Azure Backup Considerations for SMBs Migrating to the Microsoft Cloud

Tracy Rock

Director of Marketing @ Invenio IT

Azure backup and business continuity strategies aren’t keeping pace with the rate of migration to the cloud. There’s a good reason for the lag, as cloud computing services in general and the Microsoft Azure line of business in particular are growing at a blistering pace.

Commenting on the 50% growth rate of the Azure product line in Q3 2021 over the previous quarter, Microsoft CEO Satya Nadella said, “Over a year into the pandemic, digital adoption curves aren’t slowing down. They’re accelerating, and it’s just the beginning. We are building the cloud for the next decade, expanding our addressable market and innovating across every layer of the tech stack to help our customers be resilient and transform.”

SMBs are contributing to this growth story as they increase their embrace of the benefits of moving infrastructure to the cloud. However, cloud computing creates some new risks and challenges for SMB management, including assuring adequate provisions for backing up workloads.

Whether you are making your first moves to the cloud or are ramping up your existing investment in cloud resources, addressing these ramifications is necessary to ensure your past investment in business continuity planning carries over fully to the new environment and provides protection comparable to data backup for private networks. To bring these issues to the forefront, this post:

  • Describes the cloud computing market
  • Discusses cloud computing’s shared responsibility model
  • Identifies the vulnerabilities created by the shared responsibility model
  • Outlines some best practices for mitigating these vulnerabilities
  • Supplies an overview of Microsoft Azure
  • Provides a description of Datto Continuity for Microsoft Azure

Cloud Computing Overview

Cloud computing is defined as the delivery of configurable computing resources such as servers, storage, databases, networking, and software over the Internet. This delivery mechanism allows faster innovation, flexible resource allocation, and economies of scale. Businesses pay for only the services used, enabling a shift from a CAPEX to an OPEX spending model.

There are three types of cloud computing deployment approaches or architectures: public cloud, private cloud, and hybrid cloud. These implementations are defined as follows:

  • Public Cloud – Public cloud architectures are multi-tenant environments in which users share a pool of virtual resources that are automatically provisioned for and allocated to individual tenants through a self-service interface. With a public cloud, all hardware, software and supporting services are owned and managed by the provider.
  • Private Cloud – A private cloud refers to cloud computing resources used exclusively by a single business or organization. A private cloud can be physically located on the company’s on-site datacenter, or a company can pay third-party service providers to host their private cloud.
  • Hybrid Cloud – Hybrid clouds combine public and private clouds, which allows data and applications to be shared between them. By allowing data and applications to move between private and public clouds, a hybrid cloud provides enhanced flexibility, a variety of deployment options, and optimizes existing infrastructure, security, and compliance.

Using these deployment models, a cloud service provider (CSP) delivers three major types of services: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

  • Infrastructure as a Service – With IaaS, you rent IT infrastructure such as servers and virtual machines, storage, networks, and operating system from a cloud provider on a pay-as-you-go basis.
  • Platform as a Service – Platform as a service refers to cloud computing services that supply an on-demand environment for developing, testing, delivering, and managing software applications. PaaS allows developers to quickly create applications without setting up or managing the underlying infrastructure.
  • Software as a Service – With SaaS, cloud providers host and manage the software application and underlying infrastructure, and handle any maintenance, like software upgrades and security patching.

The market share leaders in the infrastructure segment of cloud computing (IaaS and PaaS) are Amazon Web Services (33%), Microsoft Azure (20%) and Google Cloud Services (10%). The top players in the SaaS market are Microsoft (17%), Salesforce (12%) and Adobe (10%) with SAP and Oracle each registering a 6% share.

The Shared Responsibility Model

The degree of responsibility for cloud services depends upon the deployment type and is referred to as the shared responsibility model. The degree of customer responsibility declines as you move from IaaS to PaaS to SaaS deployment approaches.

IaaS gives the highest degree of control to the customer, allowing companies to install software on provisioned servers and control the configuration of all devices. Customers share responsibility with the CSP for performing security configuration and management tasks and implementing network controls. The customer is responsible for the security of the operating system and software stack required to run their applications, as well as for their data. The physical security of the underlying infrastructure falls to the CSP.

In a PaaS deployment, the CSP performs more of the tasks involved with the operating system and server software. Companies build on top of this infrastructure but retain responsibility for everything specific to their applications, including testing, deployment, and patches. The cloud provider maintains the base platform’s security and the customer handles application and data security.

