Compliance has moved from a secondary consideration to a primary one. The emergence of personally identifiable information (PII) regulations worldwide with harsh financial penalties has changed the data protection landscape. Multiple overlapping data protection make compliance much more difficult by duplicating processes that increase the probability of non-compliance.
Compliance processes
The European Union (EU) and United Kingdom (UK) General Data Protection Regulation (GDPR), Singapore Personal Data Protection Act (PDPA), California Consumer Privacy Act (CCPA), Canadian personal data privacy acts, 9 states with similar acts to California’s, and dozens of countries with laws in progress similar to GDPR, have made managing PII backups essential, albeit difficult processes.
Most of PII regulations require the “right-to-be-forgotten” a.k.a. “right-to-erasure”. This right enables individuals to request any organization with their PII to erase all traces of it in a “timely manner”. Timely manner typically means less than 30 days. It’s a relatively difficult but doable process for primary data applications as long as the PII can be located. Data protection/backup applications are a very different story, especially the very popular image-based backups. Image-based backups or snapshots are popular for their very fast recovery time objectives (RTO). But there is a significant problem with this type of data protection and the “right-to-be-forgotten”.
The PII data cannot be deleted once and then propagate that deletion across all the other time stamped image-based backups. Each image backup after the first full volume backup is an incremental backup of the changes from the previous backup. Recoveries or mounts are virtual or synthetic full volume backups. Erasing any PII from a specific backup where there are subsequent backups will likely corrupt any backups that exist in time after the that backup. PII must be deleted from each and every backup in which it exists, one at a time starting with the most recent and working backwards. That’s a huge labor-intensive problem.
Erasing PII data from image-based backups requires each and every timestamped backup be mounted, specific file or database with the PII data found, the PII data deleted, and the backup put back in a backup state. When backup retentions are months to years, the process becomes much too laborious and excessively time consuming. It cannot be completed in a timely manner and it out of compliance.
Now consider multiple data protection/backup platforms many of which are image-based. Each has to provide similar “right-to-be-forgotten” timely results for much of the same overlapping PII Data. Non-compliance for PII regulations is a serious expensive situation. Fines can easily be into the $10s of millions, which no one budgets for.
Avoiding that potentially calamitous result requires a change in data protection processes and a single comprehensive data protection system that deletes one time and propagates to all of the other backups. The process change is to keep only recent backups of two weeks or shorter on image and longer-term retention in file-based backup preferably in a single data protection system.
Part 4 of this series will reveal how security is deeply compromised when there are multiple data protection systems.
To learn more contact us at: info@asigra.com
Asigra Software v14.x
The Asigra Software is architected from the ground to meet the very large-scale requirements of managed service providers delivering backup as a service (BaaS) and disaster recovery as a service (DRaaS). Asigra continually leads the market in comprehensive solutions. From file to image backups; instant or single file recoveries for any hypervisor, physical, virtual machines, cloud instance, SaaS, and Docker containers; laptops – protect, geo-locate, and remote wipe; repurposing of backup data for DevOps, TestDev, Search, and analytics; intuitive management interface; variable RPOs and RTOs; deduplication, compression, encryption, and more.
More importantly, Asigra Software is the first and only data protection/backup today that prevents malware and ransomware from being backed up or recovered. It stops attack-loops in its tracks. Several others detect detonations and notify that an attack is in progress, but do not detect or prevent infections in the backup and recovery streams. Asigra Software additionally prevents malware, ransomware, or disgruntled employees from deleting backups without proper multi-factor authorization. And Asigra Software is the first to enable the “right-to-be-forgotten” PII compliance for GDPR, PDPA, CCPA, and others in backups with documentation of what, who, when, etc.