Lack of Cloud Backups Poses a ‘Real Problem’ for Data Protection, Expert Says

TU IS/Getty Images

A Veeam report found that a third of IT leaders did not think their cloud data needed to be backed up for security.

As the government and other organizations are increasingly moving to cloud environments, efforts must be taken to ensure the safety of data in these environments, according to Veeam’s Cloud Protection Trends Report 2023

The report, released earlier this year, examines four cloud protection pillars: infrastructure as a service, platform as a service, software as a service and backup and disaster recovery as a service. The report surveyed 1,700 IT leaders in the fall and found that 98% of organizations are using some form of cloud capability. 

According to the report, 34% of respondents think their cloud-hosted files are durable or do not need to be backed up and 15% believe their cloud-hosted databases are durable or do not need to be backed up. However, a lack of backups can pose problems for an organization when it comes to cyber attacks on their cloud-hosted data. According to the report, 59% of respondents have cloud-hosted files and 79% of their cloud-hosted databases are backed up. 

“That is a real problem because—when we ask in data protection trends, ‘what was the cause of the most significant outage that you had in the last year?’—cyberattacks are consistently the most significant cause of outages,” Jeff Reichard, Veeam’s vice president of solution strategy, told Nextgov. “And other causes of outages are things like overwrites, accidental deletion, accidental corruption in that report. So, if you’re not protecting resources that you’ve got on a public cloud—whether it’s file shares, whether it’s database as a service, whatever—those things are entirely vulnerable to an administrator making a mistake and accidentally losing data, or misconfigured or overwriting data.”

Additionally, in reference to Veeam’s November 2022 ransomware report, Reichard noted that organizations tend to encrypt their cloud-based data after experiencing a ransomware or malware attack. 

“Backup is important because the native resiliency of cloud resources cannot let you turn back the clock the way that backup can and that turning back the clock is very important for legal matters,” such as for legal discovery requests, Freedom of Information Act requests or a security inquiry, according to Reichard.   

He added that backups are also important in case of a malware attack and in supporting data as a zero trust pillar. 

“If I’m already breached, if my adversary has escalated credentials, how can I make sure that I can continue the mission, even if they do set off an attack?” Reichard said. “And secure backup is really the last line of defense for making sure that you can do that.”

However, in comparison to last year, cloud protection is improving, Reichard said. 

“What we’re seeing is an uptick in folks that are using backup or disaster recovery as a service compared to previous years,” he explained. “But we are seeing a continuation of using storage resources in the cloud and an uptake of using more advanced as a service resources for backup in the cloud. This year, as an example, disaster recovery as a service, we had 49% of respondents saying that they’re using [a] DRaaS solution, which is up from last year, and we expect those lines to continue as well.”

The report also found that two-thirds of backups of cloud-based workloads are performed by backup teams and one-third are performed by cloud administrators. 

“The reason why that is good news is that typically the folks who have traditionally done backup of on-prem resources are more aware of what the organization’s long term retention mandates are and disaster recovery requirements are. And so the fact that the folks who have been protecting data are getting more dialed into protecting cloud-based data is enormously good news for the security of that data,” Reichard said.

However, according to the report, a large number of organizations are returning their cloud-based data back to on-premises—known as data repatriation—mainly for two reasons: cost and workflow challenges. Specifically, the report found that only one out of eight organizations did not repatriate cloud workloads back to datacenters. Additionally, 88% of organizations returned their workloads to their datacenter because of “disaster recovery failback, staging versus production, or reconciliation that the cloud was not optimum for that workload.” 

The report stated that an organization's data protection strategy must include: backing up cloud-hosted workloads when they are brought into a cloud environment, as well as helping to migrate from cloud to datacenter or another cloud alternative.

“What I hear repeatedly is that cost containment is a major problem,” he said. “The other cause that I hear from federal customers for repatriating data is just unexpected connection of workloads with other workloads, basically, performance based on how often databases, for example, are being hit and from how many different locations.” 

Reichard stated that there are several mistakes that agencies can make in regards to cloud protection. 

“When we look at the mistakes that federal agencies make, one of them is basically not backing up cloud-based workloads. Not being aware that cloud-based workloads are just as vulnerable to misconfigurations or to deliberate cyberattack as on-prem workloads are,” he said. ”The opportunity for them is to think about backing that stuff up and thinking about what their long-term retention requirements are.”