Insights > Blog

Watch The Webinar: Identifying & Developing a Data Storage Protection System

By Redapt Marketing | Posted on September 8, 2020 | Posted in Featured, Security & Governance

In this webinar, Redapt expert Matt Francis discusses how your enterprise can put in place systems that ensure your data is always backed up and protected.

 

Get your free eBook

Always Be Prepared: An In-Depth Guide to Developing a Rock-Solid Disaster Recovery Plan for Business Continuity

CLICK TO DOWNLOAD
Backup_and_Cloud_Disaster_Recovery_preview img-1 Backup_and_Cloud_Disaster_Recovery_preview img-2 Backup_and_Cloud_Disaster_Recovery_preview img-3

Video transcription:

Today Redapt and Dell are bringing you a presentation. Really today's presentation is information on how to plan, and what to consider when you're developing a data storage and protection plan. It's a little bit less about the products or solutions to buy, at Redapt we believe every customer's situation is unique, in that it's really hard for us to recommend something blindly without really deeply understanding our customer's challenges today. Today Matt Francis, our Senior Director of Storage and Hyper-converged Infrastructure is going to be presenting. Matt has extensive experience, value engineering solutions for our customers. And that really means optimizing price performance and features and functionality. He's here to ensure that the solutions that we sell meet your customer expectations and perform the way that we promise.

He's really good at implementing these and helping customers really accelerate the adoption process of the solutions that we bring. So I'm going to turn it over to Matt, who's going to share the mouse with him and I'm going to let him drive. Take it away, Matt.

Thank you David. Hello everybody, and thanks for joining us today. As David said, I'm Matt Francis. I've been in the storage industry for over 20 years now. And over those years, I've seen a tremendous increase in the value of data that has for our organizations. My main mission here at Redapt is to help customers make sure the right data is in the right place, at the right time, for the right cost, and available to the right tools to extract as much value from that data as possible. Currently I'm helping customers with various projects, whether those be traditional applications that need standard block file protocols to adopting cloud native object storage, whether we're working with familiar virtualized or hyper-converged platforms, or solving challenges with getting persistent storage into Kubernetes.

But really the most exciting arena is implementing the platforms and the tools that are necessary for deep analytics of all of those new sources of data that we have. And whether these live on premises or on the cloud or hybrid cloud environments, really the challenges that they person are unique, especially whenever it comes to securing and protecting the data that is so critical to today's data driven enterprises. Which leads us into our agenda today. So, we'll to start off first by exploring why we need data protection, and then how you can start evaluating your own data protection systems and using some of that information to develop a data protection plan for your enterprise. We'll go through some examples of different levels of data protection readiness. And finally, we'll talk about how we can partner up to help you design and plan and implement the tools that are necessary to be able to execute your plan.

So, starting with why we need data protection. We've all heard the horror stories in the news about breaches, according to numbers compiled by a statistic of more than 116 million records were exposed through data breaches last year. There are different number of threats that exist today, whether they be external in the form of attacks from a nation state, or just some kid who's really bored in their basement during COVID and has nothing better to do than at the company. There's also internal threats in the form of rogue employees, unprotected endpoints, lost USB keys, or even just playing human error. But it's important for us to understand these threats and the havoc that they can cause.

What happens if you're hacked and you have your new products design stolen? Especially from a nation state where you don't have any type of recourse. Or what happens if your competitor gets your CRM data in your entire sales forecast and opportunity list? And have you ever seen Wall Street's reaction to a data breach? Right? Compare attack found that share prices fell over 7% on average after a data breach occurred. What's your legal liability for a data breach? Equifax agreed to pay over $700 million in a 2017 data breach. And probably nothing is more painful than being called out in front of a congressional hearing to explain why you jeopardize the public security. In addition to data breaches data APL ability is also a key concern for data protection. Now, there's been studies out there that show 93% of companies that lost a data center for more than 10 days due to a disaster, file for bankruptcy within one year of that disaster.

And this year we've already had more hurricanes in the Gulf than in any previous years. And the season's just beginning. We have fires in the West, floods in the East. There's always something on the horizon that threatens our systems. And the University of Texas reports 94% of companies suffering from a catastrophic data loss don't survive. 43% of them never reopen, and 51% of them close within two years. And while data security is important, another aspect to having data and applications available, is also what really keeps the lights on. And for years we've already had a shift to re a remote workforce enablement, but this was highly accelerated by COVID.

