Compliance Regulations for Data
Nowadays online backup has become in vogue thanks to a combination of faster, cheaper bandwidth and the increased need for off-site backups. In fact, in many ways online backups have greatly improved the practice of disaster recovery. However, if your company falls under any regulation or standards body, online backup can bring as many pitfalls as solutions. If you accept or store any kind of financial, health or personal information, you probably fall under some local, state or federal regulation, and it is possible that your online backup facility does not comply with those standards.
You have worked really hard to get your infrastructure, processes and people up to snuff to pass audits and compliance exams. But a hastily made decision in the area of online backup could put all of that at risk. After all, your backups typically contain the crown jewels of your organization: all your key data wrapped up in a neat and tidy bundle for hackers to go through if they obtain access to the files.
Most online backup services at least pay lip service to the idea of security. Encryption of data both at rest and in motion is pretty standard. If it’s not, you definitely need to find a new home for your online backups. But depending on the industry or standard you are trying to comply with, more than just data encryption may be required to meet minimum standards.
Assessing Compliance Requirements
Poor storage and handling of encryption keys are common vendor mistakes that can undo much of the cryptographic protection in place for your data. Another area of potential non-compliance is the separation of data. Is your data kept separate, both logically and physically, from that of other customers? Have these vendors passed their own exams and inspections by respected third parties for the standards or regulations you are expected to adhere to (PCI, HIPAA, GLB, CJIS, etc.)?
In fact, almost any security breach on the part of your online backup vendor can cause a major breach on your part, even if you are doing everything right in-house. Remember, these facilities often replicate a significant portion of your IT assets (otherwise what is the point?). Any hacker who gains access to the vendor's network or systems will most likely gain access to yours. In choosing an online backup or DR solution, you need to look beyond the usual marketing spec sheets. Don't just talk to the sales people, who will parrot what the marketing people tell them. Get their actual audit reports (SSAE-16, SOC 2, etc.) and actually read them rather than dropping them into the vendor due diligence file. Talk to the technical people as well. They will often be much more candid and should have the definitive answers you need.
Ask the tough questions. Get acceptable answers. Keep in mind that your weakest vendor can be the weakest link in your security chain. And one non-compliant vendor is all it takes to bring it all crashing down on you no matter how much money you have spent on infrastructure or training. Your online backup provider should be as compliant as your in-house infrastructure, or even more so given that the data will reside outside your owned infrastructure. Ignorance is no excuse in this area.