
Backupify - Securely Backing up the Cloud from the Inside Out

Backups are a necessity because, let’s face it, hardware fails, users make mistakes, and hackers have no issue wiping the server after they’re done with it. Organizations therefore make backups a key part of their business continuity and incident response plans. What about the data stored in that mythical cloud? How is it protected?

SecurityWeek recently spoke with a company that wanted to answer that question.

The company in question is Backupify. Founded in Kentucky in 2008 and now headquartered in Cambridge, Mass., the company isn’t a giant by any means, but they’ve grown quite a bit over the past few years, and demand for their offering is rising. Why has the demand grown? It’s driven by the need to retain an ever-increasing amount of data. In addition, backups have expanded from an onsite enterprise need to one that touches hosted environments as well.

Unlike other SaaS backup vendors, Backupify is a little different. I’m not going to lie, I’m always skeptical of any company that claims to be unique when they’re in a market with scores of vendors that do the same thing. Yet, they’ve got something good going on, and what got my attention the most was the level of transparency shown at our first meeting.

Last month, during the RSA Conference, SecurityWeek spoke with Ben Thomas, the VP of product development and security. He’s energetic and extremely proud of the company, and it’s clear that he has a large amount of personal investment in it. We met with Thomas because of some news that came out shortly before the conference started. Backupify had just completed a penetration test performed by Rapid7, and they were willing to talk about it.

Testing performed by Rapid7 isn’t cheap. An audit from them can be quite pricey, but it’s worth it if the goals of the test align with a given organization’s security needs. Thomas selected Rapid7 because he preferred a local vendor, and he wanted to form a relationship based on trust and hands-on testing, not a general website scan. Backupify passed the penetration test. We confirmed the results with Rapid7, and as an additional check, we spoke to the Rapid7 employee who performed Backupify’s test himself to confirm the data we were shown.

(Note: After talking to both sides, we can report that Backupify did indeed pass and no major security problems were reported; however, we cannot reproduce or cite the report for confidentiality reasons.)

At the same time, the penetration test was just one part of their security enhancement plans. They also use bucket-level versioning on Amazon S3, which gives them multiple copies of a backed-up file from the moment the original is altered, and the AWS multi-factor authentication delete capability, which hardens the deletion process.
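
As an added illustration (not code from Backupify or the original article), the following checks the two S3 settings described above against the response shape of the S3 GetBucketVersioning API. The function names, bucket names and sample responses are constructed for the example.

```python
"""Audit S3 GetBucketVersioning responses for versioning and MFA Delete."""


def audit_versioning(resp):
    """Return findings for one bucket; an empty list means both controls are on.

    `resp` is a dict shaped like the GetBucketVersioning response, e.g. what
    boto3.client("s3").get_bucket_versioning(Bucket=name) returns. Both the
    "Status" and "MFADelete" keys are optional in that response.
    """
    findings = []
    status = resp.get("Status")
    if status is None:
        # A bucket that has never had versioning turned on returns no Status.
        findings.append("versioning never enabled: an overwrite or delete destroys the only copy")
    elif status == "Suspended":
        # Older versions are kept, but new writes no longer create new versions.
        findings.append("versioning suspended: new overwrites are not preserved as versions")
    elif status != "Enabled":
        findings.append("unexpected versioning status: %r" % status)

    if resp.get("MFADelete") != "Enabled":
        # Without MFA Delete, credentials alone can permanently delete a version
        # or change the bucket's versioning state.
        findings.append("MFA Delete not enabled: versions can be purged without a second factor")
    return findings


# Constructed sample responses (hypothetical bucket names), not real data.
SAMPLES = {
    "backups-hardened": {"Status": "Enabled", "MFADelete": "Enabled"},
    "backups-no-mfa": {"Status": "Enabled", "MFADelete": "Disabled"},
    "backups-suspended": {"Status": "Suspended"},
    "backups-never-versioned": {},
}


def audit_all(samples):
    """Map each bucket name to its list of findings."""
    return {name: audit_versioning(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLES).items():
        print(bucket, "OK" if not findings else "; ".join(findings))
```
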

This is on top of the practices within the company itself, the stuff their customers never see. Secure development and design are a core part of the engineering process. The reason for the baked-in security approach is twofold: for one, Thomas is a security guy himself, so it comes as a habit, and it just makes sense in order for their customers to trust them. Backupify was founded on the principle of trust, after all.

So while the company was built with a security mindset, and it is baked into the product, what exactly do they do? They make backups of all of your cloud data, and their most popular service is focused on Google Apps. You may not know it, but in January, 94% of the seats used by Google Apps belonged to just 15% of the companies that use the service.

As it turns out, when a company starts their free trial, Google’s API reports the total number of seats that organization uses. This offers some interesting data, such as the fact that of the organizations with 1,000 or more users, 40% of them are educational domains. Another tidbit is that the average amount of space stored in a Google Apps account is 2GB, and of that 97% of it comes from Gmail. With that said, it should surprise no one that the number one reason for data loss in Google Apps is human error, and that’s exactly what Backupify wants to cut down on.

Again, backups are something that just happens in IT, a long-standing process that will never go away. The ability to back up and restore single items or entire users with a click of a button, for about $3 per user, is a huge deal for some organizations. Backupify had just over 3,000 customers when we talked to them, but that’s bound to change now that they offer backup solutions for Salesforce (it’s called Snapshot, and it’s a one-time backup and download service for an entire Salesforce CRM).

In addition to Salesforce and Google Apps, Backupify also allows customers to save social media accounts, including Flickr, Twitter, Facebook, LinkedIn, and Blogger. At the same time, demand is leading them to develop offerings for other services too.

When it comes to archives, not only is the data stored in the cloud by Backupify, but customers can download those backups and keep them internally. This is just another feature to ensure that their customers retain full control over data. There are other granular management controls too, such as searching and data retention policies.

Overall, they’re affordable; they have a solid system in place to help organizations in the cloud deal with backups just as if the data was in-house; and the entire platform was built with security in mind from the start. Not bad for a company that you’ve probably never heard of.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.