Could your backup system achieve Sheltered Harbor certification?

Start listening

Sheltered Harbor is a non-profit organization dedicated to making sure financial organizations are able to recover after a cyber attack. Even if you’re not a financial institution, there is a lot to learn hear. They’ve done a lot of work to make this standard practical in the real world. If nothing else, you can review what they ask orgs to do and see if you can apply it to your own environment. We once again have Eric Bursley to guide us through the topic. Even Mr. Backup learned something!


Hi folks. This week, I learned something new. We talk about sheltered Harbor certification, which is a framework for financial institutions to make sure that they can recover after a cyber attack. I think there’s a lot to learn for all of us, not just financial institutions. Hope you enjoy the episode. Hi, and welcome to Backup Central’s Restore It all podcast. I’m your host, w Curtis Preston, AKA Mr. Backup. And I have with me my dust collector consultant Prasanna Malaiyandi how’s it going?

[00:00:52] Prasanna Malaiyandi: am good, Curtis. I do have to let you know I have a pretty bad allergy to dust, so I may not be the right


[00:01:01] W. Curtis Preston: , that makes you the perfect, but, but, but, but I have to say, you’re not doing a very good job because I keep buying and buying the wrong, like I gotta connect this to that. And the thing with the thing cuz

[00:01:12] Prasanna Malaiyandi: know, you.

[00:01:13] W. Curtis Preston: you

[00:01:13] Prasanna Malaiyandi: You know what you really need to do. So for the listeners, this is Curtis is, has his wood shop up and running. He has a bunch of tools which produce a lot of dust, and therefore he’s trying to build like a dust collection system to spare me from dying. So, um, one of the things though is like each one has a different size adapter.

Some are one and a half inches, some are two inches

[00:01:36] W. Curtis Preston: One and

[00:01:37] Prasanna Malaiyandi: and some,

[00:01:38] W. Curtis Preston: two and a half, four. Uh, and, and then non-standard sizes. There’s also non-standard sizes. Yeah.

[00:01:45] Prasanna Malaiyandi: Yeah. So what you need to do, Curtis, and I think this will help you a lot, is you need to draw a picture on a piece of paper with your various equipment pieces with the size of those, so then you can figure out what you need and what you have

[00:01:58] W. Curtis Preston: Yeah. The, you know, what’s that

[00:02:02] Prasanna Malaiyandi: planning?

[00:02:03] W. Curtis Preston: Yeah. Well, it’s not just that, like I recently found out that D DeWalt makes. on purpose makes non-standard sized dust ports on some of their machines because they sell a dust collection system. And so they’re like, well, it works with the DeWalt dust collection system, right?

Which I don’t even see for sale anywhere. I’m sure it is for sale somewhere, but so like half of my tools have standard size ports, although they’re not all the same size. And then some of my tools like the table, and the, the sander has a total non-standard, uh, port. Um, and so this is what is, is apparently this is a problem being solved by 3D printers and Etsy

[00:02:53] Prasanna Malaiyandi: yep. Oh, I could totally see.

[00:02:55] W. Curtis Preston: Yeah. Yeah. It’s a little cottage industry of people selling, you know, the thing to the thing. Um,

[00:03:01] Prasanna Malaiyandi: You should get into this business, Curtis. I bet you can get a 3D scanner, right? 3D scan? No, no, no. First you need a 3D scanner so you can scan the dust port collectors, right? That you have already, and then you use that to build the adapters.

[00:03:19] W. Curtis Preston: you know, what I do is I go down to Lowe’s and, and, you know, use a caliper. , can’t you just use a caliper? Right. Um, I think I could make it happen, but yeah. Uh, this is a thing. Um, but, uh, yeah, so these are the problems that I have with my expensive, my new expensive hobby. Um, but so, you know, our, our guest that, uh, we’re having on, he’s a, he’s a repeat guest and last time.

we were talk, you know, we had him on the podcast. He threw out this phrase, and, you know, we were immediately like, what, what is, what is that? What is that thing? And so we decided to have him back, uh, just to talk about that. We’ll talk about that in a minute. He’s been in the industry for over 30 years, um, and, um, he is now the enterprise architect at Presidio Network Solutions.

Welcome to the podcast, Eric Bursley.

[00:04:21] Eric Bursley: All right, Thank you Curtis, and thank you Prasanna.

[00:04:24] W. Curtis Preston: So

[00:04:25] Prasanna Malaiyandi: Glad to have you back

[00:04:27] W. Curtis Preston: Yeah. So this little phrase that you threw out was this Sheltered Harbor certification, which, you know, I think, I think you threw a little shade at me saying that, you know, you were a little surprised that, uh, Mr. Backup didn’t know about this, backup centric, uh, thing. Uh, so why, why don’t we back up a little bit and.

Sort of set the stage in terms of what, you know, I always want to know how, you know, how did we get here? Um, so first off, maybe let’s do what real quick, like a, you know, a 20-second overview of what Sheltered Harbor certification is.

[00:05:04] Eric Bursley: So Sheltered Harbor Certification is a, first of all, sheltered Harbor is a nonprofit organization. It is an independent organization that provides. Um, a financial institution with an assurance that they can provide back to their users, their customers, that their data is resilient against a ransomware attack. So, um, with that, it it, it’s supposed to, um, provide them with more confidence that if something happens to my bank through a ransomware attack, What data I had available to me yesterday will be available to me once they recover, typically within 24 hours.

