Up, up, and away: On-premises data to the cloud

Welcome back! This article is the second on a 3-part series where we will take a good hard look at the 3-2-1 Rule of backups and how it applies (or doesn’t) to the new, always connected, cloud integrated IT world of today. If you have not seen our previous article and would like to start at the beginning: read 3-2-1…Airgap!?. Otherwise, read on for our take on securing on-premises data to the cloud. 

An increasingly popular alternative to on-premises tape backup is to migrate backup data to the cloud. There are dozens of backup software providers who offer this as an option, and each has a different name for it, so for the sake of simplicity in this article we will refer to this general approach as a “cloud tier”. 

Up and Away

The cloud tier option works similarly to tape copies. Data is “aged out” of the on-premises disk backups (2nd copy) or can be copied immediately after the local backups are finished (or both).  

Does this process conform to the 3-2-1 Rule? It definitely makes a 3rd copy. The cloud storage is object storage, which is not the same as classic on-premises storage, so we arguably have a 2nd media type (we will touch on this a bit more in our 3rd article). What about the air-gap though? 


This seems to be the biggest sticking point for adoption, so let us break the air-gap question down. In our previous article we dissected the purpose of the air-gapped copy. It should generally provide protection against the following: 

  1. Environmental disaster
  2. Infrastructure failure
  3. Malicious activities such as ransomware.

On-premises this is realized by the tapes being stored offsite and being “offline” in that they are inert copies until they are re-inserted and read by a tape library. This is a physical airgap. What is cloud tier then?  

A Logical-Airgap. 

The cloud is never offline, and is always connected, but this does not mean it cannot be secure, or provide similar protections for your data as tapes would. Depending on the provider, cloud tiers offer: 

  1. Data Encryption both in-transit and at rest.
  2. Infrastructure encryption.
  3. Immutability.
  4. Resource Locks.
  5. Excellent physical security.
  6. Role based access control (RBAC).
  7. Multi-layer authentication.
  8. Redundancy.
  9. Durability guarantees up to 11 nines (99.999999999%)
  10. Advanced monitoring and alerting.

Two of these points deserve a bit more explanation, Immutability and Resource Locks. Immutability protects your data from changes once it is written. This is analogous to WORM (Write Once Read Many) physical media. With Immutability set on your storage account, not even an admin or your cloud provider can alter or delete the data until the retention time is expired. Resource Locks are not permanent like immutability but do protect the storage accounts themselves from being deleted when used in combination with access restrictions like RBAC, and multi-layer authentication.  

In addition to providing strong security and durability, cloud storage offers:

  1. Pay-as-you-go pricing: Cloud storage is generally charged by monthly usage. This transforms costs from a capital to an operational expense, which is easier to forecast and budget. 
  2. (Virtually) unlimited space.
  3. Storage Tiering: Data can be tiered between “hotter” and “cooler” tiers, saving money for long term storage, while providing the flexibility of keeping other data sets accessible quickly. 
  4. Accessibility: The standard accessibility SLA for both AWS S3 is a minimum of 99% and Azure Blob storages is a minimum of 99.9%: 
Service Level Agreement and standard accessability in AWS S3
Abb. 1: Amazon S3 SLA

Cloud-Tier: ready if you are

These features can add up to a robust, secure, and flexible storage option that can be configured to provide excellent protection against the risks that should be mitigated by a gapped data copy. Despite this, cloud tier storage is not a slam-dunk that can be implemented in all cases. For example, storage in the cloud brings with it a new set of compliance topics. Retrieving data out of the cloud can incur data transfer costs which can be significant depending on the amount of data retrieved. This process can take time and can require a lot of network bandwidth. All these aspects must be evaluated together along with internal guidelines such as corporate cloud strategies or disaster recovery plans to determine if a cloud-tier is the best option.

Next time, in the 3rd and final article in this series, we will tackle how well the 3-2-1 Rule fairs when dealing with data already in the cloud and bring everything together for a few final words. Stay tuned!