OPINION TOP CONSIDERATIONS FOR BUSINESS ONLINE BACKUP OCTOBER 2013 We define online backup as using the cloud to provide users with a highly scalable and elastic repository for their backup data. This is true across all online backup users but mid- market and enterprise businesses have specific requirements and some risks that consumer and SMB customers do not share. Consumer and SMB including education and small government agencies primarily require acceptable backup and restore performance, plus security and compliance reporting in their online backup. The enterprise needs these things too but they are dealing with additional pressures from backing up larger data sets across multiple remote sites and/or storage systems and applications. Note that no one is talking about backing up the corporate data center s petabyte- sized storage to the cloud, not yet anyway. At its present level of development online backup is best done for smaller scale systems, which usually means corporate workgroups, Tier 2 applications, and remote offices. But even with this limited approach, enterprise backup needs security and compliance, backup and restore performance, data availability and flexibility, and centralized backup management. Online backup has its advantages Online backup fulfills the DR requirement of keeping backups off- site. It does not take the place of remote sites with failover capabilities that are mirroring hot data. But it can take the place of off- site tape vaulting. We support tape and tape libraries for active archives and massive online back- up, but for regular backup tape requires users to change tapes, label them, track usage, and order the truck to take them to the off- site vault. In this respect online backup is far easier and less prone to manual error. Additional advantages include: The cloud offers unlimited data retention because the customer is not bound by the size of on- site data centers and storage systems. This doesn t mean that you should practice unlimited da- ta retention more on that later but you can certainly grow your backup storage quite easily. Most online services will version your backup which is extremely useful in recovering to your Recovery Point Objective, or RPO. Cost- effectiveness maybe. More on this later. and its disadvantages Even given these advantages, enterprise IT is right to be wary. Enterprise online backup is loaded with complexity because of performance, security, size, and compliance needs. IT needs to know what these needs are, what to do about them, and if the return justifies the effort. 1 of 5
Network bandwidth is a lot slower than backing up to disk and even to tape, especially if you are backing up to a tape library. This should not be too bad for backup once the initial upload is accomplished, but it can significantly affect restore times. This is why a lot of companies write in their SLAs that if remote data cannot restore over the pipeline with the Recovery Time Objec- tive (RTO), the provider will ship the data on removable media. Low tech for sure but necessary in these cases. Never assume that your data is kept private from the service provider employees. This is not necessarily a bad thing depending on maintenance and operational agreements, but it is a big security hole. For this reason many providers offer at- rest encryption for backup data as well as in- transit. (Don t lose the encryption key.) Many online backup service providers operate on razor- thin profit margins and are actively looking to be acquired. When you are looking at providers, be certain that you will have guaran- teed and easy access to your backup data should the company go out of business or be pur- chased. We will talk more about avoiding vendor lock- in in a few minutes. Cost- effectiveness can be an issue. This sounds odd when one of the major marketing points for online backup providers is low price. Sure the price can be low for the most basic of backup services simply storing massive data in the cloud without having to restore it often. (Or ever.) And the cloud does offer real savings if you are running out of data center real estate, the cloud is a great choice. But the more data you add the higher the cloud storage cost grows, and a one- to- one comparison between the per- GB cost of online backup and buying local disk is not in the cloud s favor. Best Practices In spite of online backup s advantages, many enterprises have been reluctant to engage. There are several good reasons for this reluctance including trust issues, security, data availability, compliance, backup and restore performance, cost concerns, and fear of vendor lock- in. Objections include issues and concerns around security, data availability and accessibility, compliance, backup and restore performance, cost concerns, and vendor lock- in. CENTRALIZED BACKUP An enterprise online backup service will not backup from individual workstations straight to the cloud, but will create backups from a central location and send them to the cloud provider through a gateway. OPTIONAL BUT HELPFUL: CONTINUOUS BACKUP Online backup services offer continuous backup for priority applications in addition to scheduled backup. We strongly suggest looking for a service that offers both options, which allows you to set priority backup procedures for different applications. Continuous backup and granular restore services will be more expensive but will be a good trade- off for an important application. BACKUP AND RESTORE The way to achieve greater speeds is not merely by accelerating the pipeline but by changes at local and in- transit levels. Storage vendors have been actively developing products that counteract latency s effects such as employing Web protocols on backup gateways, minimizing data with inline data dedupe and compression, and optimizing the WAN. For backup look at the following features: dedupe and compress before sending, WAN accelerators, and proven fast ingestion on the cloud side, often from solid state drives and/or caching at the storage controller. Some networking 2 of 5
solutions offer multi- threaded data transfer and/or do not use throttling, but these are individual corporate decisions. Data dedupe and compression. These features are absolutely critical to acceptable backup and restore performance. For obvious reasons dedupe and compression need to occur on- site on the backed up data before sending it over the pipeline. The cloud service should send back the data in the same compressed condition. WAN acceleration. Sending deduped, compressed, and changes- only backup through the pipe- line helps to accelerate the WAN. Networking throttling can help with some workloads, as can biting the bullet and investing in fatter pipes. Scheduling backups for idle network times is also a time- honored performance idea. Only changed data. You will have to do full backup uploads at first and periodically thereafter. However, on a regular hourly or daily schedule your online backup service should only be uploading changed data. The ability to granularly restore is also important. Closer physical distance between the provider s data center and your backup