Google Cloud Backup service expands with vault offering
The latest updates to Google Cloud's backup and recovery offering add immutable and invisible data vaults for VMs and databases, alongside other features.
Google Cloud backup admins will soon be able to create immutable data vaults invisible to users by using new features coming to Google Cloud Backup and Disaster Recovery Service.
These features, available in preview today, include the backup vault, integration with Compute Engine virtual machines, and updated management and governance backup options.
Backup vaulting services have become a common offering for hyperscalers, including AWS and Microsoft Azure, according to Jon Brown, an analyst at TechTarget's Enterprise Strategy Group.
Such capabilities are a way to keep additional data backups available for recovery in the event of a cyberattack or data loss due to human error, he said.
"This is table stakes at this point," Brown said. "But it's good they're doing this, and 100% necessary."
Vaulting in Google Cloud backups
The backup vault provides immutable and indelible data backups, meaning they cannot be modified or deleted, within a Google-managed project that is logically separated from a customer's Google Cloud project.
The vaulted backups are only accessible through Google Cloud Backup and Disaster Recovery Service APIs and console services, and are not accessible or visible to an organization's users.
Supported services for the vault capability currently include Compute Engine VMs, VMware Engine VMs, Oracle databases and SQL Server databases, according to Google.
Developers or platform administrators creating new Compute Engine VMs can choose backup policies and opt into a backup vault for data at the time of creation and provisioning. When generally available, the vault service will offer access through APIs and Terraform by HashiCorp, an infrastructure-as-code software tool.
Schrodinger's vaults
Air-gapped backups are copies of data stored separately from a local network or the wider internet to maintain their integrity.
Backing up data in a cloud service doesn't automatically constitute an air gap for data security, said Phil Goodwin, an analyst at IDC, as the cloud itself is a massive network of computers connected to the internet. Instead, additional safeguards are needed to isolate data through user or network access controls -- a process referred to as logical air gaps.
Customers of vault services should ensure these backups are immutable, available and untainted for recovery from disasters or cyberattacks, Goodwin said, regardless of the delivery mechanism.
"That's rule No. 1 when recovering from any event," he said.
The logically air-gapped vaults have become a staple service for backup vendors, according to Krista Case, an analyst at Futurum Group.
A vault service may provide a convenient way to offload and protect data following the 3-2-1 backup strategy, where three copies of data are stored on two types of media and one copy is stored off-site, she said. But the level of protection needed for backups is determined by a customer's industry, legal regulations and specific technology needs.
"For any cloud-hosted data vault, the ability to be truly air-gapped is debated amongst IT operations," Case said. "Not all industries, regions and customers in general are at a place where they can, or want to, use a cloud-hosted data vault compared to a traditional, on-premises, physically air-gapped solution."
Tim McCarthy is a news writer for TechTarget Editorial covering cloud and data storage.