Protecting Data In A Hybrid Cloud Environment

This is an excerpt of the Veeam Report ‘Availability in the Age of the Cloud’, to read more articles surrounding cloud technology, protection and security, download the report for free here.

Technology is integral to business operations today and there is a widespread expectation that important data be available and secure 24 hours a day, 365 days a year.  In many ways, securing your business’s data has become the most critical role for the IT division.   As this dynamic market creates even more sophisticated attacks and glaring vulnerabilities, it will be IT’s responsibility to stay ahead of the game.  A hybrid-cloud storage architecture should leverage this by delivering secure, end-to-end architecture that provides the flexibility of the cloud with the performance of an on-premises solution, while still encrypting data flows from one site to the other.  Here’s how you can keep your customers’ information, and your own business, safe in a hybrid cloud architecture:



Cloud protection starts with physical security protecting against theft, loss, accidents, power failures, etc.  Cloud data centres are physically secure, often in remote locations, with multiply-redundant, backed-up power supplies, and redundant telecom connections.  They offer secure building physical security with controlled access, and their size and the nature of storage management makes it near-impossible to identify the physical location or device storing any one organisation’s data.  By comparison, many enterprises at best tend to have a single data centre, and SMEs might have only an in-building server room or data closet. Very small companies may just have a NAS sitting unprotected on site.

To protect against physical data loss, it is essential to have a physically separate offsite backup copy.  Unsurprisingly, simple data backup to cloud is the oldest application and, until the advent of big data with cloud, one of the largest consumers of cloud storage.

For physical separation, cloud storage is divided into redundancy or availability zones.  Users can select from multiple zones within one data centre (locally redundant) or data can be duplicated across different datacentres in different locations in a region (zone redundant) or in different regions (geo-redundancy).  Unlike traditional storage tiering or offsite backup, cloud-based storage is distributed across redundancy zones and handled by the cloud storage system software transparently to users.


No matter the storage medium, there is always the risk of device failure.  With HDD it’s inevitable, and Flash devices used in SSD will wear out.  RAID technology was developed to protect against drive failure, although with very large drives, RAID is increasingly less effective.  For traditional storage, best practice in the industry is to follow a 3-2-1 backup strategy – back up to a second device and then back up to offsite.  This quickly becomes expensive in both hardware and IT time spent on maintenance – time that could be spent on strategic business initiatives.

A variant of data loss is inadvertent or malicious deletion of data. Over time users, and even IT managers, utilising file hosting and collaborative solutions such as Dropbox and Office 365, have become so accustomed to cloud reliability that they assume files are always available. However, if a file is deleted it is only available for recovery for a short time.

A 2015 study by EMC found the top causes of data loss were accidental deletion (41%), migration errors (31%), and accidental overwrites (26%). To protect against this, several new products that provide cloud backup are becoming available, especially for Office 365.

Data can also be lost via corruption by viruses or ransomware.  Ransomware is the most prevalent incident of malware today, per Verizon’s 2018 study of business risks. The WannaCry attack is one recent example; and the city of Atlanta, Georgia, is still reeling from a major ransomware attack that crippled the city’s applications, from payroll to public transportation.

Using a hybrid-cloud architecture locates the authoritative data storage in the cloud and gains all the benefits of cloud storage while still presenting a traditional on-premises filer interface, with the added advantage that the filer is now no longer a critical, high-maintenance component.  Because the filer is just a cache of the cloud data, if it is replaced it will simply replenish with most active files, once accessed.

Data in cloud storage is spread across multiple drives, and data on the drives is managed throughout their lifecycle by the cloud provider to prevent data loss and make failed drive replacement transparent to the user.  As noted above, data can also be saved in geo-redundant locations for maximum protection.

For additional protection, the cloud object store can be configured with versioning and made immutable – meaning data can only be written, not erased, although in practice time limits can be set for when erasure is enabled.  This ensures that any saved version of the file is always available for recovery.

Disaster recovery/file level recovery

With legacy NAS devices based on hard drives, we know that these drives will inevitably fail, and it’s only a matter of time before data must be recovered.  Disaster recovery is a storage function that everybody recognizes as an important baseline to have implemented.  However, many businesses today are leveraging two different storage backup and disaster recovery (DR) strategies.  They have one system for use as primary storage and another separate version for backup and recovery.

Leveraging the hybrid-cloud model streamlines this process significantly, as SMEs use the same cloud storage service for both primary storage and backup/DR.  The hybrid-cloud storage architecture consolidates files into a single store. This is especially beneficial for organizations with multiple sites, because it avoids multiple copies being stored on separate file servers for access with the attendant replication costs, active-version headaches, and overhead.  With the scalability and falling cost of cloud storage, combined with full namespace visibility and cached cloud filers, it always makes sense to just keep every file available in the cloud.

Hybrid-cloud storage services support file-level restore combined with versioning that lets users find prior versions of their files, which means you can restore/backup individual files without having to deal with the whole data store. And all of these have a high-performance connection as part of the on-premise acceleration.


Protection from data breaches incurred through human behaviour – many data breaches and even ransomware incidents start with phishing attacks through social engineering.  Another problem, especially with file hosting solutions, is shadow IT, where employees upload restricted data to an unauthorised personal cloud file hosting application such as Google Drive, OneDrive, or Dropbox.

Many of these do not deliver encrypted end-to-end traffic, although this might be expected from more consumer-oriented services. The bigger issue is that all these services readily facilitate file sharing – but now IT has no knowledge of what files have been shared and with whom.  This can easily violate industry compliance measures like HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation).

By avoiding shadow IT, investing in audit tools, using identity management tools like Azure AD combined with device management, and encrypting files at rest and in-transit, breaches can be better avoided and identified when they do occur.

In 2018, the GDPR made breach reporting mandatory – all companies processing or holding the personal data of data subjects in the European Union are subject to GDPR.

Although most major cloud vendors fully intend to be GDPR-compliant, it’s essential that your IT organisation ensure your on-premises and global file system are a compliant storage architecture. Adopting a hybrid-cloud architecture with secure on-premises filers for access and encryption at rest and in transit, utilizing identity and device management and audit capabilities, preventing shadow IT, and limiting how files can be shared and by whom will minimise breaches.  In the unfortunate event of a breach, accurate log files, immutable data, and versioning will speed forensics and recovery.

Maintaining security on an ongoing basis – audits / reviews

Once you finally secure your hybrid-cloud storage architecture, there is no guarantee that it will stay that way!  As a result, you should perform regular cloud-compliance audits. These audits can span your cloud storage provider (or providers) and your own on-premise architecture piece as well. As this dynamic market creates even more sophisticated attacks and glaring vulnerabilities, it will be IT’s responsibility to stay ahead of the game.  A hybrid-cloud storage architecture should smooth that pathway.


Find out more about cloud security, protection options & legislation for your cloud at the Cloud Migration Summit in London on 14th May 2019. It is the only conference dedicated to the business challenges, strategy and implementation behind successfully migrating to the cloud through proven case studies, round tables and networking sessions. Download the agenda.




Article Link: