Good afternoon and welcome everybody to this KuppingerCole webinar on Cloud Backup for AI Enabled Cyber Resilience. So my name is Mike Small and I'm a Senior Analyst with KuppingerCole and one of my areas of research is to do with cyber resilience and in particular data backup and why this is an important area of cyber resilience. So just to remind everybody about the housekeeping that everyone is currently muted and we will be controlling the mute. We're going to run a few polls during the webinar.
If you have any Q&A sessions, Q&A you can hold these to the end of the webinar but you can submit questions at any particular time through the control panel and the webinar is being recorded and the presentation and the slide decks and the recording will be made available in the coming days.
So I'm going to start off with a poll and the poll is basically about the steps that your organization is taking to ensure cyber resilience and in this particular poll you can select all of the ones that apply and the questions are security awareness training for all staff, implementing basic cyber hygiene, vulnerability management, malware protection and things of that nature, whether your organization is adopting a zero trust network security approach, whether you're actually doing data backup and recovery and whether you have a tested incident response plan.
So it would be good if you could take a moment or two to fill in that poll whilst the presentation is continuing. So why does all of this matter? Well what has happened over the past few years and this was to a large extent driven by the Covid epidemic is that most organizations have tried to become digitalized. They've tried to adopt as much as possible of digital technology to help them to get closer to their customers, to make it easier for their partners and suppliers to work with them and to create new kinds of products.
Now the problem with this is that the more you become digitalized the more risk you have if your digital world doesn't work and the threat actors have well recognized this as an opportunity. So earlier this year we have an example where many patients including patients with cancer treatment and so forth were unable to get treatment at a London hospital and the reason for that was that a third party who provided blood testing had been attacked with a ransomware attack.
Now the ransomware threat actors recognized the urgency of medical treatment and so they obviously believe that by attacking organizations that are related to the provision of medical treatment they're more likely to get paid and whilst the hospitals may have lots of defenses often the little third party suppliers are not so well provisioned.
Another interesting area is the British Library, and here is a completely different story. The British Library, which has many millions of pieces of literature and written works that to some extent have, or to a large extent have, been digitalized, was attacked by a ransomware attack. This was different in the sense that they had a lot of legacy equipment, and there was a review that was undertaken by the UK National Cyber Security Centre and others to understand what went wrong. One of the interesting takeaways from that was that the older the equipment that you're using, the more difficult it is to recover, because simply the hardware no longer exists, the software is out of date and it becomes much harder to rebuild your systems.
So interestingly the conclusion from that was that they would have been better to have gone to a more modern cloud-based approach, so that's a second one. And in another example Change Healthcare had a ransomware which stole the medical records on a substantial proportion of Americans. So basically more and more organizations are now at risk because they have become digitalized and you need not only to be able to protect against these risks but also to be able to recover from them.
Now this need for cyber resilience has been recognized by governments and this started back in the 2010s with the U.S. Executive Order 14028 and in the EU in 2016 there was the EU Network Information Security Directive which has been updated to be the NIS2 and one of the interesting things about that is that it has extended the coverage of the kinds of organizations from simply the telco providers and for the internet service providers and from the cyber providers to really a wide range of organizations.
So this has then been extended to the EU digital operation resilience for the financial services regulation and this has recognized that basically if the banks and the financial services stopped working that would have a pretty disastrous effect on the whole of commerce and society.
Now one of the interesting things that has come from this is that the NIS2 regulation actually holds the organizational board responsible for implementing cyber resilience, and this is an important move forward since the boards of directors have tended to have a rather hands-off approach to the cyber area, but by making them responsible this focuses the mind and is more likely to result in corporate action. So in effect these regulations are just asking organizations to implement what has become called cyber hygiene.
Now cyber hygiene is a rather interesting term because it makes it clear that in order to protect yourself against cyber adversaries you don't just have a single one-off job. You can't just say well we've configured all the network devices and we've built a perimeter job done. Cyber hygiene is a continuous process that goes on all day every day and everyone is responsible for it. So when you look at what cyber hygiene means in practice there are two things.
One is it covers a wide range of areas, and on the right of this slide you can see these areas that we in KuppingerCole have defined, and these are one of our research notes which you can find on our website. I have against these areas produced a bar chart showing, from the 2023 UK National Cyber Security Centre research, the proportion of organizations that had actually responded to say that they had adopted and these controls were in fact effective.
So whilst many organizations claim they have data protection and data backup very few of them less than 30 percent had a full disaster recovering planning and tested incident response.
That whilst culture responsibility and training is something that all organizations say matters not everyone and not every organization indeed was engaged fully in that and one of the interesting areas is to do with asset management and asset management includes your data and this has become much more difficult because more and more of the assets that your organization is using are in the cloud and they are ephemeral.
They are created as needed and destroyed when no longer used, that they can be created by actors within your organization for perfectly legitimate reasons but without necessarily the organization fully knowing and fully protecting, and you can only protect what you know you have. So it looks from this that the state of play with cyber hygiene is good in parts, but like the curate's egg nonetheless unpleasant to eat.
So one important area is incident response, and the purpose of backup is in fact to be able to restore and recover your organizational assets if indeed there is a problem. And so it is very important to implement good strong controls to protect and to prevent cyber incidents, but today it's no longer a question of if, it's a question of when you will be attacked and how badly you will be able to respond. And so we need to make sure that the tested recovery plan which involves cyber security backup is fully implemented, and that plan includes a lot more than just technology: it includes a team, those team being prepared and understanding what their roles are when something happens, that you are able to contact them when something happens, that your organization understands what to do and who is responsible for what, and that you have a way of communicating.
Now all of that might sound pretty trivial, but I've come across organizations that have told me that, well, when they had a cyber incident the first place that the cyber attackers went for was the Active Directory, and that meant that they couldn't get into the building because their building access cards were connected to the Active Directory. Even if you can get into the building, if your Active Directory has been attacked you may not be able to get at any of the normal mechanisms that you use to communicate, like Teams, email, Slack and so on and so forth.
So all of that is a major problem, but fundamental to all of this is having the data that defines your environment and being able to restore that data in order to recover your systems. So data resilience is critically important, and it has become more and more important because of the nature and the way in which we actually deliver IT systems, that whilst everyone has known for a long time that your business depends upon your business data, there's a lot more that your business now depends upon and it is now in the form of data.
If you're using virtualized environments, if you are using the cloud, if you are using a software defined network, then all of that is defined in data. In order to restore all of this it's not simply a question of being able to walk into PC World and buy another computer; it becomes a question of being able to restore the exact configuration of all of those different elements that make it up, the databases, the routers, the load balancers, the compute servers, the Kubernetes containers and so on, in order to be able to get the applications running again. And so what this boils down to is that if you don't have the data then you're not going to be able to restore your data and your service, and so data resilience is now a critical element of cyber resilience, and we also have machine learning.
Now machine learning has some great opportunities, that a lot of organizations are now being able to do things that were really either much more cheaply or were indeed unheard of, that you're almost certainly chatting to a friendly robot, whether you like it or not, when you phone up a supplier. Nearly everybody now has some kind of co-pilot type of help system that allows you to look at things. So gen AI, machine learning and deep learning are in fact tremendous enablers and they can be used, and indeed data backup vendors are already using them and have been using them. They've been used in the cyber security area to help to detect abnormal behavior, to detect abnormal patterns of data, to detect abnormal network traffic, and indeed this is moving on from that kind of thing into helping to understand how best to configure your products and to optimize your processes and indeed to lead you through the process of recovery.
However, gen AI involves more data and more services, and so many organizations are in the same state with gen AI as they were with the cloud 15 years ago, that it's being used but nobody knows that it's being used, they don't understand what it is that is being used, and so it's not being protected. And one of the key things is that gen AI is intimately linked with data, because gen AI helps you to get insights from and to exploit all this data that you have. Now, if you don't protect it, if you don't make sure that you can recover it, then you're going to be stuck, and much of this data now resides in what would at one time have been considered rather exotic data stores which people may not have been including in their data backup plans, which often focused on unstructured data and major databases.
Now in the future we may arrive at a point where gen AI is all we need and all we need to do is to speak to the friendly robot and say: I want to be able to put in place this frequency of recovery points and this time to recover, and I can't spend more than this amount of money, and kindly design and implement a system that's needed.
So now we have another issue to consider. Since many organizations are now using the cloud, there is still a belief among some that if we're in the cloud we don't need backup. However, the responsibility for security is shared and the customer is invariably responsible for their security, and when you see these wonderful lists of certifications and attestations that the cloud security providers give you, one of the things that those certifications and attestations depends upon is a thing called these CUECs, this Complementary User Entity Controls, which the auditor assumes that the tenant has and implements in order to protect the elements for which they are responsible.
