Feb. 27, 2023

Could your backup system achieve Sheltered Harbor certification?


Sheltered Harbor is a non-profit organization dedicated to making sure financial organizations are able to recover after a cyber attack. Even if you're not a financial institution, there is a lot to learn here. They've done a lot of work to make this standard practical in the real world. If nothing else, you can review what they ask orgs to do and see if you can apply it to your own environment. We once again have Eric Bursley to guide us through the topic. Even Mr. Backup learned something!


Transcript
Speaker:

Hi folks.

Speaker:

This week, I learned something new.

Speaker:

We talk about Sheltered Harbor certification, which is a framework for

Speaker:

financial institutions to make sure that they can recover after a cyber attack.

Speaker:

I think there's a lot to learn for all of us, not just financial institutions.

Speaker:

Hope you enjoy the episode.

W. Curtis Preston:

Hi, and welcome to Backup Central's Restore It all podcast.

W. Curtis Preston:

I'm your host, W. Curtis Preston, AKA Mr.

W. Curtis Preston:

Backup.

W. Curtis Preston:

And I have with me my dust collector consultant Prasanna

W. Curtis Preston:

Malaiyandi how's it going?

Prasanna Malaiyandi:

am good, Curtis.

Prasanna Malaiyandi:

I do have to let you know I have a pretty bad allergy to

Prasanna Malaiyandi:

dust, so I may not be the right

Prasanna Malaiyandi:

person.

W. Curtis Preston:

that makes you the perfect, but, but, but, but I have to

W. Curtis Preston:

say, you're not doing a very good job because I keep buying and buying the

W. Curtis Preston:

wrong, like I gotta connect this to that.

W. Curtis Preston:

And the thing with the thing cuz

Prasanna Malaiyandi:

know, you.

W. Curtis Preston:

you

Prasanna Malaiyandi:

You know what you really need to do.

Prasanna Malaiyandi:

So for the listeners, this is Curtis is, has his wood shop up and running.

Prasanna Malaiyandi:

He has a bunch of tools which produce a lot of dust, and therefore he's

Prasanna Malaiyandi:

trying to build like a dust collection system to spare me from dying.

Prasanna Malaiyandi:

So, um, one of the things though is like each one has a different size adapter.

Prasanna Malaiyandi:

Some are one and a half inches, some are two inches

W. Curtis Preston:

One and

Prasanna Malaiyandi:

and some,

W. Curtis Preston:

two and a half, four.

W. Curtis Preston:

Uh, and, and then non-standard sizes.

W. Curtis Preston:

There's also non-standard sizes.

W. Curtis Preston:

Yeah.

Prasanna Malaiyandi:

Yeah.

Prasanna Malaiyandi:

So what you need to do, Curtis, and I think this will help you a lot, is you

Prasanna Malaiyandi:

need to draw a picture on a piece of paper with your various equipment pieces

Prasanna Malaiyandi:

with the size of those, so then you can figure out what you need and what you have

W. Curtis Preston:

Yeah.

W. Curtis Preston:

The, you know, what's that

Prasanna Malaiyandi:

planning?

W. Curtis Preston:

Yeah.

W. Curtis Preston:

Well, it's not just that, like I recently found out that D DeWalt makes.

W. Curtis Preston:

on purpose makes non-standard sized dust ports on some of their machines because

W. Curtis Preston:

they sell a dust collection system.

W. Curtis Preston:

And so they're like, well, it works with the DeWalt dust collection system, right?

W. Curtis Preston:

Which I don't even see for sale anywhere.

W. Curtis Preston:

I'm sure it is for sale somewhere, but so like half of my tools have

W. Curtis Preston:

standard size ports, although they're not all the same size.

W. Curtis Preston:

And then some of my tools like the table, and the, the sander has

W. Curtis Preston:

a total non-standard, uh, port.

W. Curtis Preston:

Um, and so this is what is, is apparently this is a problem being

W. Curtis Preston:

solved by 3D printers and Etsy

Prasanna Malaiyandi:

yep.

Prasanna Malaiyandi:

Oh, I could totally see.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

It's a little cottage industry of people selling, you know, the thing to the thing.

W. Curtis Preston:

Um,

Prasanna Malaiyandi:

You should get into this business, Curtis.

Prasanna Malaiyandi:

I bet you can get a 3D scanner, right?

Prasanna Malaiyandi:

3D scan?

Prasanna Malaiyandi:

No, no, no.

Prasanna Malaiyandi:

First you need a 3D scanner so you can scan the dust port collectors, right?

Prasanna Malaiyandi:

That you have already, and then you use that to build the adapters.

W. Curtis Preston:

you know, what I do is I go down to Lowe's and,

W. Curtis Preston:

and, you know, use a caliper.

W. Curtis Preston:

can't you just use a caliper?

W. Curtis Preston:

Right.

W. Curtis Preston:

Um, I think I could make it happen, but yeah.

W. Curtis Preston:

Uh, this is a thing.

W. Curtis Preston:

Um, but, uh, yeah, so these are the problems that I have with my

W. Curtis Preston:

expensive, my new expensive hobby.

W. Curtis Preston:

Um, but so, you know, our, our guest that, uh, we're having on, he's a,

W. Curtis Preston:

he's a repeat guest and last time.

W. Curtis Preston:

we were talk, you know, we had him on the podcast.

W. Curtis Preston:

He threw out this phrase, and, you know, we were immediately

W. Curtis Preston:

like, what, what is, what is that?

W. Curtis Preston:

What is that thing?

W. Curtis Preston:

And so we decided to have him back, uh, just to talk about that.

W. Curtis Preston:

We'll talk about that in a minute.

W. Curtis Preston:

He's been in the industry for over 30 years, um, and, um, he

W. Curtis Preston:

is now the enterprise architect at Presidio Network Solutions.

W. Curtis Preston:

Welcome to the podcast, Eric Bursley.

Eric Bursley:

All right, Thank you Curtis, and thank you Prasanna.

W. Curtis Preston:

So

Prasanna Malaiyandi:

Glad to have you back

W. Curtis Preston:

Yeah.

W. Curtis Preston:

So this little phrase that you threw out was this Sheltered Harbor

W. Curtis Preston:

certification, which, you know, I think, I think you threw a little

W. Curtis Preston:

shade at me saying that, you know, you were a little surprised that, uh, Mr.

W. Curtis Preston:

Backup didn't know about this, backup centric, uh, thing.

W. Curtis Preston:

Uh, so why, why don't we back up a little bit and.

W. Curtis Preston:

Sort of set the stage in terms of what, you know, I always want to know

W. Curtis Preston:

how, you know, how did we get here?

W. Curtis Preston:

Um, so first off, maybe let's do what real quick, like a, you

W. Curtis Preston:

know, a 20-second overview of what Sheltered Harbor certification is.

Eric Bursley:

So Sheltered Harbor Certification is a,

Eric Bursley:

first of all, Sheltered Harbor is a nonprofit organization.

Eric Bursley:

It is an independent organization that provides.

Eric Bursley:

Um, a financial institution with an assurance that they can provide back

Eric Bursley:

to their users, their customers, that their data is resilient

Eric Bursley:

against a ransomware attack.

Eric Bursley:

So, um, with that, it it, it's supposed to, um, provide them with more confidence

Eric Bursley:

that if something happens to my bank through a ransomware attack, What

Eric Bursley:

data I had available to me yesterday will be available to me once they

Eric Bursley:

recover, typically within 24 hours.

Prasanna Malaiyandi:

and.

Prasanna Malaiyandi:

Because it's Sheltered Harbor certification.

