AWS Smart Business Blog

What You Need to Develop a Data Protection Strategy for Your Small and Medium Business

While it is difficult to run a business, today small or medium businesses (SMBs) have the added challenges of defending themselves from sophisticated cyber and ransomware exposures, staying in compliance with their industry’s rules and regulations, and protecting customer data from being accidentally deleted or lost. A recent survey by CyberCatch revealed that 30% of SMBs don’t yet have a plan to defend themselves against digital issues or accidental deletions caused by faulty applications or human error. Significantly, 75% would survive less than a week in the event of such an incident.

What is data resiliency and why should SMBs care?

The AWS Well-Architected Framework defines resilience as having “the capability to recover when stressed by load (more requests for service), unauthorized events (either accidental through a bug, or deliberate through intention), and failure of any component in the workload’s components.” Common issues where resilience becomes important include improving availability and performance of your applications as well as for disaster recovery use cases due to IT outages, natural disasters, or other security events. As you may know, downtime can be expensive and difficult to mitigate.

To meet your business resilience requirements, consider the following core factors as your IT team or tech partner designs your workloads:

  • Design complexity: Usually, the more complex your workload becomes, the more complicated your resilience requirements will be. Each individual workload component has to be resilient, and you’ll need to eliminate single points of failure across people, process, and technology elements.
  • Cost to implement: Costs often significantly increase when you implement higher resilience because there are new software and infrastructure components to operate.
  • Operational effort: Deploying and supporting highly resilient systems requires more complex operational processes and advanced technical skills. Before you decide to implement higher resilience, your in-house IT lead or third-party tech vendor should evaluate if you have the required level of process maturity and skillsets.
  • Effort to secure: Security complexity isn’t always directly correlated to resilience. However, there are generally more components to secure for highly resilient systems. AWS Security best practices can help customers achieve their security objectives for such complex deployments.

Resilient data is at the core of a business continuity plan

Today, SMB customers experience enormous challenges in terms of costs and maintenance to be able to build resilient applications within their own data centers. Many SMBs turn to AWS Cloud to leverage its highly resilient and globally available infrastructure services as part of a business continuity plan. But remember, durable infrastructure does not mean your data is automatically protected.

You need to understand the AWS Shared Responsibility Model, and build a strategy to protect your business and customer data. For example, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure includes the hardware, software, networking, and facilities that run AWS Cloud services. Customers are required to perform all of the necessary security configuration and management tasks within the utilized services for their applications. Having a cloud data protection strategy early on sets you up for long-term business resilience.

How to protect your business data whether you’re new to cloud or already migrating

The first step is to be aware of the need for data protection. Before you get into data protection, however, it is key to identify the kinds of data your business is gathering. Here are questions we often pose to customers migrating to the cloud:

  • Are you running web applications that use or collect sensitive data?
  • Are you storing customer data, such as Personally Identifiable Information (PII) or Personal Health Information (PHI)?
  • Do you have confidential financial information that requires adherence to industry-specific laws?

Questions like these will help us determine the overall profile of the data that underpins your business, and help you determine what to protect. Mapping out your data estate—which includes all of the cloud services you use, like virtual machines, storage, database, and more—is a prerequisite to robust data protection.

1. Identify the key data security issues

Once you’ve mapped out your data estate, it’s time to identify the key exposures it could be subject to. It’s not enough just to set up firewalls and vulnerability scanners. These are prevention techniques that may not be enough to secure your data. Despite investing millions of dollars into cybersecurity measures, even the largest companies in the world get targeted. Hence, for your data security, a recovery-focused strategy often works better.

Depending on the kind of data your SMB has, it’s a smart idea to identify the security exposures most pertinent to your business.

  • Ransomware if you have sensitive information and store any kind of PII data
  • Operational or software-based disruptions for high-frequency commerce
  • Accidental deletions if you handle large volumes of unstructured data like scans, photos, and media
  • Insider issues if you have classified or material nonpublic information
  • Non-compliance if you handle data in a regulated industry

For any of these, simply investing in cybersecurity tools is not enough. Data protection strategies are the last and strongest line of defense, and will help you continuously back up your data and recover it instantly if your systems experience major security events.

2. Simplify your data protection strategy

Once you have an idea of what data needs to be protected, you have the choice to build your own solution from native tools, or simplify your data protection posture with easy-to-use software. For younger businesses with dedicated IT staff, taking a do-it-yourself approach can be risky and incur high development costs. You will need to hire specialized staff, train teams of engineers, and build custom software, workflows, and scripts. If you’re one of the many SMBs with no in-house IT talent, this can be daunting.

Often, the better solution is to use intuitive software that can protect all of your data assets on AWS Cloud. Even non-technical teammates can simply define groups of files, objects, or datastores that need to be protected. The data protection software is designed to do the rest.

