Data Protection: How Reliable is Your Cloud Data Protection Provider? – Part 2

In part 1 of this blog post, I talked about some important statistics you may want to know when evaluating a cloud data protection provider. I finally got around to publishing part 2 (my sincere apologies for the delay), and below I cover Security and Availability.

Security seems like a no-brainer. Of course you expect your data to be protected securely in the cloud; this is 2013 after all, right? Well, not so fast. Just encrypting data is not enough these days, because organizations also want to know about physical security, processes and procedures, hard drive cleansing and shredding, and audited compliance certifications. Many organizations have a Chief Compliance Officer, and it will be that CCO's job to ensure your corporate data is protected and managed in the right way. HIPAA, PCI DSS and ISO 27001 all fall into this category, and complying with them is no small task.

How many of you have stored data with Dropbox.com? Did you know Dropbox doesn't comply with PCI DSS or HIPAA? I'm now imagining many of you double-checking whether you stored any healthcare or credit card related data there and purging it quickly…

If you're a small business, healthcare provider or government agency storing credit card data, complying with the regulations referenced below is non-negotiable. When you're selecting a cloud vendor that will store your data, you must ensure they comply and have the audited certificates to prove it.

HIPAA (Health Insurance Portability and Accountability Act) is designed to protect patients’ medical records and other health information supplied to health plans, doctors, hospitals and other healthcare entities. It defines a set of security standards to protect personally identifiable health information and covers administrative, physical and technical safeguards that an organization must take when handling such data.

PCI DSS (Payment Card Industry Data Security Standards) are a set of regulations developed jointly by Visa, MasterCard, Discover and American Express to prevent consumer data theft and reduce online fraud. Compliance with these standards is mandatory for any organization that stores, transmits or processes credit card transactions. This sweeping requirement means all merchants, service providers, and payment card network members must be compliant if they wish to continue accepting payments made with those credit card types.

ISO 27001 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). It is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks.

If you want to check on a vendor, for example HP Autonomy, here’s how you can do it easily online:

PCI DSS: Navigate to the Visa website and, in the Company search field on the left-hand side, enter Autonomy and click the Go button to search. You'll see that both of HP Autonomy's cloud data protection services are listed: LiveVault and Connected Backup.

ISO 27001: You can search the bsiamerica.com site. The results for Autonomy can be found on the page "BSI - Certificate/Client Directory Search Results", and they include LiveVault and Connected Backup.

HIPAA: While there is a set of standards to comply with, there is no official HIPAA certification. Having said that, organizations should leverage a third-party auditor to determine compliance. The best way to check a vendor is to ask them to sign a BAA (Business Associate Agreement). This is the vendor committing officially, in writing on a legal document, that they meet and comply with the HIPAA standards. If a company won't sign a BAA with you, you shouldn't store healthcare data with them.

Many solutions on the market advertise low-cost data protection; everyone wants a bargain, but you get what you pay for, not only in complying with the above standards but also in service availability and redundancy. Low-cost solutions typically do not mirror or duplicate a redundant copy of your data somewhere else, either in the same location or in a geographically separated one. While the vendor will likely run data integrity checks to ensure your data is good and restorable, events can (and will) happen outside the vendor's control: a hard drive will fail, the RAID controller will occasionally write a bad block, the file system (e.g. NTFS) will make an error, and so on. All of these are separate events that are not the fault of the vendor's software, but they still happen. And of course there are natural disasters: fire, floods and hurricanes.

If you don’t have a second copy of your data somewhere, or your cloud vendor isn’t storing another copy in another location, you should be worried.
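To make the point about integrity checks and a second copy concrete, here is an added example (not code from the original post, and not from any HP Autonomy product). It assumes a backup manifest of SHA-256 digests recorded at backup time and then checks each stored copy against it, so a silently flipped bit from a bad block or a file that simply never made it to one location shows up before you need to restore. The three sample files, the "primary" and "secondary" copies and the bad block are all constructed in-memory data, and the function and copy names are the example's own.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest recorded in the manifest; any collision-resistant hash would do."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record each file's digest at backup time, before any copy has had a chance to rot."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_copy(manifest: Dict[str, str], copy: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (file, problem) for every manifest entry this copy cannot serve intact.

    "missing" means the file is absent from the copy; "corrupt" means the bytes
    no longer match the digest taken at backup time (bad block, partial write, ...).
    """
    problems: List[Tuple[str, str]] = []
    for name, expected in manifest.items():
        data = copy.get(name)
        if data is None:
            problems.append((name, "missing"))
        elif sha256_hex(data) != expected:
            problems.append((name, "corrupt"))
    return problems


def restorable_from(manifest: Dict[str, str],
                    copies: Dict[str, Dict[str, bytes]]) -> Dict[str, Optional[str]]:
    """For each file, name the first copy whose bytes still match the manifest.

    None means every copy has lost that file: with a single copy, one bad
    block is enough to make the file unrestorable.
    """
    result: Dict[str, Optional[str]] = {}
    for name, expected in manifest.items():
        result[name] = None
        for copy_name, copy in copies.items():
            data = copy.get(name)
            if data is not None and sha256_hex(data) == expected:
                result[name] = copy_name
                break
    return result


def with_bad_block(data: bytes, offset: int) -> bytes:
    """Simulate a single flipped bit, the kind of error a failing drive or RAID controller writes."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample data set (not real backups) and its manifest, taken at backup time.
ORIGINAL: Dict[str, bytes] = {
    "db.bak": bytes(range(256)) * 4,
    "mail.pst": b"M" * 512,
    "notes.txt": b"quarterly notes\n",
}
MANIFEST = build_manifest(ORIGINAL)

# Primary copy: db.bak has a bad block and notes.txt was never written at all.
PRIMARY: Dict[str, bytes] = {
    "db.bak": with_bad_block(ORIGINAL["db.bak"], 100),
    "mail.pst": ORIGINAL["mail.pst"],
}

# Secondary copy at another location: intact except for a bad block in mail.pst.
SECONDARY: Dict[str, bytes] = {
    "db.bak": ORIGINAL["db.bak"],
    "mail.pst": with_bad_block(ORIGINAL["mail.pst"], 3),
    "notes.txt": ORIGINAL["notes.txt"],
}


if __name__ == "__main__":
    for label, copy in (("primary", PRIMARY), ("secondary", SECONDARY)):
        print(label, verify_copy(MANIFEST, copy) or "all files intact")
    print("two copies:", restorable_from(MANIFEST, {"primary": PRIMARY, "secondary": SECONDARY}))
    print("one copy:  ", restorable_from(MANIFEST, {"primary": PRIMARY}))
```

With both copies, every file is restorable from one location or the other; with only the primary copy, two of the three files are gone. The manifest has to be kept separately from the copies it describes (and ideally signed), otherwise the same event that corrupts a copy can corrupt the record you would use to notice it.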

-Stephen

#HPDPB

Labels: Data Protection
About the Author
Responsible for Cloud Server Data Protection products, including LiveVault and Data Protector. Based in Boston, MA. Twitter: @sraldous