Organizations are experiencing their fair share of ransomware attacks in the cloud. For instance, in “The State of Ransomware 2020,” 73% of respondents told Sophos that their data had been encrypted in the most recent ransomware attack to affect them. The security firm probed further and found that more than half (59%) of successful attacks had either encrypted their data in the public cloud or had affected both on-premises and cloud-based information.
The issue is organizations aren’t always recovering from these attacks. Complexity in the cloud appears to have something to do with it. Indeed, in its “2020 Ransomware Resiliency Report,” Veritas found that 43% of organizations with fewer than five cloud providers in their infrastructures were able to restore their business operations in less than a day. The same was true for only 18% of those with more than 20 cloud providers. Comparatively, 39% of organizations with more than 20 providers took upwards of 10 days to get back to normal, while 16% of those with less than five providers waited as long.
Complexity in the cloud didn’t just prolong some organizations’ recovery efforts. In some cases, it foiled them completely. Veritas uncovered that less than half (44%) of organizations with fewer than five cloud providers were able to recover 90% or more of their affected data. The number was less for those with 20 or more cloud services at 40%. Such data loss undoubtedly affects organizations’ ability to carry out their business as usual. If the lost data includes proprietary information, victims might need to cease operations entirely.
In response, victims might decide to pay attackers, but there’s no guarantee that they’ll get a working decryption tool. There’s also the issue that they could incur civil penalties from the U.S. government. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced in October 2020 it could impose civil penalties on individuals who send payments to ransomware and other malicious actors named on its cyber-related sanctions program. OFAC said it could levy fines with strict liability, meaning victims could be held liable for paying a ransom, even if they didn’t know they were doing something wrong.
Disaster Recovery as a Solution
Organizations must be able to recover from data destruction events in the cloud to avoid potential business losses and/or civil penalties. Thus, the need for disaster recovery and business continuity.
Understanding Disaster Recovery and Business Continuity
According to the EC-Council, business continuity amounts to an organization’s ability to maintain its critical functions during and after a disruption. These types of events could result from a natural disaster such as an earthquake, or a manmade incident such as a ransomware attack. Disaster recovery is a subset of business continuity as it “focuses more on keeping all engines of the business running despite the disaster,” in the EC-Council’s words.
As part of disaster recovery, organizations need to be able to recover their data and systems that might have been destroyed in the disruption. This could include duplicating computer operations using a two-stage process. Techopedia explains that the first stage, known as “failover,” involves the ability to automatically switch over information from an active system that’s been corrupted to a redundant or standby system. The second stage, failback, is where administrators effectively use change data, or changes made since the original system came under duress, to update the original system.
How Disaster Recovery Has Traditionally Worked (and Failed)
Previously, organizations used on-premises means to ensure their disaster recovery capabilities. This effort mainly consisted of establishing one or more physical disaster recovery sites equipped with additional data center space. In the process, organizations needed to cover the costs associated with setting up the site, purchasing the servers and maintaining that equipment with proper power and cooling capabilities.
The issue was that business continuity wasn’t guaranteed by setting up these physical disaster recovery sites. Vault Networks notes that these sites only commonly operated when organizations were actively replicating their data, or when there was a disaster. This process created a time lag that could have resulted in data loss, and undermined business continuity.
Additionally, physical disaster recovery sites didn’t necessarily start up automatically. It was common for organizations to use manual operations in order to activate these sites if the primary system experienced a disruption. This reliance on manual remediation also risked time lags and loss in business continuity.
Cloud Disaster Recovery to the Rescue
Recognizing these challenges, many organizations are now turning to cloud-based disaster recovery. Otava explains that this method of disaster recovery differs from traditional disaster recovery in that virtualization enables organizations to encapsulate an entire server in a software bundle, or virtual server. Therefore, disaster recovery in the cloud carries several benefits:
- Using virtual servers, organizations can copy, back up and spin their data up on a virtual host in a short amount of time.
- Virtual servers are hardware-independent, which allows organizations to move their applications and data to other locations without the need to install additional components. This further reduces recovery times.
- With cloud-based disaster recovery, organizations can shape their disaster recovery plans to prioritize their most critical applications. Such capabilities help give organizations the ability to keep their essential functions running rather than to treat their infrastructure as a monolith in their disaster recovery process.
Issues that Organizations Could Face along the Way
However, organizations can run into challenges in implementing cloud-based disaster recovery along the way. A Veeam-sponsored guide found that security is perhaps the biggest obstacle to this method of disaster recovery. The risk here is that someone could access the organization’s critical information while it’s being backed up offsite. In the event that organizations didn’t apply encryption to that information, a malicious actor could monetize that data, or use it to launch secondary attacks against the affected entity.
Security isn’t the only issue. Cloud-based disaster recovery isn’t a benefit if organizations still pay exorbitant costs to store their disaster recovery data, while suffering time lags in their data synchronization. They need to devise a strategy that minimizes costs while promoting continuous synchronization by the automation of failover and failback. They also need to have the resources to test their disaster recovery environment and make sure it works as planned.
How Organizations Are Handling These Challenges
Some organizations are responding to the challenges described above by developing a cloud-based disaster recovery plan on their own. To do this, they need a great deal of technical expertise. As Google explains, organizations need to figure out where they want to deploy artifacts within their recovered environment. They need to combine their application and data recovery techniques to prioritize their recovery sequency, as well as implement network controls in the disaster recovery environment that replicate the same level of security (i.e. the principle of least privilege) as those measures used in production.
In search of a more hands-off approach, other organizations are turning to Disaster Recovery as a Service (DRaaS). This iteration of cloud-based disaster recovery involves working with a third party that replicates and hosts an organization’s disaster recovery data on its own physical and virtual servers. The NewCloud blog notes this strategy helps save organizations money as they don’t have to pay for storage space they don’t need. DRaaS also benefits organizations as it connects them with reputable service providers who have experience with data security and disaster recovery planning in the cloud.
That may be true. But that doesn’t absolve organizations of the need for internal technical expertise. Regardless of their experience, DRaaS providers aren’t you. They don’t know the business like you do. They don’t have the same knowledge of the cloud’s design and architecture that someone internal might. As a result, they can’t figure out how the organization can optimize its investment in a DRaaS solution like someone internal can. And they don’t know the organization’s security and compliance obligations as well as someone who works in the organization does.
CCSP: A Certification for Navigating Disaster Recovery in the Cloud
Organizations need someone with technical expertise to navigate these cloud-based disaster recovery intricacies for them. That’s where a Certified Cloud Security Professional (CCSP) comes in. Established by ISC2, the CCSP certification demonstrates a candidate’s expertise across six security domains including compliance in the cloud, cloud data security standards, cloud application security standards and more. Individuals who achieve CCSP certification can use those vendor-neutral skills and advanced knowledge to manage the different technologies and methodologies used by their current employer, as well as to advance their career into the future.