SHIFT Work - Moving The Cyber Goalposts
Back from my second (16 months apart) Commvault SHIFT event, this time set in the business Disneyland that is London’s Docklands.
Historically, within IT, there are eras where very little happens in 16 months, but that hasn’t been the case in this AI age (thought I’d get the dreaded term out of the way early – first and final mention). At the previous SHIFT event there was – naturally – more than an element of cyber security on the agenda, but it was primarily about the anti-ransomware capabilities of rolling back to previous (and clean) snapshots, both on-prem and within AWS, for example. This time around – given the ongoing high-profile breaches and the cost of these attacks – it was a primary topic of conversation.
Speaking with “senior” EMEA CTO Darren Thomson and his “junior” (but taller) CTO Mark Molyneux, it is clear that many – too many – diehard IT folks are in serious need of a wake-up call, primarily in understanding the difference between Disaster Recovery (DR), which companies have spent a lifetime perfecting, and Cyber Recovery (CR), which they most certainly have not (as the past 18 months have shown). Moreover, why would they view them as isolated recoveries? As Darren noted, after a breach, how does a company know that its backups are not equally infected? So the classic, fine-tuned DR methodology simply does not apply in the event of a data breach. Let me make this clear, however – the two must be seen, not as totally different remediation processes, but as fundamentally joined at the data hip. In other words, DR should be a secure process, not one based on hope, while CR is simply about bringing the business back online, data and all…
In the afternoon sessions Darren talked about ResOps (Resilient Operations) and how companies must now look at their businesses with a view to “what steps do we take when we are breached” and apply methodologies (NIS2 and DORA are good starting points; there’s no need to bring in million-quid consultants – sorry PwC) for a) protecting their crown jewels in the first place and b) understanding the recovery process and what their minimum viable business is in the event of a breach, and then working forwards from there. One point Commvault rightly reiterated throughout the day was one I made in the blog about the previous SHIFT event: that testing CR plans can no longer simply be a “once a year” process. It has to be effectively continuous. Let’s face it, it was bad enough in the ‘old days’ when it came to testing, in advance, that data restores actually WOULD work, rather than only finding out (often painfully) when it was necessary that they didn’t. CR takes the whole game to a very different level of potential cost and damage – i.e. business-threatening.
What seems obvious to me, as I highlighted in a recent blog, is that a major mind-shift is required in terms of cyber security strategy. The ‘bolt-on’ approach over the decades to security infrastructure deployment has led to a ‘let’s reduce the attack surface’ mentality to cyber resilience. So, the obsession with 24×7 computing has obviously driven this mentality; that plus thinking that the DR plans are always going to be a “get out of jail” card they can play, even when breached. Oh dear…
Here’s the deal: how many businesses really need continuous access, 24×7, down to the millisecond, to ALL of their IT estate? In the spirit of SHIFT’s panel debate, I’ll use an analogy. When folks are moving house or ‘downsizing’ they often put stuff – sometimes a LOT of STUFF – into storage. Expensive storage. And rarely on their doorstep. Then, inevitably, that storage requirement becomes larger before it becomes smaller and therefore even more expensive and more unmanageable – “we’ve got a dinner party on tonight love, where exactly did we store that boxed Victorian cutlery set?”. And yet… how many of those people stand back for a moment and think: “Do you know what? How much of this stuff – be it a settee, crockery, kitchen utensils, book collection or whatever – do we actually ever use, let alone need?” So, why not simply get rid of the unused clutter in the first place and save money and space – and start off with a minimal storage ‘surface’?
In a sense, that’s the world of IT – does every data source, for example, really need to be available 24×7? In most use cases the answer will be “actually, no”. So why not completely reverse the thought process: start with a ‘zero attack surface’ and make resources available on demand – remember, not so long ago, that was the “new big thing” in computing? In the days of tape-based, offline (or even nearline) backups/archives, “instant” availability might mean minutes at best and hours at worst. But now we have the technology – as I’ve noted with the Goldilock FireBreak tech tested last year, for example – to enable resources to be physically disconnected from the evil IT world and reconnected remotely, on demand, in milliseconds. Connect only when needed, in other words. I mean, you don’t leave all your doors unlocked all day, do you, on the off chance someone wants to drop in?
And finally… another great word that cropped up regularly during the event was “simplify”. This is getting back to my ‘Common Sense as a Service’ invention from a good few panel events ago. Use as few tools and platforms as possible, as an integrated solution, all managed from a single interface (glass pane or otherwise). And let’s get real – it’s not going to be possible to manage every aspect of your data and security infrastructure from that one interface, but with a rethink and rationalisation, it’s possible to get closer than it ever has been. And then, for all those security tools you can’t manage from that one interface, don’t think: “I’ve spent millions of my budget on this stuff, they are therefore essential elements of our strategy”. Instead, think: “Do I really need them?”.
Go on – I dare you…