[00:05:54] Prasanna Malaiyandi: and. Because it’s Sheltered Harbor certification. I’m guessing, do they actually own the data and the processes and everything else, or are they just sort of like NIST or some of these other organizations where they’re like, Hey, here are the standards. Here’s like the best practices. Here are the things you should be following in order to be able to do.

It’s kind of like how, if you’re doing credit card transaction, right, you have to do like P C I certification, right? In order to be able to handle credit cards. Is that kind of how this.

[00:06:22] Eric Bursley: So yeah, Shelton Harbor is more of a framework , um, in place, they make some recommendations, um, that if followed, um, you can apply for certification. And if you follow their framework, um, strictly, they would be able to provide you with that certification saying that, yes, you are good. Um, and that, um, you can, uh, put our name on your website that your data is gonna be safe. Um, so what is the.

[00:06:55] Prasanna Malaiyandi: And that is, when you say that you can get that certification, is that a customer, like a bank in your example, or is that like a vendor who provides the service?

[00:07:05] Eric Bursley: It’s typically the, the bank gets the certification, the bank is applying for the certification. Um, now in order to achieve that certification, the bank has to have certain things already in place. Um, the first of which is a data vault. For their backup data. Um, so, you know, following the traditional 3 21 rule, um, that offsite copy would be an immutable copy that is operationally air gapped, um, and also scanned for any vulnerabilities so that you would be able to determine a specific point in which you are clean.

To restore, um, into an integrated recovery environment or an i r e. Um, so it, it’s a set of processes. It’s not just, I have tape which tape is traditionally immutable, um, but I am also actively scanning my data vault that is immutable so that I know which restore points I can restore.

[00:08:19] W. Curtis Preston: So, uh, yeah, so, so a lot of questions that come up there. So the first would be, what is it about banks? that make them want to be to, to, to achieve a certification like this. What you know, why isn’t this just for everybody?

[00:08:40] Eric Bursley: Well, the, the process. Could be applied for everybody. Um, but sheltered Harbor is focusing on the financial industry in particular. Um, mostly because if we don’t have access to our money, we can’t do anything. Um, so that was their primary target around this. But the process that they have, it’s solid for all in. and, and Presidio recommends this for all industries as well. Um, and, and one of my feature workshops I talk about, um, data immutability. And that that, uh, third copy of your data, that offsite copy should be in a separate authentication domain so that it is protected against any sort of credential compromise. It’s immutable, but it Shelter Harbor adds onto that and says it’s also verifiable that you know when to restore and how are you going to restore into a a disaster recovery environment.

[00:09:46] Prasanna Malaiyandi: Interesting. So, yeah, like Curtis said, I have a ton of questions just like popping up in my head right now. Um, you talked about, one aspect that I wanna go back to is like that operational air gap. Right. And sort of how do they define that? Because I know I’ve heard about, okay, strict air gap where it’s like physical isolation completely.

Sometimes we talk about virtual air gaps. Is operational air gap different in some way or has some unique characteristics?

[00:10:15] Eric Bursley: So one of the unique characteristics is that it’s typically firewalled. From the production environment, um, typically through some natted firewall that allows from the protected environment outbound to pull the data back into the environment. So it’s not a, it’s never a push, uh, environment from production into the backup because that has a potential for compromise.

But if it’s a pull. In the environment, that is schedulable. No firewall ports need to be opened up at any time from production in, because it’s an outbound connection and it’s able to log in to the production environment and through that process, pull in a specific restore point, scanning it in the process for known vulnerabilities, and then continually scanning it in the future for future vulnerabilities.

[00:11:12] Prasanna Malaiyandi: Gotcha. And when you talk about the pull mechanism, that totally makes sense. When it lands in the vault, is it sort of in an isolated spot? Like, I’m just wondering in my head like it’s kind of like you wanna make sure whatever’s in the vault is sort of. valid has been verified that there are no compromises in it and you can’t necessarily trust the production not to have any, because you don’t know what the state is there.

And so I guess when you’re transferring the data, are you sort of transferring it into an isolated bucket inside of the vault that then gets scanned and verified before it’s sort of marked as verified, and valid. So nothing bad can happen of that.

[00:11:51] Eric Bursley: So it is a continual process. The initial pull is scanned, uh, against the current known vulnerabilities using machine learning, ar artificial intelligence, but then future restore points are also scanned at those points. , but it’s also scanned during a recovery operation, which it, it’s critical to have that integrated recovery environment that’s separate from production. Okay. Um, and through that integrated recovery environment, again, it’s network isolated from production, you can actually determine a safe point. to bring things back up. You may be able to have, um, a, a particular application server restored two point B, but then pull clean data in from production to bring it more current.

So it, it just provides you that specific point that you can be assured that you are.

[00:12:51] W. Curtis Preston: Yeah. You know, th this brings up a, a topic that I’ve been looking at a lot lately, which is I, if. We’re going to, um, cuz it’s one thing. I don’t know, there’s a lot of things going on in my head. All right. So, uh, you know, I, I, I hear you talking about pre-scan and post-scan and that all sounds great. Um, I’m gonna throw out a little shade and say if the pre-scan at the backup finds the ransomware, why didn?