site also helps to diminish latency especially around restores. Some online providers offer multiple geographical locations for data backup storage. However, that rather defeats the purpose of cloud storage flexibility and requires that your online backup provider has multiple national or international cloud storage sites, and will shift your data accordingly. Still, physics being what it is, the ability to keep your data geographically close is a workable fix for latency issues. COMPLIANCE Each standard has different compliance details and concerns, but in general online backup for regulated information must include compliance features such as: Verified Backup. The online backup service may be continuous or scheduled. No matter what you have chosen, the process must be able to verify each backup and report accordingly. Acceptable data security. Standards universally require encrypting the backup data stream. There are additional requirements depending on the standard including highly secure user access control, physical and digital security of the provider s data center, and a particular encryption scheme depending on the standard s requirements. On- demand copy data retrieval. You do need to be able to locate the required copy and begin the retrieval process, although how long it takes to retrieve will depend on the size of the data to be restored and your pipeline, or how fast the service provider can truck it back to you. Generally ediscovery and compliance requests do not have next- day requirements but the faster the restore is the better. VENDOR LOCK- IN PROTECTION We don t blame cloud vendors for hanging on to their customers, but they should at least offer data migration tools or services to facilitate mass data transfers as necessary. CACHED BACKUP Downed connections will affect direct- from- PC consumer backups, but the enterprise online backup service should backup to a separate storage repository. Backups will reside safely in this repository until the remote connection is reestablished. There are more advanced usages for this type of backup that we will discuss in the next few minutes. 3 of 5
SECURITY Secure data center. Encryption data- in- transit is all well and good but what about once it hits the provider s data center? Look for data center certifications like Tier- 4 SAS 70 and review both digital and physical security. Data encryption. Encrypting in- transit data is a basic requirement. The most widely used level of encryption is xxx and you might want to look at xxx. Encrypting at rest is also common especially for sensitive data in multi- tenant environments. Encrypting path names and directories is as important as encrypting the data. Access control. User access controls need to be in place both from the corporate site and on the provider site anyone who has the opportunity to touch your data needs to have their access controlled. Ask if the provider carefully screens their employees and tracks their activities while at work. A tad big- brother- ish maybe, but remember Edward Snowden? Exactly. DATA AVAILABILITY Customers need to know this going in. They must write service level agreements for rapid recovery. Don t be surprised if an Amazon won t write a customized SLA for you. It might but flexibility is not its business offering. Other providers will, ask them. You also need to know how well your provider is protecting your data at their site. They should be remotely replicating your backups in addition to offering secure data centers. If your provider hosts your backups on Rackspace, when a tornado approaches San Antonio, Texas you will be very happy to know that your data has been mirrored to San Francisco, California. COST EFFECTIVENESS Choose a service that lets you manage your data retention requirements. You should also have some provision for matching cloud resources to your data requirements. Amazon Glacier for example is fine for very inexpensive long- term storage as long as you don t need to restore much data often. You will pay for cloud backup storage with decent restore requirements; be certain that the money you are spending matches data restore priorities. Taneja Group One important solution to recovery times is to NOT treat data as one- size- fits- all. The customer should be able to prioritize certain type of data that by RPOs and RTOs. The Tier 1 applications will likely be backed up on- site using continuous backup capabilities. We see cloud backup prioritizing as primarily applicable to Tier 2 applications: important and need to recover quickly, but not necessarily immediately. Still, if a restore of Exchange or SharePoint takes days this is clearly unacceptable. A restore of a Tier 2 application may take 1 day without massive business disruption, but should not take longer. A granular approach to backup storage and restore can offer this quick recoverability even from a cloud site. The customer should be able to decide if they want to maintain some level of backup self- management through a customer portal, or turn it over to the service provider. In no case will the customer impact or manage the size or infrastructure of the provider s data center, which is why it is important for the enterprise to 1) carry out due diligence on data center performance, storage growth and security and 2) sign service level agreements for acceptable performance, storage growth and security before ever signing the final dotted line. Portal interfaces or customer policies for the provider to carry out would include items such as data priority, RTO agreements, and data retention times and destruction. 4 of 5
Some cloud backup vendors are tackling the challenges and are providing simplified, easy- to- use, and cost- effective ways to get data safely in and out of the cloud infrastructure. These tend to be the vendors who specialize in supporting corporate cloud clients. However, some cloud backup providers are unwilling to reach the level of SLAs that corporate users need. Frankly we think they are leaving vast amounts of business on the table and we do not suggest that you go with them for any but the most basic white bread backup. Is online backup worth it for the enterprise? Yes, absolutely if you know your backup needs, if you know online advantages and disadvantages, and if you do due diligence. Do these things and it s the start of a beautiful friendship.. NOTICE: The information and product recommendations made by Taneja Group are based upon public information and sources and may also include personal opinions both of Taneja Group and others, all of which we believe to be accurate and reliable. However, as market conditions change and not within our control, the information and recommendations are made without warranty of any kind. All product names used and mentioned herein are the trademarks of their respective owners. Taneja Group, Inc. assumes no responsibility or liability for any damages whatsoever (including incidental, consequential or otherwise), caused by your use of, or reliance upon, the information and recommendations presented herein, nor for any inadvertent errors that may appear in this document. 5 of 5