Data Protection: How Reliable is Your Cloud Data Protection Provider? – Part 2

StephenAldous 12-02-2013 06:30 AM - edited 02-19-2015 12:26 PM

In part 1 of this blog post, I talked about some important statistics you may want to know when evaluating a cloud data protection provider. I finally got around to publishing part 2 (my sincere apologies for the delay), and below I cover Security and Availability.


Security seems like a no-brainer. Of course you expect your data to be protected securely in the cloud; this is 2013 after all, right? Well, not so fast. Just encrypting data is not enough these days, because organizations want to know about physical security, processes and procedures, hard drive cleansing / shredding, and audited compliance certifications too. Many organizations have a Chief Compliance Officer, and it will be that CCO's job to ensure your corporate data is protected and managed in the right way. HIPAA, PCI DSS and ISO 27001 all fall into this category, and complying with them is no small task.


How many of you have stored data with Dropbox? Did you know Dropbox doesn't comply with PCI DSS or HIPAA?! I'm now imagining many of you double-checking to see if you stored any healthcare or credit card related data there and purging it quickly...


If you're a small business, healthcare provider or government agency storing credit card data, complying with the regulations referenced below is non-negotiable. When you're selecting a cloud vendor that will store your data, you must ensure they comply and have the audited certificates to prove it.


HIPAA (Health Insurance Portability and Accountability Act) is designed to protect patients’ medical records and other health information supplied to health plans, doctors, hospitals and other healthcare entities. It defines a set of security standards to protect personally identifiable health information and covers administrative, physical and technical safeguards that an organization must take when handling such data.


PCI DSS (Payment Card Industry Data Security Standards) are a set of regulations developed jointly by Visa, MasterCard, Discover and American Express to prevent consumer data theft and reduce online fraud. Compliance with these standards is mandatory for any organization that stores, transmits or processes credit card transactions. This sweeping requirement means all merchants, service providers, and payment card network members must be compliant if they wish to continue accepting payments made with those credit card types.


ISO 27001 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). It is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks.


If you want to check on a vendor, for example HP Autonomy, here’s how you can do it easily online:


PCI DSS: Navigate to the Visa website and in the Company search field on the left-hand side, enter Autonomy and click the Go button to search. You'll see both of HP Autonomy's cloud data protection services listed, LiveVault and Connected Backup.


ISO 27001: You can search the BSI certificate directory. The results for Autonomy can be found on the page titled "BSI - Certificate/Client Directory Search Results" and include LiveVault and Connected Backup.


HIPAA: While there is a set of standards to comply with, there is no official certification. Having said that, organizations should engage a third-party auditor to determine compliance. The best way to check a vendor is to ask them to sign a BAA (Business Associate Agreement). This is the vendor committing officially, in writing, on a legal document that they meet and comply with the HIPAA standards. If a company won't sign a BAA with you, you shouldn't store healthcare data with them.


Many solutions on the market advertise low-cost data protection. Everyone wants a bargain, but you get what you pay for, not only in compliance with the above standards but also in service availability and redundancy. Low-cost solutions typically are not mirroring or duplicating a redundant copy of your data somewhere else, either in the same location or in a geographically separated location. While the vendor will likely have data integrity checks running to ensure your data is good and restorable, events can (and will) happen outside of the vendor's control. A hard drive will fail, the RAID controller will occasionally write a bad block, the file system (e.g. NTFS) will make an error, and so on. All of these are completely separate events that are not the fault of the vendor's software, but they still happen. And of course there are natural disasters: fire, floods and hurricanes.


If you don’t have a second copy of your data somewhere, or your cloud vendor isn’t storing another copy in another location, you should be worried.
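The two safeguards named above, integrity checks and a second copy, are worth seeing together. The following is an added example, not code from the original post or from HP Autonomy: it builds a SHA-256 manifest of a constructed backup set, makes a second copy, injects one flipped byte to stand in for a silently bad block, detects the damaged file by comparing against the manifest, and repairs it only from a copy that itself still matches the manifest. The directory names, sample files and corruption offset are all assumptions made for the demonstration.

```python
"""Added example (not part of the original post or any vendor's code):
verify a backup set against a SHA-256 manifest and repair a damaged
copy from a second, verified copy. All data is constructed in a temp dir."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_copy(root, manifest):
    """Return the sorted list of files whose digest differs from the manifest.
    A missing file counts as damaged: a restore would fail either way."""
    damaged = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full) or sha256_of(full) != expected:
            damaged.append(rel)
    return sorted(damaged)


def repair_from_good_copy(bad_root, good_root, manifest):
    """Overwrite damaged files in bad_root with the copy from good_root.
    The source is re-hashed first so a corrupt source is never propagated."""
    repaired = []
    for rel in verify_copy(bad_root, manifest):
        src = os.path.join(good_root, rel)
        dst = os.path.join(bad_root, rel)
        if os.path.exists(src) and sha256_of(src) == manifest[rel]:
            os.makedirs(os.path.dirname(dst) or bad_root, exist_ok=True)
            shutil.copyfile(src, dst)
            repaired.append(rel)
    return repaired


def simulate_silent_corruption(path, offset=10):
    """Flip one byte in place, standing in for a bad block write.
    This is a constructed fault for the demo, not a real device failure."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


def demo():
    """Run the full cycle; returns (damaged_before, repaired, damaged_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = os.path.join(tmp, "primary")   # assumed first copy
        mirror = os.path.join(tmp, "mirror")     # assumed second copy, e.g. another site
        os.makedirs(os.path.join(primary, "records"))
        # Constructed sample backup set (not real data)
        with open(os.path.join(primary, "records", "patients.csv"), "wb") as f:
            f.write(b"id,name\n1,Alice Example\n2,Bob Example\n")
        with open(os.path.join(primary, "ledger.db"), "wb") as f:
            f.write(os.urandom(4096))
        manifest = build_manifest(primary)
        shutil.copytree(primary, mirror)
        simulate_silent_corruption(os.path.join(mirror, "ledger.db"))
        damaged_before = verify_copy(mirror, manifest)
        repaired = repair_from_good_copy(mirror, primary, manifest)
        damaged_after = verify_copy(mirror, manifest)
        return damaged_before, repaired, damaged_after


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "we have two copies" into "we have two copies we can prove are identical to what was backed up"; without it, a mirror faithfully replicates the bad block and both copies are wrong. Keeping the manifest separate from both copies (and checking the source before repairing) is what lets the repair step be trusted.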


About the Author


Product Manager for HPE VM Explorer within HPE's Data Protection portfolio. Based in Boston, MA. Twitter: @sraldous