Like some regular virus scanning tool. Find it already. I don’t, I, I don’t, I don’t know why that, why one would work and the other would not work. Um, but I’m not saying it’s not a good idea to do it. I’m just, it’s just, that popped up in my head.

[00:13:38] Eric Bursley: Well, that that speaks to the maturity model of the organization’s security infrastructure. Some organizations don’t have a SEIM in place. They don’t have a current, um, Antivirus that it includes, um, artificial or AI ml into those technologies. So based on the NIST framework, they’re not preventing the infection from coming in, and it’s up to the recovery process of the NIST framework to bring you back.

Preferably, it is a multi-faced approach like NIST calls.

[00:14:18] W. Curtis Preston: Yeah, it is just that, you know, as big of a fan as I am, a backup, if you’re relying on your backup system to let you know you got a virus or malware of any kind, uh, I don’t know what to tell you anyway. I, yeah, but I’m not saying that that doesn’t happen. I’m just saying I’m not sure I agree with that plan.

Um, There’s been a thought that I’ve been thinking a lot about lately and, and, and it comes from the fact that we know, based on the stuff that’s been published, that the average dwell time or the mean dwell time of malware is well over 60 days. So if, if, if the malware has been in your environment for, for a long time, and, and maybe it hasn’t deployed, maybe it hasn’t done anything, maybe it hasn’t, um, um, you know, encrypted any data, and then it doesn’t generally wreak havoc until it starts encrypting data.

Um, and, but you, meanwhile you’ve probably created weeks and weeks and weeks of backups of the machine with the malware still on it, which you didn’t notice, right. You can scan all you want. Some of this stuff isn’t noticeable or, or you know, it’s easy once you find it, right. Once you find it, you get the signature and then you can um, right, you can then you can scan for that specific signature.

But a general scan doesn’t necessarily pick it up. So then my question is, well, what does the organization do? And you know, what would be my recommendation? Um, you know, and of course then they’re, they’re free to do whatever they want. I know some people have talked about, well, I need to restore from before I even got infected. That is an option. But to me that if, if the dwell time is 60 days, or, or it could be, it could be as much as 120 days from what I’ve seen, um, that doesn’t seem like a viable option to me. To start from a greenfield, restore the, the VM image from 121 days ago, and then somehow bring it, right? Because, um, it just, it gets, and you, and then you look at the, um, the complications involved with, um, all of the, um, different ways in which we.

OSS and non oss, you know, things like containers, um, and applications, and we have VMs and we have physical servers and on-premise VMs on, uh, cloud-based VMs. This is just like deciding that, making that decision. Um, it just seems really, uh, a difficult one that I think environments have to decide. I know there was, there was no question anywhere in that

[00:17:21] Prasanna Malaiyandi: I was waiting. I was like, should I tell Curtis he’s on a rant?

[00:17:24] Eric Bursley: Right. So

that, that’s essentially where a partner like Presidio can come in. We can help advise, um, specifically leveraging a tool that, um, I help produce called our ransomware workshop. It is a free offering that we offer our clients, two and a half hours of discussion with one of our cybersecurity analysts, a data center analyst, which focuses on primary storage and backup recovery.

And working with a C level as well as the engineers at a specific customer identify potential problems such as you don’t have a SEIM in place, you don’t have a current antivirus solution in place such as CrowdStrike or cyber reason. Um, you don’t have a, a good initial protection of that. And then, , you know, from a backup recovery standpoint, what are you using?

How are you backing up your data? Are you following the 3 21 rule? Do you have an operationally air gap vault for that offsite copy? Those are the questions that we bring up, and then we can help address some of those problems over time, whether it’s a financial customer or not. Okay. This. Offered to everybody.

Um, and then once we understand the direction you need to go with that vision, um, that we provide, um, we can then start chipping away at those questions that you have. Um, and we do that as an diagnostic type of service. So, um, outside of the vendors, we may bring up vendors in the conversation, but we’re trying to solve that business, uh, problem and then aligning.

Those requirements to a technology vendor,

[00:19:19] Prasanna Malaiyandi: I think having that process, that approach totally makes sense. And just going back to Curtis’s rant, quote unquote rant, right? I think honestly, it’s going to depend, right? I don’t think you can say that we will always go back 121 days, or the best option is always to go pick the latest copy, right?

I think it is going to depend on the value of the data, how long it takes to recover the importance of that application, right? All of these things, and I think it’s sort of a recovery. Right. And hopefully you’ve already planned this ahead of time. Right. And you know, okay, this is the importance of this data, but it’s sort of one of those things that at recovery time, you execute your plan in your runbook that you

[00:19:58] W. Curtis Preston: yeah, I think it was a rant because I see a lot of people talking about, Well, we’re just gonna scan, you know, we, we, our, we have backup software that will, you know, we, we can identify the, the hash, we can give the hash to the backup product. It can scan for that, you know, we know where the malware is.

And then we’ll just restore from before the malware hit. And, and I just wanna say, um, to 121 days ago that, that’s what, that’s why I just, it, it, you’re right. It’s not simple. Um,

[00:20:28] Eric Bursley: It’s not

[00:20:29] Prasanna Malaiyandi: and I think Eric had brought it up earlier.

