TECH GUIDE - Online Backup for Servers
By Cloud Direct • 28 May 2014
Today, more companies than ever recognize the value and convenience of using online backup to protect their server data. If your company is considering Cloud Direct's server backup service, or any other online backup service, consider these questions:
- Could an unauthorized individual gain access to your backed-up data?
- Could your backed-up data be altered?
- Will necessary data be available when needed?
- Is data protected against fire, floods, and human error?
Cloud Direct addresses all these concerns with the most secure solution available. For example, our online server backup service encrypts all data before transferring it from the customer’s servers. All data remains encrypted at secure offsite Data Bunkers and on optional TurboRestore (TRA) appliances.
Only the customer controls the data encryption passwords. To ensure the physical security and availability of stored data, Cloud Direct uses a fully redundant vaulting infrastructure at two HP and IBM managed underground Data Bunkers.
Security for Data in Transit
Cloud Direct assures that the connection between application servers and the off-site Data Bunkers is secure. Our backup software uses the best electronic security methods available, including:
Automatic, outbound-only connections: There is no added security risk to the customer’s environment. In particular, there are no inbound connections. The software agent on a customer’s server communicates only with the backend infrastructure. The agent initiates all connections from the customer’s server (outbound connections) over two ports reserved for the backup service, or over port 443 (the SSL port) if those ports are not available. Normally, there is no need to alter the firewall security perimeter. This makes installation particularly simple and secure at remote sites.
Public key encryption for mutual authentication: There is no possibility of spoofing. The backend infrastructure and the backup software independently validate certificates each time a connection is made. This authenticates the agent to the electronic vault, and the vault to the agent.
256-bit Advanced Encryption Standard (AES) encryption of all data before transmission and storage: There is no possibility of eavesdropping on data transfer between the agent and the electronic vault, and no possibility of Cloud Direct seeing your data on the vaults. 256-bit Advanced Encryption Standard is the level of encryption that banks and government agencies employ.
Customers control encryption passwords. Customers may keep their encryption passwords private, so there is no possibility of any Cloud Direct employee accessing customer data. Cloud Direct also offers a free, optional encryption password escrow service that enables customers to recover data even if the encryption passwords are not available.
Customers can change encryption passwords: Whenever there is a potential security breach, such as when an individual leaves a customer’s company, the customer can simply change the data encryption passwords, which is similar to changing the door locks. Older backed-up data can still be restored, but only with the new password.
Protecting encryption keys and passwords: All data is encrypted (256-bit AES) at the source, using a unique encryption key. To guard against forgetting or losing encryption keys, the backup service offers a password- protected, user-changeable, human-friendly encryption key built on top of the machine-readable encryption key. As additional protection, there is the free option to escrow the key with Cloud Direct. A customer can change the password that accesses encrypted data, so that all data is only available with the new password (and not available with the old password).
Digital signatures: There is no possibility of corruption or modification of data. All communication between the Cloud Direct agent and vault uses industry-standard SSL (Secure Sockets Layer). This prevents any accidental or malicious modification, and protects the integrity and confidentiality of all data.
Security for the Cloud Direct Web User Interface
The Cloud Direct Web user interface is convenient for customers to use because only a Web browser is needed for access. Security features of the Web user interface include:
Encrypted communication: Secure Sockets Layer (SSL) encryption protects the Cloud Direct Web user interface.
Data protection: The contents of backed-up files are not accessible.
Privacy protection: Because data encryption passwords are not set or accessed with the Web user interface, even if someone steals a user's login and password, they cannot restore data, except to the machine where it originated.
Strict password rules are available: A company can set password specifications for their account, such as minimum password length, reuse policy, expiration period, and requirement for non-alphabetic characters.
Limits on insider attacks: Customers can grant users only the rights and privileges necessary for their specific job duties. For example, a help desk person might have the ability to initiate restores, but not to set or change backup policies or add other users. Similarly, an IT administrator might have some (or limited) responsibilities for servers and users where they work, but not be able to see or manipulate servers or user accounts at other locations.
Physical Security for Data Stored in Electronic Vaults
Cloud Direct uses HP and IBM owned and managed off-site data centres that provide high-security environmentally-controlled storage for a variety of media. These data centres are located in Milton Keynes and London with two EU based data centres in Amsterdam and Brussels. Each data centre has comprehensive security features including:
- Steel gates with 7x24 armed security.
- OSHA-certified fire brigade and EPA-certified water treatment plant.
- Redundant generators for full backup power for up to 7 days.
- Redundant bandwidth providers.
- A Level 9 (Ultra-Reliable Data Center) rating by independent security consultants BRUNS-PAK.
All data centers have achieved SysTrust® certification. SysTrust examination assures that a system is reliable when measured against four essential principles: availability, security, integrity, and maintainability.
All data is stored in two places - a primary and secondary data centre. When customers sign up for the Cloud Direct service, their data is mirrored between vaults at each data centre site for high availability. The data centres are constantly monitored by HP and IBM personel. In the unlikely possibility of a failure, backups are rerouted and continue automatically to the secondary data centre. When the failure is repaired, all missing backup data replicates to the repaired or replaced data centre. All other elements of the backend infrastructure, such as the Web servers, the backend database, and the command and control systems, are also fully redundant.
Storage security features include:
- The data center stores the 256-bit AES-encrypted backup files without decrypting them.
- Every account has a unique encryption key, used to encrypt and decrypt each backup file. Only the key that encrypted the file can decrypt it.
Secure, Reliable Server Protection
Enterprise sized companies including Google, Amazon, Cisco, HP, Time Warner, Price Waterhouse Coopers have all selected data backup solutions based on the same technology used by Cloud Direct. Cloud Direct now brings the same enterprise class technology to the small-medium sized company in an affordable backup package. Today, over 9,000 servers worldwide are under the protection of this backup technology and customers have restored over 234 million files.
Data backed up with Cloud Direct is automatically off-site and safer than it is in the customer’s own facility. Customers rely on Cloud Direct to have their data available when they need it, while protecting the privacy and integrity of the data.
Share this post