Cloud backup is infrastructure independent. Service subscribers have no control over where the service instance may be spawned or where the data may be stored, replicated, mirrored. While this makes for high availability, infinite scalability and all the pluses of cloud backup and recovery, it creates problems of governance. Privacy laws demand that the user must know how and where and by whom the data collected by the service provider from private individuals or customers is being used or distributed. Failure to control the flow of information and its distribution and failure to communicate and obtain consent for the said use from persons who share their personal information with the business, will be treated as a violation of the extant legal provision by those who perform compliance audits for governmental bodies.
The crux of the matter is that businesses subscribing to cloud backup services must make the effort to know more about where the cloud backup data centers are located, to which alternate site it is replicated or mirrored for ensuring high availability and disaster recovery. They need to understand how instances and services are provisioned and whether data is ever sent to countries or states which will result in the breach of extant local privacy laws which govern your data.
Fortunately, cloud backup service providers are conscious of the governance needs of businesses and make all out efforts to ensure that data breaches are rare. Almost all cloud backup software encrypts data at source and retains it in an encrypted format at rest. The encryption key used –for the AES 256 encryption or Tripe DES encryption or Blow Fish encryption as the case may be—is often user defined and not available even to the service provider. It follows that though the service provider can copy, replicate or mirror information contained in the primary server to a number of secondary replication servers and disaster recovery servers, there is no way in which the service provider can access the content that is owned by the service subscriber.
Cloud backup service subscribers can also build in additional layers of data security by creating role based or machine specific security protocols for access to enterprise information. Data will only be decrypted and displayed, only to users who have been given access to the information by the enterprise data administrator or Chief information officer by assignment of specific rights and permissions.
Cloud service providers themselves can ensure compliance by locating data centers, hot sites and disaster recovery sites in multiple countries and replicating mirroring data to appropriate locations within the home country to ensure that their customers are never in breach of data privacy laws.