Backup and security one and the same for CISOs

Interview The separate IT environments of backup and security are merging to become a single operational area for Chief Information Security Officers (CISOs). This is the view put forward by Simon Chappell, the CEO of UK-based Assured Data Protection (ADP), who B&F interviewed about the state of data protection. ADP has been involved in the field since 2016 and has a relationship with Rubrik. In fact it is Rubrik’s largest global partner.

Blocks & Files: With security having an ever stronger influence on data protection and security officers wanting to control, reduce and manage their attack surface, do you think there will be a trend for organizations to reduce their number of backup suppliers and concentrate on ones who have a cybersecurity posture and can help CISOs in their work?

Simon Chappell of backup vendor Assured Data Protection
Simon Chappell

Simon Chappell: For over two decades there has been a division of focus (and budget) between security and data protection. At Assured we are seeing this division change, and the responsibility for data security is increasingly seen as a single risk that needs to be mitigated.

Essentially, there are three ways to stop attackers. You either prevent them from entering in the first place, or you detect and eliminate them if they get through the defenses. But you’ve got to have a robust recovery strategy in place if the first two fail. So it’s becoming more likely that the CISO’s who understand all three are required will opt for service providers who can deliver each layer.

However, I never envisaged having to deal with CISOs when we started out, but these days we can’t get away from them. We seem to be speaking to them all the time. It’s not surprising really, especially when you consider how much pressure they’re under to secure their organizations. So it makes sense they would want to have DR (Disaster Recovery) and backup as part of their remit. Although you must appreciate that DR and security professionals are from different sides of the tracks, we’re still developing a better understanding of each other and how we can work together.

For example, we’ve always dealt with the CTO or other IT professionals, but right now we’re working on a deployment where we’re only dealing with the CISO; it’s been quite a sea change.

Blocks & Files: Going further, do you think a need to have data protection suppliers that can cover all of an organization’s data silos and contribute to a CISO’s concerns could trigger a consolidation in the backup industry?

Simon Chappell: Potentially, yes. As previously mentioned, DR and backup address many of the CISO’s concerns, and they’re looking to work with suppliers that meet all their requirements. From an industry perspective we’re seeing aspects of cybersecurity encroaching onto the DR space and vice versa. As a result, we’re now involved in broader discussions about a more holistic approach to cybersecurity and data protection – and how we fit into that. It’s great to be part of the conversation, but it’s new territory for everyone.

However, it’s given us the chance to refine our proposition to cover all aspects of a customer’s workloads, whether they’re on-prem or in the cloud. But ultimately, I don’t envisage any major consolidation in the data protection world. There’s more likely to be consolidation in the “managed detection and response” sector.

Blocks & Files: How would you advise organizations to protect their data at edge computing sites with limited or no IT staff and, possibly, limited network connectivity bandwidth?

Simon Chappell: The great advantage of a fully managed service is that no IT staff are required, and reporting can be shared with whichever operational team members require it. We increasingly find that network connectivity is less of an issue than it used to be. There seems to be a good correlation between data sizes at edge sites and bandwidth. Assured have some well-rehearsed workarounds where the data sizes and bandwidth available are out of sync.

Blocks & Files: Some suppliers in the data protection industry have suffered data breaches, such as Rubrik via a Fortra zero-day attack, Exagrid in June 2021, and Kaseya in July 2021. How damaging are such attacks and can data protection suppliers absolutely prevent themselves getting attacked?

Simon Chappell: The world is suffering a tsunami of cyber-attacks, and no one is immune to the threat including data protection providers. Continued threats only underline the requirement for strong data security practices, irrespective of whether the data is mission-critical production data or in a development environment.

Blocks & Files: Has Assured Data Protection ever been (a) attacked and (b) had its systems penetrated by hackers? How do you prevent such penetrations of your IT systems?

Simon Chappell: We are acutely aware of the continued threat, and we practice what we preach when it comes to data security.

Blocks & Files: Do you think that ransomware and similar attacks will force a move away from daily backups or half-daily backups towards more continuous data protection so as to reduce the time window in which potential damage can be wreaked?

Simon Chappell: Not necessarily, but risk vectors have changed considerably in the last few years. Businesses need to be more diligent these days because of the persistent threat posed by breaches and ransomware.

Life felt a lot simpler when all you had to do at the end of the day was change a tape. Nowadays it seems that even a daily backup is no longer sufficient and it’s better to have real-time monitoring capabilities in place, especially for mission-critical workloads. The days of staging ad hoc disaster recovery drills are over it would seem.

We haven’t stood still, however, and we’ve responded to this by developing a continuous recovery testing model for our customers using our own proprietary software platform.

Blocks & Files: The Canadian standards institute is adopting an IT standard that says don’t make data copies for new applications. How do you think this applies to backups, which make copies? My thinking is that, if the standard is applied absolutely then all backups of new applications are forbidden – which seems crazy.

Simon Chappell: The way backup software operates is to create a different file or snapshot within the backup environment. This will be encrypted and secure, and ideally should be held in immutable storage. In this sense it isn’t an exact replica of the original file.

Blocks & Files: Oh that’s a clever take. Moving on, HYCU and Asigra are asking third parties to create API-level connectors between SaaS applications and the HYCU and Asigra backup software. What do you think of this? Should Rubrik do the same?

Simon Chappell: Rubrik is ideally positioned to expand SaaS coverage given the focus on the cloud native Rubrik Security Cloud platform. Assured’s customer base is happily served by the existing Rubrik feature set and we don’t currently see any major gaps in protection scope.

Blocks & Files: In five years’ time how will data protection processes have changed and why?

Simon Chappell: The fundamentals won’t change and will probably be very similar to today. I’ve been in this business for over 20 years, and if I’m honest five years doesn’t feel like a long time to me. The DR and backup world may think it’s going to change radically in that time, but I doubt it will change that much.

One thing that will change, though, are customer expectations. They will expect a quick response following an incident, they won’t want to be inconvenienced for long. They will assume that speed and ease of recovery will be standard across their on-prem and cloud installations. As far as they’re concerned, complex and large systems should be recoverable to any chosen point in time in a short time frame. Automation is going to play a huge part in delivering on that expectation, which is something that we’ve invested heavily in to improve our own automation platforms.