[00:20:32] Eric Bursley: yeah. You don’t necessarily have to restore to 120 days ago. You can restore from the latest copy of just the data that is clean. Okay. Um, not everything on the system is encrypted, so you need to pull the data prior to the full encryption that ransomware is going to. That is a point, then you can start saying, okay, how did it get in looking for the executable in that environment and then removing it or deactivating it.

And it’s critical to look not just for static files, but also um, Shell less, or I should say, um, script, less sort of, um, vulnerabilities because they’re able to actually execute some of these processes in memory without writing anything out to disk.

[00:21:25] Prasanna Malaiyandi: Yeah. I think the other thing is when you’re also doing that recovery, sort of doing it in an isolated fashion, right? Where

maybe you don’t have that network connectivity, right? So they can’t call out to their C N C servers, right? Their command and control servers and get additional information and kickstart things.

[00:21:43] Eric Bursley: E. Exactly. And there are OEMs that offer these types of solutions and, and Presidio can recommend them all. And these are not a limited list of solutions either. Um, but they’re, um, solutions that can become Sheltered Harbor certified when deployed. Um, they’re not in itself guaranteeing Sheltered harbor. You still have to implement them, right?

You still have to create your run. Um, and any sort of automation around it. Um, but they definitely give you a leg up, uh, around achieving that certification.

[00:22:18] Prasanna Malaiyandi: and would you get that certification? , that’s for a point in time. Right. Is there sort of audits done things you have to show, like as your environment changes, as things happen to keep up to date? Or is it sort of a one and done thing?

[00:22:33] Eric Bursley: You do have to get re certified. Um, over time, um, this is because policies do change, recommendations do change. Um, technologies do change, you know, containers, for example. Um, how are you protecting your container workload? It’s. Regardless of what the original intent of immutable containers are, people are persisting data in their containers.

How are you protecting those? The data as well as the ecosystem of your Kubernetes or your Docker, uh, automation system that goes into it. There are strategies around that.

[00:23:11] Prasanna Malaiyandi: I’m gonna take Curtis’s favorite question that he loves to ask in topic, actually, which is, Does Sheltered Harbor Certification talk Anything about SaaS applications?

[00:23:24] Eric Bursley: It is. I would say that it doesn’t necessarily, um, Dictate one way or the other. It does say that you are protecting your data in this fashion. So if you’re using a SaaS uh provider such as Microsoft 365, are you backing it up? And then are you storing that data in a vault? Um, and that you can actually do an operational recovery? You know, same, same thing with They just started implementing backup through their API for Are you protecting that data, storing it in a vault and that becomes that, that, you know, sort of.

Ecosystem that that pattern. So they’re not dictating SaaS, they’re not dictating on-prem, they’re not dictating cloud.

What they are saying is that you have a copy of your data in a vault that is operationally air gapped.

[00:24:30] Prasanna Malaiyandi: Yeah, I was referring also mainly to like SaaS applications. But you covered it, Eric, like Microsoft 365. Because a lot of times Right, people are, Curtis, you and I hear this all the time, it’s like, Hey, Microsoft 365, there’s no need to back it up. Right. And I know that’s one of, uh, Curtis’s big pet peeves.

[00:24:47] Eric Bursley: It, it’s one of mine too. I hear a lot. Um, every one of my customers are not backing up their Microsoft 365 environment. And I advise them that they should. And then I describe the differences between archive, which they do provide any true backup solution, which they don’t provide.

[00:25:09] W. Curtis Preston: So, um, I should probably take notes so that I can keep track. , my questions are coming in various, in various ways, but the one that’s in my head right now. So I know that you have this, this concept of, um, uh, alliance partners and I do see, you know, a couple of companies on there, obviously that I recognize.

There’s only one that says endorsed. Um, and I’m, and it’s Dell. And it says, uh, they, they can help your financial institution expedite sheltered Harbor Data Protective certification with long name the first turnkey data vaulting solution to receive endorsement for meeting all of the requirements of the Sheltered Harbor standard.

That’s interesting. So there wa there there was some sort of process that they went through to satisfy someone at Sheltered Harbor. Enough. that they can say, this solution meets all of the requirements. Um, and, and the, because there are other companies, right, that are on there listed as alliance partners that would be competitors of Dell.

Um, and, and by the way, before we continue a little bit farther, I’m just, I forgot to throw out our disclaimer. Uh, I work for Druva, Prasanna, works for Zoom, and uh, although we’re talking about very, you know, stuff right up our neighborhood, this is an independent podcast and the opinions that here are ours. And, uh, if you wanna join the conversation, please reach out to me at w Curtis Preston.

On Twitter, I’m sorry, WC Preston on Twitter or w Curtis Preston gmail. And, um, you know, and say, Hey, I got stuff to talk about in this neighborhood. Um, and uh, also be sure to rate us, um, just scroll down to the bottom. You’re probably listening on Apple Podcast. Most of you are. Just scroll down to the bottom there.

Click, click five stars. Hey, give us six stars. I’m fine with that. And, uh, give us a comment. We love that. Um, so yeah, so I see that like some companies are, are listed as alliance partners, but only one is listed as endorsed, which surprised me honestly. Uh, organizations like this don’t tend to endorse it, actually uses that word.

Uh, any thoughts on that?

