So far this year, we’ve looked at seven topics in data storage and how we predict these focus areas will evolve. In this post, we examine how data protection will need to change to meet business requirements during the remainder of the decade. Previous posts:
- Storage Predictions for 2023 and Beyond (Part I – Media)
- Storage Predictions for 2023 and Beyond (Part II – Systems)
- Storage Predictions for 2023 and Beyond (Part III – SDS)
- Storage Predictions for 2023 and Beyond (Part IV – CNS)
- Storage Predictions for 2023 and Beyond (Part V – Open Source)
- Storage Predictions for 2023 and Beyond (Part VI – Public Cloud)
- Storage Predictions for 2023 and Beyond (Part VII – Protocols)
Background
Data protection (and more specifically, backup and restore) has been a part of IT since the inception of commercial computing in the 1950s. Until the early 2000s, the traditional backup process used tape media and tape drives. This market evolved from manually mounted reel-to-reel media to tape cartridges and the enormous, automated tape libraries (ATLs) from the likes of StorageTek, IBM and Spectra Logic (many of which I installed, maintained and operated).
By the early 2000s, a new set of technologies emerged, including VTLs (emulated tape devices and libraries) and disk-based backup pioneered by Data Domain. With high levels of efficiency (driven by data deduplication), tape usage began to recede as the practical benefits of disk-based backup exceeded the flexibility of tape-based solutions.
Throughout that time, though, data protection software didn’t change that much. Deduplicating appliances simply provided a different target into which backups were written. In those days before the widespread adoption of x86 server virtualisation, data protection still focused on agents, schedules, policies and completing backups within a prescribed window (generally outside the working day).
Data Diversity
It’s reasonable to say that in the 1980s, data protection didn’t have the business focus it does today. If a backup failed, it would eventually get retried (sometimes, that meant just waiting for the next backup cycle). If a restore failed due to a broken tape, then the previous backup would be tried instead.
Businesses could get away with a more lackadaisical approach to data protection because data volumes were much smaller than they are today. Data existed elsewhere in the company and could be (eventually) recreated if some of it were lost. The risk of ransomware didn’t exist because IT systems weren’t generally open to external connectivity. In the 1980s, the World Wide Web didn’t exist, and the Internet was a niche solution used by academic and government institutions. Large enterprise organisations used dedicated networking links for connectivity, which made hacking almost impossible. The biggest threat for IT was insider theft or malicious data destruction.
Today, we can’t imagine operating IT without network connectivity that extends from corporate data centres to the public cloud, edge/remote devices, and home working. About ten years ago, I drew the diagram shown in figure 1 (redrawn in 2021). This shows how our closed networks have evolved to be widely diversified, with technology used from myriad sources. This diagram now needs updating to highlight the massive adoption of storage-as-a-service and the disparate nature of data that could be spread across tens or hundreds of platforms and locations.

Data Assets
In the modern enterprise, data is a critical asset. Moreover, most, if not all, of that data will be electronic, and a vast majority will be created by non-human sources. Much of this content can’t be recreated if it is lost. IT systems hold personally identifiable information (PII) that is subject to increasing regulation. The escalating incidences of ransomware attacks and data theft make it clear why these regulations are required. Modern society trusts and depends on electronic information, from how we manage our money to healthcare and social interactions.
Data Loss Prevention
While we generally use terms like “backup” and “data protection”, we should be focusing on data loss prevention (DLP). This term encompasses two areas. First, ensuring data assets are backed up, protected, and can be recovered. In this respect, we need to consider both data protection and disaster recovery to cater for large-impact events. We can think of this as “loss of access”. Second, we need to consider data security from the aspect of unauthorised access and exfiltration. This is “loss of control”.
In respect of DLP, the industry isn’t standing still. Many companies have pivoted to talk about nothing but security, while others have introduced technology to both frustrate and provide early warning of intrusions. As any doctor will tell you, prevention is better than cure, and that’s absolutely true in the world of data management.
Observability

Of course, without a clear understanding of the data within an organisation, there’s no chance of protecting it. The diversification in applications (particularly with up to 16,000 SaaS solutions available in the US alone) means that gaining a picture of what’s critical to the business can be hmore challenging than ever. There’s a classic xkcd meme (we’ve shown here) that highlights how one tiny piece of code can be the foundation of entire systems.
Similarly, businesses may have critical data, the loss of which could have a significant impact. It’s essential, therefore, to be able to identify and classify all data assets using a methodology that accepts data will become more or less valuable over time (rather than previously, where value declined with age).
Predictions
So, what can we predict for the next decade of data protection evolution? Some of these predictions are more what we should aspire to rather than what will happen. We hope that the aspirational suggestions do manage to gain a foothold, as they’re critical to advancing the industry.
- Data protection becomes a CISO responsibility. This scenario may already be the case in many organisations; however, we see this positioning increasing in focus. Data protection and backup is the fallback position when other forms of security defence have failed, so the security teams will want to know the failsafe is available and working successfully.
