Craft a data protection strategy for multi-cloud

What is multi-cloud data protection?

Multi-cloud data protection is the practice of safeguarding and securing data stored across multiple clouds. It's based on the same principles as data protection, but it's tailored for the unique challenges of multi-cloud environments.

Multi-cloud data protection includes all aspects of ensuring that data is safe and usable, such as the following:

• Data security. Data must be protected against unauthorized access or manipulation.
• Accidental data loss. Data should be secure against accidental deletion, which could occur due to human error or automated processes, like log rotation.
• Data corruption prevention. Data must be safeguarded against changes, such as failed conversion to a new encoding format, that could make it unreadable.
• Data availability. Data should remain available for all users and apps that need to access it. Ensuring this requires the ability to protect the cloud infrastructure that hosts the data against failure.

The challenges of multi-cloud data protection

Addressing the various components of data protection is hard enough when all of your data lives in a single cloud. But when using multiple clouds from different providers -- such as AWS, Microsoft Azure and Google Cloud -- you face some unique challenges.

Inconsistent tooling

In most cases, the data protection tooling that each cloud service provider offers only works within their own respective clouds. As a result, you can't centrally monitor or manage all data using cloud providers' native tools.

For example, different providers use different identity and access management frameworks that govern permissions and authentication to access data. They also offer different tools that use automation for data backup, data loss prevention and data monitoring. Because of this, teams need to juggle multiple security tools. They can't rely on a centralized, consistent set of tools or configurations to protect all data.

Varying cloud security and data protection standards

In multi-cloud environments, some clouds might be subject to more rigid security controls than others. For example, if your business uses one cloud to host all its workloads and uses a second cloud only for data storage, it's likely that the first cloud will receive more focus from security teams because it's the primary environment for the business. This means that the second cloud could be more prone to oversights that trigger data protection risks.

Lack of experience

Engineers tasked with data protection across multiple clouds are more prone to making errors -- such as accidentally misconfiguring data access policies -- on clouds with which they are not as well-versed. Additionally, it is costly and takes time to properly train staff on different platforms.

Best practices for multi-cloud data protection

There is no simple solution to these challenges. Multi-cloud data protection requires careful planning and significant effort. However, the following practices can help ensure that data spread across multiple clouds is as protected as possible, without placing an excessive administrative burden on engineers.

Define high-level data protection requirements

Set data protection goals based on the overall needs of your data and business, rather than in a cloud-centric way. Instead of thinking in terms of which clouds you use to store your data and what your data protection needs on each cloud are, identify the security measures and requirements you need to meet, regardless of which cloud your data happens to live on. From there, develop a data protection plan that works for a multi-cloud strategy.

Use third-party data protection tools

Turn to third-party tools for security, backup, disaster recovery and monitoring to centralize and consolidate data protection. Consolidating data protection around a single tool set helps ensure that engineers can master one set of tools, reducing the risk of mistakes due to lack of tool expertise. Third-party solutions are more likely to work consistently across multiple clouds. They integrate with each cloud's data services natively rather than expecting you to deploy a cloud-agnostic platform.

Consider cloud-agnostic platforms

Deploy data on platforms that work the same way regardless of which cloud they run on. For example, if you provision each of your clouds with Kubernetes, you can use Kubernetes-based tools to manage your data. In this case, Kubernetes would become an abstraction layer for your clouds, enabling a consistent approach to data protection across multiple clouds. By storing data on top of a cloud-agnostic platform, you can use that platform's native tooling to manage your data consistently across clouds.

Use consistent tags

Each major public cloud has a somewhat different system for tagging or labeling resources. But they all let you assign whichever names you want to data assets or other resources. Apply consistent tags or labels to all data resources across all clouds to easily monitor and protect data. The terms you use to identify data assets will be the same regardless of where the data exists.

Use different data services on different clouds

Each type of service typically requires its own data protection practices. For example, backing up object storage buckets is a different process from backing up a MySQL database.

To simplify data protection, consider using one cloud for a given set of data services and a different cloud for other services. For example, rather than using object storage services on two clouds, rely on one cloud for all your object storage needs, and turn to another one for other types of cloud storage. That way, you can implement data protection controls for each type of cloud service without having to worry about nuanced differences in various types of storage services.

Chris Tozzi has worked as a journalist and Linux systems administrator. He is particularly interested in open source, Agile infrastructure and networking. He is senior editor of content and a DevOps analyst at Fixate IO.