Part II: It’s Time To Rethink Your Risk Mitigation Strategy

By Doug Chando

Prevention Is Hard-Ening

This is the second blog in a five-part series on risk mitigation and how Commvault can help.

In our last blog in the Risk Mitigation series, we talked about how old methods and thinking around disaster recovery are really inadequate, or won’t necessarily prepare you for the new and evolving threats to your data – specifically threats like ransomware. In today’s world, we need to think more along the lines of threat mitigation. By doing so, we then will focus on 1) prevention of threats or events, which will ultimately safeguard you from these malicious attacks as much as possible, but equally important,  2) the response to the threat when it does occur – and again, in all likelihood you will be impacted – or at least you should be thinking that way.

In this post, we are going to be considering more on the prevention side of the house. When we look at risk mitigation, you can almost liken prevention as being the roof on a house that shelters you from unwanted weather. And in order to have a roof, you need a solid supporting structure. One of the supporting structures for prevention is the “hardening” of the systems that you will rely on in the event of a disaster or attack – typically your backup and recovery systems.

Imagine if the very systems that you rely on in a recovery situation were compromised; you would for all intents and purposes be out of commission. So how do you effectively harden, or fortify your backup environment, and what components should be considered as needing hardening?

Well, let’s consider four areas that we consider critical to “hardening,” as well as questions you might ask yourself about your current data management and data protection systems to see if you are adequately fortified:

  1. System control hardening: Does your data management system(s) have built-in controls that enable hardened security models (e.g., strengthened authentication, granular and role-based security?)
  2. Site(s) hardening: Can your systems be configured in a way to minimize and contain the spread of a malicious attack at a site or location level?
  3. Storage layer hardening: Can you lock down your secondary storage systems and identify when something outside of your data protection services is attempting to access and potentially write foreign data? Can you use AI and MI to enhance this?
  4. Network Hardening: Can your data management solution provide you with encryption schemes that secure your data, as well as the ability to create air gaps, so that unwanted access to the systems are prevented?

If you answered “no,” or even “maybe,” to any of these questions, then you could be leaving your backup and recovery systems dangerously exposed. And as we spoke about earlier, if they are exposed – even just one of the elements – it could mean the difference in recovering, or not recovering, from a system-wide event. 

Although it might seem it, this isn’t a message of doom and gloom. It certainly is not intended to keep you up at night – in reality, it’s a message of hope! How is that? Well, all of the questions that we just considered around system hardening are all things that Commvault has already built into our platform. We understand the increasing value of data, and we also understand the various threats to it, which is exactly why these needed layers of control and protection were developed.

The interesting part is that most of the controls have been available within Commvault for years! In an environment where most people are growing increasingly concerned with risks and the downtime associated with them, Commvault customers have reported a 62 percent reduction in downtime as compared to their previous solution(s). This is no doubt due to our customers having a safe and modern data protection solution that is properly designed for today’s changing and evolving threats.

Next in the series we will be covering the extremely important area of “monitoring and alerting,’ and how they make up another necessary structural component of prevention in a risk mitigation strategy.