[00:27:29] Eric Bursley: Well, the Dell Cyber Recovery Solution was one of the first to market, um, with their solution. It is a very strong solution that is powered by their Power Protect gated domain product, um, that can provide you with an immutable, um, solution. Um, the cyber recovery vault, leveraging all of Dell’s technology.

Dell PowerEdge, Dell Switch. Um, partnership with Sonic Wall Firewall, um, as well as Avamar or Networker or the Power Protect, uh, data Protection Appliance. Um, it, it’s an all-encompassing solution. So Sheltered Harbor was able to say if implemented via this process, it gives you that leg up, making it super simple to achieve our certification. They were one of the first to market to do that. , um, since, um, that happened, we’ve had this thing called a pandemic that shut down a lot of those processes. Um, and Shelton Harbor couldn’t go through, um, some of the other OEMs, um, that wanted to achieve this certification. Um, And one of those processes, uh, like I said, was the ability to pull the data into the vault rather than pushing it into the vault.

Um, w with that, um, since the pandemic is nearing at its end, um, other products are becoming, um, able to achieve the certification, although they haven’t been fully endorsed by Sheldon.

[00:29:14] W. Curtis Preston: Gotcha. Gotcha. Um,

[00:29:16] Prasanna Malaiyandi: I think that was why in the beginning I was wondering, Eric, around sort of that certification, right? If it was the customer, like the bank, or if it was a vendor who was actually getting the certification, right. Um, I could see that in the case of Dell is like, Hey, we have everything packaged together so it becomes easier for the bank or the customer to just start, deploy and use it.

Right. But that’s why I was wondering like where it actually ends up being.

[00:29:40] Eric Bursley: Right. And yeah, the sheltered harbor is granted by the financial institution that is seeking it. Um, there’s actually a process that they go through. They have to register as a client of Sheed Harbor and based on how much. Money their institution has, they pay to that specific level and then they go through that process to validate that they have the solution in place.

Um, there are definitely other solutions outside of the cyber recovery vault from Dell that can achieve this. It, it’s not just limited to that product.

[00:30:16] W. Curtis Preston: Uh, I, I’m assuming, um, , you know, if somebody want, if a, if a financial organization wanted to join, there would be, there’s some sort of fee that you need to provide to achieve certification, given that there’s gonna be a cost involved with somebody

[00:30:32] Eric Bursley: Right. Yes. The, there is a, uh, stair stepped approach based on the financial holdings that the, uh, financial institution has. Um, and, and that is published on their website.

[00:30:44] Prasanna Malaiyandi: I look at it similar to like when an organization goes through like a SOC two audit, right? It’s kind of like that, right? You’re getting certified that yes, everything’s in place, everything’s good to go with the solutions that you’ve chosen,

[00:30:55] Eric Bursley: Right. E. Exactly. And this actually would help with the insurance organizations as well, because. Many insurance companies are saying you need to have certain things in place in order to get, you know us to pay for

an incident. Right, exactly. To get a rate. If a financial institution goes to an insurance provider and say, Hey, we just received this Sheltered Harbor certification, the insurance company can actually come back and say, you’ve done all these check boxes.

So we’re gonna give you a lower rate, or we’re gonna offer you a policy where if the financial institution didn’t have this, then they would have to go manually check that themselves. So it, it can streamline your insurance process as well.

[00:31:46] W. Curtis Preston: Yeah, it’s it. What do you think it or, or have you heard that it could also assist in lower rates or

[00:31:56] Eric Bursley: That would be up to the insurance company, but I would imagine so because it’s gonna be less likely that you’re unable to recover in a timely fashion. That’s one of the things that the insurance company wants to do is ensure that you get back to operational effectiveness as soon as possible.

Um, get back to business achieving this certification. Can’t assure you that you would be able to be back up and running within 24 hours.

[00:32:27] Prasanna Malaiyandi: It’s like I, like Curtis said at the start of this, right, it was like the first time we had heard about this term, right? In being in the backup space. Right. And I’m wondering like, is it more common? Like, is this a well known certification in like the financial institutions and in the insurance business?

Or is this something new and upcoming that is going to take, um, time to achieve critical mass, but it is like a future standard that everyone’s looking toward.

[00:32:56] Eric Bursley: Say that it’s more of a future standard at this point. I was just talking with a financial customer yesterday. He was unaware of Shelton Harbor. He actually had to go look it up, and then he was extremely intrigued, uh, around the framework that it offers. Um, and we’re gonna have a follow up conversation, um, with him regarding our ransomware workshop that we have so that he can understand the value.

You know, protecting his data more with the data vault, um, and how we would implement that so that he can achieve sheltered harbor. Um, I also gave him a reference of one of my larger financial customers that is currently in the process of getting Sheltered Harbor certification so that he can have a one-on-one conversation with.

[00:33:41] Prasanna Malaiyandi: Nice.

[00:33:42] W. Curtis Preston: Yeah, I, I will say, you know, when I first heard about it, and you know, just the first few words, my first worry, which doesn’t appear to be the case, but my first worry was that this was just, even though it’s a nonprofit, I mean, anybody can start a nonprofit. That it was just a marketing arm, marketing leg, whatever, you know, that, you know, like, like in this case it would, I, I would accuse Dell of it since they were the first one to get endorsed, right.