Also, remember to avoid any solution that requires running hardware for data protection. Running on-premises hardware is a path to excessive capital investments, maintenance charges, and sunk costs.

3. Store and protect what you can’t afford to lose

If you manage highly classified or sensitive information, chances are you need an air gap data protection solution. In fact, this is a requirement to comply with common regulatory standards such as ISO 27002. The recommended solution is to vault it outside of your access control framework (isolating it from the boundary of your network). This ensures that even if an unauthorized party gets unintended access to your systems, your sensitive information is safe.

There are simple cloud-based software tools, like Clumio Secure Vault, that can help you get your sensitive data vaulted in minutes and protect it continuously, which we will discuss in this post. Clumio is part of the AWS Partner Network, which means they are trusted to have deep expertise and specialization in AWS Cloud technology. They can help you set up and protect your data, especially if you have limited technical experience and rely on outside IT solutions.

4. Test your defenses

Now that you have data protection software in place, you have to check that it works. Don’t wait for a security event to test your data protection posture. Understand your recovery objectives and confirm your critical data is getting continuously backed up. Your data should be instantly recoverable when you need it most, which you can check by running Recovery Point Objective (RPO) and Recovery Time Objective (RTO) tests. RPO lets you test how much data loss your applications can withstand. RTO helps you define how much time it would take to recover your applications back to their operating state. The best cloud-based data protection tools help you recover from a last known good point in time using simple calendar views, and can help identify which objects or files to recover using filtering and search capabilities without you having to build them.

5. Develop cost-effective approaches

SMBs such as yours are already cost constrained, so data protection shouldn’t add a hole in your budget. While evaluating a data protection solution, make sure there are no licensing fees. Your data protection solution should size your environment transparently, and charge you only for the GB of data you protect. Support should also be built into your contract.

Let’s now summarize the key data protection challenges of fast-growing SMB businesses, and evaluate how software such as Clumio can help.

What is Clumio and how can it help SMBs?

Clumio continuously protects your data so you can focus on your customers, by providing simple and secure data protection. Clumio is also an AWS Storage Competency Partner and has helped many of your peer businesses become more resilient.

Identifying the key data security issues

Clumio helps build a fortress for your business data that can withstand cyber events, operational disruptions, software errors, and accidents. No matter what data you store within Clumio, it stays secure.

Simplifying your data protection strategy

Clumio is a click-to-play software solution available on the AWS Marketplace. One reason SMB business leaders find value in Marketplace is that their teams can search for approved cloud solutions and roll them into their existing AWS bill. With Clumio, you can back up several AWS data sources literally within minutes, without worrying about asset size or capacity constraints. There is no hardware, hosts, installations, or data backup failures, just simple and speedy data protection. Clumio’s intuitive protection groups let you protect exactly what you need to and ensure faster recoverability. During a restore, Clumio’s calendar views and search help identify exactly the point in time you want your systems to revert to.

Figure 1: Calendar Views within Clumio Protect Console

Vaulting your most important data

Clumio’s SecureVault backs up data outside of your AWS accounts, completely separated from your production environments. Data is stored on immutable storage, is encrypted both at rest and in flight (with the ability for customers to bring their own keys), and cannot be altered or deleted by anyone. In addition, access to Clumio is multi-layer authenticated with Single Sign On (SSO) integration, so only authorized users can access your data protection hub.

Recovery performance when you need it most

Clumio routinely clocks the fastest RTO for AWS workloads in the industry, is easy to test, and has got customers back up and running in minutes in the most critical of situations.

Cost efficient

Clumio is built to scale on demand, and you can be sure to be charged only for the data you protect. There is no need to train staff or sign expensive licenses. In fact, Clumio provides insights into hidden data protection charges, intelligently estimates spend, and proposes ways to reduce cost.

Figure 2: In addition to securely backing up your data, Clumio helps you cut down hidden or redundant data protection costs.

Next steps

If your SMB is still backing up its data on-premises, across different solutions, or not at all, now is the time to prepare for better business resiliency. One way customers are doing it is by migrating their applications to the AWS Cloud and leveraging its global footprint. In addition, to help with challenges around improving resiliency, AWS Marketplace offers software tools such as Clumio that are simple to manage and provide all the capabilities required for you to build a strong data resiliency strategy at effectively lower costs. If you’re ready to speak with an expert, contact us. Otherwise, learn more about the importance of data resiliency and protecting data with AWS Smart Business.

Harshil Shah

Harshil Shah is a Partner Solutions Architect at AWS who helps SMB customers scale their operations with integrated software vendor (ISV) solutions. He holds a Master’s degree in Computer Science from the New Jersey Institute of Technology and is based in New Jersey (US).

Ari Paul

Ari Paul is Director of Product and Solutions Marketing at Clumio. Clumio helps businesses make their data and applications more resilient against ransomware and operational disruptions. Ari is based in the US.