Prasanna Malaiyandi:

I'm guessing, do they actually own the data and the processes and everything

Prasanna Malaiyandi:

else, or are they just sort of like NIST or some of these other organizations where

Prasanna Malaiyandi:

they're like, Hey, here are the standards.

Prasanna Malaiyandi:

Here's like the best practices.

Prasanna Malaiyandi:

Here are the things you should be following in order to be able to do.

Prasanna Malaiyandi:

It's kind of like how, if you're doing credit card transaction, right, you have

Prasanna Malaiyandi:

to do like PCI certification, right?

Prasanna Malaiyandi:

In order to be able to handle credit cards.

Prasanna Malaiyandi:

Is that kind of how this.

Eric Bursley:

So yeah, Sheltered Harbor is more of a framework, um, in

Eric Bursley:

place, they make some recommendations, um, that if followed, um, you

Eric Bursley:

can apply for certification.

Eric Bursley:

And if you follow their framework, um, strictly, they would be able to

Eric Bursley:

provide you with that certification saying that, yes, you are good.

Eric Bursley:

Um, and that, um, you can, uh, put our name on your website

Eric Bursley:

that your data is gonna be safe.

Eric Bursley:

Um, so what is the.

Prasanna Malaiyandi:

And that is, when you say that you can get that

Prasanna Malaiyandi:

certification, is that a customer, like a bank in your example, or is that

Prasanna Malaiyandi:

like a vendor who provides the service?

Eric Bursley:

It's typically the, the bank gets the certification, the bank

Eric Bursley:

is applying for the certification.

Eric Bursley:

Um, now in order to achieve that certification, the bank has to have

Eric Bursley:

certain things already in place.

Eric Bursley:

Um, the first of which is a data vault.

Eric Bursley:

For their backup data.

Eric Bursley:

Um, so, you know, following the traditional 3-2-1 rule, um, that offsite

Eric Bursley:

copy would be an immutable copy that is operationally air gapped, um, and

Eric Bursley:

also scanned for any vulnerabilities so that you would be able to determine a

Eric Bursley:

specific point in which you are clean.

Eric Bursley:

To restore, um, into an integrated recovery environment or an IRE.

Eric Bursley:

Um, so it, it's a set of processes.

Eric Bursley:

It's not just, I have tape which tape is traditionally immutable, um, but

Eric Bursley:

I am also actively scanning my data vault that is immutable so that I know

Eric Bursley:

which restore points I can restore.

W. Curtis Preston:

So, uh, yeah, so, so a lot of questions that come up there.

W. Curtis Preston:

So the first would be, what is it about banks?

W. Curtis Preston:

that make them want to be to, to, to achieve a certification like this.

W. Curtis Preston:

What you know, why isn't this just for everybody?

Eric Bursley:

Well, the, the process.

Eric Bursley:

Could be applied for everybody.

Eric Bursley:

Um, but Sheltered Harbor is focusing on the financial industry in particular.

Eric Bursley:

Um, mostly because if we don't have access to our money, we can't do anything.

Eric Bursley:

Um, so that was their primary target around this.

Eric Bursley:

But the process that they have, it's solid for all in.

Eric Bursley:

and, and Presidio recommends this for all industries as well.

Eric Bursley:

Um, and, and one of my feature workshops I talk about, um, data immutability.

Eric Bursley:

And that that, uh, third copy of your data, that offsite copy should be

Eric Bursley:

in a separate authentication domain so that it is protected against

Eric Bursley:

any sort of credential compromise.

Eric Bursley:

It's immutable, but it Sheltered Harbor adds onto that and says it's also

Eric Bursley:

verifiable that you know when to restore and how are you going to restore into

Eric Bursley:

a a disaster recovery environment.

Prasanna Malaiyandi:

Interesting.

Prasanna Malaiyandi:

So, yeah, like Curtis said, I have a ton of questions just like

Prasanna Malaiyandi:

popping up in my head right now.

Prasanna Malaiyandi:

Um, you talked about, one aspect that I wanna go back to is

Prasanna Malaiyandi:

like that operational air gap.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And sort of how do they define that?

Prasanna Malaiyandi:

Because I know I've heard about, okay, strict air gap where it's

Prasanna Malaiyandi:

like physical isolation completely.

Prasanna Malaiyandi:

Sometimes we talk about virtual air gaps.

Prasanna Malaiyandi:

Is operational air gap different in some way or has some unique characteristics?

Eric Bursley:

So one of the unique characteristics is that

Eric Bursley:

it's typically firewalled.

Eric Bursley:

From the production environment, um, typically through some NATed

Eric Bursley:

firewall that allows from the protected environment outbound to pull the

Eric Bursley:

data back into the environment.

Eric Bursley:

So it's not a, it's never a push, uh, environment from production

Eric Bursley:

into the backup because that has a potential for compromise.

Eric Bursley:

But if it's a pull.

Eric Bursley:

In the environment, that is schedulable.

Eric Bursley:

No firewall ports need to be opened up at any time from production in, because

Eric Bursley:

it's an outbound connection and it's able to log in to the production environment

Eric Bursley:

and through that process, pull in a specific restore point, scanning it in

Eric Bursley:

the process for known vulnerabilities, and then continually scanning it in

Eric Bursley:

the future for future vulnerabilities.

Prasanna Malaiyandi:

Gotcha.

Prasanna Malaiyandi:

And when you talk about the pull mechanism, that totally makes sense.

Prasanna Malaiyandi:

When it lands in the vault, is it sort of in an isolated spot?

Prasanna Malaiyandi:

Like, I'm just wondering in my head like it's kind of like you wanna make

Prasanna Malaiyandi:

sure whatever's in the vault is sort of.

Prasanna Malaiyandi:

valid has been verified that there are no compromises in it and you

Prasanna Malaiyandi:

can't necessarily trust the production not to have any, because you don't

Prasanna Malaiyandi:

know what the state is there.

Prasanna Malaiyandi:

And so I guess when you're transferring the data, are you sort of transferring

Prasanna Malaiyandi:

it into an isolated bucket inside of the vault that then gets scanned

Prasanna Malaiyandi:

and verified before it's sort of marked as verified, and valid.

Prasanna Malaiyandi:

So nothing bad can happen of that.

Eric Bursley:

So it is a continual process.

Eric Bursley:

The initial pull is scanned, uh, against the current known vulnerabilities

Eric Bursley:

using machine learning, ar artificial intelligence, but then future restore

Eric Bursley:

points are also scanned at those points.

Eric Bursley:

but it's also scanned during a recovery operation, which it, it's critical to

Eric Bursley:

have that integrated recovery environment that's separate from production.

Eric Bursley:

Okay.

Eric Bursley:

Um, and through that integrated recovery environment, again, it's

Eric Bursley:

network isolated from production, you can actually determine a safe point.

Eric Bursley:

to bring things back up.

Eric Bursley:

You may be able to have, um, a, a particular application server restored

Eric Bursley:

to point B, but then pull clean data in from production to bring it more current.

Eric Bursley:

So it, it just provides you that specific point that you

Eric Bursley:

can be assured that you are.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

You know, th this brings up a, a topic that I've been looking

W. Curtis Preston:

at a lot lately, which is I, if.

W. Curtis Preston:

We're going to, um, cuz it's one thing.

W. Curtis Preston:

I don't know, there's a lot of things going on in my head.

W. Curtis Preston:

All right.

W. Curtis Preston:

So, uh, you know, I, I, I hear you talking about pre-scan and

W. Curtis Preston:

post-scan and that all sounds great.

W. Curtis Preston:

Um, I'm gonna throw out a little shade and say if the pre-scan at the

W. Curtis Preston:

backup finds the ransomware, why didn't

W. Curtis Preston:

Like some regular virus scanning tool.