That Dell went and started this. So that they could give themselves certification. I’m not accusing Dell of anything. I’m just saying I was worried that I would, that that’s what I would find is that I would find a marketing driven organization. And that does not appear to be the case. It appears that it, this is led by the financial industries or the, the financial institutions and the associations, uh, thereof.

Does that, does that sound about.

[00:34:41] Eric Bursley: That would be correct, Curtis.

[00:34:44] W. Curtis Preston: Yeah. Um, and the, the worry of

[00:34:48] Prasanna Malaiyandi: your other worry?

[00:34:49] W. Curtis Preston: well, well, that, that the worry came from the fact that there is this dual certification, right? The certification is for the company, but then there’s also this potential endorsement of the vendors. And, uh, so I was worried that this was just a big ruse for the vendors to have a, to put another badge on their.

but it doesn’t appear to be the case. Um

[00:35:14] Eric Bursley: Yeah. For Dell to come out and say that they were endorsed, it is not, you know, checking the box and say you’re certified if you have it. . You can be certified if you have it, but you also have other processes that you have to implement around your enterprise maturity to ensure that you have this process in place.

Dell gives you a leg up with their solution.

[00:35:39] W. Curtis Preston: Yeah.

[00:35:39] Eric Bursley: but like I was saying, there are other solutions that can do this as well. Now it’s just a matter of time before they also get endorse.

[00:35:47] W. Curtis Preston: Yeah. Actually, the fact that the website is kind of a little behind, sort of backs up the fact that this isn’t a marketing driven thing, , because if this was marketing driven, this would be up to date with all those other companies, right? Um, and they, they, they throw as much money as they need to, to, to get it updated.


[00:36:08] Prasanna Malaiyandi: The

[00:36:08] W. Curtis Preston: Go ahead.

[00:36:09] Prasanna Malaiyandi: the one, the other question I had though is I think this is a great certification. I just feel it’s yet another isolated, separate process rather than thinking holistically and integrating into some other existing framework. Uh, to elaborate a bit, right? This is just focused on backup. Can you recover your data, right?

Rather than sort of encompassing, okay, do you have the appropriate cybersecurity measures in place? And thinking from, let’s start from who or let’s look holistically at your environment. Make sure you’re just not looking at authorization and login in, in that environment, but also across your entire infrastructure.

Right? Do you have the right level, sort of the. things, Curtis, that we’ve talked with Snorkel 42 about, right. It’s do you have like lease privilege set up and do you have those front end cyber monitoring tools to look for malware on production?

[00:37:06] W. Curtis Preston: MFA

[00:37:06] Prasanna Malaiyandi: like just, and mfa, right? It’s just seems like this is just such a small portion of things that can go wrong.

It’s a great effort, no doubt about it, but it just feels a little isolated and siloed really, when people should be thinking. Broadly across their entire organization.

[00:37:23] Eric Bursley: Well, e Exactly. And that’s where Presidio would talk about the NIST framework so that you can, uh, identify, protect, detect, respond, and then recover. In the terms of the NIST framework, this is addressing the recovery operation. Are you able to successfully recover? Um, but I agree with you that they have to have other processes in place and that leads to their enterprise maturity around do they have the right authorization, authentication systems in place?

Are they monitoring? Do they have two factor authentication? Um, do they have geolocation? Turned on in their Azure ad, for example. Um, how are they protecting their users, um, from a user, um, education standpoint? Um, you know, are they using products like no before and other similar products that actually educate users and test users on their functional, um, day-to-day operations that they don’t get a ransomware infection to begin?

[00:38:31] W. Curtis Preston: So I’m gonna not push back or argue with you persona, necessarily with the comment. I, I, I, I agree. And yet, as a backup guy, I’m saying, well, at least somebody’s looking after the backups because so many, so much of the anti. Ransomware and malware efforts is all on the online stuff, and no one’s paying any attention to the backups, which is something that, you know, we talk about a lot on this podcast where we’re saying, Hey, they are coming for your backups, or they’re directly attacking your backup system.

[00:39:07] Prasanna Malaiyandi: It’s a starting point,


[00:39:09] W. Curtis Preston: My, my only thing when I look at, it’s like, well, it would be nice if organizations who weren’t financial organizations could, could get a similar level of attention to their backup environment. Right. Um, and they specifically say, you’re only welcome to join and get certification if you’re a financial institution.

Um, and I’m like, Hey, you know, there. I don’t know, a couple of hundred other industries I can think of that could really benefit from that as well.

[00:39:38] Eric Bursley: There’s nothing stopping the, um, other industries from using the framework that Sheltered Harbor has. It’s just a matter of, you know, getting the certification. Right now, it is just a financial industry. Um, you know, they may extend that out at some point in the future. Um, that would be up.

[00:40:01] W. Curtis Preston: Yeah. And who and who is them, by the way?

[00:40:06] Eric Bursley: Shelter

[00:40:07] W. Curtis Preston: no. I know you meant sheltered harbor. There are people who, where, where do these people work? Are they, are they, do they work for Shelter Harbor? Do they work for banks? And this is like their side gig. What? You know, because

[00:40:22] Eric Bursley: Yeah, I, I don’t get into that, so I don’t

know. Um, I believe that they’re an independent organization outside of the banking industry that’s assisting the banking industry. Um, reading their backstory, they came from the banking industry and financial industry.

