21 June 2016
On 25 May 2016, the EU’s General Data Protection Regulation (GDPR) came into force. Ratified earlier this year, the legislation changes the way in which organisations collect, use, transfer and store personal data of millions of EU customers (see News, Jan 2016). That includes any EU-based provider that holds data as part of offering a business continuity (BC) service.
According to the Henley Business School at the University of Reading, the GDPR represents a “huge threat” to BC for the IT sector in the UK. Companies now have just two years to comply with the new ruling or risk fines of up to four per cent of global turnover or €20m (around £153m), whichever is higher.
Henley points out that one of the key changes brought about by the legislation is the way in which consent for processing personal and special data – such as financial information of EU citizens or those within the union – can be obtained lawfully.
“Firms will now face a raft of guidance from the ICO that will be in alignment with these new data protection principles,” warns Ardi Kolah, co-programme director at Henley. “This will effectively introduce the GDPR ‘through the back door’ well before the deadline of the two-year transition has expired.”
He adds that organisations will now need a new generation of data protection officers (DPOs) to ensure GDPR compliance. Citing research from specialist recruitment agency GO DPO, Kolah says that in the financial services sector alone, around 33,000 companies will require a DPO as part of a raft of new obligations that make the GDPR a “game changer” in how organisations can continue to do business within the EU.
That’s only the tip of the iceberg. In research published earlier this year, YouGov and cloud access security broker Netskope found that almost 80 per cent of IT professionals in medium and large organisations are not confident of ensuring GDPR compliance in time for the May 2018 deadline (see News, Feb 2016). The report advises both cloud-consuming organisations and cloud vendors to take active measures now.
Dave Allen, SVP and general counsel at cloud-based internet performance management company Dyn, sounds further alarm bells: “While some internet companies have begun to address new challenges at the fixed locations where data is stored, this alone will not necessarily be enough to ensure compliance.
“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.”
Allen says companies that rely on the global internet to serve their customers should be “seriously considering” visibility into routing paths along both the open internet and private networks. He believes that as we enter an era of emerging geographic restrictions, firms with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.
According to Jon Geater, CTO, Thales e-Security, the new rules also highlight another factor that everybody should already know: you can outsource your risk, but you can’t outsource your responsibility.
“If organisations use a third-party provider to store and manage data – such as a cloud provider, for example – they are still responsible for its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.”
Geater uses the term “privacy-by-design” as this is an integral part of the GDPR. Businesses now have an obligation to factor in data privacy from the very first stages of a project as well as throughout the life of the relevant data processing.
While the issues of data protection and privacy should be at the top of the agenda for all concerned (and that includes GCHQ and the NSA, although we don’t have space to talk about PRISM here), the GDPR looks set to be a big headache for most organisations and enterprises. Is there a solution? Well, we could all vote to leave the EU on 23 June. So what would a so-called ‘Brexit’ mean for the providers of business continuity and disaster recovery (DR) services in the UK?
The long arm of the law
Disaster recovery software specialist Zerto says ensuring uninterrupted operations is always a high priority for companies, but if Britain exited the EU, the need for flexible BC & DR would become even more important in achieving that objective.
“Companies should be carefully assessing their IT infrastructure to validate that their systems are ready for any disruption, including those caused by the changing political landscape,” warns EMEA VP Peter Godden. “If Brexit comes to fruition, companies may find themselves needing to move their data into or out of Britain to align with new compliance regulations, which will truly shine a light on the importance of BC/DR software as many will struggle to manage mission critical data across disparate systems without experiencing downtime.”
But that could be easier said than done. Intralinks, which provides a cloud-based content collaboration network, believes that if we were to leave the EU, it would be some time before UK firms and firms based elsewhere outside the country would know what to do around the issue of data transfer. Deema Freij, the company’s global privacy officer, says: “Any practical guidance would be unlikely to arrive immediately. During that time, many companies could be unknowingly operating against the law, leaving them with a number of critical legal issues and increasing the risk of data breaches.”
At the end of the day, however, the UK leaving the EU does not necessarily mean a split with the union’s regulations. Technology and digital media law firm Kemp Little notes that businesses offering goods or services to EU residents or monitoring their behaviour will need to comply with the GDPR regardless of whether they are based in the EU.
“In the event of a vote for the UK to leave the EU, the impact of the GDPR may be reduced, although many UK firms are likely to be caught by the extra-territoriality requirement, and will therefore need to comply with the GDPR regardless of the outcome of the referendum,” says Nicola Fulford, Kemp Little’s head of data protection and privacy.
