Generic Backupify
April 02, 2015
Cloud-to-Cloud Backup, Cybersecurity

Evaluating Cloud-to-Cloud Backup Solutions: Rethink Security and Oversight

First and foremost – the cloud-to-cloud backup vendor that you (eventually) choose will be holding a second copy of your company’s data, which means that any assurance that the vendor itself follows security best practices is to your advantage.

Any SaaS vendor (cloud-to-cloud backup providers included) should have a documented security policy that the company can provide to you, in writing, at any time. The policy should include specific practices in these key areas:

  • Physical hardware security
  • Security update frequency
  • Audit frequency
  • Policy for notification of breaches
  • User password strength requirements

Security Audit

Ideally, an independent auditing body will have verified that the vendor is in fact complying with its stated security policies. A SOC 2-level audit (or higher) or ISO 27001 certification is the baseline audit standard you should be looking for.

Third-Party Penetration Testing

A company may rigorously abide by its security policies, but if those policies are inadequate, slavish devotion is a hindrance, not an asset. The best way to ensure a security policy is actually effective is to conduct a penetration test (also known as a “pen test”), in which a third-party security firm actively attempts to breach the vendor’s defenses in order to identify weaknesses. Reputable SaaS backup companies conduct regular pen tests and share the general results with customers upon request. (No company will share specific pen test results, as disclosing explicit details of its security systems could actually harm the vendor’s security.)

Relevant Regulatory Compliance

In addition to the above, your SaaS backup vendor should be able to state explicitly whether, and how, it complies with the requirements of several regulatory standards, including:

  • HIPAA (Healthcare)
  • PCI (Financial transactions)
  • Sarbanes-Oxley (Publicly traded company)
  • Data Protection Act (U.K. data privacy compliance)
  • Safe Harbor (E.U. data privacy compliance)

Security and compliance should be key criteria as you evaluate cloud-to-cloud backup solutions, but there are other key areas you should consider as well. For more information on what specifically to look for in a cloud-to-cloud backup vendor, download the complimentary eBook below.