W. Curtis Preston:

Find it already.

W. Curtis Preston:

I don't, I, I don't, I don't know why that, why one would work

W. Curtis Preston:

and the other would not work.

W. Curtis Preston:

Um, but I'm not saying it's not a good idea to do it.

W. Curtis Preston:

I'm just, it's just, that popped up in my head.

Eric Bursley:

Well, that that speaks to the maturity model of the

Eric Bursley:

organization's security infrastructure.

Eric Bursley:

Some organizations don't have a SIEM in place.

Eric Bursley:

They don't have a current, um, Antivirus that it includes, um, artificial

Eric Bursley:

or AI/ML into those technologies.

Eric Bursley:

So based on the NIST framework, they're not preventing the infection from coming

Eric Bursley:

in, and it's up to the recovery process of the NIST framework to bring you back.

Eric Bursley:

Preferably, it is a multi-faced approach like NIST calls.

W. Curtis Preston:

Yeah, it is just that, you know, as big of a fan as I

W. Curtis Preston:

am, a backup, if you're relying on your backup system to let you know you got

W. Curtis Preston:

a virus or malware of any kind, uh, I don't know what to tell you anyway.

W. Curtis Preston:

I, yeah, but I'm not saying that that doesn't happen.

W. Curtis Preston:

I'm just saying I'm not sure I agree with that plan.

W. Curtis Preston:

Um, There's been a thought that I've been thinking a lot about lately and, and, and

W. Curtis Preston:

it comes from the fact that we know, based on the stuff that's been published, that

W. Curtis Preston:

the average dwell time or the mean dwell time of malware is well over 60 days.

W. Curtis Preston:

So if, if, if the malware has been in your environment for, for a long time, and,

W. Curtis Preston:

and maybe it hasn't deployed, maybe it hasn't done anything, maybe it hasn't,

W. Curtis Preston:

um, um, you know, encrypted any data, and then it doesn't generally wreak

W. Curtis Preston:

havoc until it starts encrypting data.

W. Curtis Preston:

Um, and, but you, meanwhile you've probably created weeks and weeks

W. Curtis Preston:

and weeks of backups of the machine with the malware still on it,

W. Curtis Preston:

which you didn't notice, right.

W. Curtis Preston:

You can scan all you want.

W. Curtis Preston:

Some of this stuff isn't noticeable or, or you know, it's

W. Curtis Preston:

easy once you find it, right.

W. Curtis Preston:

Once you find it, you get the signature and then you can um, right, you can then

W. Curtis Preston:

you can scan for that specific signature.

W. Curtis Preston:

But a general scan doesn't necessarily pick it up.

W. Curtis Preston:

So then my question is, well, what does the organization do?

W. Curtis Preston:

And you know, what would be my recommendation?

W. Curtis Preston:

Um, you know, and of course then they're, they're free to do whatever they want.

W. Curtis Preston:

I know some people have talked about, well, I need to restore

W. Curtis Preston:

from before I even got infected.

W. Curtis Preston:

That is an option.

W. Curtis Preston:

But to me that if, if the dwell time is 60 days, or, or it could be, it

W. Curtis Preston:

could be as much as 120 days from what I've seen, um, that doesn't

W. Curtis Preston:

seem like a viable option to me.

W. Curtis Preston:

To start from a greenfield, restore the, the VM image from 121 days ago,

W. Curtis Preston:

and then somehow bring it, right?

W. Curtis Preston:

Because, um, it just, it gets, and you, and then you look at the, um, the

W. Curtis Preston:

complications involved with, um, all of the, um, different ways in which we.

W. Curtis Preston:

OSS and non oss, you know, things like containers, um, and applications, and we

W. Curtis Preston:

have VMs and we have physical servers and on-premise VMs on, uh, cloud-based VMs.

W. Curtis Preston:

This is just like deciding that, making that decision.

W. Curtis Preston:

Um, it just seems really, uh, a difficult one that I think

W. Curtis Preston:

environments have to decide.

W. Curtis Preston:

I know there was, there was no question anywhere in that

Prasanna Malaiyandi:

I was waiting.

Prasanna Malaiyandi:

I was like, should I tell Curtis he's on a rant?

Eric Bursley:

Right.

Eric Bursley:

So

Eric Bursley:

that, that's essentially where a partner like Presidio can come in.

Eric Bursley:

We can help advise, um, specifically leveraging a tool that, um, I help

Eric Bursley:

produce called our ransomware workshop.

Eric Bursley:

It is a free offering that we offer our clients, two and a half

Eric Bursley:

hours of discussion with one of our cybersecurity analysts, a data

Eric Bursley:

center analyst, which focuses on primary storage and backup recovery.

Eric Bursley:

And working with a C level as well as the engineers at a specific customer

Eric Bursley:

identify potential problems such as you don't have a SIEM in place, you don't

Eric Bursley:

have a current antivirus solution in place such as CrowdStrike or Cybereason.

Eric Bursley:

Um, you don't have a, a good initial protection of that.

Eric Bursley:

And then, you know, from a backup recovery standpoint, what are you using?

Eric Bursley:

How are you backing up your data?

Eric Bursley:

Are you following the 3-2-1 rule?

Eric Bursley:

Do you have an operationally air gap vault for that offsite copy?

Eric Bursley:

Those are the questions that we bring up, and then we can help address some

Eric Bursley:

of those problems over time, whether it's a financial customer or not.

Eric Bursley:

Okay.

Eric Bursley:

This.

Eric Bursley:

Offered to everybody.

Eric Bursley:

Um, and then once we understand the direction you need to go with

Eric Bursley:

that vision, um, that we provide, um, we can then start chipping away

Eric Bursley:

at those questions that you have.

Eric Bursley:

Um, and we do that as an diagnostic type of service.

Eric Bursley:

So, um, outside of the vendors, we may bring up vendors in the conversation,

Eric Bursley:

but we're trying to solve that business, uh, problem and then aligning.

Eric Bursley:

Those requirements to a technology vendor,

Prasanna Malaiyandi:

I think having that process, that

Prasanna Malaiyandi:

approach totally makes sense.

Prasanna Malaiyandi:

And just going back to Curtis's rant, quote unquote rant, right?

Prasanna Malaiyandi:

I think honestly, it's going to depend, right?

Prasanna Malaiyandi:

I don't think you can say that we will always go back 121 days,

Prasanna Malaiyandi:

or the best option is always to go pick the latest copy, right?

Prasanna Malaiyandi:

I think it is going to depend on the value of the data, how long it takes to recover

Prasanna Malaiyandi:

the importance of that application, right?

Prasanna Malaiyandi:

All of these things, and I think it's sort of a recovery.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And hopefully you've already planned this ahead of time.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And you know, okay, this is the importance of this data, but it's sort of one of

Prasanna Malaiyandi:

those things that at recovery time, you execute your plan in your runbook that you

W. Curtis Preston:

yeah, I think it was a rant because I see a lot of people

W. Curtis Preston:

talking about, Well, we're just gonna scan, you know, we, we, our, we have

W. Curtis Preston:

backup software that will, you know, we, we can identify the, the hash, we

W. Curtis Preston:

can give the hash to the backup product.

W. Curtis Preston:

It can scan for that, you know, we know where the malware is.

W. Curtis Preston:

And then we'll just restore from before the malware hit.

W. Curtis Preston:

And, and I just wanna say, um, to 121 days ago that, that's what, that's

W. Curtis Preston:

why I just, it, it, you're right.

W. Curtis Preston:

It's not simple.

