A large number of workers use mobile computing platforms (laptops) to perform work both in the field and in the office. With a global pandemic in full swing in the last few months, more workers have been sent home with laptops and told to be productive. Despite the fact that organizations are constantly spending large sums of money on software-as-a-service and cloud-based applications, large amounts of data are still being generated by laptop users and kept by those users on their laptops. There are several different ways to perform laptop data protection, including using local hard drives or cloud-based services to constantly protect the laptop. These tools aren’t materially different from the tools used by enterprises to protect servers, data, and applications in the data center, and deliver a high degree of reliability and recoverability in the event of a hardware failure or accidental file deletion. They normally support monitoring and reporting and generally protect everything on the laptop by default.
I Sync, I Share, I’m Okay
Sync and share file tools are a relatively new enterprise capability. Gone are the days when users could only work on data stored on file servers on the corporate network. And gone are the days when working remotely meant taking a copy of a file home with you to work on and then copying back to the file server on Monday morning. Now there are tools available that mean you can access your files wherever you happen to be, and frequently on devices that didn’t even exist ten years ago. There are many sync and share tools available, including Box, Dropbox, and Microsoft’s OneDrive. They offer a variety of different features, but all of them offer the ability to store data in various cloud environments for access across many platforms. While these tools offer varying levels of data integrity and security, they don’t fall in the same category as traditional data protection tools.
OneDrive
There is no service level agreement in place for the recovery of data with OneDrive. It has been designed as a way to store files locally and have them synchronized across many devices. It hasn’t been designed as a tool to protect your data, and if it’s a little slow to get something back from OneDrive when you’ve zapped a file on your laptop, it’s because you’re using a tool for something it wasn’t meant to do.
I’m not suggesting that Microsoft isn’t doing anything to protect your data when it’s stored in OneDrive. There’s a very useful article you can read that outlines the effort it takes to protect your data, including security measures and replication of data. This doesn’t mean, however, that these protections can’t be easily defeated by human error or malfeasance. For example, your end users could decide simply not to store data in the OneDrive folder.
In a well-run organization, measures would be put in place to ensure that data is always stored in OneDrive, with Group Policy used to control the configuration of the laptop to protect the users from themselves. How many times though has the hapless administrator been hassled by the executive user or a rambunctious salesperson to just sort out the laptop so they don’t have to do that? It seems farfetched until you see it happen and realize that it happens more frequently than you’d like to imagine. How about the smaller environments, without a lot of IT staff support, looking for ways to protect laptop data but without the means to set up a robust configuration?
What if you have users working around OneDrive, or just not aware of how it works or how they should be storing their data? What if something goes wrong with OneDrive, or it’s been disabled by a user? There’s no centralized reporting of the fact that happened by default. The notification will usually go to the end user, particularly in smaller environments where there isn’t a lot of IT capability. Your end users? They’re not reading those notifications. Most of them are diligently ignoring pop-ups and have thousands of unread messages in their inboxes.
Finally, there is the issue of ransomware, which can encrypt all files stored in OneDrive. This encryption would immediately be replicated to OneDrive in the cloud. While the unencrypted versions should still be available, the restore process requires three steps: restoring the cloud version of OneDrive, deleting all local data, then resynchronizing your entire OneDrive. A robust backup and recovery service could do all of that in a single step.
When It Goes Sideways
There are all kinds of things that go wrong with corporate laptops and cause data loss. These events range from the obvious (hardware failure, theft, sudden liquid ingestion), to the unfortunate (files being deleted accidentally, software update failures), and the malicious (ransomware infection and bad actors). When something goes wrong, replacing the hardware is often the easy part. If you’re not backing up the laptop configuration, it can be a real pain to replace the laptop and get it back to the state it was in as the end user experienced it. Invariably you need to reconfigure it with the user’s account, their applications and related settings, as well as every customization that user has made to the device. There is wasted time and cost associated with getting everything back to “just right”. Then there’s the time it takes to bring whatever data you were storing on the laptop back from wherever you (hopefully) had it stored. As I said before, mature organizations have this in hand to an extent and have control over this reinstallation process. Nevertheless, it is a process, and it can take some time to rebuild a laptop from scratch, even with robust automation tools in place. These processes are also more complicated at the moment due to COVID-19 and everyone working remotely. I’ve had experience working in smaller environments, and we did not have these controls or processes in place. When something went wrong, a new laptop was acquired, and, depending on the technical capability of the end user, little was done to assist with the return to productivity.
Recovery with Druva, on the other hand, is a snap. When the end user receives the new laptop and activates Druva inSync for the first time, all of the system and app-related settings are automatically carried over to the new device (if the user chooses to do so). This allows for completely remote replacement of a device, something that is even more important in the current environment.
It’s Not Just Data Loss, It’s Leakage Too
Data protection isn’t just about ensuring that you can recover your data in the event of a failure. It’s also important to ensure that it’s secure and doesn’t get into the hands of people who shouldn’t have access to it. The process is known as data loss (or leakage) prevention (DLP) and stops data from being taken or sent where it shouldn’t be sent. There are a variety of ways this is controlled on laptops, including locking down USB ports and preventing access to third-party sharing tools. Another common DLP feature is remote wipe, which is used to delete all sensitive data on a device when it is lost or stolen, or someone leaves the company and does not return their device. If you have users handling sensitive data on laptops, remote wipe is a critical feature. As of this writing, OneDrive does offer some DLP features, but it does not support remote wipe.
The Right Tool for The Job
People back up laptops for different reasons, including regulation, control, and data protection. It’s important to use the right tool for the job when you’re tasked with protecting your organization’s data. It’s my opinion that OneDrive is a fantastic corporate sync and share tool that runs across a variety of platforms and does a great job of managing data on a variety of end user devices. OneDrive is not a backup, however, it’s a thing that needs to be backed up. With Druva inSync endpoint protection, on the other hand, you get backup, eDiscovery, data loss prevention, and compliance monitoring, all in the one package. When combined with centralized monitoring, mobile device management integration, and single sign-on support, Druva looks to be a pretty compelling option for laptop data protection.
