TIPS #23: The Data Storage and Backup Dilemma
Shane Shook
December 3, 2024
Issue: SaaS, PaaS, and other cloud services play a critical role in storing and backing up business data. However, many companies don’t properly define, balance, or support their data storage and recovery objectives for those environments, leaving them vulnerable to disruptions from ransomware and vendor outages.
Today, most businesses depend upon third-party Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) tools for data storage and backups. While this approach can enable collaboration and improve data accessibility, it also brings unique challenges and risks:
- Business data continuity, availability, and recoverability are increasingly contingent on third-party services.
- Endpoints are tethered and synchronized to cloud data stores and services such as OneDrive and Google Drive. As a result, when malware and ransomware infect devices, they can spread into dependent data stores which hold sensitive files.
- A heavy reliance on third parties for data storage and backups increases the attack surface and the risk of contingent business interruptions when vendor services are disrupted, as discussed in TIPS #20.
- It’s difficult to avoid a single point of failure while also maintaining data visibility, availability, and security. Techniques like data federation can provide a unified view of disparate data sources while avoiding consolidation, but often the means of data federation itself can still be compromised.
- Priorities around the CIA triad must shift in response. Confidentiality (preventing unauthorized access) and Integrity (ensuring trustworthy data) were the main focus of data security over the past 20 years. Today, Availability (enabling accessible data) requires more attention given the widespread use of SaaS and PaaS. Data must be both accessible and recoverable given the potential impact of downtime and data loss from threats like ransomware and vendor disruptions.
It’s clear that uptime, security, and recoverability are business imperatives. However, implementing secure, available, and recoverable data storage isn’t easy.
Data security, backups, and recovery
At the foundational level, data needs to be safeguarded with data security defenses like Data Security Posture Management (DSPM), Data Loss Prevention (DLP), and Endpoint Detection and Response (EDR). However, these protections must be paired with backups and remedial recovery capabilities that enable business continuity in case of data loss or theft.
It’s important to mitigate vendor disruptions which cause downtime for third-party applications and systems. It’s also critical to limit how much data and which types of data are lost due to an incident or downtime. Correspondingly, companies need to use two key metrics when considering backups and recoverability: RTO and RPO.
RTO and RPO
Recovery Time Objective (RTO) is a measure of maximum acceptable downtime. As NIST elucidates, RTO is “the overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes.”
Recovery Point Objective (RPO) is a measure of maximum acceptable data loss and is expressed as the time between the recovery point and the last reliable backup. Put another way, RPO measures how useful a company’s systems and applications are according to the timeliness of available backup data.
Companies must clearly define both RTO and RPO to create adequate backup policies and practices, and to invest in the recovery capabilities which align with their needs.
The problem: Balancing RTO and RPO without disrupting business performance
The challenge companies face is how to balance cost with availability and recoverability. It’s difficult to ensure a backup strategy meets RTO and RPO objectives without dramatically increasing expenses. This is largely because RPO tends to bring high costs (conversely, RTO tends to be affordable thanks to SaaS and PaaS services). As a result, many companies invest in RTO but do not implement robust backups because they don’t think they can afford optimal RPO. This creates high availability but low recoverability, leaving them vulnerable to vendor outages, ransomware, and other threats.
For example, if a company in a sector like retail, media, or investment services uses a SaaS data storage provider but only does weekly backups to limit RPO costs, a ransomware breach could have significant impacts. After all, a newspaper with weekly backups that loses its data will only be able to produce week-old news.
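An added example (not from the original post) of checking a backup schedule against an RPO, taking "last reliable backup" to mean the newest restore-tested copy made before the compromise began. The catalogue, dataset names, RPO targets, and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed backup catalogue (sample data, not from the original post).
# "verified" means a test restore of that copy succeeded.
BACKUPS = [
    {"dataset": "newsroom", "taken": "2024-11-03T02:00", "verified": True},
    {"dataset": "newsroom", "taken": "2024-11-10T02:00", "verified": True},
    {"dataset": "newsroom", "taken": "2024-11-17T02:00", "verified": True},
    {"dataset": "billing",  "taken": "2024-11-16T01:00", "verified": True},
    {"dataset": "billing",  "taken": "2024-11-16T13:00", "verified": True},
    {"dataset": "billing",  "taken": "2024-11-17T01:00", "verified": True},
    {"dataset": "crm",      "taken": "2024-11-16T12:00", "verified": False},
]
# Hypothetical RPO targets per dataset.
RPO = {"newsroom": timedelta(hours=24), "billing": timedelta(hours=24),
       "crm": timedelta(hours=24)}
COMPROMISED_AT = datetime(2024, 11, 16, 20, 0)  # first malicious file changes
INCIDENT_AT = datetime(2024, 11, 17, 9, 0)      # data found encrypted


def last_reliable_backup(backups, dataset, compromised_at):
    """Newest verified copy taken before the compromise began.

    Copies taken later may already contain encrypted or tampered files.
    """
    times = [datetime.fromisoformat(b["taken"]) for b in backups
             if b["dataset"] == dataset and b["verified"]]
    return max((t for t in times if t < compromised_at), default=None)


def rpo_report(backups, targets, compromised_at, incident_at):
    """Map dataset -> (data-loss window or None, meets RPO?)."""
    report = {}
    for dataset, target in targets.items():
        point = last_reliable_backup(backups, dataset, compromised_at)
        loss = incident_at - point if point else None
        report[dataset] = (loss, loss is not None and loss <= target)
    return report


if __name__ == "__main__":
    for name, (loss, ok) in rpo_report(BACKUPS, RPO, COMPROMISED_AT,
                                       INCIDENT_AT).items():
        print(f"{name:9} loss={loss} meets_rpo={ok}")
```

With these sample values the weekly newsroom schedule loses 7 days 7 hours against a 24-hour RPO, even though a copy taken seven hours before discovery exists, because that copy postdates the compromise.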
Impact: Low data recoverability increases the risk of costly disruptions and incidents.
Companies with low recoverability can face dramatic impacts if they experience data storage disruption, data loss, or data theft. These include lost revenue, operational inefficiencies, potential brand reputation damage, and loss of customer trust. Ransomware in particular can bring business to a halt with disruptions that significantly reduce revenue. Many organizations that are hit by ransomware and don’t have secure and robust data backups never fully recover their data, even if they pay the ransom (as discussed in TIPS #3).
The following case study highlights how attackers target both data and backups to take advantage of insufficient recoverability.
WannaCry Ransomware
In May 2017, the WannaCry ransomware worm spread through computer networks globally. The ransomware used EternalBlue, an exploit for a Windows vulnerability, which was initially developed by the U.S. NSA and was later stolen and leaked by the hacker group The Shadow Brokers.
WannaCry targeted Windows machines and encrypted victims’ files, demanding a ransom payment in Bitcoin. It also deleted shadow copies, overwrote metadata, and disabled recoveries, backups, and file synchronization mechanisms. These capabilities hindered victims’ ability to recover their data without paying the ransom. Major organizations including governmental agencies, the UK’s NHS, and FedEx were impacted. Microsoft quickly released a patch, but WannaCry’s impacts persisted for years.
WannaCry illustrates why it’s critical to implement secure data storage and backups. Ransomware actors can encrypt insecure local, cloud-based, and federated data, and may also target backups and recovery capabilities. They can then negotiate with victim companies by using time as an incentive. In other words: the sooner you pay, the sooner your systems and data are back online.
Action: Prioritize business impact assessments, posture management, backup governance, secure data management, and third-party and financial risk management.
1) Business impact analysis
Perform business impact analysis (BIA) to determine the technical resources you need for recovery and continuity. Surefire Cyber offers BIAs and incident response (IR) services to help you prepare for and respond to incidents that threaten your data.
“As our reliance on technology grows faster than our ability to secure it, ransomware attacks will continue to exploit the pain that organizations feel when their networks are intruded, their data are stolen, their businesses are interrupted, and their legal and reputational risks grow. Firms only become resilient when they invest in reducing the magnitude of a cyber incident by learning how to ‘take a punch’ and keep fighting.”
Billy Gouveia, CEO and Founder of Surefire Cyber
2) Posture management
Select data storage, backup, and security capabilities which align with your company’s needs. SolCyber offers a fully managed cybersecurity program and attends to your organizational security posture, helping you implement monitoring and defensive capabilities to protect critical data.
3) Secure data backups, data recovery, and data collaboration
Create backup and recovery policies and practices that meet RTO and RPO objectives. Depending on your company’s needs, this might include automated backups, file versioning, duplicate versions, external hard drives, local backups, or data backup access management.
Data storage and backups must be secured to ensure recoverability. While SaaS and PaaS tools can offer higher availability and better RTO, they still require protections to enable effective RPO.
Symmetry Systems offers data discovery and maps your data according to its functional importance, helping you align data storage and backups with recovery objectives.
4) Manage third-party risk
Evaluate and manage third-party risk around data storage providers. ReversingLabs helps you assess vendor risk, leverage threat intelligence, and hunt for and analyze malware threats in data storage systems.
5) Manage financial risk with cyber insurance
Cyber insurance is a key protection to mitigate financial losses from lost or stolen data. Converge Insurance combines cyber insurance expertise, security, and technology to give companies cyber protection, including Contingent Business Interruption Insurance to protect against data storage vendor disruptions.