Well, many companies had strategies in place for some worker profiles to deal with it. There were remote workforce enablement, the requirement for a completely remote workforce caught a lot of organizations off guard. This presented challenges both in security, but in also in worker productivity. There are now multiple number of endpoints to secure new services like Cloud Sync and Shares that are being utilized sometimes with, or a lot of times without a company's oversight. With data being spread out, how do you ensure that it's secure? And how do you ensure that it backed up?

Which will transition into, how do we evaluate what our current data systems look like? Two simple easy questions that you can ask yourself is, how much of your data can you afford to lose? And how long will it take your business to resume normal operations if a major disaster occurs? Additional in terms of security, do you even know the cost of a breach to your organization? And are you 100% sure that you have the measures in place to effectively combat every type of threat that presents to you? If you can't answer these questions or only hazy estimates about them, you need to thoroughly examine your data protection measures. To drill down a little deeper, every customer in companies should be having their own data protection assessment internally.

This data protection assessment should include an exhaust to discovery cataloging of all of your data, all of your storage platforms and your endpoints. You really need to know what you have, especially as the types of data and the sources that we're getting them from are constantly emerging. You need to determination of the types and uses of data that you have. Do you have personally identifiable information on your organization like Social Security numbers or credit cards, and how do you handle and secure that? Especially whenever it comes to compliance requirements, a lot of organizations fall under different regulations, whether that be Sarbanes-Oxley or HIPAA or PCI or even GDPR, all of these have very different requirements for organizations for both the security and retention of their data, that are causing a lot of organizations now to rethink how they do their storage and the policies and procedures that they put in place.

You should also include a full audit of the data governments in your security metrics that you currently have in place. What are those measures? Are they effective? Have they been tested? And you need a comprehensive list of all the potential threats, both internal and external. And finally, you should be reviewing your business continuity plan to make sure that it actually meets your resiliency and your recovery requirements. It should be able to clearly explain what happens if a server or a cloud instance goes down, or what happens if an entire rack or availabilities on the cloud goes down. How would an entire data center or region? Each one of these have separate responses that you need to be prepared for whenever you are enacting your plan.

When it does come time to develop a plan, there's a couple of different aspects that we'll want to look at. First off, there's several keys that most customers will have even though these plans will vary by organization. First off, do you have secure network access solutions? Whether we're talking about next generation firewalls or intrusion prevention systems, secure VPNs. Do you have your network properly segmented? Do you have the ability to prevent DDoS attacks? Do you have strict governance measures in place to ensure proper access to your data sets? A very tight ID and access control system, implementing the principle of least privilege access, where you only give people the exact amount of access that they need and not anything above and beyond that.

Do you have good data classification standards that allow you to use policies to enforce the access and distribution of your data? Are you consistently modern treating your workloads that use? There's some cool new trends in this arena for behavioral analytics that can detect anomalies inside of your workforce to determine that if an actor is acting with some malice or some ill intent. Is there an immutable audit log so you know what's been accessed and by who, which can also act as a deterrent to bad behavior. And finally for your backup and recovery plan, do you have a good understanding of what your recovery point objectives and your recovery time objectives are? Do you understand application priorities and interdependencies? Do you have good air gapped backup systems that help protect against ransomware?

And one high level way that we like to talk about this is in terms of a maturity model. And a maturity model is really something that we developed together with our clients based off of their individual needs, but we can take each aspect of security and data protection and break them into their separate subcategories, and then start defining exactly where a customer is on the immaturity continuum, and the importance of moving to the next step and the priority for each of those steps.

So, as an example, if we're talking about data classification, level one means I don't have any idea of what I have, what it belongs to, whether or not it has any personal identifiable information in there. Where level two, maybe role, I'm classifying and I know that certain systems handle Social Security numbers, so anything in that system I'm going to go ahead and classify it as personally identifiable. Whereas level three means, you know what? I don't have to rely on, I'm just knowing where it may be, but I actually have a system that can automatically detect Social Security numbers or credit cards in my system and tag those records and tokenize them and place them outside into an external encrypted repository. And level four, could be doing that same thing, but also adding an extra layer of automatically preventing it from leaving a corporate firewall, if it has the appropriate tags on it.

