Commvault Stance on Heartbleed

Posted 04/25/2014 by Commvault

Phil Curran, former director of worldwide product marketing, infrastructure and operations, and Mark Bentkower, senior systems engineer for enterprise in Commvault APAC, discuss the Heartbleed bug in a Q&A format. While the Heartbleed bug does not affect Commvault’s Simpana solutions, the impact on the business community might still be significant.

In corporate IT, data security is a daily conversation. The threats are myriad and they are ongoing. And it isn’t just the threat of hacking. The Snowden case showed that even the best technical security controls leave IT at high risk if the policies and procedures on the process and human side are not in place.

But every so often, the conversation happening daily in corporate IT spills out into the mainstream media and causes a sensation. The Heartbleed bug is the latest of these technical bombshells that we can put on the all-star list along with ILOVEYOU, Conficker, Melissa, Code Red and many more. Of course, those were worms and viruses, whereas Heartbleed is a straightforward bug. Yet this defect could be more damaging than any of those deliberately malicious attacks were. While Simpana solutions are not affected by the Heartbleed bug, we feel for companies dealing with the aftermath of this major security issue that is continuing to wreak havoc on corporate IT departments.

This is a very serious security hole in OpenSSL, which has been one of the foundational elements of the Internet for a very long time. A lot of ink has already been spilled trying to describe exactly what the defect is. In short, OpenSSL's implementation of the TLS heartbeat extension trusted a length field supplied by the peer, so a client could ask a server to send back far more of its memory than the request actually contained. An allegorical cartoon does the best job of translating what’s going on. And now we are starting to see news of the first victims of this defect come to light, and a few early hackers are being caught. But truly, this may simply be the tip of the iceberg.
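The defect itself, as an added illustration that is not from the original post and not OpenSSL's own source: a simplified C model of OpenSSL's heartbeat handler, run once without a length check (the pre-1.0.1g logic) and once with the two checks that 1.0.1g added. The record layout (type, 16-bit length, payload, 16 bytes of padding) and the checks follow the real code; the memory arena, the SECRET string and the function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
/* Room for a record plus the worst-case 65535-byte over-read (constructed). */
#define ARENA_SIZE       (1 + 2 + 65535 + HB_PADDING + 512)

/* Simplified model of an SSL3 record: where its bytes sit in memory and how
 * many bytes the peer actually sent. */
struct tls_record {
    const unsigned char *data;
    size_t length;
};

/* Read a 16-bit big-endian length, as OpenSSL's n2s macro does. */
static unsigned int n2s(const unsigned char *p)
{
    return ((unsigned int)p[0] << 8) | p[1];
}

/* Model of tls1_process_heartbeat. With bounds_check == 0 it follows the
 * pre-1.0.1g logic: the peer-supplied payload length is trusted and memcpy
 * copies that many bytes from the record, however short the record really
 * was. With bounds_check == 1 it adds the checks introduced in 1.0.1g.
 * Returns the response length, or -1 if the request was discarded. */
static int process_heartbeat(const struct tls_record *rec, int bounds_check,
                             unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char *bp = out;
    unsigned int hbtype, payload;
    size_t resp_len;

    /* 1.0.1g: a record too short for type + length + padding is dropped. */
    if (bounds_check && 1 + 2 + HB_PADDING > rec->length)
        return -1;

    hbtype = *p++;
    payload = n2s(p);
    p += 2;

    /* 1.0.1g: the declared payload must fit inside what was received. */
    if (bounds_check && 1 + 2 + payload + HB_PADDING > rec->length)
        return -1;
    if (hbtype != TLS1_HB_REQUEST)
        return -1;

    resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);              /* the over-read when payload is a lie */
    memset(bp + payload, 0, HB_PADDING); /* the real code fills random padding */
    return (int)resp_len;
}

/* Byte-string search; memmem is not portable. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed data that happens to sit in process memory after the record. */
static const char SECRET[] = "session-cookie=constructed-example-secret";

/* Send a heartbeat that claims 65535 bytes of payload but carries one byte.
 * Returns 1 if the response leaked SECRET, 0 if not, -1 if it was rejected. */
int heartbleed_scenario(int bounds_check)
{
    unsigned char *arena = calloc(ARENA_SIZE, 1);
    unsigned char *resp = malloc(ARENA_SIZE);
    struct tls_record rec;
    int n, leaked;

    arena[0] = TLS1_HB_REQUEST;
    arena[1] = 0xff;                       /* claimed payload length 0xFFFF */
    arena[2] = 0xff;
    arena[3] = 'A';                        /* the single real payload byte */
    rec.data = arena;                      /* arena[4..19] is the zero padding */
    rec.length = 1 + 2 + 1 + HB_PADDING;   /* 20 bytes were actually received */
    memcpy(arena + 256, SECRET, sizeof SECRET);

    n = process_heartbeat(&rec, bounds_check, resp, ARENA_SIZE);
    leaked = (n < 0) ? -1 : contains(resp, (size_t)n, SECRET);
    free(resp);
    free(arena);
    return leaked;
}

/* A well-formed one-byte heartbeat must still be answered after the fix. */
int benign_response_len(void)
{
    unsigned char bytes[1 + 2 + 1 + HB_PADDING] = { TLS1_HB_REQUEST, 0, 1, 'A' };
    unsigned char resp[64];
    struct tls_record rec = { bytes, sizeof bytes };
    return process_heartbeat(&rec, 1, resp, sizeof resp);
}

int main(void)
{
    printf("unpatched: leaked=%d\n", heartbleed_scenario(0));
    printf("patched:   result=%d\n", heartbleed_scenario(1));
    printf("benign request after patch: %d bytes\n", benign_response_len());
    return 0;
}
```

The unpatched path copies 65535 bytes starting three bytes into a 20-byte record, so whatever follows the record in memory (here the constructed cookie, in practice keys, session data or other users' requests) ends up in the response. The patched path discards the request because 1 + 2 + 65535 + 16 exceeds the 20 bytes received, while a benign one-byte heartbeat still gets its 20-byte reply.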

For additional perspective, we caught up on email with Mark Bentkower, senior systems engineer for enterprise, based in Sydney out of our Commvault APAC group. Mark has fielded many technical questions about Heartbleed so we decided to share below excerpts of our discussion to provide more insight on Heartbleed’s impact and Commvault’s position on it. The goal is to give you new ideas on approaching a holistic security strategy for your data:

Phil Curran: So how does Heartbleed work?

Mark Bentkower: Hackers use what’s called a 'man-in-the-middle' attack. They are spying on the data that people send back and forth across the Internet. There is no way to know if you have personally been affected or not. A smart hacker would collect your info and wait for a long time before using it without people knowing about it.

PC: Is there a remedy for this?

MB: For right now, we have to wait for the various banks, merchants and other entities to patch their SSL engines. It’s an easy and available fix. It is just a matter of them doing it. The problem now is: when do you change all of your passwords? If you do it before the fixes are all in, then you’re just giving your new password to the hackers again. So how long should you wait? Nobody knows for sure.

PC: In the meantime, there are some nifty tools starting to float around out there, such as Chromebleed and Netcraft, to give you a warning for websites you visit that have not yet addressed Heartbleed. These could be useful indicators. But tread with caution; there have been a couple of examples of companies who have released patches only to realize a few days later they didn’t quite get the job done.

MB: That’s right. Another way to combat this problem is to use a different password for every account you have. This way, if a hacker manages to steal a password, or two or five, they can’t use it everywhere that you have a login. I suggest using KeePass or a similar kind of product as a password safe that you can access from multiple devices. I have been using them for several years now.

PC: From an enterprise data management perspective, a best practice is to implement multiple layers of security. I think most CIOs would feel pretty insecure if they realized that their only line of defense was OpenSSL – and that now they have exposed themselves to huge risk. Sadly, I suspect in the coming months, we will most likely hear of a few such cases. The good news is that most customers we work with implement data security on multiple levels.

When it comes to the data under management by Commvault Simpana software, most people are leveraging the wide array of policy-based security and encryption features deeply embedded in the software – as another layer of protection to ensure data is only accessible by those with permission to do so.

MB: This is critical, since there are several use cases where our customers may transmit data in an encrypted format over an SSL layer – most notably our Edge Data Protection and Cloud Data Protection solutions.

PC: Let’s settle the issue once and for all, are Commvault customers affected by Heartbleed?

MB: Commvault’s dev teams have been hard at work assessing the impact of the Heartbleed bug. Simpana solutions are not affected by the Heartbleed bug in any known way.

PC: That’s great to know. I would suggest the Heartbleed exploit is yet another one of those wake-up calls to all of us – CIOs and IT pros in particular – to take another hard look at how we implement security across our organizations. For instance, encryption must work with deduplication, backup and archive together to secure data in flight or at rest across any storage tier. A holistic security strategy must reduce the risk of a single point of failure, while doing the job of keeping data and information secure - whether it's on-premises, at the edge or in the cloud.
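A check to go with the remedy discussion above, as an added example that is not from the original post: classify the banner printed by `openssl version` against the releases that shipped with the heartbeat bug (1.0.1 through 1.0.1f, and 1.0.2-beta1; 0.9.8 and 1.0.0 never had the heartbeat code). The function name and the sample banners are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify the banner printed by `openssl version`. Returns 1 if the release
 * is one that shipped with the heartbeat bug (1.0.1 through 1.0.1f, or
 * 1.0.2-beta1), 0 if it did not, -1 if the banner cannot be parsed.
 * Caveat: a vendor that backported the fix without bumping the version
 * (common for distribution packages) still reports an "affected" banner here;
 * for those, the package changelog is the authority, not this string. */
int heartbleed_banner_affected(const char *banner)
{
    int major, minor, patch;
    char suffix[32] = "";
    int n = sscanf(banner, "OpenSSL %d.%d.%d%31s", &major, &minor, &patch, suffix);
    if (n < 3)
        return -1;

    /* The field after the number is the release letter ("e", "g-fips") or,
     * when the release has none, the first token of the build date ("14"). */
    char letter = (n == 4 && islower((unsigned char)suffix[0])) ? suffix[0] : 0;

    if (major == 1 && minor == 0 && patch == 1)
        return (letter == 0 || letter <= 'f') ? 1 : 0;    /* fixed in 1.0.1g */
    if (major == 1 && minor == 0 && patch == 2)
        return strncmp(suffix, "-beta1", 6) == 0 ? 1 : 0; /* fixed in 1.0.2-beta2 */
    return 0;                                             /* no heartbeat code */
}

int main(void)
{
    /* Constructed banners in the format `openssl version` prints. */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1 14 Mar 2012",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "LibreSSL 2.0.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i], heartbleed_banner_affected(samples[i]));
    return 0;
}
```

Feed it the real banner with something like `openssl version | ./check`; a result of 1 means the build is from the affected series and needs either an upgrade or confirmation that the vendor backported the fix.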