Of the three service models, SaaS places most of the responsibility on the CSP. SaaS users simply log in and use the provider’s application running on the provider’s infrastructure. Customers are only responsible for managing data, user access/identity permissions, and controls such as encryption to safeguard their data against attackers. They can also apply the principle of least privilege to control who can access their applications.

Microsoft depicts the shared responsibility model for its service offerings in a diagram (not reproduced here).

Navigating the Shared Responsibility Model

To assist users in addressing the ambiguities in the shared responsibility model, the Software Engineering Institute (SEI) at Carnegie Mellon University identified a list of vulnerabilities and threats that are present in “cloud-unique” and “shared cloud/on-premises” environments described below:

Cloud-Unique Threats and Risks

  • Users Have Reduced Visibility and Control. Organizations lose some visibility and control over assets and operations, so they need to perform monitoring and analysis without the network-based monitoring and logging that is available for on-premises IT.
  • On-demand Self-Service Simplifies Unauthorized Use. The use of unauthorized cloud services, made easy by the ease of provisioning new services, could result in an increase in malware infections or data exfiltration, since an organization is unable to protect resources it does not know about.
  • Internet-Accessible Management APIs Can Be Compromised. Vulnerabilities in the management API software become exposed to the Internet, and with that exposure come attacks.
  • Separation Among Multiple Tenants Fails. An attacker can use these failures to gain access from one organization’s resources to another user’s or organization’s assets or data.
  • Data Deletion Is Incomplete. With diminished visibility into where data is physically stored in the cloud, users have a reduced ability to verify the secure deletion of their data and to confirm that remnants of the data are not available to attackers.

Cloud and On-Premises Threats and Risks

  • Credentials Are Stolen. An attacker who gains access to a CSP administrator’s cloud credentials may be able to use those credentials to access other organizations using the CSP.
  • Vendor Lock-In Complicates Moving to Other CSPs. The greater the level of responsibility a company yields to a CSP, the harder it becomes to extricate itself from that relationship.
  • Increased Complexity Strains IT Staff. IT staff must have the capacity and skill level to manage, integrate, and maintain the migration of assets and data to the cloud in addition to their current responsibilities for on-premises IT. Varying management requirements across hybrid cloud and on-premises implementations can lead to an increased potential for security gaps.
  • Insider Abuse of Authorized Access. In an IaaS environment, an insider’s abuse of provisioning abilities has the potential for widespread impact and complicates detection.
  • Stored Data is Lost. As the burden of avoiding data loss does not fall solely on the provider’s shoulders, customers must understand all aspects of the CSP’s storage model.
  • CSP Supply Chain is Compromised. To the extent that your CSP outsources parts of its infrastructure, operations, or maintenance to third parties, users are exposed to non-compliance with CSP policies in the supply chain.
  • Insufficient Due Diligence Increases Cybersecurity Risk. Organizations migrating to the cloud often perform insufficient due diligence.

Best Practices to Address Vulnerabilities

SEI extended its analysis and developed a series of best practices geared towards SMBs to address these vulnerabilities. SEI grouped its recommendations into four buckets: Perform Due Diligence, Manage Access, Protect Data, and Monitor and Defend.

SEI advises that you Perform Due Diligence across the lifecycle of applications and systems including planning, development and deployment, operations, and decommissioning. It highlights the importance of team training to get the details right for correctly using CSP services and deploying applications. As cloud-based virtual infrastructure is software defined, users should treat it as source code and manage it in a source code control system, with change control procedures enforced.

Under Manage Access, the SEI calls for the ability to identify and authenticate users, the ability to assign users access rights, and the ability to create and enforce access control policies for resources. Multi-factor authentication and unique access policies for each type of storage service (virtual disks, blob storage, content delivery) are recommended.

Best practices for Protect Data call for encrypting data at rest to protect it from disclosure due to unauthorized access, augmenting CSP processes with additional backup and recovery actions, and knowing where sensitive data may have been copied or cached so that these copies can be deleted.

To Monitor and Defend, SEI recommends that companies consider combining in the cloud all three monitoring sources: the CSP-provided monitoring information, your cloud-based monitoring information, and your on-premises monitoring information. This approach creates a complete picture of your organization’s cybersecurity posture and reduces charges. In this environment, the ability to work with CSP-provided tools and collaborate with the CSP personnel to investigate and respond to potential security incidents becomes essential.