W. Curtis Preston:

Um,

Eric Bursley:

It's not

Prasanna Malaiyandi:

and I think Eric had brought it up earlier.

Eric Bursley:

yeah.

Eric Bursley:

You don't necessarily have to restore to 120 days ago.

Eric Bursley:

You can restore from the latest copy of just the data that is clean.

Eric Bursley:

Okay.

Eric Bursley:

Um, not everything on the system is encrypted, so you need to pull the

Eric Bursley:

data prior to the full encryption that ransomware is going to.

Eric Bursley:

That is a point, then you can start saying, okay, how did it get in looking

Eric Bursley:

for the executable in that environment and then removing it or deactivating it.

Eric Bursley:

And it's critical to look not just for static files, but also um, Shell less,

Eric Bursley:

or I should say, um, script, less sort of, um, vulnerabilities because

Eric Bursley:

they're able to actually execute some of these processes in memory

Eric Bursley:

without writing anything out to disk.

Prasanna Malaiyandi:

Yeah.

Prasanna Malaiyandi:

I think the other thing is when you're also doing that recovery, sort of

Prasanna Malaiyandi:

doing it in an isolated fashion, right?

Prasanna Malaiyandi:

Where

Prasanna Malaiyandi:

maybe you don't have that network connectivity, right?

Prasanna Malaiyandi:

So they can't call out to their C&C servers, right?

Prasanna Malaiyandi:

Their command and control servers and get additional

Prasanna Malaiyandi:

information and kickstart things.

Eric Bursley:

E.

Eric Bursley:

Exactly.

Eric Bursley:

And there are OEMs that offer these types of solutions and, and

Eric Bursley:

Presidio can recommend them all.

Eric Bursley:

And these are not a limited list of solutions either.

Eric Bursley:

Um, but they're, um, solutions that can become safe Harbor

Eric Bursley:

certified when deployed.

Eric Bursley:

Um, they're not in itself guaranteeing safe harbor.

Eric Bursley:

You still have to implement them, right?

Eric Bursley:

You still have to create your run.

Eric Bursley:

Um, and any sort of automation around it.

Eric Bursley:

Um, but they definitely give you a leg up, uh, around achieving that certification.

Prasanna Malaiyandi:

and would you get that certification?

Prasanna Malaiyandi:

that's for a point in time.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

Is there sort of audits done things you have to show, like

Prasanna Malaiyandi:

as your environment changes, as things happen to keep up to date?

Prasanna Malaiyandi:

Or is it sort of a one and done thing?

Eric Bursley:

You do have to get recertified.

Eric Bursley:

Um, over time, um, this is because policies do change,

Eric Bursley:

recommendations do change.

Eric Bursley:

Um, technologies do change, you know, containers, for example.

Eric Bursley:

Um, how are you protecting your container workload?

Eric Bursley:

It's.

Eric Bursley:

Regardless of what the original intent of immutable containers are, people are

Eric Bursley:

persisting data in their containers.

Eric Bursley:

How are you protecting those?

Eric Bursley:

The data as well as the ecosystem of your Kubernetes or your Docker, uh,

Eric Bursley:

automation system that goes into it.

Eric Bursley:

There are strategies around that.

Prasanna Malaiyandi:

I'm gonna take Curtis's favorite question that he

Prasanna Malaiyandi:

loves to ask in topic, actually, which is, Does Safe Harbor Certification

Prasanna Malaiyandi:

talk Anything about SaaS applications?

Eric Bursley:

It is.

Eric Bursley:

I would say that it doesn't necessarily, um, Dictate one way or the other.

Eric Bursley:

It does say that you are protecting your data in this fashion.

Eric Bursley:

So if you're using a SaaS uh provider such as Microsoft 365, are you backing it up?

Eric Bursley:

And then are you storing that data in a vault?

Eric Bursley:

Um, and that you can actually do an operational recovery?

Eric Bursley:

You know, same, same thing with salesforce.com.

Eric Bursley:

They just started implementing backup through their API for salesforce.com.

Eric Bursley:

Are you protecting that data, storing it in a vault and that becomes

Eric Bursley:

that, that, you know, sort of.

Eric Bursley:

Ecosystem that that pattern.

Eric Bursley:

So they're not dictating SaaS, they're not dictating on-prem,

Eric Bursley:

they're not dictating cloud.

Eric Bursley:

What they are saying is that you have a copy of your data in a vault

Eric Bursley:

that is operationally air gapped.

Prasanna Malaiyandi:

Yeah, I was referring also mainly to like SaaS applications.

Prasanna Malaiyandi:

But you covered it, Eric, like Microsoft 365.

Prasanna Malaiyandi:

Because a lot of times Right, people are, Curtis, you and I hear this all

Prasanna Malaiyandi:

the time, it's like, Hey, Microsoft 365, there's no need to back it up.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And I know that's one of, uh, Curtis's big pet peeves.

Eric Bursley:

It, it's one of mine too.

Eric Bursley:

I hear a lot.

Eric Bursley:

Um, every one of my customers are not backing up their

Eric Bursley:

Microsoft 365 environment.

Eric Bursley:

And I advise them that they should.

Eric Bursley:

And then I describe the differences between archive, which they do

Eric Bursley:

provide any true backup solution, which they don't provide.

W. Curtis Preston:

So, um, I should probably take notes

W. Curtis Preston:

so that I can keep track.

W. Curtis Preston:

my questions are coming in various, in various ways, but the

W. Curtis Preston:

one that's in my head right now.

W. Curtis Preston:

So I know that you have this, this concept of, um, uh, alliance partners and I do

W. Curtis Preston:

see, you know, a couple of companies on there, obviously that I recognize.

W. Curtis Preston:

There's only one that says endorsed.

W. Curtis Preston:

Um, and I'm, and it's Dell.

W. Curtis Preston:

And it says, uh, they, they can help your financial institution expedite Sheltered

W. Curtis Preston:

Harbor Data Protective certification with long name the first turnkey data

W. Curtis Preston:

vaulting solution to receive endorsement for meeting all of the requirements

W. Curtis Preston:

of the Sheltered Harbor standard.

W. Curtis Preston:

That's interesting.

W. Curtis Preston:

So there wa there there was some sort of process that they went through to

W. Curtis Preston:

satisfy someone at Sheltered Harbor.

W. Curtis Preston:

Enough.

W. Curtis Preston:

that they can say, this solution meets all of the requirements.

W. Curtis Preston:

Um, and, and the, because there are other companies, right, that are on

W. Curtis Preston:

there listed as alliance partners that would be competitors of Dell.

W. Curtis Preston:

Um, and, and by the way, before we continue a little bit farther, I'm just,

W. Curtis Preston:

I forgot to throw out our disclaimer.

W. Curtis Preston:

Uh, I work for Druva, Prasanna, works for Zoom, and uh, although

W. Curtis Preston:

we're talking about very, you know, stuff right up our neighborhood,

W. Curtis Preston:

this is an independent podcast and the opinions that here are ours.

W. Curtis Preston:

And, uh, if you wanna join the conversation, please reach

W. Curtis Preston:

out to me at w Curtis Preston.

W. Curtis Preston:

On Twitter, I'm sorry, WC Preston on Twitter or w Curtis Preston gmail.

W. Curtis Preston:

And, um, you know, and say, Hey, I got stuff to talk about in this neighborhood.

W. Curtis Preston:

Um, and uh, also be sure to rate us, um, just scroll down to the bottom.

W. Curtis Preston:

You're probably listening on Apple Podcast.

W. Curtis Preston:

Most of you are.

W. Curtis Preston:

Just scroll down to the bottom there.