US-based Quorum has offices around the world and believes it’s important that organisations keep data stored in the country it originated from. It says this filters right down through every part of the business, from offsite storage through to backups and replicas residing in an offsite data centre.
Gabriel Gambill, Quorum’s senior director of product and technical operations, says: “UK organisations are now fearful of what might happen to their data stored abroad. But whatever the outcome will be in June, businesses need to use this opportunity to opt for solutions that store data within the country it resides in.”
Challenges beyond the EU
Gambill says that while most organisations think of downtime as the result of a natural disaster, this actually accounts for only five per cent of data loss. But he adds that whether it’s the result of a natural disaster, hardware failure, human error or malicious attack, data loss and downtime remain a huge threat which businesses can ill afford.
“Businesses need to be prepared for human error and hardware failures which are inevitable. Staff members simply clicking on the wrong button can cause disastrous consequences, and businesses need to have a DR and BC plan in place to make recovery as quick and simple as possible. The reality is that data loss can come from a wide variety of sources and it is therefore a huge threat to businesses, but it can be countered by a simple disaster recovery and business continuity platform.”
But Daren Howell, senior manager of solutions marketing at Sungard AS, believes simple solutions are not enough as today’s enterprise IT environments are now far more complicated.
“Several years ago it would have been acceptable for a business to simply have a robust BC & DR plan in place with the aim of getting the business back up and running as soon as possible. BC/DR is no longer about recovery but availability.
“The daunting challenge of delivering all time availability is also compounded by an increasingly complex IT landscape; meaning this quest for availability sometimes takes a back seat when brought to the attention of the wider business.”
To put this into context, he says recent research by the Ponemon Institute found that the cost of just a single minute’s downtime for general businesses could reach more than £5,700 – and that’s not even taking reputation damage into consideration.
Howell agrees that traditional forms of disruption such as power outages and hardware failures still plague businesses, but says several threats have also emerged that were hardly on the radar a few years ago. “Notably, we are seeing more issues arising from communications-related failures. This suggests that while technology resilience has been prioritised, enterprises may be neglecting other important factors in maintaining availability, namely, people and processes.”
In April, Macrium Software published the findings of its research that asked reseller partners for their views on the backup industry, challenges and changes (The Good, The Bad and The Ugly – the Backup Space from a Reseller Perspective). It revealed that hardware failure and human error are the biggest threats to corporate data.
“This indicates that businesses need to make sure that backup is an integral part of their data security strategies,” says the company’s sales director Stephen Macpherson. “They need to ensure they are investing time and effort in appropriate trustworthy technologies and regularly testing their current backup solution for recoverability.”
All about the cloud?
Macrium’s study also found a trend towards Backup-as-a-Service (BaaS) with almost 75 per cent of its resellers now offering this. “It appears that many of their clients want backup and recovery taken off their hands and handled by the professionals, either on premise, in the cloud, or a hybrid solution,” states the research report.
It therefore comes as no surprise that when it comes to new products for BC & DR, far more new cloud-based solutions seem to have been launched than physical appliances.
For example, in May, data protection specialist Druva claimed to have launched the industry’s first public cloud platform to converge backup, archival and DR.
The US-based company describes Phoenix as a “secure and elastic cloud solution that stores data indefinitely with limitless snapshots and flexible retention policies using patented, client-based global deduplication”. At the same time, the platform is said to provide for continuous backup of physical and virtual servers, including the ability to automatically failover and spin up VMs in the AWS public cloud, ensuring always-on business continuity.
Druva says Phoenix is built upon a unique, scalable, cloud-first architecture that offers “unprecedented” cost savings for enterprises. The firm reckons these are achieved by minimising the backup and archival storage footprint while eliminating the need for expensive hardware and data centre facilities. Druva adds that it has adopted true consumption-based licensing so organisations only pay for what they use.
Asigra is hoping more managed services providers (MSPs) in the UK will use its cloud-based backup and recovery software following a recent partnership deal signed with Azlan, the value added enterprise distribution arm of Tech Data.
According to Asigra, its enterprise-class, multi-tenant and agentless Cloud Backup software reduces recovery time objectives and eliminates silos of data backups. The firm says it does this by providing a single consolidated repository with dynamic autonomic healing along with recovery assurance and low total cost of ownership.
