Before considering a foray into the data protection business by delivering secure online backup services, VARs must weigh the implications of being responsible for both availability and customer data security, experts say.
SaaS-based online backup enables customer data to be automatically copied offsite via a secure Internet connection, and allows on-demand restoration by authorized users. Early last year, IDC predicted the worldwide market will grow to $715 million by 2011.
Online backup is a cost-effective alternative to on-premise tape and/or disk backup, which is time-consuming, labor intensive, hard to scale and prone to errors that can result in lost data.
"Nearly all of the onsite CapEx costs, as well as OpEx costs, are eliminated," said Lauren Whitehouse, a senior analyst specializing in data protection for Milford, Mass.-based Enterprise Strategy Group (ESG). "Bandwidth requirements may increase; manpower costs will be greatly lessened."
SMBs whose backup volume is much lower than, say, an enterprise data center -- and have small IT staffs -- are good candidates for online backup, Whitehouse said. However, large enterprises, with terabytes of data, may want to use online backup for desktop/laptop and remote office backup.
But before a company trusts their data to a remote third party, they'll likely need to be assured that it can be easily restored and is well protected, Whitehouse said.
Encryption and access control are built into most online backup software products. Strong encryption, for data at rest and in transport, should be a basic feature of any online backup service, Whitehouse said, but there are opportunities for VARs to bolster security.
"The only place where an MSP can provide extra encryption services is in key management," Whitehouse said. "Some customers are very good at managing keys; some are bad, so some MSPs offer escrow services, keeping a copy of keys in a safe place."
The backup software service provides basic access control capabilities, leaving it to the customer to assign user privileges. Typically, there is a high-level administrator who delegates access to employees based on their role (e.g., "help desk").Build or "buy" secure online backup infrastructure
Experts say providing a successful online backup means more than choosing the right software and investing in additional storage or backup hardware. Solution providers are the custodians and protectors of other companies' business-critical and sensitive data. Demonstrable proof that customer data is secure can be a differentiator in the market.
" End users don't want to hand over the reins to just anybody.," said Whitehouse. "Physical and electronic safeguards need to be in place, and certain assurances or proof points may be required. "
Whitehouse and other experts say that in practical terms, an online backup service provider must assure customers it can provide a secure environment for their data. This includes:
Redundant systems -- An MSP's equipment is liable to failure as well as anyone else's. These systems should failover seamlessly to avoid any interruption of service.
Mirrored data -- In other words, have backups to the backups, in case data is somehow lost, corrupted or inaccessible.
Geographic redundancy -- At least one duplicate data center, well separated from the primary location, in case of shutdown or disaster.
Strong, layered security -- This means investment in security technologies -- network firewalls, IPS, Web security, network access controls, etc. -- as well as strong policies and processes, including configuration, patch and vulnerability management, penetration testing and third-party security assessments.
Certification -- A SAS certification Level II means the auditor attests not only to the controls the service provider has in place, but also that they are effective.
Who provides the security depends on whether the service provider simply resells a service, collocates with a hosting provider or has its own infrastructure. In any case, from the customer perspective, responsibility for data availability and security rests with the service provider.
San Jose, Calif.-based Concentric invested heavily in infrastructure and licensed online backup technology from Seagate subsidiary i365. It added online backup to its portfolio of hosted IT services (hosted Exchange, server, email security) for the SMB/SME market.
"This approach provides many opportunities to differentiate the service, including packaging, pricing and integration with the company's other services," said Gary Ellis, Concentric's senior product marketing manager. "However, compared to reselling an existing service, the start-up effort will be considerably higher."
Alternatively, Whitehouse said, a solution provider who'd like to get involved in this opportunity can enter into a collocation partnership, setting up an online backup service on a third party's infrastructure backbone, reducing the total investment, while depending on the partner to assure uptime and data security.
"Building out your own data center will require networking and security expertise," she said. "Partnering with an infrastructure provider alleviates these issues."
Simply reselling another service is a popular and easy way to get into managed secure online backup services. The margins are relatively small, but VARs can ramp up quickly and build a client base with recurring revenue.