DRJ Spring 2020

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 32, Issue 4

Full Contents Now Available!

Wednesday, 28 September 2016 00:00

Top Security Missteps and Misconceptions of Disaster Recovery

Written by  Lilac Schoenbeck

At long last, disaster recovery initiatives are no longer doomed to the proverbial back burner as IT and business executives finally begin to align on the importance of business continuity initiatives.

It's been an uphill battle for many IT teams, but the C-Suite simply can't ignore the endless headlines that spotlight damages wreaked by omnipresent business threats – from power outages to cyberattacks, to human error to infrastructure failures and natural disasters. Risking downtime and data loss is not an option, particularly as the impact to business is measured in thousands of dollars per minute. One need not look further than the recent Delta and Southwest outages to make a case for implementing a proven and tested disaster recovery plan.

The result? More companies are exploring cloud-based backup and disaster recovery services (DRaaS) as a fast, cost-efficient option to protecting business. The technology has evolved significantly in recent years, and there is no shortage of solutions.

Gartner Inc.'s 2016 "Magic Quadrant for Disaster Recovery as a Service" reports, "Disaster recovery as a service is now a mainstream offering that is supported by more than 250 providers. ... In recent years, IT disaster recovery as a whole and DRaaS specifically have gained momentum for small and midsize organizations due to improved affordability and functionality. ... In addition, DRaaS interest has grown significantly among large enterprises during the past year, as Gartner witnessed a 77 percent increase in inquiries from these organizations throughout 2015."

But in the race to implement such a plan, many teams struggle to navigate options and fully test a solution to ensure it will work when they need to pull the trigger. Perhaps surprising to some, security is a corner too frequently cut, misunderstood, or mishandled.

Companies should be wary of these top stumbling blocks:

'It won't happen to us ... and certainly not twice'
"Disaster recovery" is one of the most unfortunate hyperboles in the tech space, because it evokes images of devastating hurricanes, tornadoes, and wildfires that many feel will never affect them. In reality, a simple human error can be a disaster to an organization, and this acknowledgement has driven many to take the first step of adopting a DR solution.

Still though, the "it won't happen to us" mentality exists when it comes to cyber threats. While teams adopt DRaaS to ensure they can fail over in case of an issue, they often overlook the security of the cloud they are moving to. That means even if they thwart the initial disaster, their workloads are still at risk because the cloud they rely on may be vulnerable to malicious attacks.

It's important for teams to understand the security functionality of a DRaaS cloud. After all, you may be on that platform for days, weeks, or even months. Services vary greatly in terms of embedded security features, reporting, and support.

Blind trust
According to a recent study by analysts at Enterprise Management Associates (EMA), too many cloud security strategies rest on blind trust. The study polled experienced cloud infrastructure and DRaaS customers throughout North America and revealed 47 percent of security personnel "simply trust" their cloud providers are delivering on security agreements, rather than corroborate it independently or through a third party.

This is a risky practice not only because it potentially leaves a company open to cyber threats, but also because it complicates compliance efforts when it comes time to prove proper security measures were in place. Companies should trust, but verify, claims of using DRaaS. Don't fall too hard for marketing and an assortment of compliance logos or branding.

Tools are only as good as your ability to manage them
Many teams try to address security by throwing technology at the problem. In fact, the same EMA survey found 48 percent more security technologies are deployed in the cloud than on-premise. At first glance, the figure is promising as it implies companies recognize security risks and are trying to do something about it.

However, despite this glut of technology, companies continue to struggle with security due to skills and staffing shortages. The tools can only do so much. Overall, respondents called for more assistance from cloud providers when it comes to integrating security technology (52 percent), improving security reporting (49 percent) and improving security analytics (44 percent).

Teams must be self-aware, identifying areas where they require help and evaluate accordingly. Get a clear understanding of what level of support is included. How easy is it to generate a security report? What level of automation is available? Are alerts customizable and do they include recommended remediation?

Compliance doesn't apply
EMA's study also uncovered a significant gap in IT's understanding of compliance requirements and related workloads. While 96 percent of security professionals acknowledge their organizations have compliance related workloads in the cloud, only 69 percent of IT teams identified the same. The reality is most organizations have workloads subject to corporate and/or industry compliance.

Misconceptions around compliance could become exposure if IT were to fail over compliance-bound workloads to a non-compliant cloud provider. So what is the lesson? Again, don't put all of your faith into the compliance logos thrown on a website. Verify the dates of certificates to ensure they are still valid and ask if you can speak to a provider's compliance team. See the compliance audit paperwork of the cloud provider. A little up-front validation can prevent a very unpleasant audit experience later on.

Compliant does not mean secure
On the flip side, healthcare, financial, and other regulated industries place huge emphasis on compliance, and rightfully so. Standards and regulations are designed to play an important role in protecting a company and its customers. However, organizations continue to incorrectly equate compliance with security. Any why not? Many of today's compliance audits are extremely rigorous, requiring third party assessors that need tangible evidence specific measures are in place – not the "check the box" inquiries of the past. The headache of one of those audits seems like it should be enough.

However, the reality is that industry standards only provide a foundation for protection. Companies must build upon that foundation to address an organization's unique set of requirements – from infrastructure to business practices. It is next to impossible for a governing body to anticipate all of the variables at each and every company that could generate risks. It's up to individual organizations to fully assess vulnerabilities and not settle for compliance alone.

'It was their responsibility'
For day-to-day IT activities, sharing responsibility is common – even required. But when it comes to security, teams must know exactly "who has the ball" to make sure nothing gets dropped. This applies to understanding responsibilities internally and with DRaaS.

The responsibility matrix begins with configuration and implementation and moves through to declaring a disaster. Some will gladly trigger the failover for you, while others are hands off, even as you are in the midst of the struggle. But, when security alarms are raised, it is important to clarify who has the ball.

Some security technologies trigger at data center or cloud-level issues – like vulnerability scanning or physical security. Others happen within a virtual machine, like antivirus or antimalware. Some have automated remediation and quarantine. Others require attention and decisioning.

Clarifying who has the ball with different types of alerts, events, and even reporting is key to a smooth experience in the cloud, whether in a disaster or during normal operations.

DR is about response, not prevention
At this point, most teams working on disaster recovery initiatives recognize the importance of testing to make sure everything will run smoothly if they have to trigger a failover in response to an issue. However, more companies are beginning to leverage DRaaS to proactively test for security vulnerabilities to get ahead of cyber threats.

By conducting failovers into a cloud with integrated security features like antivirus and malware protection, vulnerability scanning, intrusion detection and prevention and file integrity monitoring, teams can investigate weaknesses and identify possible blind spots – non-intrusively on an isolated, exact copy of their systems.

In the end, speed of recovery is irrelevant if a company opens itself up to additional risks due to inadequate security. While business and IT have made great strides in prioritizing DR and addressing security issues, there is work to be done. In the face of staffing shortages, resource restrictions and shrinking deadlines, teams must be able to rely on DRaaS to take on more of the heavy lifting. But they must be smart about it, resisting the temptation to blindly trust and finger point.


Schoenbeck-LilacLilac Schoenbeck is vice president of marketing at iland. Schoenbeck has nearly 20 years of experience with product management, marketing, strategy, business development and software engineering in the grid, virtualization, and cloud domains. Prior to her role at iLand, she led cloud and automation marketing for BMC Software and has worked for IBM, Fortisphere, Innosight, and the Globus Alliance. Schoenbeck holds an MBA from MIT Sloan School of Management and a computer science degree from Pacific Lutheran University.