W. Curtis Preston:

Click, click five stars.

W. Curtis Preston:

Hey, give us six stars.

W. Curtis Preston:

I'm fine with that.

W. Curtis Preston:

And, uh, give us a comment.

W. Curtis Preston:

We love that.

W. Curtis Preston:

Um, so yeah, so I see that like some companies are, are listed as alliance

W. Curtis Preston:

partners, but only one is listed as endorsed, which surprised me honestly.

W. Curtis Preston:

Uh, organizations like this don't tend to endorse it, actually uses that word.

W. Curtis Preston:

Uh, any thoughts on that?

Eric Bursley:

Well, the Dell Cyber Recovery Solution was one of the first

Eric Bursley:

to market, um, with their solution.

Eric Bursley:

It is a very strong solution that is powered by their PowerProtect Data

Eric Bursley:

Domain product, um, that can provide you with an immutable, um, solution.

Eric Bursley:

Um, the cyber recovery vault, leveraging all of Dell's technology.

Eric Bursley:

Dell PowerEdge, Dell Switch.

Eric Bursley:

Um, partnership with SonicWall firewall, um, as well as Avamar

Eric Bursley:

or NetWorker or the PowerProtect, uh, Data Protection Appliance.

Eric Bursley:

Um, it, it's an all-encompassing solution.

Eric Bursley:

So Sheltered Harbor was able to say if implemented via this process, it

Eric Bursley:

gives you that leg up, making it super simple to achieve our certification.

Eric Bursley:

They were one of the first to market to do that.

Eric Bursley:

Um, since, um, that happened, we've had this thing called a pandemic that

Eric Bursley:

shut down a lot of those processes.

Eric Bursley:

Um, and Sheltered Harbor couldn't go through, um, some of the other OEMs, um,

Eric Bursley:

that wanted to achieve this certification.

Eric Bursley:

Um, And one of those processes, uh, like I said, was the ability to

Eric Bursley:

pull the data into the vault rather than pushing it into the vault.

Eric Bursley:

Um, w with that, um, since the pandemic is nearing at its end, um, other

Eric Bursley:

products are becoming, um, able to achieve the certification, although they

Eric Bursley:

haven't been fully endorsed by Sheltered.

W. Curtis Preston:

Gotcha.

W. Curtis Preston:

Gotcha.

W. Curtis Preston:

Um,

Prasanna Malaiyandi:

I think that was why in the beginning I was wondering, Eric,

Prasanna Malaiyandi:

around sort of that certification, right?

Prasanna Malaiyandi:

If it was the customer, like the bank, or if it was a vendor who was actually

Prasanna Malaiyandi:

getting the certification, right.

Prasanna Malaiyandi:

Um, I could see that in the case of Dell is like, Hey, we have everything

Prasanna Malaiyandi:

packaged together so it becomes easier for the bank or the customer

Prasanna Malaiyandi:

to just start, deploy and use it.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

But that's why I was wondering like where it actually ends up being.

Eric Bursley:

Right.

Eric Bursley:

And yeah, the sheltered harbor is granted by the financial

Eric Bursley:

institution that is seeking it.

Eric Bursley:

Um, there's actually a process that they go through.

Eric Bursley:

They have to register as a client of Sheltered Harbor and based on how much.

Eric Bursley:

Money their institution has, they pay to that specific level and then they

Eric Bursley:

go through that process to validate that they have the solution in place.

Eric Bursley:

Um, there are definitely other solutions outside of the cyber recovery vault

Eric Bursley:

from Dell that can achieve this.

Eric Bursley:

It, it's not just limited to that product.

W. Curtis Preston:

Uh, I, I'm assuming, um, you know, if somebody want, if

W. Curtis Preston:

a, if a financial organization wanted to join, there would be, there's some

W. Curtis Preston:

sort of fee that you need to provide to achieve certification, given that there's

W. Curtis Preston:

gonna be a cost involved with somebody

Eric Bursley:

Right.

Eric Bursley:

Yes.

Eric Bursley:

The, there is a, uh, stair stepped approach based on the financial holdings

Eric Bursley:

that the, uh, financial institution has.

Eric Bursley:

Um, and, and that is published on their website.

Prasanna Malaiyandi:

I look at it similar to like when an organization

Prasanna Malaiyandi:

goes through like a SOC two audit, right?

Prasanna Malaiyandi:

It's kind of like that, right?

Prasanna Malaiyandi:

You're getting certified that yes, everything's in place,

Prasanna Malaiyandi:

everything's good to go with the solutions that you've chosen,

Eric Bursley:

Right.

Eric Bursley:

E.

Eric Bursley:

Exactly.

Eric Bursley:

And this actually would help with the insurance organizations as well, because.

Eric Bursley:

Many insurance companies are saying you need to have certain things in place

Eric Bursley:

in order to get, you know us to pay for

Eric Bursley:

an incident.

Eric Bursley:

Right, exactly.

Eric Bursley:

To get a rate.

Eric Bursley:

If a financial institution goes to an insurance provider and say, Hey,

Eric Bursley:

we just received this Safe Harbor certification, the insurance company

Eric Bursley:

can actually come back and say, you've done all these check boxes.

Eric Bursley:

So we're gonna give you a lower rate, or we're gonna offer you a policy

Eric Bursley:

where if the financial institution didn't have this, then they would have

Eric Bursley:

to go manually check that themselves.

Eric Bursley:

So it, it can streamline your insurance process as well.

W. Curtis Preston:

Yeah, it's it.

W. Curtis Preston:

What do you think it or, or have you heard that it could

W. Curtis Preston:

also assist in lower rates or

Eric Bursley:

That would be up to the insurance company, but I would

Eric Bursley:

imagine so because it's gonna be less likely that you're unable

Eric Bursley:

to recover in a timely fashion.

Eric Bursley:

That's one of the things that the insurance company wants to do is

Eric Bursley:

ensure that you get back to operational effectiveness as soon as possible.

Eric Bursley:

Um, get back to business achieving this certification.

Eric Bursley:

Can't assure you that you would be able to be back up and running within 24 hours.

Prasanna Malaiyandi:

It's like I, like Curtis said at the start of this,

Prasanna Malaiyandi:

right, it was like the first time we had heard about this term, right?

Prasanna Malaiyandi:

In being in the backup space.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And I'm wondering like, is it more common?

Prasanna Malaiyandi:

Like, is this a well known certification in like the financial institutions

Prasanna Malaiyandi:

and in the insurance business?

Prasanna Malaiyandi:

Or is this something new and upcoming that is going to take, um, time to achieve

Prasanna Malaiyandi:

critical mass, but it is like a future standard that everyone's looking toward.

Eric Bursley:

Say that it's more of a future standard at this point.

Eric Bursley:

I was just talking with a financial customer yesterday.

Eric Bursley:

He was unaware of Sheltered Harbor.

Eric Bursley:

He actually had to go look it up, and then he was extremely intrigued, uh,

Eric Bursley:

around the framework that it offers.

Eric Bursley:

Um, and we're gonna have a follow up conversation, um, with him regarding

Eric Bursley:

our ransomware workshop that we have so that he can understand the value.

Eric Bursley:

You know, protecting his data more with the data vault, um, and how

Eric Bursley:

we would implement that so that he can achieve sheltered harbor.

Eric Bursley:

Um, I also gave him a reference of one of my larger financial customers that

Eric Bursley:

is currently in the process of getting Sheltered Harbor certification so that he

Eric Bursley:

can have a one-on-one conversation with.

Prasanna Malaiyandi:

Nice.

