I often get asked about how secure is our clients’ data, and how can a customer backup their data safely. European privacy laws, for example, require that personal data are kept secure and can always be recovered, but there is huge ignorance or wrong assumptions on the part of many IT managers that once they backup data in the cloud, they can have peace of mind.

Among liars in our industry, some low cost, control panel hosting or cloud providers, for example, offer unlimited in/out data transfer, unlimited disk space and free backup services at a very low monthly cost. They are just not liars, but their marketing strategy works well in low advertising cost and free options, well, until you need your data back. If you look carefully between the lines of most fine printed SLAs and contracts, there is mostly no liability for service interruption or data losses. Likely you will also be discontinued if your disk space or monthly data transfer is above the average clients’ usage.

As a side note, Microsoft just discontinued its unlimited OneDrive storage because apparently someone was abusing it and they were surely losing money.

Let’s focus on cloud backups

Several low-cost web hosting companies offer free daily or even hourly backups of web data. What a temptation to upload all of your pictures, all music and videos to a web hosting space for a few dollars, and even get a free backup!

Akeeba backup plugin for WordPress and Akeeba extension for Joomla are some of the solutions that our clients use to save a backup copy of both their web data and databases automatically on the same web/FTP space as the website. Our clients apparently save money, instead of ordering an off-line backup service that is charged more but offers some (real) additional peace of mind.

In fact, for this or any similar backup solution, you should check whether backup files live on the same web or FTP space as the website, because (quite often) a backup remains indefinitely on the same disk or same physical storage device as the original data.

What does it mean? If there is a severe hardware failure, especially with cheap storage solutions, then there may be no data and no backup left, since both the original data and any backup copies were on the same broken storage device. There is usually no or little incentive on the cloud provider in recovering your data because in most cases you have no contractual guarantee on persistence or recovery of your data (check liability or service agreements of major cloud providers excerpted below).

Online services, backup and restore procedures may greatly differ from low cost, professional hosting services and cloud providers. On the low-cost control panel web services, risks can be much higher, also due to the fact that there may not be any off-line backup of clients’ data; control panel software can be more exposed to bugs and security issues that cannot be corrected immediately; and hundreds of clients are usually packed on high density, memory, disks and networks of low-cost service providers.

No liability for data losses in the cloud

In general there is no guarantee of service continuity or data loss when you look at contracts and SLAs or – if there is any – it’s not for standard services and not in standard SLAs. Amazon, Google and Microsoft mention very clearly that their liability is none (or almost none) in case of service interruption and loss of customers’ data (I lost an entire disk when running a test on Amazon AWS, it failed and was put out of service. However, since all data was replicated on WorldDirector’s servers outside AWS, I could easily rebuild it).

Amazon AWS data loss liability

Amazon’s AWS terms:

https://aws.amazon.com/agreement/ – specifically, section 11:

WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH: (A) YOUR INABILITY TO USE THE SERVICES, …

Google data loss liability

Excerpt of Google’s liability: https://www.google.com/policies/terms/

WHEN PERMITTED BY LAW, GOOGLE, AND GOOGLE’S SUPPLIERS AND DISTRIBUTORS, WILL NOT BE RESPONSIBLE FOR LOST PROFITS, REVENUES, OR DATA, FINANCIAL LOSSES OR INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES …

Microsoft’s data loss liability

Microsoft Policy:

https://azure.microsoft.com/en-us/support/legal/subscription-agreement-nov-2014/

7.2 : EXCLUSION. Neither party will be liable for indirect, special, incidental, consequential, punitive, or exemplary damages, or damages for lost profits, revenues, business interruption, or loss of business information, even if the party knew that such damages were possible.

What can you do to secure your data?

I started my career in the GTD5-EAX digital telephone exchange world in the 80 and 90s’. At that time, if you wanted to guarantee uninterrupted telephone service, exchanges had to be duplicated (as well as billing data), and spare copies of hardware were to be made active automatically whenever there was a fault. The only bottleneck was the digital subscriber’s line and its interface.

To avoid service disruption, if you work on critical applications, you should use a backup solution based on multiple, redundant, off-line storage that is not using the same hardware devices as your live data. The higher the number of redundant copies made off-line and at different geographical locations, the higher the likelihood that you can recover your data in full as soon as it is needed.

Also: never trust your only cloud provider 100%, use more than one provider, and more than one data-centre to store your data, and also keep additional copies off-the cloud if you can.

Conclusions

If you want to have a close to 100% service guarantee and a real ability to recover data, what you can do is minimize the risks by paying more and make use of fully redundant services, i.e. redundant connectivity offered by many different AS (Autonomous Systems), full hardware and software redundancy (multiple cold or hot copies), maintain redundant off-line backups, and store data and offer access from servers located at different geographical locations in a global load balancing configuration that has no single point of failure.