And just some basic examples of data protection levels that could go along the concept of a security model of a maturity model would be for security. You have little to no classification of your data. You don't really have good identity and access controls, or everybody just gets administrative access. You have very limited monitoring and auditing capabilities. In terms of backup, you're not regularly conducting backups. You don't really have a plan for disaster recovery or data restoration if an event occurs. Whereas level two, you're becoming a little bit more mature. You've actually started to be able to manually classify and secure some of your most critical data systems. You now have some basic audit logs for when people are accessing the system or are accessing the network. In terms of backup and recovery, you have your RTOs and RPOs defined for your most critical systems. You're starting to back those up regularly, although you may not have a firm plan in place for being able to do the restoration of those backups.

In model three, you have followed best practices when it comes to security and governance. So you now have the principles of least privilege access implemented. You have tight authorization and access systems available to you. You're automatically able to detect, analyze and defend from any type of unusual network acts. So, in terms of backups they're now fully automated, you no longer whenever workload spins up have to worry about manually installing agents to be able to take care of backing it up. You have a verifiable plan and for your organization's resiliency whenever it comes to dealing with failures and the outages. And then I think that panacea in terms of... since I'm a storage person, is actually being able to take the data that you're backing up, and mining it for new and additional insights and opportunities that you can get out of it.

I would like to talk about partnering with Redapt. So, when you partner with us we really take a hands on approach with the vast majority of our customer is to help them do the initial audit development charity models, and develop action plans to make sure that their data is always properly governed, secured, backed up and accessible. We have extensive experience with developing security and availability strategies with customers based on those individual needs. Our experience started in the data center, but now spans from the edge through the fog into the cloud, we highly believe in automation to help reduce human error. We can even go into rearchitecting the applications to adapt to cloud or hybrid cloud deployments. Understanding cloud ER and setting strategies for a web application is very different than if you're dealing with an application that you're dealing with on premises.

But a lot of new scenarios are developing where you may have on premises applications, where you can fail over the web tiers and the application tiers to the cloud, while keeping your database tier secured inside of a colocation facility that still meets all of your regulatory requirements. One customer that I think that is a good example of business that we have publicly facing is a customer called Avanti Markets. For those of you not familiar them, if you've ever been in an office building where they have the ability to go up inside of a little kiosk that has all the different snacks you could possibly want, take the snacks, self-service yourself, scan them, pay for it with your credit card or with an application, and go back to work.

We helped this company go in and actually create their application and all the loyalty programs around it, but in doing so, they have over 5,000 different remote terminals, and we helped them deal with the security challenges with those remote terminals, as well as all of the compliance requirements that are necessary in order to handle credit card transactions. We'll see more case studies about this on our website. I please encourage you to visit those and take a look. And finally, for today, please reach out to us if you need help evaluating your data protection systems, or coming up with a plan to best use those best practices, or if you need help implementing your plan and selecting the right tool sets and implementing those tools for you. That being said, I would like to go ahead and open it up for any questions.

Hey Matt, a question just came in, with working from home, are you seeing any trends in how organizations are dealing with locally store, like clients stored files?

Yeah, absolutely. So, one of the larger trends is to try to have remote employees not store files locally. So, I would say the version of local files is going to be the number one strategy. So, having a comprehensive system that allows you to be able to store files, whether it be in a cloud resource, or through a company SharePoint site is the number one trend that I see there.

But also for a lot of applications we've helped customers lock down their endpoint systems. For instance, with mobile phones, we a lot of times have or email applications on there, and if you lose your phone that would expose the company to risk, so we have a lot of strategies to help companies with dealing with remote wiping of phones in case their systems are compromised or lost.

And then another one here, just in regards to ransomware or some of the solutions that we're proposing, are they good defense against that?

Yeah, absolutely. And then there's several ways to handle ransomware, whether it be locally through basic snapshots, a lot of attacks have become more mature than that though, as they sit on the network for a very long time. So, what we're finding most effective now is creating air gapped backup systems that are completely removed from a customer standard network, so even if their network is compromised for a long time, still having irrigate backups will prevent the ransomware attack or not prevent the attack but help you recover from the attack.

Okay. Great. I don't see any other questions coming in, so I think it's... Wait, there's another chat here. No, I think there's no other questions, so I think we'll shut it down. And thanks everyone for attending. I really appreciate it. And if you have individual needs, please reach out to Redapt and we'll connect you with Matt Francis and his team of subject matter experts. Thank you very much.