Commercial clouds host and deliver agency applications just as an agency’s own data centers do. The two sources often present identically to end users. But systems administrators must make adjustments to ensure data protections in place at agency data centers are also in place at their cloud service providers.
That requirement — to have equal levels of protection in hybrid, multicloud environments — extends to making sure an agency can recover from a cybersecurity breach or other interruption in service.
Nic Perez, chief technology officer for cloud practice at ThunderCat Technology, put it this way: “There’s cloud native backup. There is cross-region backup. But the recovery piece is the hard part.”
The reason is simple. Each cloud service provider constructs services in its own way, he said. The challenge arises because agencies “have invested in procedures and policies on premise that have evolved over many, many years,” Perez said during Federal News Network’s Industry Exchange Cloud.
When adding cloud computing, “they are now having to adapt those and ultimately identify gaps and augment those current solutions differently as they adopt each cloud provider and software as a service solution.”
Often organizations have mistaken perceptions about the security features of their cloud service providers, added Brad Montgomery, director of federal presales for data protection at Dell Technologies. “An assumption is made that once an organization ports an application to the cloud, the cloud platform itself is going to give them everything they need from a resilience and a data protection standpoint. That’s not necessarily true,” he said.
Montgomery cited a common application, Microsoft Exchange, with its extensive settings for security and data protection in on-premise instances.
Agencies gain many advantages from moving to the cloud version of Exchange when switching to Microsoft Office 365, “but at the same time, it’s not going to provide the same level of data protection that you had on premise with backup and recovery,” Perez said. “Even if you are moving up to M365 for Exchange, you still need to make sure that you have that data protection to meet the service level agreement you agreed to for your on-premise solution.”
Otherwise, that need — to make sure each cloud provider is configured to the agency’s security requirements — can hold up authorities to operate when a given application is ported to more than one cloud provider.
Embracing security in the cloud
The answer, Perez and Montgomery said, is to adopt specific SaaS backup and recovery tools. Such tools are multitenant, multivendor and aimed at specific applications not only within M365 but also within other widely used platforms such as Salesforce.
An important benefit is how such applications let IT staffs manage multiple instances of application data protection from a single pane of glass, Perez said. That’s been a Holy Grail since the inception of cloud computing, he said.
“I do have customers that are utilizing Amazon and backing things up into Azure for continuity,” Perez said.
Moreover, these applications, Montgomery added, enable a best practice in data protection: backup and recovery instances do not exist on the same physical infrastructure as the production instance. After all, all commercial clouds experience occasional periods of downtime.
“When you’re talking about multicloud, what is the best practice for protecting data? You want to make sure that it is decoupled from the source,” he said. “You don’t want to have your backups on the same array as your production. You don’t want to have your data protection in the same cloud as your production.”
He added, “Cloud is still very much a part of agencies’ modernization efforts, but we’re much more precise on how we’re leveraging it. Data protection is a great use case for it.”
Both Montgomery and Perez emphasized how the cloud SaaS market is continually adapting. For example, backup systems are increasingly the target of ransomware attacks, Perez said. He advised looking into least-privilege access tools that feature temporary keys to minimize anyone’s access. Such tools support the zero trust posture that all agencies are pursuing.
Perez also said cloud data protection technologies are migrating to on-premise data centers. Customers with secret, enclosed environments without internet access cannot access cloud-hosted SaaS.
“But the providers are now providing edge boxes,” he said. “You can wheel in racks. They give you your own region. They give you those cloud technologies … in that locked-in environment.”