[00:40:39] W. Curtis Preston: Oh, uh, this says it’s actually a nonprofit subsidiary of FS Isaac. So that’s the Financial Services information sharing and analysis Center for those of you that don’t live banking world. Um, and devoted to the coordinating the development of the Shelter Harbor Standard. I like that. Um,

[00:41:00] Prasanna Malaiyandi: Is there framework available online, do you know? Or do you have to

[00:41:05] W. Curtis Preston: I’ve been, I’ve been scrolling around. I didn’t see the framework anywhere.

[00:41:09] Eric Bursley: Right. So you have to become one of their clients to get all of the requirements, um, in place. Um, the OEMs have those requirements, um, so that, you know, they can tell you what it is. But when you apply for membership, then you’re going to get the actual certification requirements to go and check the box.

[00:41:34] Prasanna Malaiyandi: See, this is what annoys me though, is that it’s like, this is a great framework. We want everyone to use this. I know they want the financials, but it’s broadly applicable, and yet you have to jump through all these hoops just to even try to get to see the list of, hey, what’s there?

[00:41:51] W. Curtis Preston: yeah. So I’m gonna, I’m gonna have to disagree with what you said earlier, Eric, when you said there’s nothing stopping them from implementing the standard. Uh, yeah, it is. They don’t even, I can’t even find out what the standard is if they can’t join.

[00:42:04] Eric Bursley: on their website they tell you that you need to implement a data vault and that you have to have a resiliency plan in

[00:42:11] W. Curtis Preston: Right.

[00:42:12] Eric Bursley: Um,

[00:42:13] Prasanna Malaiyandi: Or, or I would say that you could work with the company like Presidio, right? Who knows these standards and who’s providing a more holistic thing, right? So it is possible,

[00:42:26] Eric Bursley: Right. It is

[00:42:27] Prasanna Malaiyandi: but it’s not as easy for anyone to be like, Hey, what is there? Right. I think that’s my problem is it shouldn’t be a secret

[00:42:34] W. Curtis Preston: And, and yeah. And I don’t think it’s secret per se. I, I agree with you, Eric. I mean, I’m looking, they have like why Sheltered Harbor? And they, they’ve got a nice little page on the, the different stuff. Um, I don’t know, maybe the, somewhere between where they are and I don’t know. I, I don’t know why they would, I, I think maybe there could be a, these are.

20 things you need to do. I think they’re giving a high level plan. Perhaps they could do a low level plan. Perhaps they could say, Hey, you can’t join, but hey, for a hundred bucks you could have the, whatever, whatever it is we’re missing. Um, but, uh, or maybe we’re not missing that much. I don’t know. , we don’t know what we don’t know.

Um, yeah, but it, I applaud the, I applaud the effort to make backups more resilient, uh, and to, and. also, what I’m seeing here is the resiliency plan. That’s what it’s really about, right? It’s, it’s almost less about what backup product that you use. It is definitely about how you use it, right? Um, but it’s about what, earlier we had this discussion about how are we going to, with the.

Scenarios that you, that you’ve got in terms of infection and encryption and what decisions are you gonna make. That’s what you need to discuss upfront, right? Okay. We’ve got aws, we’ve got VMware, we’ve got physical machines, we’ve got these kind of application servers, we’ve got a file server. Here’s what we need to make the decision upfront, what we’re gonna do with all those various things.

Right? Given there are different.

[00:44:15] Eric Bursley: What Well, exactly, and, and part of their framework, they talk about an incident management plan. You know, do you have an incident response process? Um, and it, it can be as simple as, you know, filling out a ServiceNow ticket and, um, either an automated or a manual process kicks off a, a security. , um, as we call it here, um, which is different than your operational or disaster recovery re restore of your application following that incident response plan.

You know, calling the insurance carrier, Hey, so-and-so was infected. It took down this specific system. We are in the process of recovering it and they know from their incident response plan that they have to have that current system isolated so that it can be investigated for future forensic.

[00:45:09] W. Curtis Preston: Yeah.

[00:45:09] Eric Bursley: um, a proper communications plan.

Who’s talking to who, who’s making decisions? Um, you know, how are you going to get back to normal operations? Because if you fail over to that isolated recovery environment, eventually that’s going to cost you more money than you would like. So how do you bring that back into your production environment, which may be on pre.

and your, uh, i r e, your integrated, uh, recovery environment could be up in aws. Um, are you testing your backups? Something that many of my customers don’t do regularly. Um, I wish they would, but, um, they’re not testing their environment to verify that one, are their backups good? But are they operationally?

um, not just, I have my exchange server or SQL server backed up, but I’m able to bring it back up, test it with your active directory, verify ports are functional, verify that I’m able to send and receive messages, and then shut it down. Is this is a valid restore point. It So having that, um, resiliency plan in place, I think is probably the more important part of having Shelter Harbor certification than just the data.

[00:46:28] Prasanna Malaiyandi: And

[00:46:29] W. Curtis Preston: Yeah.

[00:46:32] Prasanna Malaiyandi: And is a lot of this, I’m guessing, is automated as well, right? Because I can’t imagine doing this sort of verification and recovery processes. In a periodic fashion, like given the scale of some of this data.

