Premise. Enterprises moving to the cloud must sustain necessary IT capabilities. At the same time, digital business transformation increases the importance of some IT capabilities. Data protection, in particular, is an IT capability that becomes more important in a digital business – and more challenging in a multicloud environment. Digitally transforming large enterprises requires a clear approach to multicloud data protection.
Data protection is moving from historically being an IT task to a strategic business imperative. The reason is simple: As businesses undergo digital business transformations, they must treat their data – the basis for any digital business strategy – as a valuable asset. Like any asset, data must be protected to establish data quality, availability, and integrity. Indeed, Wikibon’s clients increasingly agree that in a digital business world, data protection is evolving into digital business protection.
However, data isn’t like other assets. Data can be copied, shared, and moved at almost zero cost and with zero loss of fidelity. Indeed, the challenge for digital businesses is to appropriately privatize data, ensuring that the business can control how and for whom its data creates value – and risk. The tactical backup/restore legacy of data protection tooling is morphing into a strategic imperative for data asset management.
The emergence of cloud makes the data protection problem more complex – and more strategic. Increasingly, an enterprise’s core data is associated with a SaaS application or a multi-tenant cloud relationship. Cloud can accelerate application delivery, which is a very good thing for a business, but often the developers or application owners pushing for speed under-value the need for operationally sound and certain data protection. Decisions regarding data asset exploitation and protection are among the most important facing any digital business. Only a strategic approach to data protection can optimally generate the returns and limit the risks of digital business options.
Amidst digital business change, enterprise leaders and IT professionals are exploring different avenues to satisfy their digital business imperative. To understand the paths they’re taking, Wikibon conducted a series of Crowdchats, online gatherings of the Wikibon community, about multicloud data protection. On 8 November 2018, 37 members of the Wikibon community gathered to discuss multicloud data protection, reaching over 850,000 IT decision makers. On 29 January 2019, Wikibon conducted a second Crowdchat on the relationship between data protection and emerging multicloud operating models (MOMs). That Crowdchat included 41 industry experts who collectively reached 1.1 million IT professionals and produced the survey data presented in this Voice of the Community paper.
Data Protection Is a Strategic Digital Business Capability
Every business organizes its people, engagement practices, workflows, and business models around the assets it considers differentiating and valuable. Increasingly, Wikibon clients use the notion of “strategic business capability” to describe how assets, organization, and actions are sustainably aligned to ensure that the business can efficiently and effectively perform the essential work demanded by customers, markets, and legal environments (see Figure 1). An insurance company, for example, requires the capability to manage claim lifecycles, or it will cease to exist. Fully formed “capability networks” describe how a firm’s map of capabilities – which can easily number 200 or more at a high level of abstraction – work together to serve a business’s mission and stakeholders.
Figure 1. Example Map of Strategic Business Capabilities, Emphasizing IT
Historically, IT capabilities have been treated as “enabling business.” These include capabilities like application delivery, resource management, performance and change management, tech service and process management, and tech support. While connected to almost all other business capabilities through the business’s information flows and exploitations, IT capabilities often aren’t regarded as “strategic” because the business value they produce typically shows up as increased productivity in other functions like finance, sales, and marketing.
However, the most fundamental difference between a business and a digital business is that a digital business uses data assets as an organizing principle (if not the organizing principle) for an enterprise’s value proposition, engagement practices, and profit-making operations. Every business, therefore, must invest in strategic business capabilities that can efficiently and effectively perform new classes of digital business work. In terms of IT functions, business capabilities that become strategic include capabilities like cybersecurity, strategic vendor management – and data protection.
Data protection has a decidedly unsexy past, but Wikibon believes it has a smoking hot future. Data protection began with a focus on recovering from standalone hardware failures. During this period, the main concerns (in addition to cost) were (1) how much work did you lose (recovery point) and (2) how long does the recovery process take (recovery time). As the relationship between application availability and business performance matured, disaster recovery and business continuity were added to the data protection taxonomy. Consequently, data protection has evolved to provide important security and data movement functions. Most recently, the emergence of privacy ethics and regulation (like GDPR) has added the need for greater data management services. As a result of these changing demands, most members of the Wikibon community expect to expand investments in data protection (see Figure 2).
Figure 2.Data Protection More Important
However, as enterprises adopt multicloud architectures, the evolution of data protection will enter into a new, strategic phase for business. Why? Because:
- Data will feed more diverse value streams. It’s common to say that “data is the new oil,” but it really isn’t. Data is the basis for the next generation of economic value creation; that is true. But the same drop of oil can’t be applied to multiple uses – say, to power your car or turned into a plastic hula hoop – at the same time. Data is different. The same data can be copied and applied to multiple uses without loss of fidelity. Today’s customer data becomes tomorrow’s product strategy insight. That simple difference – that data can be copied, moved, and combined at nearly zero cost if properly managed – is driving new data protection requirements. But the key phrase here is “properly managed.” The right approach to data protection will ensure appropriate data quality while minimizing barriers to data reuse.
- Data will be more distributed. Virtually 100% of large enterprises, and the vast majority of mid-sized enterprises, will eventually adopt a multicloud approach to their cloud operating model. Otherwise, businesses would be locked out of SaaS and managed service options and locked into IaaS choices. Indeed, the cloud is better thought of not as a technology for centralizing data, but for more simply distributing data, close to where it is created and/or will be used. In other words, the cloud dramatically expands distributed data options. Ultimately, the right approach for data protection will be to move data protection services to the data, and not necessarily moving data to data protection services – a statement strongly supported by the Wikibon community (see Figure 3).
