StorageCraft Technology Corporation

The changes in the regulatory landscape have had a significant impact on the area of data management and security. In the process of providing better protection and privacy for consumers, these changes have created a mixed bag of challenges and opportunities for all parties involved. Combined with existing mandates and changing requirements, the risks associated with failure to comply have made compliance management a daunting task for organizations of all sizes. Interestingly, not all is lost and there is a group of problem solvers waiting on the sidelines, ready to jump in for help.

Verizon’s 2015 PCI DSS Compliance Report found that four out of five organizations are still not compliant. This shocking statistic does more than uncover the glaring problem in the payment card industry. It also highlights the opportunity for third-party service providers to capitalize on the issue and assist struggling companies with their compliance needs. Adding Compliance-as-a-Service (CaaS) to your menu of service offerings is a strategic way for MSPs to not only attract new business, but cater to the regulatory requirements of existing clients as well.

Compliance is a virtual goldmine for service providers with the management expertise to simplify and satisfy the complex requirements associated with regulations such as HIPAA, PCI-DSS, and GDPR. At the same time, hopping on that bandwagon is akin to opening Pandora’s Box because of the requirements that come with the territory. MSPs must walk a fine line in order to ensure that the convoluted legal component of compliance doesn’t land them in hot water.

Lingo and Liability

Borrowing the “as-a-Service” moniker popularized by cloud computing, CaaS is far more than a cleverly named fad. It’s recognized as a legitimate industry on the rise. CaaS providers make their money by customizing solutions around individual compliance requirements. Their management efforts are designed to help organizations prioritize internal policies and processes per mandated regulation and rule. In a perfect world, CaaS is a cost-effective solution that enables regulated businesses to minimize the risk, cost and complexity of meeting compliance.

Trendy name aside, CaaS is a rather vague term that could be interpreted in more ways than one. Based on the name’s general nature, one might assume that the provided service involves direct handling or securing of confidential information. On the other hand, a potential customer may assume that it refers to managing internal processes typically performed by employees or actually guaranteeing compliance for one legislation or another. There’s ambiguity in the CaaS term that can lead to a lot of confusion.

Third-party providers are often needed to help with aspects such as auditing, storage management, and disaster recovery. These services come in handy and allow organizations to free up valuable time and eliminate some of the challenges associated with meeting industry regulations. However, the burden of achieving and maintaining compliance falls on the customer’s shoulders. Therefore, MSPs’ contracts should accurately describe service offerings and make it clear that those services alone can’t ensure compliance. MSPs should also consider avoiding the term CaaS altogether and invest in liability insurance for added protection.

Technology and Expertise

The same regulations and rules that have companies scrambling for compliance solutions can be equally perplexing for MSPs. Take the healthcare field, for example. HIPAA requires organizations to assess their level of data security risks, implement policies and technology to mitigate those risks, regularly report their assessments to industry regulators, and in worst case scenarios, notify regulating bodies within 72 hours should a breach occur. These and other responsibilities demand that MSPs acquire the security expertise to help healthcare organizations meet HIPAA compliance.

The move from MSP to CaaS requires a special set of tools and procedures. While the targeted field and legislation will determine the specifics, every successful transition is built around three key elements:

  1. Providing rock-solid security that prioritizes data protection
  2. Training personnel on the finer details of the regulations in question
  3. Integrating new technology in a manner that is consistent with billing cycles and overall service offerings

If there were ever a time to call on your vendor partners for assistance, this would be it. IT networking powerhouses like Cisco offer solutions that are a custom fit for MSPs and designed to support regulatory standards in numerous industries. These vendors can provide valuable insight into delivering compliance-friendly services, so there is a lot to gain from tapping into their expertise.

Practitioners in emerging businesses such as medical marijuana are buckling under the pressures traditionally regulated industries have been dealing with for years. When it comes to CaaS or compliance work in general, MSPs must be careful not to take on risks they cannot properly asses or manage—or the risk to their own business will quickly outsize the rewards.

View Comments

  • Hello,

    I'm just wondering if any of you have actually tested this scenario in the end and come to any conclusion since this article was published.

    Thank you!

    • Hello Octavian,

      Thank you for asking. To be honest I haven't tested this theory, though it's been on my "to do" list since the question first came up. Have any of our other readers tried storing backup images on a Server 2012 deduplicated volume? I would be interested in at least two qualities of this test: 1) how much storage can be freed using this process (as a percentage of the original data size), and 2) is their any discernible difference in I/O speed compared with a data volume that isn't managed? I'm interested in your comments.


  • you missed so many important factors. just don't bother writing an article like this if you don't provide all the information, its far too dumbed down. you have probably lead astray some poor network/system admin who will choose to back up to disk and sacrifice his companies data retention for cost. you don't know the cost of the average company to lose recoverable data.

    • Hi Daniel,

      Thank you for your comments. Yep, there is so much to talk about with this topic. What information would you like to see in more detail? We're always looking to talk about the tech that interests our readers as well as what interests us.


  • This appears to no longer work on their 6.1 and 6.1.1 versions. I tried FAT32 and NTFS partitions as well.

    It appears they switched to some sort of linux boot to do this.

    • Hello Greg,

      Yes, there have been some updates to the process since I wrote this article in March of this year. We now have the StorageCraft Recovery Environment Builder for Windows which does most of the heavy lifting. This means I don't have to come up with creative solutions using unsupported third-party software to create a bootable USB, I can make a bootable USB natively with the Recovery Environment Builder.

      Some of the benefits of using the builder include the ability to add custom drivers to the recovery environment during the build process, faster boot times because each build is language specific, and the builder is able to leverage the latest Windows PE (currently Windows 8) with the latest Microsoft drivers and security fixes.

      The Recovery Environment Builder creates ISO's using the Windows ADK you have locally installed. These ISO files can be used to boot a virtual machine or they can be burned to CD/DVD or USB using the Recovery Environment Builder application. StorageCraft also provides an ISO Tool utility which comes free with StorageCraft ShadowProtect. This tool can rip, burn, author and mount/dismount ISO files and makes a handy addition to your IT toolkit. This ISO Tool can also be used to burn bootable CD/DVD drives using the ISO created by the Recovery Environment Builder.

      Basically we're trying to make your recovery process as easy and fast as possible, which is why the Recovery Environment Builder now creates customizable ISO's in several "flavors" of the recovery environment (e.g. IT Edition) and burns those ISO's to your available removable media. The builder application is your all-in-one solution for creating a bootable ShadowProtect recovery environment.

      If you want more about the ISO tool utility, check out this article:


  • I have a question with the following...your use of the Word "Host" in between the *stars* (see below)

    5. Regularly check the virtual machines’ event logs for VSS errors as they can indicate problems with the backup. This is good to do because when the *host* machine calls for a backup of the VM, the VM is asked to pause processes while ShadowProtect takes the snapshot

    Don't you mean "Guest"? As per you reasoning in the above statements, the "Host" is only backing up the OS drive. The ShadowProtect Client, that's installed on the VM "Guest" machine, calls for the backup itself, not the Hyper-V "Host".

    • You’re correct, we were referring to the guest. But, after further review, we noticed that the sentence you pointed out in step five doesn’t quite fit with the remainder of the post, so we’ve removed it. It is, however, still important to check the virtual machines’ event logs for VSS errors-- this is just a standard best practice to make sure everything is running smoothly.

  • The price of a microlized hypervisor is in case of Hyper-V, that it is to large to get fully loaded into the RAM. This could have backdraws if you lost the contact to the boot volume. I found an impressive demonstration about this topic @Youtube:
    In case of this, it seems VMware has still the better product.

  • Well done to Guy & Casey it's an excellent eBook, well worth reading and well worth keeping a copy close to hand!

  • I have no bone in this debate. However, I have used both agentless and agent based backup solutions in my 14 yr IT career. I am also a Certified Ethical Hacker and Certified Penetration Testet. That distinction is important to my comments below:

    1- The statement made above "It’s important to keep in mind that in order to take a true disk image for complete, fast bare metal recovery, something has to be installed on the machine." is false. This can be done by agentless, remote capability. I have done this myself.

    2- I have used the security holes proclaimed above to not exist to break into systems using the usually weak backup passwords. The machine was in fact running shadow protect. Yes the holes exist, yes it is up to the local IT folks to keep that in mind.

    • Hello David,

      Good points, and we respect your professional opinion. It's true that the perfect system has not been created yet, meaning that every system is imperfect in some way. With this in mind we are attempting to represent the "best" solution based upon the Microsoft Windows architecture and philosophy. Of course, this solution is limited to the underlying OS architecture and any of its inherent weaknesses. You have aptly pointed out one of those weaknesses yourself: that of weak backup passwords. If an administrator chooses not to implement the strongest passwords at their disposal then the administrator presents an opening for unethical and malicious behavior. It should be noted that this is not the fault of the software, but of the human managing the software. The software may be designed perfectly but implemented or secured in a manner which allows for errors or weaknesses.

      With regards to agent-based backups, it is Microsoft's intent that their Windows OS be managed (in this respect, backed up) using agents. They themselves use agents to manage Windows Server backup processes. We understand that it is still possible to create a disk image with an agent-less backup; however, Microsoft's propensity towards agents warrants the use of an agent-based solution. In addition, there are a number of advantages that an agent-based solution offers over an agent-less solution. For example, an agent-based solution (if implemented correctly) can operate at a low level of the OS not available to injected or remote procedure processes. In the case of StorageCraft's ShadowProtect agent this allows us to directly track changes to the disk and to function as a driver within the Windows OS resulting in fast and reliable backup images. Other systems which inject agents typically have to traverse the file system looking for changes first before they can begin processing a backup, resulting in added overhead and resources.

      As you've pointed out, both solutions can work. And to add to your comments I will point out that the effectiveness of either an agent-based or agent-less solution really depends on the underlying code and how it is implemented. So I guess we come full circle back to the beginning where we both agree that software is only as good as the person designing/using the software. We feel we've built a rock solid agent-based solution founded on Microsoft's platform but designed and implemented by our amazing developers to give our customers fast and reliable backup images which are easy to use and manage. Hopefully this message comes across in our products as well as our literature.

      I would like to personally thank you for taking the time to contribute to our forum. The life of a "white hat" has always intrigued me as you guys get to use operating systems in ways that many of us can only imagine. And I think we're grateful for your honest commentary.


  • For a "lover of words", you sure missed this:

    "The brain is so complex that we’re a long way from discovering all of its mysteries, and we might never actually know how much space has."

    Read it slowly...

  • 1 2 3 4 11