The past few months have been incredibly instructive on the critical importance of keeping one's data safe, be it customer data or your own intellectual property. Data protection itself covers a broad span:

Physical data protection
Protection from device failure
Protection from data loss and breach

Not only is data security important to the success and reputation of your company, it can be IT that goes "under the bus" when a security event occurs. This means that your career is literally on the line. As a result, your storage architecture had better be up to the task of maintaining the integrity of your data store.
Hybrid-cloud architectures provide one of the most secure means of protecting stored data
The good news is that the hybrid-cloud storage architecture we've been examining in this column is one of the best potential solutions for small- and medium-sized enterprises (SMEs) to leverage when security is of paramount importance. It delivers a secure, end-to-end architecture that provides the flexibility of the cloud with the performance of an on-premises solution, while still encrypting data flows from one site to the other.
You might well ask the question: why can't a data center be made as secure and fault-tolerant as the cloud? The answer is clearly that it can; however, this is very costly, and while affordable for very large enterprises, this option is out of the price range and scope for SMEs. With their scale, cloud providers can afford highly qualified specialists in redundant facility design, network security and network operations, and can develop optimized products and processes. Public cloud data centers typically have at minimum SOC 2, ISO 27001 and PCI DSS compliance and extend to federal compliance standards.
Public cloud providers are starting to apply big data and AI techniques to monitoring their cloud operations, looking for leakages and misconfiguration.
Only the largest organizations can afford or acquire this expertise in-house. Public cloud providers rely on their brand to protect their business and invest accordingly, while many CIOs and IT managers will be only too aware that IT is still often considered a cost center. Hybrid-cloud storage enables SMEs to garner the benefits of cloud scale and efficiency, including the soft benefits of expertise and operational excellence.
Physical data protection
Cloud protection starts with physical security: protecting against theft, loss, accidents, power failures and natural disasters. Cloud data centers are physically secure, often in remote areas, with multiply redundant, backed-up power supplies and redundant telecom connections; they have secure building physical security with controlled access, and their size and the nature of their storage management make it near impossible to identify the physical location or device storing any one organization's data. By comparison, many enterprises at best tend to have a single data center, while SMEs might just have an in-building server room or data closet. Very small companies may just have a NAS sitting unprotected on site. To protect against physical data loss, it is essential to have a physically separate offsite backup copy. Unsurprisingly, simple data backup to the cloud is the oldest cloud application and, until the advent of big data with cloud compute, was one of the largest consumers of cloud storage.
For physical separation, cloud storage is divided into redundancy or availability zones. Users can select from multiple zones within one data center (locally redundant), or data can be duplicated across different data centers in different locations in a region (zone redundant) or in different regions (geo-redundant). Unlike traditional storage tiering or offsite backup, cloud-based storage is distributed across redundancy zones and handled by the cloud storage system software transparently to users.
Protection from device failure
The next stage is protection from data loss stemming from device failure. No matter the storage medium, there is always the risk of device failure: with HDDs it is inevitable, and the flash devices used in SSDs will wear out. RAID technology was developed to protect against drive failure, although with very large drives RAID is increasingly less effective. For traditional storage, best practice in the industry is to follow a 3-2-1 backup strategy: back up to a second device and then back up offsite. This quickly becomes expensive both in hardware and in IT time spent on maintenance, time that could be spent on strategic business initiatives.
A variant of data loss is inadvertent or malicious deletion of data. Over time, users, and even IT managers, utilizing file hosting and collaborative solutions such as Dropbox and Office 365 have become so accustomed to cloud reliability that they assume files are always available. However, if a file is deleted it is only available for recovery for a short time. A 2015 study by EMC found the top causes of data loss were accidental deletion (41%), migration errors (31%) and accidental overwrites (26%). To protect against this, several new products that provide cloud backup are becoming available, especially for Office 365.
Data can also be lost via corruption by viruses or ransomware. Ransomware is the most prevalent form of malware incident today, per Verizon's 2018 study of business risks.
Other recent examples include the WannaCry attack, and the major metro of Atlanta, Georgia is still reeling from a major ransomware attack that crippled the city's applications, from payroll to public transportation.
By using a hybrid-cloud architecture, the authoritative data storage is in the cloud and gains all the benefits of cloud storage covered below, while still presenting a traditional on-premises filer interface, with the added advantage that the filer is no longer a critical, high-maintenance component. As the filer is just a cache of the cloud data, if it is replaced it will simply replenish with the most active files once they are accessed.
Data in cloud storage is spread across multiple drives, and data on the drives is managed throughout their lifecycle by the cloud provider to prevent data loss and make failed-drive replacement transparent to the user. As noted above, data can also be saved in geo-redundant locations for maximum protection.
For additional protection, the cloud object store can be configured with versioning and made immutable, meaning data can only be written, not erased, although in practice time limits can be set for when erasure is enabled. This ensures any saved version of the file is always available for recovery.
Disaster recovery/file-level recovery
With legacy NAS devices based on hard drives, we know that these drives will inevitably fail and it's only a matter of time before data must be recovered. As one of the most basic protection mechanisms available, disaster recovery is a storage function that everybody recognizes as an important baseline to have implemented. However, many businesses today are leveraging two different storage backup and disaster recovery (DR) strategies.
They have one system for use as primary storage and another, separate system for backup and recovery.
Leveraging the hybrid-cloud model streamlines this process significantly, as SMEs use the same cloud storage service for both primary storage and backup/DR. The hybrid-cloud storage architecture consolidates files into a single store. This is especially beneficial to organizations with multiple sites, as it avoids multiple copies being stored on separate file servers for access, with the attendant replication costs, active-version headaches and overhead. With the scalability and falling cost of cloud storage, combined with full namespace visibility and cached cloud filers, it makes sense to just keep every file available in the cloud at all times.
Hybrid-cloud storage services support file-level restore combined with versioning that lets users find prior versions of their files, which means you can restore or back up individual files without having to deal with the whole data store. And all of this runs over a high-performance connection as part of the on-premises acceleration.
Protection from data loss and breach
The third part of data protection is protection from data breach incurred through human behavior. Many data breaches, and even ransomware incidents, start with phishing attacks through social engineering. Another problem, especially with file hosting solutions, is shadow IT, where employees upload restricted data to an unauthorized personal cloud file hosting application such as Google Drive, OneDrive or Dropbox.
Many of these do NOT deliver encrypted end-to-end traffic, although this might be expected from more consumer-oriented services.
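As an added illustration (not code from the original column or from any storage vendor) of the versioning and immutability described under "Protection from device failure" and the file-level restore described under "Disaster recovery", the following Python models those semantics in memory: every write appends a new version, a delete only adds a marker, a locked version cannot be purged until its retention date has passed, and recovery is just re-publishing an older version. The behaviour modelled is an assumption about the general pattern behind services such as S3 versioning with Object Lock or Azure immutable blob storage, not any provider's API; the object name, content and dates are constructed.

```python
"""Toy model of object-store versioning with time-based immutability (WORM).
Added example; models the general semantics, not a specific vendor API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


class ImmutabilityError(PermissionError):
    """Raised when a permanent delete targets a version still under retention."""


@dataclass(frozen=True)
class Version:
    version_id: int
    data: Optional[bytes]             # None marks a delete marker
    retain_until: Optional[datetime]  # None: no lock on this version


class FakeClock:
    """Deterministic clock so retention expiry can be shown offline."""

    def __init__(self, start: datetime) -> None:
        self.now = start

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class VersionedStore:
    def __init__(self, clock: FakeClock, retention: Optional[timedelta] = None) -> None:
        self._clock, self._retention = clock, retention
        self._versions: Dict[str, List[Version]] = {}
        self._next_id = 1

    def _new_id(self) -> int:
        self._next_id += 1
        return self._next_id - 1

    def put(self, key: str, data: bytes) -> int:
        """A write never overwrites in place: it appends a new, locked version."""
        until = self._clock.now + self._retention if self._retention else None
        version = Version(self._new_id(), data, until)
        self._versions.setdefault(key, []).append(version)
        return version.version_id

    def get(self, key: str, version_id: Optional[int] = None) -> bytes:
        """Current content, or one historical version by id."""
        versions = self._versions.get(key, [])
        if version_id is None:
            if not versions or versions[-1].data is None:
                raise KeyError(key)  # absent, or hidden behind a delete marker
            return versions[-1].data
        for v in versions:
            if v.version_id == version_id and v.data is not None:
                return v.data
        raise KeyError((key, version_id))

    def delete(self, key: str) -> None:
        """Logical delete: hides the object behind a marker, erases nothing."""
        self._versions.setdefault(key, []).append(Version(self._new_id(), None, None))

    def delete_version(self, key: str, version_id: int) -> None:
        """Permanent delete, refused while the version's retention period runs."""
        versions = self._versions.get(key, [])
        for i, v in enumerate(versions):
            if v.version_id == version_id:
                if v.retain_until is not None and self._clock.now < v.retain_until:
                    raise ImmutabilityError(f"{key} v{version_id} locked until {v.retain_until:%Y-%m-%d}")
                del versions[i]
                return
        raise KeyError((key, version_id))

    def version_count(self, key: str) -> int:
        return len(self._versions.get(key, []))

    def restore(self, key: str, version_id: int) -> int:
        """File-level recovery: re-publish an older version as the current one."""
        return self.put(key, self.get(key, version_id))


def overwrite_then_recover() -> dict:
    """The failure mode the column describes: a file is overwritten with garbage
    (as ransomware or a bad save would do) and then deleted, and is recovered
    from its retained history. Returns what each step observed."""
    clock = FakeClock(datetime(2018, 5, 25, tzinfo=timezone.utc))  # constructed date
    store = VersionedStore(clock, retention=timedelta(days=30))
    key = "finance/payroll.xlsx"  # constructed sample object name
    good = store.put(key, b"clean payroll data")   # version 1
    store.put(key, b"\x00\xff garbage")            # destructive overwrite: version 2
    store.delete(key)                              # delete marker: version 3
    result = {}
    try:
        store.get(key)
        result["hidden_after_delete"] = False
    except KeyError:
        result["hidden_after_delete"] = True
    try:
        store.delete_version(key, good)            # try to purge the clean copy
        result["purge_refused"] = False
    except ImmutabilityError:
        result["purge_refused"] = True
    store.restore(key, good)                       # version 4: clean copy is current again
    result["recovered"] = store.get(key)
    result["versions_kept"] = store.version_count(key)
    clock.advance(timedelta(days=31))              # retention lapsed: purge now allowed
    store.delete_version(key, good)
    result["versions_after_expiry"] = store.version_count(key)
    return result


if __name__ == "__main__":
    print(overwrite_then_recover())
```

The point the scenario makes is that a delete or overwrite by a user, a script or malware never removes history; only a permanent version delete can, and retention blocks that until the configured window closes. When you enable the real feature on a provider, the retention period is the value to reason about: it must be longer than the time it takes you to notice an incident.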
The bigger issue is that all these services readily facilitate file sharing, and IT then has no knowledge of what files have been shared and with whom. This can easily violate industry compliance regimes like CJIS (Criminal Justice Information Services), FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), MPAA (Motion Picture Association of America) and GDPR (General Data Protection Regulation).
Data breaches remain a significant IT problem, mostly as a result of human error. While the best prevention is training, systems and process, an ongoing challenge is being aware that a breach has occurred. By avoiding shadow IT, investing in audit tools, using identity management like Azure AD combined with device management, and encrypting files at rest and in transit, breaches can be better avoided and identified when they do occur.
Until recently there was no requirement to report breaches, and they typically only became publicly known when they hit the news. The GDPR (General Data Protection Regulation) changes that and makes breach reporting mandatory. The GDPR, which comes into effect May 25, 2018, with severe penalties, both monetary and otherwise, not only applies to organizations located within the EU but will also apply to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
While most major cloud vendors (AWS, Azure, etc.) fully intend to be GDPR compliant, it's incumbent upon you and your IT organization to ensure your on-premises and global file system together make for a compliant storage architecture.
By adopting a hybrid-cloud architecture with secure on-premises filers for access, encryption at rest and in transit, identity and device management and audit capabilities, preventing shadow IT, and limiting who can share files and how, breaches can be minimized. In the unfortunate event of a breach, accurate log files, immutable data and versioning will speed forensics and recovery.
Maintaining security on an ongoing basis: audits/reviews
Of course, once you finally secure your hybrid-cloud storage architecture, there is no guarantee that it will stay that way! Constant vigilance is always warranted, as well as regularly checking on your platform to ensure it's still where it needs to be. As a result, you should perform regular cloud-compliance audits to make sure everything is as it should be. These audits can span both your cloud storage provider (or providers) and your own on-premises architecture as well.
In many ways, securing your business's data has become the most critical role for your IT group. As this dynamic market creates even more sophisticated attacks and glaring vulnerabilities, it will be IT's responsibility to stay ahead of the game. A hybrid-cloud storage architecture should smooth that pathway.
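One concrete piece of the recurring cloud-compliance audit the column recommends is checking the access policy on the cloud side of the store against the controls listed above: encryption in transit (TLS-only access), no anonymous sharing, and a review of which principals can destroy the version history that immutability relies on. The Python below is an added example, not code from the original column or any vendor tool; it audits bucket policies written in the JSON policy language used by AWS S3. The two policies, the account id, bucket and role names are constructed placeholders, and what counts as a finding is this example's own baseline (an assumption), not a published rule set.

```python
"""Audit an S3-style bucket policy for TLS-only access, anonymous grants and
grants that can erase version history. Added example; constructed policies."""
import fnmatch
import json
from typing import Any, Dict, List

# Actions that can erase or switch off the version history immutability depends on.
HISTORY_DESTROYING = ("s3:DeleteObjectVersion", "s3:PutBucketVersioning",
                      "s3:BypassGovernanceRetention")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _covers(statement: Dict[str, Any], wanted: str) -> bool:
    """True if the statement's Action covers `wanted`. IAM matches actions
    case-insensitively with '*' wildcards; NotAction is not handled here."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower())
               for a in _as_list(statement.get("Action", [])))


def _denies_plaintext(statement: Dict[str, Any]) -> bool:
    """The canonical TLS-only rule: Deny everyone every S3 action when the
    request did not use TLS (aws:SecureTransport is false)."""
    cond = statement.get("Condition", {}).get("Bool", {})
    flag = str(cond.get("aws:SecureTransport", "")).lower()
    return (statement.get("Effect") == "Deny" and _is_anonymous(statement.get("Principal"))
            and _covers(statement, "s3:*") and flag == "false")


def audit_policy(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Return whether TLS is enforced plus a list of findings, worst first in text."""
    findings: List[str] = []
    tls_enforced = False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if _denies_plaintext(stmt):
            tls_enforced = True
            continue
        if stmt.get("Effect") != "Allow":
            continue
        if _is_anonymous(stmt.get("Principal")):
            qualifier = "conditional " if stmt.get("Condition") else ""
            findings.append(f"HIGH {sid}: {qualifier}anonymous access to {_as_list(stmt.get('Action'))}")
        destructive = [a for a in HISTORY_DESTROYING if _covers(stmt, a)]
        if destructive:  # legitimate for an admin role, but every such grant gets reviewed
            findings.append(f"REVIEW {sid}: {json.dumps(stmt.get('Principal'))} may {destructive}")
    if not tls_enforced:
        findings.append("HIGH policy: no statement denies non-TLS (aws:SecureTransport=false) requests")
    return {"tls_enforced": tls_enforced, "findings": findings}


# Constructed sample: public read, no TLS rule, blanket admin rights.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-filer-bucket/*"},
    {"Sid": "Ops", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/StorageAdmin"},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-filer-bucket", "arn:aws:s3:::example-filer-bucket/*"]}
  ]}""")

# Constructed sample: TLS enforced, only the on-premises filer's role, least-privilege actions.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-filer-bucket", "arn:aws:s3:::example-filer-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "FilerGateway", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/FilerGateway"},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-filer-bucket", "arn:aws:s3:::example-filer-bucket/*"]}
  ]}""")


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol))
```

The weak policy yields three findings (anonymous read, an admin grant that can delete versions or disable versioning, and no TLS rule); the hardened one yields none. A real audit would feed this the policy pulled from the provider's API and pair it with the bucket's versioning, retention and public-access settings, which this check does not read.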