The shift brought about by the pandemic has accelerated many companies’ plans to move to the cloud. But all migrations come with some risk and rushing them through may be storing up problems for the future.
A successful hybrid strategy can help in avoiding these issues. We spoke to Arcserve’s backup, DR, and ransomware protection evangelist Sam Roguine to find out about the potential risks of rushed cloud migrations — like security gaps and missing data — and how IT leaders can address them.
BN: What are the biggest risks of not properly planning a migration?
SR: One of the biggest risks is leaving any security gaps open for ransomware actors. In March of 2020, as the world learned about the severity of COVID-19 and many people started to work remotely, businesses did their best to accommodate working from home. This abrupt change may have led to a hasty migration, which is understandable. However, we’ve now approached over a year of working from home, and for some, remote work will be permanent. For others, there will be a shift toward a hybrid in-person and remote schedule.
Businesses need to make sure that they’re properly protecting cloud data that’s been created over the past year and that will be created as the shift continues. While it’s up to IT teams to make sure there are no security gaps and misconfigurations in their hybrid strategy, there’s also some responsibility on remote employees to backup all of their work done on laptops to the cloud. If your organization didn’t hold any employee training on remote work best practices, it’s not too late! Making sure all employees know how to protect their data is crucial to achieve WFH business continuity.
Lastly, if businesses don’t properly plan a migration, they may forget to invest in third-party backup solutions. Companies might think that applications like Microsoft Office 365 automatically backup their data, when the reality is that the system runs on a shared responsibility model. It’s up to organizations to invest in a third-party solution to backup this information, should there be a ransomware attack or unplanned outage that wipes out your data.
BN: Are there particular obstacles to adopting a hybrid strategy?
SR: There are a couple of obstacles that IT teams need to consider. While hybrid models are a great way to protect workloads, they can also be complex. One reason for the complexity is the fact that IT infrastructures are generally composed of a mix of legacy systems and modern cloud deployments, so orchestrating data storage and disaster recovery across these environments can quickly become challenging if not approached pragmatically.
It’s critical for IT teams to know how to recover data from all systems that are in use. It’s equally important for teams to know what applications and information is stored in which location. If something were to happen to your cloud, your IT team should know what systems were impacted, and how to get them recovered and back up and running. A comprehensive business continuity and disaster recovery plan can let a business’ key decision makers know this information.
BN: How should hybrid fit into a wider IT strategy?
SR: A hybrid model should, in essence, allow your IT team to have data and applications move freely between on-premise and cloud environments. This makes it easier for teams to recover data after a disaster. It should serve as a safety net, in a way, for multiple recovery options.
However, a hybrid strategy is not the end-all for business continuity and disaster recovery. This is because some forms of ransomware will hide for weeks or even months before encrypting data stored in the cloud. Businesses should consider taking an extra step, and have an air-gapped copy of their data and information that’s secured offline and away from the company network to ensure ransomware cannot reach the copy. Investing in a ransomware protection solution can ensure your backups in all locations remain safe. Organizations can choose a solution that combines cybersecurity and data protection capabilities, as well as ones that protect cloud and on-premise data.
Hybrid is a key part of any IT strategy, but it’s important to make sure your organization has other procedures in place to minimize cyberattacks and maximize business continuity and disaster recovery.
BN: How do you prioritize what should be in the cloud and what should remain on-premise?
SR: The most important factor to consider is whether or not something is business-critical. As a general rule, any applications and systems that are business-critical should be backed up on-premise to ensure a speedy restoration process after an outage or cyberattack. Operations that aren’t as critical to getting your operations back up and running can be managed in the cloud.
Another factor that should be considered when it comes to the cloud is cost. Both public and private clouds have costs associated with them. IT leaders should be aware that public clouds can charge fees for moving, accessing, and recovering data. Private clouds, on the other hand, often have predictable cost models. If your workload needs to be moved or accessed frequently, it might make more sense to store it on-premise or in a private cloud, compared to a public cloud.
BN: What’s the best way of measuring the success of your strategy?
SR: Of course, an organization doesn’t want to rely on its hybrid strategy being successful only when it’s needed (i.e. after a disaster or ransomware attack). That’s why businesses should run backup tests for their on-premise and cloud solutions. After all, your recovery plan is only as good as your most recent working backup. Generally, a partial disaster recovery test should be completed every six months, and a full disaster recovery test should be completed each year.
Ideally, a successful hybrid cloud model should be able to prevent data loss and maintain uptime during an incident. Data and applications should also be able to move freely between cloud and on-premise environments, which gives IT teams onsite and offsite recovery options.
Another way to measure the success of your hybrid strategy is to test your recovery time objectives (RTOs) and recovery point objectives (RPOs) set in place. RTOs define how long a system can be down before a business is significantly harmed, and RPOs are the largest amount of data that can be lost before a business is heavily impacted. RTOs and RPOs should be as accurate as possible; otherwise, businesses risk spending too much time and money on recovering a system that’s not mission-critical, or trying to back up data that has lesser importance. Businesses should test their RTOs and RPOs to make sure that the necessary systems and data stay protected in case of a disaster.
Photo Credit: Stokkete/Shutterstock