W. Curtis Preston:

Yeah, I, I will say, you know, when I first heard about it,

W. Curtis Preston:

and you know, just the first few words, my first worry, which doesn't appear to be

W. Curtis Preston:

the case, but my first worry was that this was just, even though it's a nonprofit,

W. Curtis Preston:

I mean, anybody can start a nonprofit.

W. Curtis Preston:

That it was just a marketing arm, marketing leg, whatever, you know,

W. Curtis Preston:

that, you know, like, like in this case it would, I, I would accuse

W. Curtis Preston:

Dell of it since they were the first one to get endorsed, right.

W. Curtis Preston:

That Dell went and started this.

W. Curtis Preston:

So that they could give themselves certification.

W. Curtis Preston:

I'm not accusing Dell of anything.

W. Curtis Preston:

I'm just saying I was worried that I would, that that's what I

W. Curtis Preston:

would find is that I would find a marketing driven organization.

W. Curtis Preston:

And that does not appear to be the case.

W. Curtis Preston:

It appears that it, this is led by the financial industries or

W. Curtis Preston:

the, the financial institutions and the associations, uh, thereof.

W. Curtis Preston:

Does that, does that sound about.

Eric Bursley:

That would be correct, Curtis.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

Um, and the, the worry of

Prasanna Malaiyandi:

your other worry?

W. Curtis Preston:

well, well, that, that the worry came from the fact that

W. Curtis Preston:

there is this dual certification, right?

W. Curtis Preston:

The certification is for the company, but then there's also this

W. Curtis Preston:

potential endorsement of the vendors.

W. Curtis Preston:

And, uh, so I was worried that this was just a big ruse for the vendors to

W. Curtis Preston:

have a, to put another badge on their.

W. Curtis Preston:

but it doesn't appear to be the case.

W. Curtis Preston:

Um

Eric Bursley:

Yeah.

Eric Bursley:

For Dell to come out and say that they were endorsed, it is not,

Eric Bursley:

you know, checking the box and say you're certified if you have it.

Eric Bursley:

You can be certified if you have it, but you also have other processes

Eric Bursley:

that you have to implement around your enterprise maturity to ensure

Eric Bursley:

that you have this process in place.

Eric Bursley:

Dell gives you a leg up with their solution.

W. Curtis Preston:

Yeah.

Eric Bursley:

but like I was saying, there are other solutions

Eric Bursley:

that can do this as well.

Eric Bursley:

Now it's just a matter of time before they also get endorsed.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

Actually, the fact that the website is kind of a little behind, sort of backs

W. Curtis Preston:

up the fact that this isn't a marketing driven thing, because if this was

W. Curtis Preston:

marketing driven, this would be up to date with all those other companies, right?

W. Curtis Preston:

Um, and they, they, they throw as much money as they need

W. Curtis Preston:

to, to, to get it updated.

W. Curtis Preston:

Um,

Prasanna Malaiyandi:

The

W. Curtis Preston:

Go ahead.

Prasanna Malaiyandi:

the one, the other question I had though is I

Prasanna Malaiyandi:

think this is a great certification.

Prasanna Malaiyandi:

I just feel it's yet another isolated, separate process rather than thinking

Prasanna Malaiyandi:

holistically and integrating into some other existing framework.

Prasanna Malaiyandi:

Uh, to elaborate a bit, right?

Prasanna Malaiyandi:

This is just focused on backup.

Prasanna Malaiyandi:

Can you recover your data, right?

Prasanna Malaiyandi:

Rather than sort of encompassing, okay, do you have the appropriate

Prasanna Malaiyandi:

cybersecurity measures in place?

Prasanna Malaiyandi:

And thinking from, let's start from who or let's look

Prasanna Malaiyandi:

holistically at your environment.

Prasanna Malaiyandi:

Make sure you're just not looking at authorization and login in,

Prasanna Malaiyandi:

in that environment, but also across your entire infrastructure.

Prasanna Malaiyandi:

Right?

Prasanna Malaiyandi:

Do you have the right level, sort of the.

Prasanna Malaiyandi:

things, Curtis, that we've talked with Snorkel 42 about, right.

Prasanna Malaiyandi:

It's do you have like least privilege set up and do you have those front

Prasanna Malaiyandi:

end cyber monitoring tools to look for malware on production?

W. Curtis Preston:

MFA

Prasanna Malaiyandi:

like just, and MFA, right?

Prasanna Malaiyandi:

It's just seems like this is just such a small portion of things that can go wrong.

Prasanna Malaiyandi:

It's a great effort, no doubt about it, but it just feels a

Prasanna Malaiyandi:

little isolated and siloed really, when people should be thinking.

Prasanna Malaiyandi:

Broadly across their entire organization.

Eric Bursley:

Well, e Exactly.

Eric Bursley:

And that's where Presidio would talk about the NIST framework so

Eric Bursley:

that you can, uh, identify, protect, detect, respond, and then recover.

Eric Bursley:

In the terms of the NIST framework, this is addressing the recovery operation.

Eric Bursley:

Are you able to successfully recover?

Eric Bursley:

Um, but I agree with you that they have to have other processes in place and that

Eric Bursley:

leads to their enterprise maturity around do they have the right authorization,

Eric Bursley:

authentication systems in place?

Eric Bursley:

Are they monitoring?

Eric Bursley:

Do they have two factor authentication?

Eric Bursley:

Um, do they have geolocation?

Eric Bursley:

Turned on in their Azure AD, for example.

Eric Bursley:

Um, how are they protecting their users, um, from a user, um, education standpoint?

Eric Bursley:

Um, you know, are they using products like KnowBe4 and other similar

Eric Bursley:

products that actually educate users and test users on their functional, um,

Eric Bursley:

day-to-day operations that they don't get a ransomware infection to begin?

W. Curtis Preston:

So I'm gonna not push back or argue with you, Prasanna,

W. Curtis Preston:

necessarily with the comment.

W. Curtis Preston:

I, I, I, I agree.

W. Curtis Preston:

And yet, as a backup guy, I'm saying, well, at least somebody's

W. Curtis Preston:

looking after the backups because so many, so much of the anti.

W. Curtis Preston:

Ransomware and malware efforts is all on the online stuff, and no one's

W. Curtis Preston:

paying any attention to the backups, which is something that, you know,

W. Curtis Preston:

we talk about a lot on this podcast where we're saying, Hey, they are

W. Curtis Preston:

coming for your backups, or they're directly attacking your backup system.

Prasanna Malaiyandi:

It's a starting point,

Prasanna Malaiyandi:

right?

W. Curtis Preston:

My, my only thing when I look at, it's like, well,

W. Curtis Preston:

it would be nice if organizations who weren't financial organizations

W. Curtis Preston:

could, could get a similar level of attention to their backup environment.

W. Curtis Preston:

Right.

W. Curtis Preston:

Um, and they specifically say, you're only welcome to join and get certification

W. Curtis Preston:

if you're a financial institution.

W. Curtis Preston:

Um, and I'm like, Hey, you know, there.

W. Curtis Preston:

I don't know, a couple of hundred other industries I can think of that

W. Curtis Preston:

could really benefit from that as well.

Eric Bursley:

There's nothing stopping the, um, other industries from using

Eric Bursley:

the framework that Sheltered Harbor has.

Eric Bursley:

It's just a matter of, you know, getting the certification.

Eric Bursley:

Right now, it is just a financial industry.

Eric Bursley:

Um, you know, they may extend that out at some point in the future.

Eric Bursley:

Um, that would be up.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

And who and who is them, by the way?

Eric Bursley:

Sheltered Harbor.org.

W. Curtis Preston:

no.

W. Curtis Preston:

I know you meant sheltered harbor.