Those always include the tenant is responsible for who can access the system and for their data. So for example an AWS S3 bucket, which has an enormous durability until you delete it: if you delete it the data's gone, that's your choice, you did it, it's gone. And for example the office automation systems like Office 365 or M365 will retain the deleted data for 30 days, but when you after the 30 days, or if you delete it from the recycle bin, it's gone. And although the cloud services provide multiple availability zones, these are only any use if you use them, and a lot of organizations found this out when a data center of a cloud service provider burnt down in Paris a couple of years back, that although there were a set of resilience zones within that particular data center, they were all affected by the one fire. So you have to use physically separated areas and it's your responsibility to do it.
So now let's look at the issue to do with recovery.
Once upon a time the disaster recovery solution providers said, great, we'll give you this re-image, which is a quick way of bringing everything back. So re-image is really good if all you want to do is to bring back a single server, but then they realized, well, actually if you're running something like a database or an application it's not sufficient, you actually have to rebuild that, and to rebuild that even in a conventional environment meant you had several servers that you had to recover and several databases that you probably had to recover that all had to be brought back to the same point in time, and that was a little bit more difficult.
We now have container-based apps which are running in the cloud where everything is totally software defined where the whole of the application structure in this rapid DevOps world is changing if not minute by minute hour by hour as people are making adjustments.
So in order to bring that back you need to not only have images of the individual servers you also have to have a coordinated set of backups of the configuration of all of this infrastructure as code all of these software defined entities that you can bring back concurrently and only then when you have all of that can you restore this service and go through the checks to know that it's properly working and so this complex modern data defined virtual environment is much more difficult for organizations to recover. So how would you choose a solution for this?
What are the capabilities to look for? Well indeed we've actually just recently released a leadership compass which describes this and in a sense there are three basic dimensions which is you need to understand what it is you need to protect and in the modern hybrid multi-cloud world it's more than just services that live at the edge or on premises it almost certainly includes some software as a service as well as apps running in infrastructure as a service so the backup systems ideally need to cover all of those things. Then you can consider where are you going to hold this protected data.
Traditionally this was held on tape and tapes were sent around the world in order to protect them that evolved to appliances that were highly secured and highly protected which allowed you to do things more quickly and to multiply back the thing up to different physical locations and now the cloud has provided yet another opportunity and most of the modern backup solutions will give you a choice of those things and since many organizations are running significantly in the cloud being able to back your data up within the cloud with all the protection that I described of choosing where it is is important.
Finally there is the question of recovery. Are you going to do it yourself? Are you buying a disaster recovery as a service or are you looking for a managed service where some managed service provider is going to bring this in for you and indeed if you are a managed service provider then you need another variety of capabilities within those backups. So all of those are the capabilities that you need.
Now when you look at what we assessed here are some of the areas that we assessed for a particular vendor and this shows you our opinion on how that vendor performed against those different areas shown on this radar chart and I think that's fairly self-describing so I don't need to go through it but it helps enormously to have some kind of a chart like that for each of the vendors that you might be considering and finally you need to understand what your use cases are. I mean you may have multiple use cases. Is it simply that you're concerned about defending against cyber attacks?
There has also always been the problem of unexpected data corruptions, including ransomware but not limited to ransomware. You know there are other reasons applications can go wrong, data storage devices can fail. Are you actually trying to protect against outages in data centers? Are you trying to protect against cloud service being down, which is actually something that can happen? And it's also incredibly useful when you want to do a system upgrade or to do a data migration, and indeed all of this is described in yet another one of our documents.
So data resilience is what is needed for ransomware proof and for AI enabled data resilience. So now I'd like to just ask another question of the participants, the audience. How would you best describe the cyber resilience solutions that you use? Are you using multiple backup solutions for different systems and environments or do you have a single backup solution covering all our systems and environments? Do you use backup with disaster recovery as self-service? Do you have backup solutions with managed recovery services or would you say you've got a complete data resilience solution?
So please would you respond to that and now I'm just going to wrap up by summarizing what I've talked about today. The digitalization of organizations has increased cyber risks and these are the standard risks of loss of business continuity, data breaches and compliance failure. That cyber resilience is an essential element of digital transformation and this is based on good cyber hygiene and you're almost certainly going to fall within the scope of the increasing range of regulations that make you responsible for cyber resilience.
That cyber resilience implicitly depends upon data resilience because IT services have now become data defined, and if you don't have the data in a coordinated manner you won't be able to restore those services, and so data resilience is about all of these things together. That recovery is hard, that cloud native apps are complex to restore and that machine learning and gen AI have become part of the problem and it can also help. So with that I'll say thank you very much and open the floor for questions. So if there are any questions I'd be very pleased to see them.
Otherwise if there are no questions I'll simply say to everyone thank you very much for your participation and I wish you a very good rest of your day. Thank you.