Microsoft Azure Overview

Microsoft offers its cloud computing capabilities under the Azure brand name. There’s a lot under the Azure hood, with over 200 products and services across its IaaS, PaaS, and SaaS offerings. For SMBs, the broad complement of Azure services offers strong options for enabling hybrid cloud implementations. Azure solutions can extend modern cloud capabilities like elastic scale, automation, and unified management to on-premises infrastructure.

Azure presents one of the most comprehensive portfolios of compliance offerings among cloud providers, covering global, industry, and government-specific regulations, including GDPR, HIPAA, NIST, and FedRAMP, allowing SMBs to focus on business operations rather than compliance management.

Microsoft Azure cloud services offer integration with open-source software and development platforms such as Linux, Kubernetes, and .NET. This flexibility provides a future-proof platform that lets you run and develop workloads, and innovate more freely, across cloud-first, on-premises, and hybrid setups.

Azure customers benefit from the over one billion dollars Microsoft invests each year in security. Customer networks are segregated from management networks to protect them from attacks targeting management networks and customers are separated from each other using networking virtualization methods. As a result, customers cannot gain access to other customers’ networks. For backup, Microsoft offers several branded individually-priced services, including Azure Backup and Azure Site Recovery.

Datto Continuity for Microsoft Azure

Datto Continuity for Microsoft Azure is a comprehensive continuity solution for protecting your Microsoft Azure workloads. It can serve as an important element of your overall business continuity toolkit by enabling your company to mitigate some of the vulnerabilities and risks resulting from the shared responsibility model by adding an extra level of Azure backup.

As this solution runs on a separate and secure private cloud, it can maximize protection and recoverability and provide a level of protection unavailable through Microsoft offerings. If you run backup solutions on one cloud, your company’s workloads remain susceptible to single points of failure and cloud outages.

Datto Continuity for Azure backs up your Azure virtual machines to the Cloud SIRIS that resides in a Datto-owned Azure tenant. For an extra layer of protection, that data is backed up every hour to the Datto Cloud, in contrast to the daily backups more commonly supplied.

Unlike solutions that rely on public clouds or charge for resource utilization when their cloud is used for recovery, Datto Continuity for Microsoft Azure gives you a predictable and simple cost structure: one flat fee that includes replication to the Datto Cloud and one-year retention, with no egress charges.

Datto Continuity for Azure comes equipped with single-pane-of-glass management, which allows monitoring of on-premises and cloud systems from a client-centric BCDR + Azure status page. From this page, backup progress and the Cloud SIRIS device settings can be viewed.

Azure Backup Security Delivered by the Datto Cloud

Attackers, especially those who spread ransomware, have set their sights on backup solutions to make recovery impossible. The Datto Cloud includes multiple security layers to protect client data and is supported by a team of in-house security professionals. The elements of protection built into the Datto Cloud include:

  • Two-factor authentication for access to the Datto Backup Portal login, and no direct partner or client access to snapshots stored in the cloud.
  • Hardened backup appliance with no cloud admin access, ensuring no backdoor access to the cloud.
  • Multiple gates for internal access to the cloud.
  • Cloud Deletion Defense™ to “undelete” malicious or accidental deletion of agents or backup snapshots.
  • Encryption (AES-256) in flight, with optional encryption at rest.

Another advantage of powering your Azure backup operations with the Datto Cloud is instant virtualization. The Datto Cloud can instantly virtualize any backup of servers, storage, or networks as a virtual machine, either locally or in the Datto Cloud.

Through this backup virtualization, businesses can instantly regain access to any mission-critical systems after a catastrophic data-loss event, even if the actual full data restore will take much longer. This enables companies to continue operations until they can permanently restore any machines affected by a disruption, with effectively no interruption to their business, clients, or employees. With Datto’s screenshot verification, an image of the boot-up process is delivered to you by email.

Conclusion

As companies reap the economic benefits from the flexible cloud computing model and use its power to become more responsive to market opportunities, it’s easy for business leaders to let business continuity considerations take a back seat. By investing in the skill sets required for the emerging environment, implementing best practices for operating in the cloud, and adopting Azure backup protection above and beyond standard offerings, SMBs can avoid downtime situations that will negatively impact revenue and business operations.