Protecting your critical infrastructure is one thing…protecting your backups is the same thing
Do you know what your recovery position really is?
Paid Feature Normally, when we have more of something, we tend to think of it as less valuable. We might even become less protective of it.
And if there’s one thing we have a lot of, it’s data. The amount of data created or replicated worldwide hit 64.2ZB in 2020, according to IDC, and will continue growing at 23 per cent CAGR over the coming years.
So, given this exponential rise in the amount of data that organisations are generating and holding, can we be a little more relaxed about looking after it? Of course not. If data wasn’t valuable, we wouldn’t have the scourge of ransomware, and tech execs wouldn’t be having sleepless nights worrying about it.
Gartner forecasts three quarters of IT organisations will face one or more ransomware threats between now and 2025. Cybersecurity Ventures estimates that a ransomware attack occurs every 11 seconds, and this will result in an estimated financial loss of over $20bn for 2021.
At the same time, “new” ransomware models are the top concern for IT execs, Gartner’s Emerging Risks Monitor shows, as ransomware organisations become “more specialised and otherwise efficient.” Some of the most worrying developments, according to Gartner are “viruses that linger and infect backup systems, do not rely on phishing as a vector, harder-to-identify viruses such as “fileless” and “crypto-jacking” attacks.”
As Gartner’s Matt Shinkman says, the consequences of a ransomware attack can be crippling, even fatal, for any organisation: “Prolonged operational delays, data loss and exposure, as well as the reputational damage that follows, present potential existential risks to an organisation that executives are all too well aware of, especially if the attacks occur as a result of inadequate cybersecurity controls.”
So, protecting data is clearly essential. But companies need to understand what data they need to protect.
Your data, yesterday and today
Veeam Software solution architect John Wood points out, “The data that you have today is obviously the most valuable data that you have.”
But that data may also feed the AI or analytics systems driving companies into the future, “Yesterday's data is just as valuable for gaining insight about where you've come from, and potentially where you're going.” And historic or archived data stretching back over years is very hard to recreate.
The problem is, as AWS data management and storage specialist Sumit Kalia explains, traditional data protection approaches weren’t developed with modern threats in mind: “The emphasis was placed on some sort of natural event, such as a flood or an earthquake, and centred on physical separation, tape shipping, and high availability between sites.”
Do these strategies really protect you against a ransomware attack? For example, how do companies ensure their secondary data centre isn’t also compromised? What should RPO and RTO guidelines be in the wake of a ransomware attack? How does restoring from tape square with getting an ecommerce business back online to minimise lost revenue?
“That's the question you need to ask the business,” Kalia advises. “And the answer ‘well, not really’ is quite often what we hear.”
So, how should you approach protecting this data? And ensuring that you can get it back up and running in the event of a ransomware – or any type of cyber - attack?
According to Kalia, companies should start with something like the NIST Cybersecurity Framework, which provides a five step playbook for identifying risks, protecting services, detecting threats, and responding to attacks. The fifth step is recovery. And this is the one that’s often neglected.
“This is becoming one of the most important areas for customers in terms of ensuring they've got an insurance policy that allows them to recover at any given point,” Kalia says. “That's the bit that helps our customers to recover quickly, whilst minimising any sort of disruption, as well as meeting any business and regulatory requirements.”
The NIST framework informs Veeam’s entire data protection workflow, Wood notes. The first step is helping customers identify what needs to be protected and securing that on immutable storage. Veeam’s platform can also be used to monitor and scan data for potential vulnerabilities or compromises, for example by detecting large changes within data sets.
But “the other half of any data protection is being able to recover in the event of an event happening, whether it be using technologies around instant recovery or secure recovery technologies.”
Veeam’s Instant Recovery provides immediate restore of workloads as VMs by running them directly from compressed and deduped backup files, without the need to extract VMs and copy them to production storage.
But have you really recovered?
Secure Restore provides the ability to scan the data for malware before it is restored into production, allowing admins to either stop the process or allow it to continue with restrictions.
And while it’s great to have a recovery plan, it’s even better to know that it actually works, so Veeam also emphasises the ability to test the recoverability of the data, in the event of, for example, a ransomware attack.
A final point, Wood says, is that it is Veeam’s duty to ensure its own processes are as secure as possible, particularly given the growing threat of ransomware being delivered through compromised supply chains, for example.
“We need to practice what we preach…making sure that our supply chain is secure, to ensure that what we're delivering to our customers has inbuilt security, so they can be assured that we're treating security as a day zero priority.”
But if designing the right process is one challenge, another is deciding where to actually carry this out.
As Kalia points out, even if companies have traditional redundant data centres, they might have to face up to the possibility that a compromise at one will almost certainly mean the secondary data centre has also been compromised.
AWS, he explains, “takes a very much a proactive approach to infrastructure security, one that doesn't rely on typical protective or reactive approaches, but instead builds security into the infrastructure from the ground up. That also includes culture.”
How can an enterprise or other large organisation hope to mimic this? “By using the same tools that AWS does... these are the same tools that are available to you today, so you can build these event driven security solutions through a variety of AWS services”
For example, AWS offers object storage with object lock capabilities, through AWS S3, effectively offering a WORM model which means customers can be sure the data has not been changed. “Whenever the business has a requirement to satisfy compliance regulations, especially in the financial and healthcare sectors, you can simply capture a golden copy of that business record.”
But if AWS can provide the foundational platform and tools for securely storing data, says Wood, “you need partners like Veeam to actually take full advantage of that capability.”
This includes making sure “the data is there in the right fashion, in the right form, but also thinking beyond just the data. How do I get it back in a timely manner? Am I storing it in the most efficient way possible? These are all the things that Veeam is actually looking at. It's not just ‘throw my data in there and it will be all okay.’”
And this is the fundamental issue. Companies have often looked at backup and disaster recovery as their last line of defence when the unthinkable happens to their critical infrastructure. This needs to be turned on its head.
Companies need to accept that they will come under attack and will do so repeatedly. This means recovery processes are no longer just a last resort, but will become, if not routine, certainly a regular occurrence.
And once you’ve made this leap the whole issue of data protection is no longer an adjunct to your critical infrastructure. Instead, backup and recovery become critical infrastructure in their own right.
Sponsored by Veeam.