- Data sources are exploding. Mobile and edge computing is expanding rapidly. Each of these devices – and all the software running on them – is a potential source and target of data. As instrumentation turns more products into “services,” adds automation to assets, and includes health informatics, more – and more important – data must be protected in accordance with increasingly diverse policies and laws. The right approach to data protection must account for tomorrow’s scale and scope of data sources, accommodating diversity where it is a source of business value.
- Data security is a “must have” in business. As data increasingly evolves into a highly valuable business asset, the range of security requirements expands. Yesterday’s backup and restore services might have focused on the physical security of tape robots, but tomorrow’s complex array of data-based value streams must be protected both from inadvertent human errors and malicious attacks from bad actors. Ransomware, corporate espionage, and IP theft are just a few of the potent attacks on data that must be thwarted. The right approach to data protection must mesh with advanced data security practices and technologies to assure that the data that must be available and integrous to keep digital business up and operating actually is.
Figure 3. Multicloud Data Protection Operating Model
Paths to Establishing a Strategic Data Protection Capability
The centrality of data in digital business models demands a modernized approach to data protection. But the key word here is “modernization.” Data protection technologies will specialize based on the characteristics of the data that must be protected. This includes data associated with high-value traditional applications (HVTA) that run today’s business operations. Businesses must weave together a data protection capability that doesn’t force application migrations just to fit one or another bucket of cloud services. The need for a more modern approach to data protection is driving investment in these technologies, according to the Wikibon community (see Figure 4).
Figure 4.Cloud Data Protection Service Objectives
Wikibon believes that enterprises will have three broad alternatives to establishing a strategic data protection capability (see Figure 5). They are:
- Master multiple “stack-specific” approaches to data protection. Data protection is not new. The precepts have been around for decades and have been manifest in a wide-array of environment-specific toolkits. Thus, we’ve seen successful data protection suites for mainframes, client/server, web app, and now clouds like AWS or Azure. Generally, these “stack-specific” data protection suites work well. However, a proliferation of stack-specific data protection suites can lead to suboptimal enterprise data protection capabilities. Each stack-specific suite engenders specific processes and tools that must be mastered. This is no small problem. Wikibon research shows that the opportunity cost (mainly lost revenue) of failed data restores due mainly to human error can exceed $1.4 billion over 4 years in a $5 billion business. Moreover, given the different business models of different classes of stack supplier, the vendor management challenges of this path can be daunting.
- Employ a federated data protection technology model. Specialized data protection needs can call for specialized classes of data protection and data management services, but it’s increasingly possible for enterprises to take a federated approach that provides both rich data protection services and simplified data protection operations. Federated technology models have been imagined for decades, but only recently are becoming real in the data protection world. Essentially, a federated approach allows for the optimization of local data protection function under the control of global policies and processes. Typically, this involves the use of specialized data protection appliances, software tools, and cloud-tier services that all operate according to a common data protection management platform. The result can be improved data protection policy management, visibility into performance of local data resources, time-to-problem discovery, and streamlining of remediation tasks and times. Enterprises that choose a federated approach cannot just employ a transactional governance model with their vendor. Rather, they must align their capability management with the technology approach, innovation schedule, and overall strategic agenda of the vendor.
- Orchestrate data protection services as part of application management. Some applications (e.g., SAP) are central enough to an enterprise that they attract data protection technologies built just for that application, especially in the realm of data privacy regulation. Enterprises that choose this path can avoid some of the proliferation of the stack-specific approach. However, as applications are more deeply networked together in an effort to generate derivative value streams from application data, impedance mismatches of function and service quality can become overwhelming. Moreover, during a period of crisis, discordant application priorities and policies can collide. While this approach can optimally protect specific high-value applications, it probably isn’t ideal for pursuing a strategic enterprise data protection capability.
Figure 5: Three Data Protection Capability Options
Federated Data Protection Will Work Best for Most Multicloud Operating Models
Wikibon believes a federated approach to establishing a multicloud data protection capability will work best for most enterprises. Ideally, it becomes part of the enterprise’s plan for establishing a multicloud operating model (see Figure 6). That means:
- A data protection capability must evolve to support multicloud operations. While finding tooling that can protect data on different technology stacks, including cloud stacks, is relatively easy, weaving them together to support a multicloud operating model is not. Moreover, a multicloud operating model creates new and shifts old technology priorities. For example, multicloud operations requires the enterprise to protect application build and test data to support rapid, agile application delivery. Additionally, cloud-native technologies, like Kubernetes, must be embraced by any strategic multicloud data protection capability – embraced in both “exploiting” and “supporting” terms. A federated approach to data protection can simplify ops, lower data sharing barriers, and be controlled by a data-first control plane. Moreover, it’s the best bet for simplifying operations in ways that encourage rapid evolution of increased automation.
- Data protection suites must evolve multicloud delivery options. Cloud stacks typically include data protection services – for that cloud stack – delivered utilizing cloud-native, subscription-oriented, and elastically-scaling business models. To provide the same flexibility across all data protection needs, federated data protection suites must evolve similar packaging and pricing models. No enterprise wants to invest to get rid of archaic data protection functions, processes, and capabilities only to replace them with unwieldy procurement, licensing, and service regimes.
Figure 6. A Strategic Data Protection Capability Is Core to a Multicloud Operating Model (MOM)