What's the difference between a Storage Cloud and a Black Hole?

If you are like most small businesses, you believe that because you are using a SaaS, all of your data is backed up and protected. That is the biggest misconception most users have. While SaaS offerings provide more advanced security, more robust environments, and more features than ever, they are not foolproof.

Misconceptions include

The Cloud Vendor is Responsible for my Data.

This is a huge misconception. It is important to read up on the levels of responsibility and on your terms and conditions. For instance, Microsoft 365, one of the biggest SaaS offerings, is very clear about the level of responsibility, and many others are the same. Understanding those responsibilities can help guide you on what your business needs. The Microsoft 365 shared responsibility model is as follows:

Vendor Responsibilities

Infrastructure Uptime
The vendor takes responsibility for keeping your cloud infrastructure up and running for your access. This does not guarantee 100% uptime; however, they will make a best effort and have policies and procedures in place to quickly address and remediate issues.

Geographical Redundancy
It is their responsibility to replicate the data across data centers that have enough geographical distance to allow them to recover from a natural disaster.

Recycle Bin
Microsoft manages a short-term recycle bin, so when an item is deleted, it goes into a recycle bin for 90 days until it is permanently deleted. Once it is permanently deleted, you are unable to restore it.

Infrastructure Security
Microsoft 365 is responsible for physical, logical, and app-level security, and user/admin controls. So, while security measures are in place, they do not protect your data from users, rogue apps, hackers, or other malicious users and software. The controls put in place put data security into the hands of the administrators.

Regulatory Compliance
They are responsible for data privacy, regulatory controls, and industry certifications, e.g., HIPAA and Sarbanes-Oxley. This does not necessarily extend to the controls a business chooses to put in place.

Your Business Responsibilities

Access and Control of Your Data
It is the responsibility of the business owner to put the proper access and controls in place to manage their data. Features exist for you to restrict access and data or to completely open it up to the world. It is your responsibility to handle that data properly, putting all liability on the company.

Backup stored in another location
It is the business's responsibility to keep a backup of its data stored in a different location and to set the retention policies to meet its needs and requirements. This includes both short-term and long-term retention to fill the policy gaps required, such as granular and point-in-time recovery options.

Data Corruption
Data can be corrupted for many different reasons in many different ways. Some examples the business would be responsible for include:

  • Human Error: People make mistakes and may delete items or make the wrong administrative configuration changes, which can be detrimental to the business. Being able to recover is the responsibility of the business. This ranges from unintentional mistakes to malicious insiders, disgruntled employees, or contractors.
  • Malicious Software: Malware and ransomware can corrupt data that can only be recovered through a third-party backup. This software can land in your environment regardless of security measures put in place, and it is the business’s responsibility.
  • Cyberthreats: As attackers become more sophisticated, there are new attackers and threats hitting the online world every day. If you fall victim, it is your responsibility to recover and protect your data.
  • Rogue Apps: There are applications that we all use in our everyday workplace. Each application can have its own set of vulnerabilities and risks. When those applications integrate or communicate with your Microsoft 365 infrastructure in a malicious way, they can cause data corruption and more that the business is responsible for.

Regulatory Compliance

Each business and industry has its own set of regulatory compliance requirements. There is also a growing number of compliance requirements regarding data protection. How your business manages and enforces those regulations is up to you.

Cloud Backups Protect Me Against Ransomware

Cloud backups are a recovery tool for your response to ransomware, not a safeguard or protection. In addition, if your data is stolen and used for malicious purposes, sold on the black market, or exposed, a backup will not protect you from such exposures. Backups with the right policies and procedures in place can help you quickly recover, but they do not protect you. It is your responsibility to protect your business from vulnerabilities with additional security measures in place.

All Backups are the Same

Backups are not created equal. What you back up, how you back it up, where you back it up, and how long you keep it backed up are contingent on the backup you choose. Backups range from simple ones that cover basic data only to more complex ones that will truly back up your infrastructure, including policies, access and control, and security settings. If data is not properly encrypted and truly disconnected from your infrastructure, your backups may not be able to protect you from data corruption. Local backups could leave you vulnerable to hardware failures and network access. All this and more should be taken into consideration when choosing a cloud backup solution.