- Data discovery and cataloguing will be critical tasks. As with any asset, data needs to be identified, catalogued, and valued. This work is more complex than it may seem, as many enterprises have dumped offline media (like tapes) into vaults for long-term retention, and with little idea of the contents. Although an overhead, businesses must learn to curate data assets, including timely deletion.
- Data archiving will make a comeback. Archiving is simply the process of moving inactive data out of production applications to improve performance, save space, cost, and backup effort. Many archives are lazily implemented by long-term retention of backups. As we focus on efficiency and the speed of recovery from ransomware events, production data will evolve to encompass only what’s needed to be immediately available.
- Data deletion will make a comeback. As data storage costs declined rapidly during the last two decades, while the ubiquity of analytics increased, many businesses implemented a “retain forever” model for data. What might have been seen as a rich seam to be mined for future value could now be a toxic waste dump of data governance risk, compliance, and cost. We envisage data deletion policies making a return, with a focus on risk mitigation, cost reduction and sustainability.
- Ransomware goes exponential. The threat of ransomware now includes state-sponsored attacks as well as groups looking for financial rewards. Ransomware attacks are being used to disable access to data but also steal data assets that could be used tactically in the future. As we’ve seen with the Royal Mail ransomware attack, the impact is felt far and wide by individuals and businesses. Hedging against a ransomware attack could quickly become uninsurable.
- Backup software gains the highest level of hardening and security controls. Backup platforms will need enhanced security features to deliver multi-factor authentication, multi-factor signoffs, and greater workflow audits and controls, all to mitigate the risk of direct attacks on the backup system.
- Customers will demand ransomware certification. We can envisage that businesses (then possibly consumers) will require companies to demonstrate both ransomware coverage for insurance and for certified protection policies (proof of recovery). Of course, this stance could be a double-edged sword, with hackers attacking vendors that claim to have a gold standard of protection. However, governments may choose to specifically weave certification and compliance into existing legislation such as GDPR, making this approach the default.
- Data protection is enabled by default in the public cloud. In a similar process to the way enhancements were made to AWS S3 (removing public access and enabling encryption by default), we can see public cloud vendors enabling backup by default across storage, virtual instances, and PaaS, and only permitting customers to opt out by exception.
- Zero Trust gains widespread adoption. This prediction is definitely aspirational. We think that the current walled garden operated by most organisations is no longer fit for purpose. The ability for intruders to gain access through social engineering, phishing or unknown exploits is so high that zero-trust architectures must be the default. However, we also recognise this is a considerable engineering challenge for most organisations and will take time to be realised.
- Encryption everywhere. Data encryption in flight and at rest is already used widely across the enterprise. We envisage greater use of encryption within applications, such as MongoDB’s client-side field level encryption. The edge is another area where encryption and credentials management will be critical for data protection and ransomware prevention. For example, to validate external data sources at the edge are trusted, known devices. We should also expect more tokenisation of PII.
- Air-gapping and immutability become table stakes. Backup without logical or physical air gaps will be mandatory, as will immutability. We can see a new role for tape systems incorporated into workflow management solutions like Spectra Logic Vail, where tape systems provide the scale for archiving and immutability.
- Data protection companies become data security partners. We’ve already seen data protection companies branding themselves as data security companies. However, we believe the better approach is to partner with security experts and use that pooled knowledge. We could see further acquisitions as data protection and security become further entwined. Also, expect to see AI provide both the solution and the challenges for data protection as vendors and hackers use the technology from both sides.
- SaaS data protection will emerge as a hidden issue. With so many SaaS applications in use and with such a diversity of SaaS platforms to protect, SaaS solutions providers will need to address their own data protection shortcomings. A new approach is required in order to solve this problem, as backup vendors simply can’t cope with onboarding thousands of SaaS solutions.
- Data protection solutions evolve to visualise data, not infrastructure. In a move we’ve been pushing for some time, data protection solutions will transform to visualise protected assets at the data level, not infrastructure. In a future hybrid/multi-cloud world, data may exist in many locations over time, especially as it transitions through data pipelines. It makes much more sense to present data assets with a timeline of their current and historical locations than to show fixed infrastructure.
- SaaS data protection solutions will become the dominant market choice. For many organisations, operating a backup system that must cater for a diverse set of applications will be too onerous. The answer is to use SaaS vendors such as Druva, HYCU and Metallic. This model will be the driver for future growth of the backup industry.
The Architect’s View®
We’ve covered an enormous number of potential predictions, most of which follow a theme of improved security, zero trust and platform hardening. Data Loss Prevention needs to be the new focus of today’s data protection. With more data created now across a greater diversity of platforms than ever before, the challenges for the data protection industry couldn’t be greater or more interesting to watch.
Copyright (c) 2007-2023 – Post #124c – Brookend Ltd, first published on https://www.architecting.it/blog, do not reproduce without permission.

