Insight and analysis on the data center space from industry thought leaders.
Don’t Rely on the Cloud Provider to Protect Your Data
AWS customers must take responsibility on their end by choosing which Amazon services to use in order to fully protect the availability and integrity of their cloud data.
September 8, 2018
Andrew Langsam is COO at N2WS.
The advantages to moving from the more “traditional” on-site infrastructure model to the cloud are enormous. Cloud offers unparalleled convenience, reliability, scalability, cost savings, and security. In fact, most organizations have already taken the plunge, and not just for test-dev or “science experiments.” A N2WS survey of 750 re:Invent attendees, indicated that two-thirds of IT organizations were using at least one AWS service in a production environment, with 40 percent of monthly spending exceeding $100,000.
Unfortunately, many organizations that rely on cloud services for mission-critical applications assume that there’s no need to protect the data and apps that live there. The survey above sheds light on this issue, showing that most IT organizations are either using just scripts (25 percent) or nothing at all (23 percent) to back up their AWS data. And when it comes to disaster recovery for AWS, only 19 percent have plans in place. Thirty-six percent are working on a plan, but an alarming 45 percent have no DR plan at all.
Those who are relying on their cloud provider to protect their data are making a huge mistake. That's because the big cloud services, such as Amazon EC2 or S3, are exceptionally durable and redundant, they assume that the cloud’s architecture mitigates any risk of downtime from a failure, error, outage or security attack. This is wrong. The end-user license agreements of AWS and most large public clouds put final responsibility for data on the customer. While the “cloud” itself is secured by AWS, everything within that cloud is the customer’s responsibility. If data is corrupted, encrypted or deleted, either in an attack or by accident, that data is lost forever unless it was backed up.
Security and Compliance Shared Responsibilities
While cloud computing is changing the way enterprises manage and store data, relieving the operational burden associated with maintaining physical data centers and infrastructure, IT is still responsible for deploying, configuring, and maintaining the security of everything within the cloud.
For example, let’s take a look at the AWS shared responsibility model. Amazon is responsible for its various services and infrastructure that offer features that will secure workloads and other assets. AWS services operate, manage, and control the physical security of the facilities in which services are operating. This allows AWS customers to shed their infrastructure headache, they no longer have to think about backup power generators or the temperature in a server room, instead they can focus on managing their core business and leave the management of data center facilities to the pros at AWS.
AWS customers, in turn, must take responsibility on their end by choosing which Amazon services to use in order to fully protect the availability and integrity of their cloud data. They must also be sure to meet their specific organizational requirements, such as recovery time objectives (RTOs) and recovery point objectives (RPOs), for protecting that data. A customer may be diligent in the implementation of patches and updates. However, if they fail to configure security groups, IAM or cross-region disaster, massive backup lapses and security vulnerabilities can emerge.
If a customer accidentally terminates a workload without having a backup copy, AWS assumes no responsibility, the shared responsibility model clearly states that the customer data in AWS along with the platform, operating system, and security settings are all customer responsibilities. This includes ensuring that your AWS environment is secure and protected. “Secure and protected”, obviously includes the need to backup your data!
The AWS portion of responsibility includes the security of the cloud, while the customer is responsible for the security of the data in the cloud. AWS provides durable infrastructure with extremely low failure rates and also provides tools needed to protect that data in the event of failure.
These tools include:
EBS snapshots (Block-level incremental backups)
Regions
Availability zones
APIs
CLIs
Automation via Lambda Scripts
The AWS Shared Responsibility Model chart
As an AWS customer, IT can ensure resilience by creating Snapshot backups of EBS volumes. The snapshots are stored in an S3-like format and are highly available. This means that the workload that someone accidentally terminated can be recovered very quickly, often in less than 30 seconds.
IT can automate snapshot backups using Lambda scripts and the AWS CLI and APIs, or they can deploy a cloud-native data protection solution that takes advantage of the cloud’s own services. Either way, IT organizations need to ensure they have a way to rapidly backup and recover data before they place mission critical applications in the cloud. Otherwise, they may find out the hard way that responsibility for cloud data rests squarely with the customer.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating.
About the Author
You May Also Like