W. Curtis Preston:

There are people who, where, where do these people work?

W. Curtis Preston:

Are they, are they, do they work for Sheltered Harbor?

W. Curtis Preston:

Do they work for banks?

W. Curtis Preston:

And this is like their side gig.

W. Curtis Preston:

What?

W. Curtis Preston:

You know, because

Eric Bursley:

Yeah, I, I don't get into that, so I don't

Eric Bursley:

know.

Eric Bursley:

Um, I believe that they're an independent organization outside

Eric Bursley:

of the banking industry that's assisting the banking industry.

Eric Bursley:

Um, reading their backstory, they came from the banking

Eric Bursley:

industry and financial industry.

W. Curtis Preston:

Oh, uh, this says it's actually a

W. Curtis Preston:

nonprofit subsidiary of FS-ISAC.

W. Curtis Preston:

So that's the Financial Services Information Sharing and Analysis

W. Curtis Preston:

Center for those of you that don't live banking world.

W. Curtis Preston:

Um, and devoted to the coordinating the development

W. Curtis Preston:

of the Sheltered Harbor Standard.

W. Curtis Preston:

I like that.

W. Curtis Preston:

Um,

Prasanna Malaiyandi:

Is their framework available online, do you know?

Prasanna Malaiyandi:

Or do you have to

W. Curtis Preston:

I've been, I've been scrolling around.

W. Curtis Preston:

I didn't see the framework anywhere.

Eric Bursley:

Right.

Eric Bursley:

So you have to become one of their clients to get all of

Eric Bursley:

the requirements, um, in place.

Eric Bursley:

Um, the OEMs have those requirements, um, so that, you

Eric Bursley:

know, they can tell you what it is.

Eric Bursley:

But when you apply for membership, then you're going to get the

Eric Bursley:

actual certification requirements to go and check the box.

Prasanna Malaiyandi:

See, this is what annoys me though, is that it's

Prasanna Malaiyandi:

like, this is a great framework.

Prasanna Malaiyandi:

We want everyone to use this.

Prasanna Malaiyandi:

I know they want the financials, but it's broadly applicable, and yet

Prasanna Malaiyandi:

you have to jump through all these hoops just to even try to get to

Prasanna Malaiyandi:

see the list of, hey, what's there?

W. Curtis Preston:

yeah.

W. Curtis Preston:

So I'm gonna, I'm gonna have to disagree with what you said earlier, Eric,

W. Curtis Preston:

when you said there's nothing stopping them from implementing the standard.

W. Curtis Preston:

Uh, yeah, it is.

W. Curtis Preston:

They don't even, I can't even find out what the standard is if they can't join.

Eric Bursley:

on their website they tell you that you need to

Eric Bursley:

implement a data vault and that you have to have a resiliency plan in

W. Curtis Preston:

Right.

Eric Bursley:

Um,

Prasanna Malaiyandi:

Or, or I would say that you could work with

Prasanna Malaiyandi:

the company like Presidio, right?

Prasanna Malaiyandi:

Who knows these standards and who's providing a more holistic thing, right?

Prasanna Malaiyandi:

So it is possible,

Eric Bursley:

Right.

Eric Bursley:

It is

Prasanna Malaiyandi:

but it's not as easy for anyone to be like, Hey, what is there?

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

I think that's my problem is it shouldn't be a secret

W. Curtis Preston:

And, and yeah.

W. Curtis Preston:

And I don't think it's secret per se.

W. Curtis Preston:

I, I agree with you, Eric.

W. Curtis Preston:

I mean, I'm looking, they have like why Sheltered Harbor?

W. Curtis Preston:

And they, they've got a nice little page on the, the different stuff.

W. Curtis Preston:

Um, I don't know, maybe the, somewhere between where they are and I don't know.

W. Curtis Preston:

I, I don't know why they would, I, I think maybe there could be a, these are.

W. Curtis Preston:

20 things you need to do.

W. Curtis Preston:

I think they're giving a high level plan.

W. Curtis Preston:

Perhaps they could do a low level plan.

W. Curtis Preston:

Perhaps they could say, Hey, you can't join, but hey, for a hundred

W. Curtis Preston:

bucks you could have the, whatever, whatever it is we're missing.

W. Curtis Preston:

Um, but, uh, or maybe we're not missing that much.

W. Curtis Preston:

I don't know.

W. Curtis Preston:

We don't know what we don't know.

W. Curtis Preston:

Um, yeah, but it, I applaud the, I applaud the effort to make backups

W. Curtis Preston:

more resilient, uh, and to, and.

W. Curtis Preston:

also, what I'm seeing here is the resiliency plan.

W. Curtis Preston:

That's what it's really about, right?

W. Curtis Preston:

It's, it's almost less about what backup product that you use.

W. Curtis Preston:

It is definitely about how you use it, right?

W. Curtis Preston:

Um, but it's about what, earlier we had this discussion about

W. Curtis Preston:

how are we going to, with the.

W. Curtis Preston:

Scenarios that you, that you've got in terms of infection and encryption

W. Curtis Preston:

and what decisions are you gonna make.

W. Curtis Preston:

That's what you need to discuss upfront, right?

W. Curtis Preston:

Okay.

W. Curtis Preston:

We've got AWS, we've got VMware, we've got physical machines, we've

W. Curtis Preston:

got these kind of application servers, we've got a file server.

W. Curtis Preston:

Here's what we need to make the decision upfront, what we're gonna

W. Curtis Preston:

do with all those various things.

W. Curtis Preston:

Right?

W. Curtis Preston:

Given there are different.

Eric Bursley:

What Well, exactly, and, and part of their framework, they talk

Eric Bursley:

about an incident management plan.

Eric Bursley:

You know, do you have an incident response process?

Eric Bursley:

Um, and it, it can be as simple as, you know, filling out a ServiceNow ticket

Eric Bursley:

and, um, either an automated or a manual process kicks off a, a security.

Eric Bursley:

um, as we call it here, um, which is different than your operational

Eric Bursley:

or disaster recovery re restore of your application following

Eric Bursley:

that incident response plan.

Eric Bursley:

You know, calling the insurance carrier, Hey, so-and-so was infected.

Eric Bursley:

It took down this specific system.

Eric Bursley:

We are in the process of recovering it and they know from their incident

Eric Bursley:

response plan that they have to have that current system isolated so that it

Eric Bursley:

can be investigated for future forensic.

W. Curtis Preston:

Yeah.

Eric Bursley:

um, a proper communications plan.

Eric Bursley:

Who's talking to who, who's making decisions?

Eric Bursley:

Um, you know, how are you going to get back to normal operations?

Eric Bursley:

Because if you fail over to that isolated recovery environment,

Eric Bursley:

eventually that's going to cost you more money than you would like.

Eric Bursley:

So how do you bring that back into your production

Eric Bursley:

environment, which may be on pre.

Eric Bursley:

and your, uh, IRE, your integrated, uh, recovery environment could be up in AWS.

Eric Bursley:

Um, are you testing your backups?

Eric Bursley:

Something that many of my customers don't do regularly.

Eric Bursley:

Um, I wish they would, but, um, they're not testing their environment to verify

Eric Bursley:

that one, are their backups good?

Eric Bursley:

But are they operationally?

Eric Bursley:

um, not just, I have my Exchange server or SQL Server backed up, but I'm able to

Eric Bursley:

bring it back up, test it with your Active Directory, verify ports are functional,

Eric Bursley:

verify that I'm able to send and receive messages, and then shut it down.

Eric Bursley:

Is this is a valid restore point.

Eric Bursley:

It So having that, um, resiliency plan in place, I think is probably the more

Eric Bursley:

important part of having Sheltered Harbor certification than just the data.

