Interviews

Reliance on DR plans and cloud could leave exposure

by Mark Rowe

New confidence in cloud and DR (disaster recovery) plans should not lead to complacency, says AJ Thompson, pictured, CCO of the IT firm Northdoor.

Migration to the cloud has grown significantly over the past year or so. Gartner has predicted that world-wide end-user spending on public cloud services will grow 23.1 percent in 2021, to total $332.3 billion, up from $270 billion in 2020.

Much of this has been a result of the pandemic, with companies having to quickly find new ways of working. Cloud computing, which for many had been on the radar but not implemented, was suddenly top of the agenda. The move to the cloud allowed companies to continue working effectively. As a result, there has been a real increase in confidence in cloud computing and more companies are moving business-critical data to the cloud. Whilst companies are realising the benefits of working in a cloud environment, there are several factors that need to be considered, especially around security.

Cloud equals protected data – or does it?

The traditional roadblocks that have delayed migration, such as security and worries over a loss of control of business-critical data, have, on the whole, been overcome. Senior decision makers within businesses have a new-found confidence in handing their sensitive data over to third parties.

An assumption that many of these companies make when migrating data to cloud providers is that all security responsibilities are migrated across too.

There is a certain amount of naivety in this assumption. Cloud providers have T&Cs that very clearly state that the responsibility for security remains in the hands of the customer. Quite often this is missed because the details fall between the gaps within organisations. With several roles involved in the decision making around data (including disaster recovery, data protection, regulation adherence and cyber security including penetration testing), too often the responsibility is not taken internally, and therefore it is an ‘easy’ decision to leave it to the third-party cloud provider.

The increased confidence in IT has to be a good thing for both the industry and businesses. However, this confidence cannot replace the checks and balances that are needed to ensure that data remains secure, no matter where it resides.

Disaster recovery plans

Another area where some complacency has crept into this new era of IT confidence is around disaster recovery (DR) plans. The rise of ransomware attacks over the past couple of years, as criminals take advantage of the pandemic and new ways of working, has seen companies looking for improved ways of protecting themselves in the event of a breach.

Disaster recovery plans have been put in place to allow companies to continue working in the aftermath of an attack. However, as with cloud computing, there tends to be an over-reliance on such plans, and once they are in place companies believe that these will handle any issue.

To ensure business continuity in the event of a disaster taking place, DR plans usually involve data backup, allowing companies to re-start from a recently backed-up date. However, the nature of backups means that they too are vulnerable to cyber-attack. Malware, particularly ransomware, typically works undetected for a period, meaning that it also compromises and damages a company’s backups. With data and backups compromised, a company is suddenly left with nothing and the rest of the DR plan is redundant.

DR plans are a critical element of protecting businesses from cyber-crime but, like cloud computing, cannot be relied upon in isolation.

Increasing cyber resilience with air gaps

As we have seen, companies cannot rely on others to ensure the security of their data, nor should they be completely reliant on DR plans. Potentially, it only takes one breach to allow a criminal access to all data, including any data that is backed up. The connectivity of modern systems has undoubtedly changed the way we work, but it also means that once criminals have gained access to systems they are able to get to vast amounts of data relatively easily.

This is where air gaps play a critical role. Placing data in systems that are completely separated from the rest of the infrastructure means that it is impossible for cyber criminals to get their hands on it, even if they have successfully breached security. This level of cyber resilience means that data is in a fully isolated, highly secure and air-gapped vault. Even if the worst happens and a breach impacts a company and its data backup, criminals are unable to get hold of the data, and advanced workflows and tools will enable companies to recover quickly and securely.

The acceleration in cloud migration over the past couple of years is a real positive for most businesses. Likewise, the fact that many companies now have some form of DR plan and data backup in place is a sensible step in the face of an increasing cyber-security threat. However, businesses need to remain in control of their own security, to own the responsibility for it and ensure that they are implementing solutions that give them the best possible chance of recovery if they are a cyber-crime victim.


© 2024 Professional Security Magazine. All rights reserved.
