The SNIA Cloud Storage Technologies Initiative began 2021 discussing the topic that has been on everyone’s mind for the last year – COVID-19. But rather than talking about positive cases or vaccine availability, our experts, Eric Hibbard and Mounir Elmously, explored how COVID has increased cybersecurity concerns and impacted the way organizations must adapt their security practices in order to ensure data privacy and data protection. If you missed our live webcast “Data Privacy and Data Protection in the COIVD Era” it’s available on-demand.
As expected, the session raised several questions on how to mitigate the risks from increased social engineering and ransomware attacks and how to limit increased vulnerabilities from the flood of remote workers. Here are answers to the session’s questions from our experts.
Q: Do you have any recommendations for structuring a rapid response to an ongoing security threat?
A: When considering rapid responses to threats, an organization must develop an incident response plan. Waiting to do this in the middle of an incident all but guarantees mistakes and inadequate responses (and possibly liabilities). As part of this planning, we’ve seen some companies form a rapid response security team. This consists of IT and business managers, security teams, communications and public relations personnel, and potentially legal representatives. The goal of the teams is to assemble in response to an emergency to cut across different responsibilities and make faster decisions. This would enable a mix of responses such as isolating infected areas of the network, putting business continuity plans in place, and even potentially securing physical assets or sending teams to update systems. In addition to mitigating problems, the organization may need to handle public and/or regulatory disclosures.
Q: Isn’t there a tension between a continuously connected backup and ransomware protections? Are there other conflicts with regulations or policies that could reduce or compromise data security?
A: In security, there will always be some aspect of compromise. For instance, the fact that your backup system is connected to the network and continuously updating places it at risk for being involved in a ransomware attack. This can be mitigated with additional offline backups. But the value of the connected backup is the recovery time involved in resetting your environment. There are always conflicts in a complex security scheme, and care should be taken to examine all vectors of attack to mitigate risk. It is worth noting that the National Institute of Standards (NIST) in it recently published NIST SP 800-209 (Security Guidelines for Storage Infrastructure) recommends that cyber-attack recovery (e.g., due to a ransomware attack) be handled independently of non-malicious recovery (i.e., the backups for each type of recovery are completely separate).
Q. What about air gapping the backups in the vault?
A. Air gapping the backup in the vault is a valid option, however most IT shops provide end users with access to backups in case they experience limited data loss. Applying air gap to such backup will result in taking this capability away from users. on the other hand, air gapping database backups will have a significant pay off since no user access is provided except for a very limited admin group.
Q. Is ransomware a good reason to go back to real tape backup or at least some form of unconnected archive?
A. Tapes provide an excellent air gap media that is extremely cost effective. On the other hand, managing tape has proven to be a very cumbersome process that has been rejected by most IT shops. Even if you decided to use tapes as air gaps, do not abandon your backup to disk since this is your first line of defense. Tape should be a tertiary copy of backup and ideally you should not consider moving it off site due to potential multiple tape handling problems.
Q. Is the current threat landscape larger or smaller with all the distributed work from home efforts ongoing?
A. The current threat landscape has increased by multiple folds due to:
1- Internet of things
2- Exponential growth of work from home-remote users
3- Bring your own device
4- 5G connectivity
Q. I often hear IT pros say something like, “It’s secure enough, let’s deploy.” Once deployed, how often should security be re-assessed, and do you have any methodologies for that?
A. As was discussed in this presentation, no matter how much you invest in the police and associated technology, there will be a bad actor confident that he can get away with the crime. Similarly, the threat landscape is evolving almost by the minute, and ransomware has proven to be an excellent way to make money, so consider that you should revisit your security as frequently as your budget permits, keep your security tools updated as soon as an update is available, and create a strict patch update schedule to your environment including OS, database, drivers.
Q. The information presented at this session was pretty basic. I thought it would be more in-depth.
A. Since the level of expertise of our audience varies widely and with the potential of first-time attendees, we needed to start with a foundation to ensure no ambiguity on the subject. As more follow up webcasts will occur on related topics, we will start from where we left off in the previous session. We expect to continue this discussion. Follow us on Twitter @SNIACloud so that you don’t miss any announcements on upcoming events.