The holidays are over and New Year’s Resolutions have been made. Alongside the personal goals of health and happiness, what can you do to improve your organization’s business continuity and data management plans in 2018? Dave Packer makes six suggestions…
Resolution one: plan for ransomware recovery early
The amount of money raised by ransomware attacks has grown massively over the last two years. According to research by Cybersecurity Ventures, the spend on ransomware grew from $325 million in 2015 to an estimated $5 billion in 2017, while security firm Trend Micro blocked 82 million ransomware attacks over a six-month period. Because ransomware is so profitable, such attacks will continue to grow in 2018.
For business continuity teams, adequate backup and recovery plans should make recovery easier. However, ransomware attacks are being designed to target backups as well, so that the attackers can increase their likelihood of getting paid. Planning ahead can therefore keep you one step ahead of the attackers.
Using separate services that can go back to specific points in time before a malware attack took place can help. Similarly, using offsite services that can provide data isolation, like cloud, can provide a shield to prevent ransomware from compromising backup systems. By being more strategic in your backup approach, you can help prevent security problems in the future.
Automating the file-checking process can help even further - by utilising machine learning and looking for peculiar patterns in data usage, like a sudden change in the number of encrypted files, your data protection strategy could help provide an early-warning system, to aid in stopping ransomware attacks from spreading broadly across the organization’s systems. Knowing what ‘good behaviour’ looks like - and equally, what bad or unexpected behaviour appears as - can help keep large volumes of data protected.
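The early-warning idea above, as an added example that is not from the original article or any vendor's product: it counts changed files that look encrypted between consecutive backup snapshots and flags a snapshot that breaks from the baseline. It uses a simple statistical threshold rather than machine learning, and the entropy cut-off, thresholds, paths and snapshot contents are all assumptions constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter
from statistics import mean, pstdev

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def encrypted_looking_count(prev: dict, curr: dict) -> int:
    """Files new or changed since the previous snapshot whose content is high-entropy."""
    return sum(1 for path, data in curr.items()
               if prev.get(path) != data and shannon_entropy(data) > ENTROPY_THRESHOLD)

def flag_snapshots(snapshots, k=3.0, min_history=3, floor=5):
    """Return indexes of snapshots whose count exceeds the baseline of earlier ones."""
    history, alerts = [], []
    for i in range(1, len(snapshots)):
        n = encrypted_looking_count(snapshots[i - 1], snapshots[i])
        # Compressed archives are high-entropy too, so compare against what is
        # normal for this data set rather than alerting on any single file.
        if len(history) >= min_history and n > max(mean(history) + k * pstdev(history), floor):
            alerts.append(i)  # anomalous counts are kept out of the baseline
        else:
            history.append(n)
    return alerts

def _filler(seed: str, size: int = 4096) -> bytes:
    """Constructed stand-in for ciphertext or compressed data (deterministic)."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))
    return b"".join(blocks)

def build_sample_snapshots():
    """Constructed data: five ordinary days, then every file rewritten."""
    snaps = [{f"/share/doc{i}.txt": (f"quarterly report {i} " * 200).encode() for i in range(40)}]
    for day in range(1, 6):
        snap = dict(snaps[-1])
        snap[f"/share/doc{day}.txt"] = (f"edited on day {day} " * 200).encode()
        if day % 2 == 0:
            snap[f"/share/archive{day}.zip"] = _filler(f"zip{day}")  # legitimate archive
        snaps.append(snap)
    snaps.append({path: _filler(path) for path in snaps[-1]})  # mass rewrite
    return snaps

if __name__ == "__main__":
    print("suspicious snapshots:", flag_snapshots(build_sample_snapshots()))
```

A flagged snapshot is the signal to pause backup rotation and keep the last clean restore point, so that it is not aged out while the alert is investigated.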
Resolution two: understand how GDPR will force better data management practices, but won’t break your recovery
This year, the European Union’s General Data Protection Regulation will enforce new standards on data protection, privacy and security. GDPR comes into force from 25th May 2018, and all companies holding data on customers that live in the European Union will have to follow the rules on handling data.
As part of this, all companies will have to bring in new rules on managing requests from customers for copies of their data. Alongside this, companies will have to comply with their customers’ ‘right to be forgotten’, where all data on them is deleted.
For business continuity professionals, this may be troubling. Would the right to be forgotten extend to archive or backup data as well? Well, the text in the regulation reads as follows:
Article 65, GDPR: “In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.”
However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
Data can therefore be held for archiving of public data and for legal compliance reasons. What is important to consider is that this data should be managed as an archived copy. If it is needed for recovery, then care should be taken to respect any right to be forgotten requests that have come through in the past. As part of the recovery process, these customer records should be easily identifiable and removed from the backup sets before recovery into production.
This process should be simple if you take regular backups or use continuous data protection methods; if you back up data on a less frequent basis, then keep a separate record so that any requests can be respected.
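One way to keep that separate record and apply it during recovery, as an added example that is not from the original article: erasure requests go into a ledger held outside the backup sets, and rows for erased customers are withheld when an older backup is restored. The record layout, customer ids, key and dates are constructed, and treating an id found in a backup taken after the erasure as a new sign-up is an assumption of this sketch.

```python
import hashlib
import hmac
from datetime import datetime, timezone

LEDGER_KEY = b"constructed-demo-key"  # assumption: a real key comes from a secrets store

def subject_token(customer_id: str) -> str:
    """Keyed hash, so the ledger does not hold the erased identifier in clear."""
    return hmac.new(LEDGER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()

class ErasureLedger:
    """Separate record of honoured erasure requests, kept outside the backup sets."""
    def __init__(self):
        self._erased_at = {}

    def record(self, customer_id: str, when: datetime) -> None:
        self._erased_at[subject_token(customer_id)] = when

    def must_drop(self, customer_id: str, backup_taken: datetime) -> bool:
        # Only backups taken before the erasure can still hold the old record;
        # a later backup containing the id means the customer signed up again.
        when = self._erased_at.get(subject_token(customer_id))
        return when is not None and backup_taken <= when

def restore(rows, backup_taken, ledger):
    """Return (rows safe to load into production, number of rows withheld)."""
    kept = [r for r in rows if not ledger.must_drop(r["customer_id"], backup_taken)]
    return kept, len(rows) - len(kept)

def day(d: int) -> datetime:
    return datetime(2018, 6, d, tzinfo=timezone.utc)

# Constructed sample data: three customer rows and one erasure honoured on 10 June.
BACKUP_ROWS = [{"customer_id": c, "email": f"{c}@example.com"}
               for c in ("c-101", "c-102", "c-103")]

def build_sample_ledger() -> ErasureLedger:
    ledger = ErasureLedger()
    ledger.record("c-102", day(10))
    return ledger

if __name__ == "__main__":
    print(restore(BACKUP_ROWS, day(3), build_sample_ledger()))
```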
Resolution three: understand how cloud can be an important part of your protection strategy
According to our research, around 54 percent of companies have already started moving their business continuity and backup plans to the cloud. Around 63 percent of companies are planning to move all their secondary storage - backup, archival and recovery - over to Amazon Web Services. By consolidating data into the cloud, these companies are aiming to save money and improve their data recovery processes.
Using cloud, it’s possible to run services in the event of a disaster and protect information more efficiently, wherever it happens to be. Whatever approach you take, it is worth bearing in mind the old maxim of ‘2n + 1’: this refers to the number of copies of data that should be kept, as well as the mediums on which this data is stored. Using cloud, it’s easy to store data across multiple zones, or even across multiple cloud service providers.
Resolution four: work on knowing where you have to protect your use of cloud
Most companies are moving to cloud-based applications. The success of Microsoft, Google, Salesforce and others has shown that the cloud model can work well for large enterprises down to the smallest businesses.
However, these applications are often provided without data protection services as standard. While it might be possible to recover data, the expense and time to carry this out may be well outside your data protection service level agreements (SLAs).
Looking at your cloud contracts, what is included and what is additional is therefore a necessary step for 2018. Understanding how you can manage protecting data held in cloud applications - apps that are otherwise beyond your control - should be a priority.
Resolution five: look at your approach to data management
Disaster recovery and business continuity planning fulfil essential roles within IT security and data protection strategies. However, these areas tend to focus on the infrastructure elements and meeting compliance rules, rather than how to enable the business to do new things. New technologies like cloud can make data work harder for you and produce more positive results alongside meeting compliance goals.
Alongside ensuring compliance with new regulations like GDPR, looking at wider issues around data management can help you to start taking on more business responsibility alongside the IT infrastructure responsibility you currently hold. What’s more, this ability to build up more business background information can help justify further investment in the future. Rather than being a necessary cost, business continuity skills can be used to help improve data management in general.
Resolution six: look at migrating your virtual instances to the cloud
Traditionally, virtualization was used in your data centre while cloud instances were run by the big public cloud providers. However, that is changing. VMware and AWS struck a deal for official support in 2017, while Microsoft also announced support for VMware on Azure bare metal instances. This change in approach can make it easier to consolidate your IT.
For those using VMware as part of their recovery strategies, these deals can help reduce costs for secondary sites and hardware while still keeping the familiar approach in place. Using public cloud services for data protection can help reduce costs, while changes in relationships between companies can be used to your advantage.
In our research, we found that many VMware admins are looking to move to cloud: around 90 percent of those surveyed stated they were planning to move by 2020, while 47 percent stated that AWS was their preferred destination. Around 78 percent of organizations will have a hybrid environment with both on-premise IT and public cloud services.
For business continuity professionals, the sheer volume of data that companies create can be overwhelming. Information is created in more places, by more people, and using more devices than would previously be possible. For this year, look at how you can streamline these processes so that the right data remains protected and secure without straining budgets or risking data loss. Deploying cloud, checking contracts and automating processes can all help.
Dave Packer is vice president corporate and alliances marketing at Druva. Dave has more than 20 years of experience in the enterprise technology space, primarily focused on information management and governance. At Druva, Dave heads Corporate and Product Marketing, which serves an integral role leading product definition and direction. Previously, Dave held executive positions at Autonomy Corp., Interwoven Inc., and Silicon Graphics. He was also instrumental in the product and market definition of the first widely deployed mobile device, Tablet PC, while at Uppercase, Inc., (acquired by Microsoft in 2000).