All backups are encrypted before transmission to a cloud vault and remain encrypted while they are stored. Asigra says the customer is the only party with access to the decryption key.
Meanwhile in March, Zerto announced that it had solved the “most frequent” data centre IT request with the general availability of its Virtual Replication v.4.5 software.
The latest version includes the new Journal File Level Recovery feature. Zerto says this enables the restoration of any file from a point in time just seconds before a deletion, virus or data corruption occurred. As a result, the firm reckons its software significantly reduces the impact of data loss on common daily requests for data restoration.
Zerto adds that, by keeping a compressed journal of the changed blocks from the protected VMs, Virtual Replication maintains recovery points at intervals of seconds going back up to two weeks. This is said to enable point-in-time recovery, with the ability to rewind data to recover from corruptions, deletions or even system-wide data disruptions caused by ransomware or system upgrade errors.
“The ability to help IT and business leaders confidently recover and restore within minutes any aspect of their IT infrastructure up to the last seconds of an outage is one that truly gives our customers a competitive advantage,” says Zerto CTO and co-founder Oded Kedem. “For highly regulated industries such as healthcare and financial services, this level of business continuity and disaster recovery granularity helps them easily exceed compliance requirements, while providing better customer experiences.”
Quorum has unveiled its first software-only solution for DR in the shape of the onQ vApp virtual appliance. Gambill says: “onQ delivers high availability and robust disaster recovery, and with a software-only solution we are able to work closely with our customers and partners to provide a solution which can quickly and seamlessly integrate into their current environments.”
Utilising Quorum’s DRaaS platform, the virtual appliance has been developed to deliver instant unified protection for both physical and virtual VMware environments, allowing businesses to maintain continuity. The company says it can be immediately leveraged to work on existing infrastructure, enabling businesses to re-purpose old servers and storage as DR equipment.
Quorum adds that the onQ platform was originally developed for US navy warships to ensure that on-board computers never ‘go down’ during combat. It says the “highly robust” technology is designed for businesses to rapidly recover their most critical applications and data in the cloud after any storage, systems or site failure.
Cloud services and solutions are certainly instrumental as organisations continue to adopt a more flexible approach to work, with remote employees, mobility, geographically distributed teams and so on. So is the future of BC & DR all in the cloud?
Despite the increasing digitalisation of businesses and the trend towards virtualised and cloud offerings, Sungard AS says traditional third-party workplace recovery centres are still an important part of many businesses’ DR strategy. Howell believes that with business availability needing to embrace people as well as processes and technology as part of the overall resilience and recovery mix, this stands to reason. “In addition, the increase in business rental prices, decrease in viable space and the rising complexity of today’s businesses means that expertise in delivering an all-encompassing approach to workforce, as well as IT, availability is needed. This means that shared, dedicated and remote solutions all come into play as part of keeping office-based and mobile workers productive and available when disruption occurs.”
Sungard AS has recently developed Recovery as a Service (RaaS) to help harmonise what it says is both the ‘run’ and ‘recovery’ aspects of any organisation from the perspective of their people and systems availability. Howell says RaaS covers primary production environments and traditional DR infrastructure.
“While there are many ‘point’ solutions on the market today we believe ours is the only one in which a provider takes responsibility for recovering not only a customer’s IT systems but its business – people, processes and technology – backing this commitment with RTO-based SLAs and reducing restore times by up to 70 per cent.”
The respondents in Macrium’s study mentioned above also had positive and negative comments about using cloud-based services for BC & DR. On the plus side, resellers said that as cloud usage goes up, the costs per GB are going down. Cloud platforms can also be used alongside a local copy for increased protection.
But on the downside, as well as the predictable issues of security and trust, respondents said customers didn’t understand the limitations of using cloud-based services and wrongly believed the technology was infallible.
Other negative points expressed by Macrium’s resellers included comments that the cloud is not a solution for disaster recovery as it takes too long to download a backup; concerns about cloud backup solutions which don’t work well with image backup/restoration (“too time consuming due to internet bandwidth limitations”); and customers not wanting to be part of the trend as “cloud equals a loss of control”.
The latter could prove key here: on the one hand we have the cloud industry telling us that ‘XaaS’ solutions for disaster recovery, backup, etc., are the way to go. And on the other hand, new legislation demands that organisations get a tighter grip on their data. The future for data in the context of BC & DR looks murky if not cloudy.