Blog Archives

Securing Your Data in the Cloud

In the late ’90s when consumer Internet was relatively new, there was a controversy swirling around online commerce: is it safe to use your credit card online? Fast forward to today. Online commerce is ubiquitous, and one of the largest credit card breaches recently occurred in Target’s brick-and-mortar stores. Now with enterprise cloud computing, there’s another controversy swirling: is it safe to store your data in the cloud? As a provider of EMC cloud services—including Mozy and Spanning—and in working to tier our on-premises storage products to an EMC object service, I’m often asked this question. The answer depends upon the level of security deployed by the cloud service. Just as online commerce sites vary in their level of sophistication, so do cloud services when it comes to security features, operations, and compliance.

By federating identity and authentication with employees’ corporate authentication service, IT can make access to these services more convenient and more secure. Revoking a former employee’s corporate credentials also revokes access to the associated cloud service. Data should be encrypted in transit and at rest, and customers should have an option to either use encryption keys provided by the cloud service or apply their own corporate encryption keys. To validate that the data arriving in the cloud is exactly the same as at the point of origin, the service should apply a payload integrity validation check, which safeguards against either accidental or intended corruption in transit. And a solid role-based access schema will ensure authorized users can perform only the duties intended for them, reserving privileged/administrative rights to the few, while allowing capabilities such as simple reads and writes to the many. Finally, to respect data sovereignty laws, the service should provide geographical data residency options.
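The difference between accidental and intended corruption determines how such a check has to be built. The following is an added example, not code from the original post or from any EMC or Mozy product; it contrasts an unkeyed SHA-256 digest with a keyed HMAC, and the envelope layout, function names and sample payloads are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def upload_envelope(payload: bytes, key: bytes) -> dict:
    """Client side: attach an unkeyed digest and a keyed MAC to the payload."""
    return {
        "payload": payload,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "hmac_sha256": hmac.new(key, payload, hashlib.sha256).hexdigest(),
    }


def verify_digest_only(envelope: dict) -> bool:
    """Service side, unkeyed digest: detects accidental corruption only."""
    actual = hashlib.sha256(envelope["payload"]).hexdigest()
    return hmac.compare_digest(actual, envelope["sha256"])


def verify_mac(envelope: dict, key: bytes) -> bool:
    """Service side, keyed MAC: also detects deliberate modification."""
    actual = hmac.new(key, envelope["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(actual, envelope["hmac_sha256"])


def demo() -> dict:
    """Return (digest_ok, mac_ok) for three constructed transfer outcomes."""
    key = os.urandom(32)  # constructed secret shared by client and service
    original = upload_envelope(b"quarterly report (constructed sample)", key)

    # Accidental corruption: one byte changes in transit, metadata untouched.
    flipped = dict(original, payload=b"Q" + original["payload"][1:])

    # Intended corruption: the payload is replaced and the unkeyed digest is
    # recomputed to match. Without the key, the MAC cannot be recomputed.
    altered = b"altered report (constructed sample)"
    forged = dict(original, payload=altered,
                  sha256=hashlib.sha256(altered).hexdigest())

    cases = {"original": original, "accidental": flipped, "intended": forged}
    return {name: (verify_digest_only(env), verify_mac(env, key))
            for name, env in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

An unkeyed digest that travels with the payload passes the third case, so a service that claims protection against intended corruption needs a keyed MAC or a signature whose key never travels with the data.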

Now that the right data has landed in the right place, let’s review the data center operations to make sure it stays that way! Physical access must be strictly controlled on building and cage entrances by professional security staff utilizing video surveillance, alarm systems, and other electronic means, while legitimate access is granted through two-factor authorizations (for example, passcode and fingerprint) and strictly enforced visitor policies. But even more important is cyber hardening of the perimeter, hosts, and applications. Even one security hole in the perimeter could be exploited to gain access through the intended boundary, allowing access to the high-value servers and data within the product environment. In this sense, an ounce of prevention goes further than a pound of cure. Steps like ongoing vulnerability monitoring (especially for critical zero-day vulnerabilities) and solid patching practices are essential. Add to that a practice of creating and maintaining gold images that contain all necessary configurations to ensure the hosts are configured securely; for instance, all unnecessary services are turned off at install. Access management is also crucial, and increased security measures for legitimate administrators, such as two-factor authentication with one-time passwords, as with RSA’s SecurID capabilities, go a long way in preventing brute-force password hacks.

The next step in prevention is early detection. While the expectation of a perfectly hardened environment is a noble one, in reality, active monitoring provides an ideal air cushion in the event a flaw is exploited somewhere along the way. Tools such as RSA Security Analytics provide alerts from both unexpected log activity and indicators of compromise within the active network traffic flow, while ensuring log and network capture data is maintained in an unalterable state for future investigations and forensic needs. And in case the worst happens, the service needs a trained incident response and containment team available 24/7.

How does one know that a service is taking these measures? That’s where it can be helpful to have a thorough attestation of the level of security provided. There are self-certification attestations, such as assuming responsibility as a Business Associate under HIPAA, and there are independently certified attestations, such as SOC 1 or 2 Type 2 and ISO 27001:2013, just to name a few. In addition, some services employ security professionals to help address customer-specific inquiries and reviews.

When it comes to security there are no absolutes, but with the right security features, operations and compliance in place, a cloud service can provide the same or better protection than on-premises data protection options. After all, corporate IT environments are also susceptible to attacks, and most of them are not held to the same standards or external reviews described here.

Expanding the Data Protection Continuum with the Cloud

Vince Lombardi once famously said: “We are going to relentlessly chase perfection, knowing full well we will not catch it, because nothing is perfect. But we are going to relentlessly chase it, because in the process we will catch excellence.”

A few years back, Mozy shook up the idea of what a “perfect” backup strategy looked like. Computer usage had changed, with laptops becoming the preferred tool of mobile workers. By and large, many businesses simply gave up on trying to protect data stored on devices at the edges of the network. A “perfect” end user data protection strategy consisted of a successful nightly backup of the file servers. Few gave laptops a second thought. With the expansion of data protection into the cloud, the “perfect” backup just got even more excellent than before.

Since first launching Mozy in 2006, we’ve continued to enhance our service to better support your organization’s data protection strategies. We started with backup for Windows endpoints and then bridged the continuum further by adding support for Mac endpoints and later Windows and Mac servers. With continued investment in research and development, Mozy backups got faster and more efficient so larger data sets could be protected. In September 2011 we introduced the Mozy Data Shuttle, accelerating the backup of large data sets in the cloud. This past year we introduced Mozy Sync which enables data to be securely accessed across desktops, laptops, and mobile devices, further unleashing employee productivity.

Today, we’re proud to announce that we’re expanding the continuum even further into the cloud with the launch of Mozy data protection for Linux servers.

Why?  Because information is the lifeblood of your organization and we understand your challenges in trying to protect data, wherever it resides. Desktops, laptops, mobile devices, or servers at branch offices; it all needs to be protected and made available whenever and wherever your employees need it.

That’s also why Mozy is included in the EMC Data Protection Suite – a comprehensive portfolio of data protection solutions from the leading provider of backup, recovery, availability, and archiving solutions.

But that’s not all we’re announcing today. Mozy is also making your data protection journey to the cloud even more secure with the addition of three new features:

1) Corporate Key Support for Mozy Sync
With the introduction of C-Key encryption support, your organization may now choose to utilize your own secure encryption key with the popular Mozy Sync feature.

2) Enhanced LDAP Support
Our new on-premise connector interfaces directly with your LDAP-capable directory service and pushes account information to Mozy. Because your directory service does not need to be exposed externally, this makes automated user provisioning and management more secure.

3) HIPAA Compliant Data Protection
The latest iteration of the Mozy service includes a new one-click custom configuration setting to ensure end-user data is protected in accordance with Health Insurance Portability and Accountability Act (HIPAA) guidelines.

Like the legendary Coach Lombardi, we will continue in our relentless chase of data protection perfection at Mozy and EMC. The rules of the game are simple: Protect your data and make sure it’s there when you need it.

We hope you enjoy the new features.

How Do You Shift to People-Centric Computing? Two Words: Centralize and Hybrid, Says ESG

“It’s all about the people,” argued Peter Drucker, the most influential management thinker of the past century (see WSJ article).

It’s a philosophy that we hold dear in our hearts at Mozy – and one the analysts at ESG appear to champion, as well. The latest report from the storage experts highlights the shift in emphasis needed to deliver comprehensive data protection for the modern workforce. And it really boils down to the people.

As the world of backup evolves, it’s becoming less about forcing people to use specific devices and back them up to a specific destination – and more about protecting the data belonging to those people and intelligently selecting the backup destination that suits it best.

“A hybrid architecture means that an organization does not need to make ‘either-or’ data protection decisions, but can instead use centralized and distributed backup approaches wherever each makes sense,” said Jason Buffington, Senior Data Protection Analyst, Enterprise Strategy Group.

“For example, centralized data protection could provide the foundation for compliance, while distributed backup could add agility in dealing with remote data,” said Buffington. “The key to success is choosing the right data protection tools for each recovery goal — and, rather than the IT department trying to own every single piece of the infrastructure, making sure that they own the management for all of the organizations’ data backup, regardless of method.”

It’s well known that EMC has a comprehensive portfolio of backup services that offers on-premise, private cloud, public cloud and hybrid solutions. The new ESG-Mozy white paper helps big companies better understand those different tools. It offers advice on building a hybrid, people-centric approach that meets all their needs.

And this kind of approach will meet their needs so long as the business makes sure that the ownership and control of backup management holds fast across the entire enterprise. Corporate office employees, remote office employees and workers on the go all have different data backup and access requirements and need to be treated uniquely.

Putting people at the heart of the backup strategy is core for Mozy. We talked about this in July when we made big changes to the foundation on which the Mozy service is built. And we’ll continue to talk about it as we bring more features to market based on our new infrastructure.

The ESG White Paper’s hotlist of “must haves” for a successful hybrid backup architecture includes the following characteristics:

- Data protection and access and the ability to recover that data are all provided
- It’s manageable by the IT organization
- Remote and branch-office employees are equally supported
- Security is as strong for the cloud piece as for the on-premise piece
- Productivity is enhanced through the hybrid approach

You can find out more about implementing a hybrid backup solution by reading the new ESG White Paper, and the recently released ESG Lab Validation Report: MozyEnterprise: Secure, Efficient Cloud-based Backup.