of control over data and user access to data. We believe this is closely related to the growing bring your own device (BYOD) trend, which makes it difficult for IT organizations to control employees access to cloud-hosted data. However, based on our talks with end users, this is rapidly diminishing as a gating factor to adoption, partly due to the security measures that cloud providers have implemented. Compliance Another obstacle for cloud-based backup/recovery adoption is IT managers concerns about regulatory compliance, which is particularly true in highly regulated vertical markets such as the financial, legal and healthcare industries. We believe this concern at least in industries with strict compliance requirements is legitimate, and that cloud-based data-protection providers are behind the curve in assuring compliance with a wide range of regulations. However, more and more cloudbased backup providers are emphasizing their compliance capabilities and strengths. Aversion to change One final factor in IT organizations reluctance to rely on online backup and recovery is merely their aversion to change. This is particularly intense in the context of backup applications, which are relatively sticky applications that are difficult to rip and replace, especially in large organizations. 451 RESEARCH: ENTERPRISE SECURITY PRACTICE 5
DEPLOYMENT MODELS AND VENDOR LANDSCAPE Broadly speaking, there are three deployment options for cloud-based data protection: traditional online backup, hybrid cloud backup, and peer-to-peer networking. STRAIGHT TO CLOUD BACKUP Traditional also known as straight to cloud, or cloud only online backup is the model used in consumer-based backup services, and it is sometimes employed in the business market, although mostly for desktops/laptops and rarely for servers. This approach involves a small agent running on each device to be backed up, which sends backup data directly to a cloud (typically, a public cloud). Although this model is sufficient for virtually all consumer requirements, it often falls short for all but the smallest businesses. This is because, although it provides cloud-based backup and archival functions, this deployment model does not store backup data on-premises for faster backups and more rapid recovery than is possible over the Internet. The lack of on-site backup resources means that users are limited to the performance of the Internet, which can translate into prohibitively slow backup/recovery times. We believe that most SMBs will prefer to have backup data stored on-site (in addition to being stored in the cloud), which is why we are proponents of the hybrid cloud backup model. HYBRID CLOUD BACKUP/RECOVERY Hybrid cloud backup vendors combine local, on-premises backup software with (often, but not always) on-premises backup appliances or gateways that are tightly coupled with online backup services which are provided either by the hybrid cloud backup vendor or, more often, by third-party service-provider partners such as MSPs, CSPs, VARs, or other resellers and IT providers. The key advantage of this model versus traditional online backup is faster backup and restore from the local software and appliances, in addition to the traditional advantages of the cloud, including added (off-site) data protection, security, remote disaster recovery and lower cost. This is particularly appealing to SMBs that historically haven t had the budget or facilities to implement a DR plan other than to make tape copies and send them off-site, which offers some protection but has limitations in terms of recovery times. (It should be noted that some vendors prefer the term backup and disaster recovery, or BDR, to describe the hybrid cloud backup model in part to emphasize the business continuity advantages of this deployment model while others use the term disk-to-disk-to-cloud, or D2D2C, to differentiate from disk-to-disk-to-tape approaches.) 6 DATA PROTECTION IN THE CLOUD
In a hybrid cloud backup scenario, once the backup is performed locally, all or some data is sent via replication to the cloud (or clouds) for added data protection and business continuity and disaster-recovery purposes. Essentially, this is a backup of a backup. File versioning and retention policies can be applied to reduce both on-site and cloud storage costs and to meet compliance requirements. Although coupling on-site and online backup can increase overall costs for data protection, a hybrid cloud backup approach provides faster backup and recovery (compared with pure public cloud approaches), as well as a relatively low-cost approach to disaster recovery and business continuity. PEER-TO-PEER NETWORKS Although most of the activity in cloud-based data protection for SMBs centers on the hybrid cloud backup model, a few vendors are focusing on an approach that is sometimes referred to as peer-to-peer networks. The underlying technology is often called data distribution or data dispersal whereby backup data is distributed across all systems on the network. A key advantage of this approach is that it does not require datacenters and all of the associated capex/opex costs for hosting backup data. Another big benefit to this approach is that Symform, for example, offers unlimited capacity for free to participating users and companies that contribute capacity to the network (called the Global Cloud Storage Network) a payment model that Symform refers to as bytes rather than bucks or capacity rather than currency. SECURITY Although SMBs also sometimes mention security as a concern in terms of cloud adoption, that concern appears to be diminishing, according to our discussions with end users at SMB sites. Online backup vendors have increased security measures through technologies such as improved physical security at cloud locations, multi-tenancy (the logical separation of one customer s data from another s), and encryption often source-side, in-flight and at rest in the backup datacenter. Although we acknowledge that security is still a gating factor to adoption of cloud-based data protection, we note that many end users cite the following security-related benefits of online data protection: less time spent on IT security; less time spent on identity management and authentication; decreased concerns regarding cyber-attacks; and increased confidence in meeting regulatory compliance requirements (e.g., HIPPA, PCI DSS, Sarbanes-Oxley, Graham-Leach-Bliley). This in part explains why some of the early adopters of cloud-based data protection were in the financial, legal and healthcare markets. 451 RESEARCH: ENTERPRISE SECURITY PRACTICE 7
Types of data that many end users are still not willing to put in the cloud include credit card information, company financial information, intellectual property, healthcare records, employee records and customer records. SYMANTEC IS IN THE CLOUD Backup market-share leader Symantec has cloudified options for both its enterprise-class Symantec NetBackup and SMB-focused Symantec Backup Exec software. For NetBackup, the company offers cloud connectors (essentially, protocol translators) for backing up to Nirvanix, Rackspace, Amazon (S3) and AT&T (Synaptic Storage as a Service) clouds. For its SMB-focused Backup Exec product, Symantec offers cloud connectors to Nirvanix clouds and, for disaster-recovery and business-continuity scenarios, to cloud facilities from Doyenz (acquired by Persistent Systems), which is a Symantec partner. In addition, Symantec offers Backup Exec.cloud, which backs up data to Symantec s datacenters. Despite its name, Backup Exec.cloud is not a version of the standard Backup Exec product, but rather a stand-alone product designed for very small businesses e.g., companies with one or two servers and connected desktops and laptops. With Backup Exec.cloud, backup data flows directly from protected devices to Symantec s cloud, with no on-premises backup operations. Symantec manages the back-end infrastructure, although the service is sold by both Symantec and its channel partners. For true hybrid cloud backup, Symantec has a newer, optional feature for Backup Exec. cloud that enables customers to back up data both locally and to Symantec s cloud. This document is an excerpt from an independently published 451 Research report, Data Protection in the Cloud, released in April 2013 and reproduced here by Symantec with permission of The 451 Group. 8 DATA PROTECTION IN THE CLOUD