Prasanna Malaiyandi:

And

W. Curtis Preston:

Yeah.

Prasanna Malaiyandi:

And is a lot of this, I'm guessing, is automated as well, right?

Prasanna Malaiyandi:

Because I can't imagine doing this sort of verification and recovery processes.

Prasanna Malaiyandi:

In a periodic fashion, like given the scale of some of this data.

Eric Bursley:

Well, some of the products that are offered such as, uh, VMware's

Eric Bursley:

Cloud Disaster Recovery, or Cohesity FortKnox, or, um, Rubrik's, um, solution,

Eric Bursley:

um, that they call a Cloud Vault, actually automate that testing for you.

Eric Bursley:

They can actually spin up an environment from time to time and validate those

Eric Bursley:

solutions in place in their cloud.

Eric Bursley:

Which is isolated, validate the solution and then shut it back down

Eric Bursley:

again, not costing you any money.

Eric Bursley:

So there are solutions like that.

Eric Bursley:

The Dell solution, it, it's something that you would have to manually spin up.

Eric Bursley:

You could probably automate that process.

Eric Bursley:

Um, but even products like Veeam that by itself couldn't achieve this.

Eric Bursley:

They have the solution built in with their DataLabs

Eric Bursley:

functionality to automate the testing of backup.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

Yeah, and, and you know, and I would be remiss.

W. Curtis Preston:

If I, if I didn't say that Druva has a, has a similar capability,

W. Curtis Preston:

um, the, the question, the, um, no, I'm just, it should, this is such

W. Curtis Preston:

a, I, I think the biggest thing is.

W. Curtis Preston:

We need to have this discussion upfront.

W. Curtis Preston:

right?

W. Curtis Preston:

So many people, they wait until they get that ransomware attack

W. Curtis Preston:

and, and then they have, and then they have the meeting, right?

W. Curtis Preston:

They're like, oh yeah, we got, we got good backups, we got it,

W. Curtis Preston:

we got it in the cloud, right?

W. Curtis Preston:

We got a copy in the cloud, or we got, you know, whatever it is that they're

W. Curtis Preston:

doing, whatever it is that they're doing.

W. Curtis Preston:

And even if they've got a, uh, an air gap copy, if they're not

W. Curtis Preston:

having this discussion upfront.

W. Curtis Preston:

Of how are we going to do, what, what are we gonna do?

W. Curtis Preston:

Like, you, you know, you, you talked about Eric quite a bit about like, who's

W. Curtis Preston:

gonna make, who makes the decision, who talks to whom, who communicates to the,

W. Curtis Preston:

to the stakeholders, all of those things.

W. Curtis Preston:

Um, if you, if you don't have that plan set in advance, uh, it's gonna

W. Curtis Preston:

be a, it's gonna be a really bad day.

W. Curtis Preston:

Um, and you're gonna have, you know, I, I, I hate to.

W. Curtis Preston:

We won't use the, we won't use their name,

Prasanna Malaiyandi:

Who do you wanna pick on?

Prasanna Malaiyandi:

Yeah, who do you wanna pick on today?

W. Curtis Preston:

well, okay.

W. Curtis Preston:

Maybe I'll throw their name out.

W. Curtis Preston:

Rackspace, right.

W. Curtis Preston:

You look at, you look at what Rackspace did when, when they had their outage.

W. Curtis Preston:

Then they tested their recovery plan and it was three weeks

W. Curtis Preston:

before they got the first.

W. Curtis Preston:

Uh, Exchange server up and running and you know, and because they had made

W. Curtis Preston:

the quick, uh, and I'm not even saying whether a decision or wrong or right,

W. Curtis Preston:

but the fact that they had made the decision to go over to Microsoft 365

W. Curtis Preston:

because Exchange was down and then, and then they restored the Exchange

W. Curtis Preston:

servers and it took them two to three weeks to get the Exchange servers up.

W. Curtis Preston:

And then it's like, okay, well how do we get the, the email out of

W. Curtis Preston:

these Exchange servers over to 360?

W. Curtis Preston:

Oh, well the only way we can do that now is PSTs.

W. Curtis Preston:

It just felt like the whole thing was shooting from the hip the entire

W. Curtis Preston:

time and this was never planned.

W. Curtis Preston:

Um, if it was planned, uh, not a good plan.

Prasanna Malaiyandi:

Poor planning

Eric Bursley:

Right.

Eric Bursley:

Well, I,

W. Curtis Preston:

So yeah, just gotta have that.

W. Curtis Preston:

You just gotta have that decision upfront.

W. Curtis Preston:

Um,

Eric Bursley:

can't say what their recovery plan was now, but when I worked

Eric Bursley:

at Rackspace many years ago, they, they had a plan that was more valid.

Prasanna Malaiyandi:

Mm.

Prasanna Malaiyandi:

Things have changed maybe over time.

Eric Bursley:

yeah, things have changed since I, I left there.

Eric Bursley:

I, I was on the sales side of things and I was able to talk about their

Eric Bursley:

operational and disaster recovery processes that they had in place

Eric Bursley:

because at the time it managed, hosted Exchange was one of their main features.

Eric Bursley:

Since then, Microsoft 365 has been stealing their market share.

Eric Bursley:

Um, Obviously because of this event, they didn't have a well-documented process.

Prasanna Malaiyandi:

Yeah.

Eric Bursley:

Um, and my wife was actually affected by that. It was

Prasanna Malaiyandi:

Oh no.

Eric Bursley:

yeah, it was not fun for her company for a couple of weeks.

Prasanna Malaiyandi:

Oof.

Prasanna Malaiyandi:

Well, hopefully they got their emails.

Eric Bursley:

Um, they're still working on it is my under.

Prasanna Malaiyandi:

Oh man.

Prasanna Malaiyandi:

That is crazy.

Prasanna Malaiyandi:

It's been like two months almost.

Eric Bursley:

Yeah, there, um, she had to manually type in calendar

Eric Bursley:

entries, um, for the majority of her

Prasanna Malaiyandi:

Oh my gosh.

Prasanna Malaiyandi:

Crazy.

W. Curtis Preston:

All right, well, uh, we're starting to have technical

W. Curtis Preston:

issues, so I need to shut this puppy down, but it sounds like, you know,

W. Curtis Preston:

we, we all agree that this is something that people should do, whether

W. Curtis Preston:

they're financial institution or not.

W. Curtis Preston:

They should look at these requirements, like definitely the air gap copy and,

W. Curtis Preston:

uh, and, and testing and decision making and planning way upfront specifically

W. Curtis Preston:

for a cyber recovery plan, not a disaster recovery plan, because, you know, it's

W. Curtis Preston:

a, it's a very, very different thing.

W. Curtis Preston:

Well, um, I'm sitting here in the blind and so I'm gonna

W. Curtis Preston:

thank Eric for joining us.

Eric Bursley:

All right.

Eric Bursley:

Thank you.

W. Curtis Preston:

And thanks for, uh, I don't know what to say with this technical

W. Curtis Preston:

problems that we're having today.

W. Curtis Preston:

But thanks for being here.

Prasanna Malaiyandi:

Yeah, I Anytime Curtis, and thanks Eric

Prasanna Malaiyandi:

for teaching me something new that I'd never heard about before.

Prasanna Malaiyandi:

I'm gonna have to go look up Sheltered Harbor

Eric Bursley:

All right.

Eric Bursley:

Thank you.

W. Curtis Preston:

And thanks to our listeners, uh, we would be nothing

W. Curtis Preston:

without you and remember to subscribe so that you can restore it all.