Data protection

What is data protection?

Data protection is the action of keeping data safe from loss, theft, or corruption, and includes the ability to restore it to a usable form if adverse events have made it inaccessible or useless.

Data protection involves people, data security processes, and data protection tools and technology. It includes the following use cases:

• Backup and recovery — This essential part of data protection is the process of copying data and storing it in a safe place in case of loss or damage, and then restoring that data to either an original location or a secure alternative so it can be used again to fuel operations.
• Instant mass restore — This data protection solution enables organizations to recover data and applications at scale instantly and to reduce recovery point objectives (RPOs) to minutes.
• Data resilience / business continuity / cyber resilience — Data resiliency, as well as business and cyber resilience, are what data protection enables—the ability to continue business operations and quickly recover when unexpected disruptions or loss of availability of data occur.
• Continuous data protection — A data protection method that ensures the continuous and automatic backup of data, capturing real-time or near real-time changes that enable fast recovery from any point in time allowing organizations to recover from any data loss incident with minimal business disruption.
• Long-term retention — A policy that enables customers to retain or archive their backup data for long periods of time that could span months to decades for reference, compliance, legal, or historical purposes.

What are the principles of data protection?

If an organization processes data, it should do so based upon the seven principles of data protection. These are detailed in Article 5.1-2 of the European Union (EU) General Data Protection Regulation (GDPR):

1. Lawfulness, fairness, ethical, and transparency — Any use or processing of the data must be lawful, fair, ethical, and transparent to the data subject.
2. Purpose limitation — Organizations can use data only for legitimate purposes as explicitly communicated to the data subject when they collected it.
3. Data minimization — Organizations should collect and use the minimum amount of data as absolutely necessary for the purpose(s) communicated.
4. Accuracy — Organizations must keep data accurate and up to date.
5. Storage limitation — Personally identifying information (PII) can be kept only as long as required for the stated purpose, and securely deleted or anonymized when no longer needed.
6. Integrity and confidentiality — When using or processing data, organizations must apply appropriate measures concerning its security, integrity, and confidentiality.
7. Accountability — The organization must be able to demonstrate compliance with all of the previous principles.

Why is having a data protection strategy important?

Businesses commonly store sensitive data to process or use in their operations. This data—employee records, customer details, intellectual property (IP), loyalty schemes, sales transactions, and more—must be managed and protected from being misused by bad actors (both internal and external) for financial gain, notoriety, revenge, or other reasons that can hurt both the subjects of the data and the organization.

Data protection is essential to prevent unauthorized access, use, or disclosure of private data. It minimizes negative fallout from important data being lost, stolen, compromised, misused, or corrupted. Proven techniques for data protection include backing up data—continuously when possible—to ensure critical data is preserved and can be restored with minimal business disruption, creating a virtual “air gap” separation between data and external facing direct network connections that enable isolation of critical data, and, very importantly, the ability to instantly recover data with the least amount of data loss. For example, in the event of a hurricane and the need for disaster recovery or a cyberattack and the need to perform ransomware recovery. Not only does this help organizations recover in near-real-time, but a robust data protection strategy keeps mission-critical applications operational and business doors open.

What is the data protection act?

A number of laws have been passed around the world to address data protection and privacy issues.

The General Data Protection Regulation (GDPR) is considered by many to be the toughest data protection law in the world. Though written by and for the European Union (EU), it imposes obligations onto organizations anywhere in the world that collect data on EU residents. The regulation was put into effect on May 25, 2018. The EU hasn’t hesitated in giving out punishing fines to any organization that violates its data protection standards, with penalties exceeding tens of millions of euros.

The United States has a number of federal and state laws that target different industries and aspects of data protection, such as health data (HIPAA), financial information (PCI), or data collected from or about children. Some states, notably California with its California Consumer Privacy Act (CCPA), have passed strict data protection laws. However, data protection in the U.S. is quite different from in the EU, as it is decentralized—with no central government authority imposing compliance, thus organizations are expected to regulate themselves. Indeed, because of this somewhat lackadaisical approach to data protection regulations, in many states companies can use, sell, or share data without notifying or even considering the subject.

In June 2022, the American Data Privacy and Protection Act was introduced in the U.S. House of Representatives. This bill would establish requirements for how companies keep and use consumer data. The Act had many of the same principles as GDPR, like data minimization, individual ownership, and private right of action. However, the burden of evaluating each organization’s programs would fall to the organization itself—in other words, self-regulation. No action has been taken on the bill since it entered committee.

In the United Kingdom, the Data Protection Act 2018 is the legislation that governs data protection, replacing a previous act passed in 1998 based on the EU’s GDPR.

Data Protection laws and regulations in Asian countries vary—with each having its own governance framework. As these continue to evolve, it is crucial for organizations to track each country’s requirements to operate within those jurisdictions. In 2020, for example, China, Cambodia, and Sri Lanka proposed or introduced cybersecurity regulations and legislation focused on personal information. China’s Personal Information Protection Law (PIPL) went into effect on November 1, 2021. Japan’s data protection is governed by the Protection of Personal Information (APPI). In Singapore, the Personal Data Protection Act (PDPA) is in place, while India enacted the Personal Data Protection Bill in 2019.

