- Understanding the Data Protection Trends Report
- Drivers of Change in Data Protection
- What Does Modern Data Protection Look Like?
- Cloud-Powered Data Protection
- Cloud-Based Disaster Recovery
- Ransomware Frequency
- Recoverability After a Ransomware Attack
- Enhanced Data Protection
- Real World Outages
The Data Protection Trends report is published by Veeam annually, so why don’t we start with letting Jason tell us a bit about the report and his own industry experience?
Understanding the Data Protection Trends Report
I’ve been in the data protection space for about 32 years. It’s the only thing I’ve ever done since leaving school. Seven of those years I spent as an industry analyst. Veeam was my client, as was Commvault, Rubrik, Cohesity, Dell, Veritas, and IBM. So I spent a lot of time doing industry research, and I’ve been with Veeam for the last four years. One of the projects I’ve participated in for the last several years is our annual data protection trends report. It’s important to note that Veeam contracts with an outside independent research firm. They ask all the questions, so their panel is not Veeam customers, and Veeam marketing does not get involved.
This year’s Data Protection Trends report is actually the largest independent research project in the data protection industry. There are 3,400 (technically 3,393) responses in this survey, and it covers 28 different countries.
The vast majority of responses are from organizations with more than a thousand employees, although there’s a good percentage of mid-market and some upper-lower commercial, et cetera. So I’m really excited to share some of the results for this and hopefully hear how Global Data Vault is responding to what 3,400 of my closest friends say they need in data protection.
Yeah. What happened to those other seven responses?
The project was supposed to be built from 3,000 responses, but when we were 393 responses in, we found a typo in one of the questions. It was an important question, so they over-sampled, and that’s how you get a lovely round number like 3,393.
What you see here is the actual URL, and all the data that I’m going to talk about here is in the report. You can download the Data Protection Trends 2022 report here: https://vee.am/DPR22.
In 2020 we asked organizations what percentage of their servers were physical in the data center, virtual in the data center, or cloud-hosted, either hyperscale or MSP-based. We also asked what they thought it would be two years from then, and the 2021 survey likewise brought those projections up to 2023.
The report also shows what they think it’s going to be in 2024. Taking three different annual reports, with 8,000 IT leaders across them, provides some interesting trends and makes a good basis for our conversation today.
The report covers both pre-Covid and post-Covid data. As we know, one of the effects of the global pandemic and quarantine was that many organizations accelerated their use of cloud services in response to a remote workforce. The report reflects that: physical goes down, virtual goes down, and the net result is that cloud goes up, right? But beyond that, what you see is that the data center never goes to zero.
There are a lot of reasons why you should still be running your own metal on your own floor in your own facility. Most organizations are taking an authentic cloud-first approach, which basically says if you can stand it up in a cloud, why wouldn’t you?
They are not decommissioning old platforms and workloads at nearly the same rate as they’re spinning up new ones. So you see the physical and virtual percentage eroding or diluting as more and more workloads embrace cloud hosting. And certainly, the net result is that your data protection architecture must equally address legacy physical platforms, modern virtual platforms, and multiple cloud-hosted IaaS and SaaS architectures, because this is not a fad, and this is not coming sometime in the future. It is already here!
You mentioned that the pandemic had a lot to do with this and the way that we use data, the way that we embrace virtualization, and we’re protecting different types of data. We’re accessing it from different areas and different locations. And so, in my view, people are saying, okay, we have our infrastructure, we still need that. But now that we have to do all of these other new things, let’s just go ahead and put that in the cloud, and we still have to protect it. Right?
Drivers of Change in Data Protection
To paraphrase a politician, if you like your data center, you can keep your data center – but for everything else, there’s cloud. One of the questions you would want to ask every customer and partner is, “What would drive you to change?”
You know, I was buying a car for my daughter a couple of weeks ago, and the first question I asked her was, “What are you looking for? What does it need to do?”.
When answering the question for the report, the respondents were able to choose all the things that applied to their situation and which were most important. Three meta trends came out of this. The most common one was: I need backup to work better.
There’s a dirty little secret in the IT industry. You cannot restore what you did not back up.
A second trend relates to economics: Cost, Value & Consumption.
What Does Modern Data Protection Look Like?
Backup should be part of a holistic strategy that includes IT management so that you do more with your data. Another thing is orchestration and getting rid of a lot of manual processes along the way.
When organizations are asked what modern data protection looks like, they say it looks cloudy. So there’s a recognition of leveraging DR from a cloud. There’s recognition that you want consistency between how you protect on-premises and how you protect IaaS and SaaS. Another interesting one is recognizing that workloads not only often move from the data center to a cloud; it’s also important to be able to move them between clouds. So you might do your development initially in Amazon but then want to run production in Azure, right?
You may want to do your development in a cloud but run production on-premises, being able to actually move stuff back and forth. While Azure and Amazon will help you get it into their cloud, they won’t help you put it back, and they won’t help you move it between clouds. That’s where a self-describing and cloud-agnostic approach to data movement becomes really important.
Yeah, I agree. And we see that every day. For one reason or another, customers choose one hyperscale cloud or another. A lot of organizations, particularly in the public sector, get certain credits with Microsoft, so perhaps they lean toward an Azure deployment, while others like the scalability and the quick deployment for DevOps in AWS. They typically need something that pulls it all together.
That’s when they start wondering where their data lives. How do I protect it? We often hear customers ask those questions, and at the same time, how does the 3-2-1 rule fit into this? Because, like any other solution, none of these things will protect your data natively. You don’t just put your data in the cloud, and it’s magically protected.
We see outages all the time that affect entire portions of the United States from one big cloud provider or another. Even something as simple as a DNS outage affects many, many services, so customers are trying to find ways to leverage workload flexibility and portability: portability of applications and data, while at the same time still trying to protect it. That is a challenge we work to solve by providing a central, reliable solution that is easy to manage and use, focused on data protection.
At Global Data Vault, we don’t care what your data is, where you put it, how you do it, we’re going to protect it, and we’re going to make it available to you.
Cloud-Powered Data Protection
Well, that’s a good segue to take a look at what’s modernizing in protection and then leaning into what that means for protection using the cloud as well.
The primary concern is ransomware. We’re all familiar with how ransomware works. It goes after your primary data, wherever it exists, whether it’s in your facility or a data center. That’s why the 3-2-1 backup rule (three copies of your data, two different types of media, and one offsite copy) is going to protect you from any site outage. Three copies and two different media protect you locally from any type of issue that you might have on-premises with certain systems or that copy. But it’s the one copy of data that you keep offsite that will protect you from fire, natural disasters, and ransomware.
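As a rough illustration, the 3-2-1 rule can be expressed as a simple compliance check over an inventory of backup copies. This is just a sketch; the field names ("media", "offsite") are hypothetical and not drawn from any real product API:

```python
# Hypothetical sketch: check a backup inventory against the 3-2-1 rule.
# Field names are illustrative, not from any real backup product.

def meets_3_2_1(copies):
    """Return True if the copies satisfy the 3-2-1 rule:
    at least 3 copies total, on at least 2 distinct media types,
    with at least 1 copy stored offsite."""
    total = len(copies)
    media_types = {c["media"] for c in copies}
    offsite = sum(1 for c in copies if c["offsite"])
    return total >= 3 and len(media_types) >= 2 and offsite >= 1

inventory = [
    {"media": "disk", "offsite": False},   # primary data
    {"media": "disk", "offsite": False},   # local backup
    {"media": "cloud", "offsite": True},   # offsite copy
]
print(meets_3_2_1(inventory))  # True
```

Drop the offsite cloud copy from that inventory and the check fails, which is exactly the gap that leaves you exposed to fire, natural disasters, and ransomware.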
People think that as long as it is in the cloud, their data is protected, and that is egregiously false. We see it all the time. So no matter if you choose public or private cloud or both, or a hybrid of on-premises versus cloud, you want something to protect the data offsite.
We happen to be cloud-powered, but we’re also cloud-agnostic, and we have multiple data centers of our own to provide protection that way. We’re not putting all the eggs in one basket; there are multiple copies of your data, whether they’re on-premises, in the cloud, in our cloud, et cetera. As people continue to push, we’re going to see further adoption of disaster recovery in a cloud-powered scenario.
And we got some good data on that in the Data Protection Trends Report. One of the things that came up was the feasibility of migrating out of the public cloud. So the idea there is that for as long as people have been migrating from one platform to another, it’s always been a one-way thing, right? When I first started in this industry, I was working on network servers, moving them to Windows NT many, many, many years ago.
I gave up many three-day weekends on that kind of project. Then there was the virtualization wave.
One of the fun parts about Veeam is that we back up the data in such a way that if you want to back it up as a Hyper-V VM and restore it to a VM, we can do that. If you were to back up a physical Windows box and you want to restore it into a VMware instance, you can, or you can restore it to Azure or GCP. And oh, by the way, when you back up a VM that is in one of those clouds, and you want to bring it back on-premises, would you like that as a physical device?
The smartest person in the room is the one managing the backups, troubleshooting the logs, doing the capacity planning, and all the architecture that goes into that, but at some point, they figure out the cloud is not a silver bullet; the only thing you’ve done is move where your data lives.
It’s a good, better, best situation. Good, you’re backing up your data. Better, you get your data out of the building. Best, someone smarter than you is driving it.
It would be interesting to see how this varies with different sizes of organizations, like if they have a wide and broad IT staff with a lot of expertise and 50 people who can handle different things versus an IT staff of three. Or, we’re too busy focusing on business-driving initiatives, so we can’t concentrate on backups. Let’s bring something else into play, and it goes back to the other point of businesses adopting more of an OpEx model versus a CapEx.
SMBs tend to embrace backup-as-a-service predominantly because they need someone to help them with success rates. We talked about improved reliability, so for many of them, this was their way to accomplish that by supplementing their expertise through backup-as-a-service.
On the enterprise side, they have the acumen on staff. Although candidly speaking, is that really where you want those high-value, highly experienced IT professionals? Wouldn’t you rather have them working on things that are perhaps more strategic to the business than managing last night’s backups? They’re trying to offload the mundane work of managing at scale. If they can offload that, then their individual contributors can focus on the things that positively impact business and value creation instead of babysitting backups.
Cloud-Based Disaster Recovery
Speaking of expertise, let’s look at another angle of cloud and data protection – disaster recovery. I’ve been doing backup for three decades. At a certain point, the backup guy starts getting invited to the BCDR meetings. Those meetings are bigger than just backup, right? Disaster recovery is more than just recovering the workload someplace else. Surely if it powers up, it’ll work, right? There’s a lot more to it than that.
When you look at what disaster recovery looks like in the Data Protection Trends Report, you can see that those folks that are still using two or more self-managed data centers account for roughly 30% of organizations.
These are traditional, large enterprises. They already have multiple sets of infrastructure; you know, the East Coast protects the West Coast and vice versa. You have IT staff at both locations. Usually, this is a massive vCenter-type architecture or a Microsoft System Center environment, and it’s well managed on both sides. There is a huge amount of power and agility that happens when that’s well-architected across the way. So again, if you have your data centers and you like them, you should keep using them for that.
With disaster recovery leveraging cloud-based services, you see that growth goes from 23% to 30% to 36% to 51% to 53%. And there are really two primary drivers for that. If you want to talk about the maturation of the tools, Veeam can take some credit for that, but take Veeam out of the picture, and you still get two primary drivers as an industry. Certainly, one of them is that elastic infrastructure, right? If you didn’t have two data centers, you couldn’t do the [bottom of the chart], and so that top line is “Hey, I’m gonna use the cloud.” I have secondary infrastructure when I need it, and I’m not paying for it when I don’t, other than storage. You see some growth that comes out of that. Technically, you could get that elasticity from either a hyperscale Azure/Amazon model or an authentic disaster-recovery-as-a-service (DRaaS) provider. The second driver is expertise, which you don’t get until you embrace DRaaS.
Even an enterprise organization often does not have a BCDR planner on staff, right? Certainly, commercial-sized organizations don’t; SMBs surely don’t, right? So the value is being able to leverage not only infrastructure on-demand but expertise on-demand. The other thing that you’ll see, even in a large enterprise, is that the BCDR planner only really has one framework of infrastructure to base their architecture and guidance on. In contrast, a DRaaS provider is delivering BCDR outcomes to organizations of all sizes, so they get a lot more best practices and consistency in learning that way. The reason that disaster recovery is becoming more obtainable for a broadly increasing percentage of organizations of all sizes is not only that elasticity on demand but the expertise that authentic DRaaS providers can provide.
I agree. We’re in an age where flipping the switch is a very popular thing; you just turn it on and access it whenever you need it. There’s an app for it; you can do it with your phone type of mentality. Disaster-recovery-as-a-service is another one of those. It can be easy. There are people who can provide that for you, and much like the BCDR planner you mentioned, every organization has internal niches, and all have areas that they fall short on. So for them, organizations that deliver DRaaS as a business model are nothing but positive.
Absolutely! Talking about disaster recovery, one thing that has always been an issue is that folks are willing to make a bet. It won’t happen to me, right? But disasters are a ‘when,’ not an ‘if.’ I live in North Dallas, and I was actually in a tornado warning last night, got some hail. I still have a roof on my house. But if you’re in a tornado or fire zone, there’s always a chance that a natural disaster could strike. You can only hope that it is an ‘if,’ not a ‘when.’
Talking about cyber, ransomware is a disaster, and it’s a disaster that is a ‘when’ not an ‘if.’
For those who are willing to make a bet, are you willing to bet your job on whether you can successfully recover? That used to mean recovering from a simple backup, but these days it’s whether you can recover your entire business. I live in the same area as Jason, and I was also under a tornado warning last night, but most of the attacks we’ve seen with customers aren’t natural disasters. Now, granted, we have our fair share of those, and they typically spread across a large area, but they’re generally short-lived, right?
There are thousands of cybersecurity attacks happening across the world per second. Obviously, there are not thousands of hurricanes going on every second. Every ransomware attack has the potential to be a disaster for someone. It’s a real threat, not a fear tactic. It happens, and we get panicked customers calling us all the time, so it’s important to have cybersecurity awareness planning as well as disaster recovery. The attacks are prevalent, and they are not going to stop.
Let’s talk about prevalence and ransomware frequency. When we talk about ‘whens’ versus ‘ifs’: for the Data Protection Trends Report, we asked organizations how many ransomware attacks they had suffered in the last 12 months. Best case, one in four, so 24%, said no attacks. But I’m saying best case because a lot of those who said they hadn’t experienced an attack just haven’t found out about it yet.
The average gestation of a cyber attack is over 200 days.
In the best case, 24% say they had not been attacked, and another 16% say they’ve only been attacked once, so together, that’s 40%. That means 60% of the respondents in this global, unbiased survey had more than one successful attack. Cybercrime is a full-time business, and if they can successfully get money from you once, they’re going to wait six months, and when they need more, they’re going to treat you like an ATM. They’ll come back and say, “Hey, do you think you fixed all those holes? Oh, cool. One’s not fixed. I’ll just enter my PIN and get more money from you again.”
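The arithmetic behind those survey figures is simple enough to sketch out:

```python
# Reproducing the survey arithmetic from the report's published figures.
no_attacks = 24   # % of respondents reporting zero ransomware attacks in 12 months
one_attack = 16   # % of respondents reporting exactly one attack

at_most_one = no_attacks + one_attack   # 40% had at most one attack
more_than_one = 100 - at_most_one       # 60% suffered more than one successful attack

print(f"{at_most_one}% had at most one attack")
print(f"{more_than_one}% had more than one successful attack")
```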
The frequency of ransomware attacks is an important metric.
We’ve heard some interesting stuff from customers. One gave us the insight that the attackers didn’t even know that the attack was successful. It was only a while later that the customer’s organization got a message that said something like, “Oh, I guess my attack was successful. Now you give me money.”
That indicates that ransomware attacks are automated. They’re AI-driven software. So there doesn’t have to be somebody pounding away at a keyboard for these things to happen. As Jason said, they could be quietly propagating undetected, or it hasn’t registered with the hackers yet that they have successfully breached your system.
Combine that with frequency, and it’s scary!
It’s kind of like how exterminators work, in reverse. They throw six or seven traps in your attic and come back in three or four weeks to find out which traps actually caught something, right? It’s the same kind of deal, only the hackers’ traps are their malware, and unfortunately, you don’t get to lay any traps of your own in advance.
Or your traps get so full they can’t stop the number of rodents or bugs.
Recoverability After a Ransomware Attack
Another thing to understand is that after an attack, the average percentage of data that is recoverable is 64%. So, every time you have a massive attack at scale, be prepared for roughly a third of your data to be lost.
What enhancements does Global Data Vault provide if a customer gets attacked and their data is compromised?
Enhanced Data Protection
If 64% of data is recoverable, how do we help with that? In a lot of cases, customers are completely unable to recover their data. It’s the nature of ransomware attacks. The virus tries to encrypt the data, and if it can’t encrypt it, it deletes it. If it has the permissions and the appropriate access, it will delete local backups, cloud backups, and anything else that it can get to, so we’ve seen customers get hit and lose a hundred percent of their data.
Global Data Vault has a method in place called Enhanced Data Protection. We bring some extra protection capabilities to the table to give customers peace of mind.
Of the last five customers that were hit, we recovered 100% of them using the Enhanced Data Protection that we provide.
Real World Outages
It’s not fun to talk about ransomware, but it is what’s top of mind for a lot of organizations. That’s not the only thing that causes outages, though. The data protection survey asked what the causes of outages have been over the past two years. For two years in a row, the most impactful outage has been a cyber event.
The first thing that the ransomware attacker wants to do is infect the backup repositories, and that’s where Enhanced Data Protection becomes really interesting and arguably a strong differentiator for Global Data Vault within your space. But if the only thing we were solving were ransomware, BCDR would not be the business that it is today. It’s worth noting that the top two most impactful sources of outages are humans. We’ve got ‘bad humans’ in the number one slot, and then not that far behind them are ‘silly humans.’
The user that took last month’s spreadsheet and overwrote it with this one. The user that took a gorgeous, Windows-based PowerPoint file and boogered it up, because they used a Mac. I’m poking fun, but you know there are bad users, and then there are silly users, and those are the top two causes of outages.
Even in 2022, the most common cause of outages is stuff breaking, right? Infrastructure breaks, hard drives die, applications crater, OSes patch badly. Stuff still breaks, and all those reasons why we’ve been doing business backups for the last 30 years still apply, even in 2022.
One of my favorite things about Veeam has always been Instant VM Recovery®. The ability to recover a VM directly from a backup file without restoring it first is huge! It allows for a bit of protection against primary storage or hypervisor host failures and provides faster recovery overall.
So, two-thirds of the cause of outage list can be solved with one feature of Veeam Backup & Replication™. Then come some of the added features. We didn’t have cloud options back in the day. We had, ‘Here are my computers, here’s what I am dealing with, and here’s my backup.’ So we had to come up with ways to get around it.
It wasn’t until technology advanced more that we saw the cybersecurity events on the list. People are doing more things and are able to click on the wrong buttons themselves. Hopefully, best practices like least access and zero trust methodology negate some of that, but it’s a really compelling story. It’s interesting that even today, so much still depends on physical things that can break.
Another problem is assuming that when stuff breaks, the cloud is a silver bullet that makes all the bad stuff go away, and that’s just not true.
We can talk about physical and virtual and multi- and hybrid cloud architectures. It doesn’t matter, and cyber doesn’t care. You can delete a file from cloud storage just as easily as you can delete it on-premises. Amazon’s hard drives can still break, and your Windows instances can still patch badly, even when they’re cloud-hosted. In none of these outages is the cloud a silver bullet that absolves you.
While you’re probably not going to fail over Office 365 or Salesforce, just because you decided to run part of your business as a service instead of a server does not absolve you of five-year retention mandates or data destruction mandates. All those regulatory mandates around data protection still apply, even if you don’t own the metal.
The vast majority of outage causes are not acts of God. Hurricanes and fires didn’t even score 1%, which is why they didn’t make the charts in the report.
In cybersecurity webinars, I am always talking about what you should be doing and what you should be thinking. But you only hear that from me, right? It’s really great to have a source like the Data Protection Trends Report to reference, and I want to encourage people to download it from https://vee.am/DPR22.
Jason mentioned a silver bullet, and we’ve talked about the ease of DR as a service. It’s not all Hollywood makes it out to be, and it isn’t magic. In the movies, we see people furiously typing away on keyboards, and suddenly they’ve hacked into the infrastructure. Real-life is not like that.
It’s still technology, and we still have hard drive speeds and internet speeds and copper and fiber and all of these limitations to our capabilities. So the truth about DRaaS is that it’s not going to happen overnight.
Now, bringing up the systems, the applications, and the workloads is almost magical. Don’t get me wrong, there’s some pretty cool stuff behind the scenes that enables that to happen very quickly. It’s getting the data back and putting things back as close to the way they were as possible that takes a while. We have to somehow get data from our cloud, or any cloud, back to where it’s supposed to be, and that isn’t necessarily a quick process.
Unfortunately, Hollywood has a big part in this, and so does marketing; no offense to all the marketing people, but they tend to play up the best and brightest points, and the truth sort of gets left behind to be experienced later. When we look to recover, we’re always going to do the critical components first. Sometimes people complain that they can’t get into their print server or some other lower-hanging fruit that isn’t necessarily critical to running the business, but traditionally, the critical components come first. Part of creating a disaster recovery plan is identifying what those systems are, in what order they should come up, how you should recover them, et cetera.
Also, you should plan for who’s going to be in charge of what and who’s going to manage which processes, because when outages are going on, tensions are high and things are happening fast. We have to set expectations that we, as a cloud provider and DRaaS provider, have to protect ourselves. We store petabytes of data, and we operate under the assumption that any of it could be infected with malware (it’s not, don’t worry). But we have to think of ourselves, because if we have one instance where we let something into our environment that shouldn’t be there, we put those petabytes of data at risk.
So sometimes, a DRaaS provider will tell you no. They may say, no, we cannot do that for you, even though it seems so easy, because we have to take a step back, protect the rest of the data that we have, and make sure we’re not propagating anything to anybody else. I want to be transparent here and state that things aren’t magic. We’re doing everything methodically, accurately, and safely to get your business back up and running. We do it well with Veeam.
There was something that I hoped you’d cover today, and that is Enhanced Data Protection. That, to me, is actually one of the most interesting and differential features in the Global Data Vault portfolio.
Yes, we extend the 3-2-1 rule with Enhanced Data Protection. Basically, to the three copies of data, two different media, one offsite, we add an additional copy offsite. What that looks like to a tenant, a customer, is that a copy of their data disappears. We take it; we air-gap it. We keep that copy somewhere else that is inaccessible from the customer network; therefore, it is inaccessible to any ransomware viruses, accidental deletions, insider threats, you name it. Anything that originates from the customer’s network cannot touch this data.
We do some cool things with it by keeping an entire copy of the backup chain in that repository at all times, so if something happens to your incrementals, or something gets mucked up in your repository and you can’t recover, we can recover from different restore points. We can go back in time, not necessarily just to the most recent backup, to get what you need from a point before the data was corrupted or infected.
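To make the idea of going back in time concrete, here’s a minimal sketch of what selecting a clean restore point from an air-gapped backup chain might look like. Everything here (the record layout, the "clean" flag) is hypothetical and purely illustrative; it is not Global Data Vault’s or Veeam’s actual implementation:

```python
# Illustrative sketch only: pick the newest restore point that predates
# a corruption/infection event, from a full + incremental backup chain.
from datetime import date

# Hypothetical air-gapped chain, oldest first. "clean" marks points
# verified (e.g., by scanning) to predate the infection.
chain = [
    {"point": date(2022, 3, 1), "kind": "full",        "clean": True},
    {"point": date(2022, 3, 2), "kind": "incremental", "clean": True},
    {"point": date(2022, 3, 3), "kind": "incremental", "clean": False},  # infected
    {"point": date(2022, 3, 4), "kind": "incremental", "clean": False},
]

def latest_clean_point(chain):
    """Walk the chain newest-first and return the most recent
    restore point that predates the corruption, or None."""
    for rp in reversed(chain):
        if rp["clean"]:
            return rp
    return None

rp = latest_clean_point(chain)
print(rp["point"])  # 2022-03-02
```

The point of keeping the whole chain in the isolated repository is exactly this: even when the most recent backups are compromised, an older, clean point is still there to recover from.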
The other cool thing it enables relates to disaster recovery testing. Everybody should do it. If you’re not, stop, drop, and test. We build disaster recovery as a service into what we do, and we base a lot of things on backup files, so when you send a backup to our repository, we use that data to run a disaster recovery test: we test your backups, make sure everything comes up, et cetera. If you have Enhanced Data Protection, we can actually do the disaster recovery test from that data, so we are testing it as well. We are then not interfering with your primary backup files; they can do their backup merges and continue as usual, since we’re testing your data from a different source. That’s just yet another value-add that EDP brings.
I will never forget the first time I was talking with some of the GDV staff about ransomware preparedness. GDV has actually produced some of what we call Vanguards, which are our best, brightest, most influential and awarded outside influencers. One of your engineering leaders, Steven New, was talking about Enhanced Data Protection, and the folks on our side were just super impressed. That’s pretty amazing as far as what you do there, so in the context of a ransomware conversation, everybody should understand the power that a cyber-preparedness perspective provides.
Definitely. We offer BaaS and DRaaS, but we don’t feel that BaaS is a complete solution. If it’s something somebody wants, we do offer it, and we offer Enhanced Data Protection with that. So from basic to full, we’re going to offer that solution to you. Obviously, it doesn’t work with something like Backup for Microsoft 365; that’s a little bit different data source and solutioning there. But we can make it work with BaaS, DRaaS, cloud, on-premises, hybrid, anything like that. We can provide Enhanced Data Protection for it, which is something that I personally don’t think anybody else can do.