What are the risks involved in adopting Cloud backup for organizational data? Here are some issues that must be considered before you sign up for a Cloud backup service.

Cloud backup subscribers should be aware that while the data continues to belong to the organization, the IP address of the server on which the data is stored will have to belong to the Cloud backup vendor. The ownership of the IP is a necessary condition for any enhancements the Cloud backup vendor may need to make to the service. There are always risks associated with the storage as the IP does not belong to the organization.

Vendor lock in can become a problem if the organization is not careful while contracting with the Cloud backup service. There are three types of lock-in—contractual lock-in, technical lock-in and inertial lock-in.

Contractual lock-in is generally agreement based and can be for a specified period of time. The organization must check out whether the lock-in period specified is acceptable.

Technical lock-in is not specified in any contract, but is implied if the software is a proprietary product and does not comply with industry standards. This type of lock-in will have to be avoided at all costs.

Inertial lock-in is more a psychological lock-in. If the solution is implemented and it works, the organization does not feel comfortable changing the service provider.

It is important to look closely at the statements that are made by the service provider. The statements could at times be misleading. For instance, a “SAS 70 Type II certified service” is different from “a service housed in a SAS70 Type II certified data center”.  The organization must make sure that the service provider has put in place all the policies and practices that are required for SAS70 Type II certification, and the policies and practices are in compliance with the requirements of the legislation.

No organization can afford to compromise on data protection. The organization must evaluate the data protection policies of the Cloud backup service provider and satisfy itself that their approach is the right one. If the service provider is offering tested and proven technologies for data replication, mirroring, storage, de-duplication, compression and encryption and has an unstained reputation for delivering data security, the organization can consider the service favorably.

In Part II, we will discuss scalability, reliability, bare metal recovery, ROI, and other due diligence action items that organization need to consider in order to mitigate risks associated with Cloud backup services.