What are some examples of data protection?

Some examples of data protection follow the most common use cases, and all involve a combination of people, process, and technology:

Backup and recovery — Natural disasters like Hurricane Florence caused catastrophic damage in the Carolinas in September 2018. A Category 4 hurricane with wind speeds of almost 150 miles per hour, and damages that topped $24 billion, Florence took inland businesses by surprise at how fast floodwaters rose. Few thought to salvage their onsite backup media as they rushed to safety. Afterward, companies realized just how important multi-tiered backup solutions were, as the businesses that were able to get up and running fastest were those with modern backup and recovery solutions such as the cloud. With their data in the cloud, they could recover and restore from anywhere, even if their premises had been damaged.

Ransomware protection, detection, and recovery — Simply backing up data is only half the picture when it comes to protecting data. How fast the data can be recovered in the face of a cybercrime or natural disaster is also vitally important. One ESG ransomware study shows that 79% of the organizations surveyed reported having experienced a ransomware attack within the last year, so it’s not a matter of if or when just like a natural disaster but with no warning. Organizations understand that protecting backups is the norm in light of ransomware attacks specifically targeted at these workloads/processes, but by recovering data quickly, organizations can minimize downtime and data loss, and ensure that they can continue operating efficiently and effectively. The longer data remains inaccessible, the greater the risk of corruption and potential regulatory compliance consequences, as well as disruption to SLA’s that lead to issues with customer satisfaction. After a ransomware attack, a large property company was able to protect and restore all of their customer and enterprise data within three hours and avoid paying the ransom demands.

Data compliance — Organizations with this use case need a data security solution designed on zero-trust principles, that includes a combination of immutability, Quorum controls, data encryption, multifactor authentication, and granular role-based access control that helps to stop unauthorized applications and bad actors from modifying or deleting your data.

Disaster recovery and business continuity — Continuous Data Protection delivers near-zero RPOs for your mission-critical VMware virtual machines, minimizing data loss, and maximizing your ability to ensure business continuity. Instead of backing up data once a day or even once an hour, a national restaurant chain used a continuous, data management strategy of backing up data every time a change was made to its point of sale (POS) system. This meant there was a record of every transaction that took place in every restaurant across the country in a remote cloud repository. And because the solution keeps multiple versions of each file, it is easy for the chain to “roll back” to previous versions in case the data is infected with malware.

Long-term retention and archival — A policy that enables customers to retain or archive their backup data for long periods of time that could span months to decades for reference, compliance, legal or historical purposes. One prominent law firm needed to retain data long term to support ongoing litigation and it decided to go with the cloud for quick and easy access in case of an urgent query by a client.

Cohesity and data protection

Organizations across the world face significant challenges to business continuity for their mission-critical operations. The 24/7 nature of enterprise organizations, combined with the growing threat of cyber attacks, is leading customers to place increased emphasis on data resiliency. Data silos and lack of visibility of the data across the enterprise (on-prem and in the cloud), inconsistency in how data is stored and managed, and lack of interoperability between legacy backup solutions and existing technologies, put organizations at risk of loss of data in the event of a cyber attack or outage. This increased risk, combined with the sheer size and scope of enterprise data estates, has led to an urgent need to build for scale (e.g., cloud hosting), all while maintaining lower data costs.

Cohesity DataProtect is an industry-leading, modern backup and recovery solution. With Cohesity, customers can protect enterprise data at scale, increase data resiliency by significantly minimizing RPO and RTO in a cyberattack or outage, and reduce data costs. DataProtect is part of a comprehensive data security and management platform, the Cohesity Data Cloud, and offers these key benefits:

Increase data resiliency. Modern enterprises require granular, near-zero Recovery Point Objectives (RPO) and near-instant Recovery Time Objectives (RTO). Cohesity enables organizations to recover data at scale in the order of minutes instead of hours. With Cohesity, organizations get fully hydrated snapshots, continuous data protection (CDP), and recovery flexibility to exceed their SLAs.

Lower TCO. Cohesity drastically reduces the total cost of ownership by consolidating enterprise data protection into a single platform with unlimited scale, minimizing overhead, and dramatically decreasing data storage costs The Total Economic Impact of Cohesity.

Protect enterprise data at unlimited scale Cohesity provides an end-to-end backup and recovery solution that offers unlimited scale for your enterprise data across on-prem, cloud, and edge workloads. Organizations can take a large number of snapshots with uncapped retention policies, and leverage the Cohesity snapshots with fast, parallel data ingestion so businesses can protect data and applications as often as desired.

Get near instant data availability, access, and restore that enables instant access of your data and applications at scale across your entire data landscape without waiting to repair or restore the original storage, or without waiting to move the data to another location. Only Cohesity offers the ability to instantly restore thousands of VMs and near-zero recovery times for databases. You can learn more about these unique capabilities here:

• NAS Instant Access
• Instant Mass Restore (VMs)
• Instant Recovery of Databases (Oracle & PostgreSQL, and others)
• Zero-Cost Clones (Dev/Test)