[00:46:49] Eric Bursley: Well, some of the products that are offered such as, uh, VMware’s Cloud, disaster Recovery, or Cohesity Fort Knox, or, um, rubrics, um, solution, um, that they call a cloud vault, actually automate that testing for you. They can actually spin up an environment from time to time and validate those solutions in place in their cloud.

Which is isolated, validate the solution and then shut it back down again, not costing you any money. So there are solutions like that. The Dell solution, it, it’s something that you would have to manually spin up. You could probably automate that process. Um, but even products like Veeam that by itself couldn’t achieve this.

They have the solution built in with their data labs. Functionality to automate the testing of backup.

[00:47:48] W. Curtis Preston: Yeah. Yeah, and, and you know, and I would be remiss. If I, if I didn’t say that Druva has a, has a similar capability, um, the, the question, the, um, no, I’m just, it should, this is such a, I, I think the biggest thing is. We need to have this discussion upfront. , right? So many people, they wait until they get that ransomware attack and, and then they have, and then they have the meeting, right?

They’re like, oh yeah, we got, we got good backups, we got it, we got it in the cloud, right? We got a copy in the cloud, or we got, you know, whatever it is that they’re doing, whatever it is that they’re doing. And even if they’ve got a, uh, an air gap copy, if they’re not having this discussion upfront. Of how are we going to do, what, what are we gonna do?

Like, you, you know, you, you talked about Eric quite a bit about like, who’s gonna make, who makes the decision, who talks to whom, who communicates to the, to the stakeholders, all of those things. Um, if you, if you don’t have that plan set in advance, uh, it’s gonna be a, it’s gonna be a really bad day. Um, and you’re gonna have, you know, I, I, I hate to. We won’t use the, we won’t use their name,

[00:49:07] Prasanna Malaiyandi: Who do you wanna pick on? Yeah, who do you wanna pick on today?

[00:49:09] W. Curtis Preston: well, okay. Maybe I’ll throw their name out. Rackspace, right. You look at, you look at what Rackspace did when, when they had their outage. Then they tested their recovery plan and it was three weeks before they got the first. Uh, exchange server up and running and you know, and because they had made the quick, uh, and I’m not even saying whether a decision or wrong or right, but the fact that they had made the decision to go over to Microsoft 365 because exchange was down and then, and then they restored the exchange servers and it took them two to three weeks to get the exchange servers up.

And then it’s like, okay, well how do we get the, the email out of these exchange servers over to 360? Oh, well the only way we can do that now is PSTs it. just felt like the whole thing was shooting from the hip the entire time and this was never planned. Um, if it was planned, uh, not a good plan.

[00:50:11] Prasanna Malaiyandi: Poor planning

[00:50:12] Eric Bursley: Right. Well, I,

[00:50:13] W. Curtis Preston: So yeah, just gotta have that. You just gotta have that decision upfront. Um,

[00:50:17] Eric Bursley: can’t say what their recovery plan was now, but when I worked at Rackspace many years ago, they, they had a plan that was more valid.

[00:50:29] Prasanna Malaiyandi: Mm. Things have changed maybe over time.

[00:50:33] Eric Bursley: yeah, things have changed since I, I left there. I, I was on the sales side of things and I was able to talk about their operational and disaster recovery processes that they had in place because at the time it managed, hosted exchange was one of their main features.

Since then, Microsoft 365 has been stealing their market share. Um, Obviously because of this event, they didn’t have a well-documented process.

[00:51:02] Prasanna Malaiyandi: Yeah.

[00:51:03] Eric Bursley: Um, and my wife was actually affected by that . It was

[00:51:08] Prasanna Malaiyandi: Oh no.

[00:51:09] Eric Bursley: yeah, it was not fun for her company for a couple of weeks.

[00:51:14] Prasanna Malaiyandi: Oof. Well, hopefully they got their emails.

[00:51:21] Eric Bursley: Um, they’re still working on it is my under.

[00:51:26] Prasanna Malaiyandi: Oh man. That is crazy. It’s been like two months almost.

[00:51:30] Eric Bursley: Yeah, there, um, she had to manually type in calendar entries, um, for the majority of her

[00:51:37] Prasanna Malaiyandi: Oh my gosh. Crazy.

[00:51:42] W. Curtis Preston: All right, well, uh, we’re starting to have technical issues, so I need to shut this puppy down, but it sounds like, you know, we, we all agree that this is something that people should do, whether they’re financial institution or not. They should look at these requirements, like definitely the air gap copy and, uh, and, and testing and decision making and planning way upfront specifically for a cyber recovery plan, not a disaster recovery plan, because, you know, it’s a, it’s a very, very different thing. Well, um, I’m sitting here in the blind and so I’m gonna thank Eric for joining us.

[00:52:22] Eric Bursley: All right. Thank you.

[00:52:24] W. Curtis Preston: And thanks for, uh, I don’t know what to say with this technical problems that we’re having today. But thanks for being here.

[00:52:31] Prasanna Malaiyandi: Yeah, I Anytime Curtis, and thanks Eric for teaching me something new that I’d never heard about before. I’m gonna have to go look up Sheltered Harbor

[00:52:38] Eric Bursley: All right. Thank you.

[00:52:40] W. Curtis Preston: And thanks to our listeners, uh, we would be nothing without you and remember to subscribe so that you can restore it all.

Join the discussion

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: