Agencies often transition to the cloud to close security gaps, but the cloud itself poses unique risks. In fact, in the last five years, some of the largest cybersecurity breaches were tied to cloud permission issues that allowed anyone to access protected data.
“There’s been a tendency to mistake the operational resiliency and uptime capabilities of cloud environments, the ability to fail services over from one region to another …, for data protection,” said Jeff Reichard, Vice President, Solutions Strategy with Veeam, which provides software solutions that strengthen data resiliency. But the cloud offers protection against downtime, not data deletion. “The shared responsibility model for all kinds of cloud services … leave[s] the mandate for data backup and regulatory compliance in the hands of the data owner,” he said. “It’s not the cloud service [provider], it’s you.”
Danger in the Cloud
Organizations that suffered ransomware attacks in 2023 lost considerably more data in the cloud than in data centers or home offices, according to Veeam survey results. Two case studies offer profound examples of what can go wrong, Reichard said.
Earlier this year, an Australian pension fund managing the investments of 600,000 educators — with $125 billion of assets under management — lost all its cloud-stored data due to an administrative error. The mistake deleted the fund’s entire tenant account, which also deleted the fund’s cloud data at remote sites, said Reichard.
The fund might have been forced to “cobble together from multiple disparate data sources what people had in their life savings and their retirement accounts,” he explained. “And the reason they’re not in that position — the sole reason — is because they had a backup out of the cloud.”
In the U.S., a large city began repatriating data from the cloud to on-premises systems, Reichard added, and ultimately lost data affecting 17,000 criminal cases. The city wasn’t as fortunate as the retirement fund: It lost everything. “It turned out,” he said, “they thought they had a backup of the data they were repatriating, and they didn’t.”
Backup the Right Way
So what is the answer? First, identify the highest impact data you have and steadily back it up, Reichard advised. Second, make sure you have immutable backups of your data, wherever it lives. In other words, if an adversary breaches your environment and compromises all your administrator credentials, do you have data copies that will survive?
Veeam solutions, which are deployed on U.S. Navy ships, offer what Reichard calls “radical resilience.” That falls into three categories: data security, delivering multiple layers of protection; data recovery, providing multiple ways to restore da data whenever and wherever you need it; and data freedom, so you’re not tied to specific platforms or file formats, he explained.
“In the old days, we knew [not to] keep all of our backup data and replicated data in the same data center because then you’re vulnerable to a power outage or flood or tornado,” Reichard said. “It is the same with cloud resources.”
This article appeared in our guide, “How to Build a Cyber-Savvy Workforce.” To read more about how agencies are raising their cyber game, download it here: