One of the highest priorities for securing any organization, big or small, is data backup. Most organizations could not survive the loss of their data, and hardware failure, software failure, ransomware, other malware, human error, etc., can all completely or partially destroy that data in an instant.Protection against those threats come as two types of security controls: prevention and recovery. You implement security controls to try to prevent the threats from materializing, and you also implement security controls that should help your operations recover if they do.
Here or there?
The recovery security control for loss of data is data backup, and there are two broad categories: cloud and local. Because local backup -- such a external drives, flash drives, or network-attached storage -- is in the same building as – and often right beside – the computer that it is backing up, it is subject to the many of the same physical risks as the source computer. If the building is damaged by a fire, hurricane, or flood, or a thief breaks in and steals electronic equipment, both the original data and the local backup could be lost at the same time, negating the benefit of the backup. Cloud backup is therefore usually a higher priority than local backup.I'll talk first about cloud backup for a professional with a single computer, then I'll extend this to a multi-computer organization.
The usual suspects
Most people immediately think of the "cloud big four" when they think of cloud storage or sync: Apple iCloud Drive, Dropbox, Google Drive, and Microsoft OneDrive. People gravitate to them because they are large, reputable companies (with excellent security, by the way) and they offer free storage for a certain amount of data. You can also pay a subscription fee to get storage beyond the free limit.So you could backup all your data in one of the big four, but should you? The answer is usually "no".
What you need
Let's back up a bit. What should you be looking for in a data backup offering, whether cloud or local, to help you choose the best offering for you? These are the backup-specific requirements that apply to most situations:
- sufficient confidentiality;
- sufficiently long retention for deleted files and old file versions; and
- the ability to restore data – one file or the entire backup set -- not only from the most recent backup but from any chosen point in time (called a point-in-time restore).
I'll show you why there's a really good chance that the big four won't meet your needs in those three areas.
"Sufficient confidentiality" means sufficient with respect to the level of confidentiality required for the data you are backing up. This is not black and white, rather it's a spectrum.
At one end of the spectrum, for data already in the public domain – say, cat videos that you've collected from the Internet – you don't need to be too concerned about theft or release of the data. But at the other end, for sensitive data -- tax records (which contain your SIN or SSN), a personal journal (your darkest secrets), a list of account userids and passwords (the keys to your kingdom), sensitive personal information of your customers (privacy and data protection laws), etc. – you want high confidentiality. Every other type of data -- your photos, for instance – falls somewhere in the middle, depending on how sensitive it is.
So you first need to look at your data to identify and classify the different confidentiality requirements – sensitivity -- of the various types of data present. Then you can determine what cloud services meet the needs of your data.
If your data to back up contains some sensitive data – and almost everyone's does – the big four don't provide sufficient confidentiality, because they don't support end-to-end encryption (E2EE).
E2EE means, literally, that your data is encrypted from one end to the other. This term was originally applied to communications that are encrypted from one end – one user – to the other end – the other user – in such a way that no one in the middle can decrypt the messages being exchanged between the two users.
By extension, the term has come to be applied to cloud storage (including backup) as well, with the same user – the one with the data -- being at both conceptual ends: one end for encryption on the user's device, going across the network to the cloud server for storage, then back across the network to the user's device for decryption. With E2EE cloud storage, no one in the middle – including, most notably, the cloud service – is able to decrypt the user's data. You can read more on Wikipedia. You might also see E2EE referred to as "zero knowledge", because the cloud service has no knowledge of the contents of the data.
The big four may have excellent security, but they don't provide E2EE. If an attacker manages to break into a cloud service provider's servers, they may be able to extricate your data. For low and medium sensitivity data, "excellent security" as provided by the big four is usually sufficient, but that may not be good enough for sensitive data, for which you should probably be using E2EE.
"Sufficiently long retention for deleted files and old file versions" refers to how long the cloud service will save files you've backed up and then deleted, and files you've backed up and then edited or replaced with different contents. If you delete a file from your computer by mistake, delete a file and later realize you need it, overwrite a file by mistake, or make edits that you later want to back out – you'll be depending on your backup provider's retention of deleted files and old file versions.
The big four cloud storage provides provide only a minimal 30-day retention for both deleted files and old file versions. So, for example, if you delete a file on your computer by mistake and only notice this two months later, it's too late to restore the file from your backup, because it will have been automatically purged by the provider. For most of your data, 30 days is not nearly long enough.
There's one exception to the 30-day retention for the big four: if you buy one of Dropbox's (expensive) business plans, you'll get 180-day retention.
When you need to retrieve a file files from your backup, that's called a restore. There are broadly two types of restores you can do:
- restore an individual file as it was just before it was changed or deleted – a file restore; and
- restore a folder/directory – which could also be the entire set of backed-up data – as it was at a particular point in time – a point-in-time restore.
If you want to get back a file or a few files that you deleted or changed, you would use a file restore. But if your computer was lost or stolen, suffered a serious failure, or got infected with malware (including ransomware), you would need to do a point-in-time restore of your entire backup, to the date and time just before the problem occurred.
The big four offer file restores to all plans but offer point-in-time restores only to paid customers. Naturally the restores are possible only within the retention period.
Cloud storageIf used one of the big four for your backup, you might very well need to buy a paid plan in order to get enough storage capacity to back up all your data. That would give you point-in-time restore capability, but you'd still have only 30-day retention, which is not enough. The big four are actually storage or sync services with a little bit of backup, as opposed to being true backup services. And because they are not E2EE, you'd only be able to store low sensitivity data, not all your data. What to do?
Luckily there's a nice alternative to the big four: true backup services with full confidentiality via E2EE, long retention times, and point-in-time restore.
I'll present three such providers that are excellent choices for your backup: CrashPlan, Backblaze, and Sync.com. You can use the information below to select the best provider for you as a function of your needs: price sensitivity, retention, confidentiality, and features (e.g., selecting vs. excluding vs. moving, pure backup vs. combined backup and sync, etc.). You might even care about data residency – where the servers, and therefore your data, are located -- although technically it doesn’t matter for an E2EE provider.
CrashPlan for Small Business
- USD $120 (CAD $160) for retention forever and unlimited storage
- UPDATE 2021-09-16: Crashplan announced that, starting 2021-10-20, retention of deleted files will change from "forever" to "90 days". (link)
- Full E2EE implementation, except for web UI
- UPDATE 2021-09-25: CrashPlan no longer offers Custom Key Encryption (so no longer offers E2EE) for new customers. (link)
- The UI allows you to select the folders/files you want to back up
- The UI allows you to request a point-in-time restore
- U.S. company (Code42) and servers
- USD $84 (CAD $110) for 365-day retention and unlimited storage
- USD $84 (CAD $110) plus a USD $0.005 (CAD $0.007) per GB monthly charge for retention forever
- Partially E2EE: your data is stored in an E2EE manner, but any restore of your data is not E2EE, as your decryption key must be sent to the server temporarily so that it can decrypt your data to send to you
- The UI does not allow you to select the folders/files you want to back up – instead, everything on the selected drive is backed up but you can exclude any folders you want
- The UI allows you to request a point-in-time restore
- U.S. company and servers
iDrive.com -- nice but severe limitations
- UPDATE 2021-09-25: I added iDrive given that CrashPlan might be trying to exit the backup business (a guess based on its recent feature downgrades).
- iDrive is the best cloud backup I've found after CrashPlan and Backblaze. It has very nice features, on the surface, but also severe limitations. I can't recommend it.
- It's E2EE for the desktop and mobile apps but not for the web UI. (Same as CrashPlan.)
- Backup: It doesn't support a true point-in-time restore. When you restore from a particular point in time, you get not only the files as they were at that time in the backed-up directory, but also all files that had been deleted up until then. The only way around this is to do an Archive Cleanup before the restore, and that should give you a true point-in-time restore -- but the Archive Cleanup will permanently delete from the server all files that had been deleted from your computer at any time. To me that's completely unacceptable.
- Sync: I couldn't get the Sync feature to work properly; it synced only partially between my computer and the server.
- CAD $96 for 180-day retention and 2 TB of storage (Pro Solo Basic)
- CAD $240 for 365-day retention and 6 TB of storage (Pro Solo Professional)
- Full E2EE implementation
- The UI does not allow you to select the folders/files you want to back up – instead you have to move all folders/files you want to back up into the "Sync" virtual folder. This can be an inconvenience, but using junction points is a possible alternative.
- For the folders/files in the Sync folder, Sync.com additionally provides real-time syncing between multiple devices, a great feature for some many cases
- The UI does not allow you to request a point-in-time restore, but you can request it by contacting customer support
- (The Sync.com Vault feature is an alternative to the standard "Sync" folder sync: you manually upload files to the Vault using the Sync.com web interface whenever you want; this is useful when you need to move files to the cloud to free up storage on your main drive. But remember that you should always have more than one copy of all files.)
- Canadian company and servers
Mix and match?
Of course you could choose to divide up your data: back up your less sensitive data to one or more of the big four – say, to take advantage of their free plans --- and back up your more sensitive data to an E2EE backup provider -- maybe the 5GB of free storage from Sync.com.
If you do this, though, you have to be careful in two ways: (1) to keep your data well-segregated so that high sensitivity data doesn't get backed up by mistake to a non-E2EE provider, and (2) to ensure that all of your data is backed up to at least one service and no data is missed.
This may sound simple
but it's prone to mistakes happening over time. It's obviously much simpler to ensure that all your data is backed up, and with the proper
confidentiality, if you choose a single E2EE provider for everything -- so which path you choose depends on how price sensitive you are.
If you're an organization with more than one computer to back up, all three E2EE backup providers will accommodate that. Organizations need, among other enterprise features, an organization-wide account and an administration console for the service, and all three have that. CrashPlan's base plan is already a business offering so includes the admin console, while with Backblaze and Sync.com you'll get an admin console if you choose a (more expensive) business plan.
Do you want more?
A key tenet of information security is defense in depth. When applied to backup, this means having more than one backup of your data, in case something goes wrong with the first backup. As described above a cloud backup is the first priority, so you should generally add backups in this order: (1) a cloud backup, (2) a local backup, (3) a second cloud backup, and (4) a second local backup. How far down the list you go depends on how important your data is and how paranoid you are.
One last thing, that will be obvious if you're read my previous posts: use a strong and unique password for your cloud storage/backup account, store the password in your password manager, and turn on two-factor authentication (2FA) for your cloud account.
That's it for the cloud! My next post will cover local backups.
For further reading
Here are a few good sources for more learning on backup services:
- Wirecutter: The Best Online Cloud Backup Service
- Wired: How to Back Up Your Digital Life
- bitcatcha: The 7 Best Cloud Storage For The UK 2020 (GDPR Compliant!)
- Cloudwards: Sync.com Review
- Wikipedia: Comparison of online backup services
- My blog, 2016: Are your cloud storage and backup services secure enough?