Isolated Recovery: Modern Data Protection Against the New Breed of Cyber Threat

Peter Gerr

In the first part of this three-part series we looked at the rapidly changing cyber threat landscape and how traditional data protection strategies may fall short in protecting against them. In this part, we look at a promising new option called isolated recovery.

In today’s data-driven always-online world, having real-time access to critical business applications is not an option – customers, employees and partners demand it. In industries like financial services and healthcare there is added pressure to protect regulated data, such as personally identifiable information (PII), from being accessed by unauthorized parties.

The Data Protection Gap

Traditional data protection strategies like backup and disaster recovery can’t adequately protect your critical data against insider attacks or the newer and more-malicious breeds of ransomware and malware. Those protections were created before such threats were as common and sophisticated as they are today.

As I discussed in my previous post, most organizations back up to servers configured as nodes on the network with a constant connection and continuous operation. Being dependent upon internal networks for data movement leaves organizations vulnerable to insider attacks on both the production and backup/remote copies, as was the case in the 2014 Sony attack. That makes backup essentially useless.

Anatomy of a Cyber Attack

Common ransomware variants like WannaCry, Locky, CryptoLocker, and CryptXXX have already evolved from targeting production applications and data to deleting local backups made with Windows’ Volume Shadow Copy utility, thereby preventing users from restoring data from an earlier snapshot. Backup servers are also favorite targets of malicious intruders who gain administrative access to corporate networks and embed data-stealing programs such as keyloggers and rootkits into the company’s IT infrastructure.

Once malware has infiltrated backup, it’s nearly impossible to eradicate without extensive effort by data recovery or forensic specialists, and that effort comes at a high cost. That’s on top of the short-term costs of downtime and the longer-term impact of lost customers and reputational damage. Three months after being hit by a massive ransomware attack, the city of Atlanta is still struggling to assess the damage. Recovery costs are $9.5 million and climbing.

Enter Isolated Recovery

There’s a new and effective approach to protecting data from cyberattacks that keeps critical data out of harm’s way. It’s called “isolated recovery,” and you can think of it as backup with the added security of an air gap. Essentially, air gapping involves isolating critical systems, networks and data from external connections, which create attack routes. While air gapping can be an effective first step in protecting data from cyberattacks, it doesn’t protect against insider threats, since backup systems may still be located on-premises.

Taking isolated recovery to the next level involves further isolating critical data by copying it across a private, secure, encrypted network to a remote, offsite location. To improve the effectiveness further, your “cloud data vault” should be managed and monitored by a trusted third party with expertise in both physical and logical security.

Access to the vaulted, or “fail safe,” copies should be limited to authorized personnel with proper clearance. As a further level of protection, you should maintain control of the encryption keys that “unlock” these data sets.

An additional protective measure you can take is to schedule remote copies to be made at random intervals. At all other times the isolated recovery system is fully offline and unavailable to other network nodes. This minimizes the risk that an intruder or malicious insider can anticipate when the remote copies will occur, helping to thwart a planned attack.

It’s All About Recovering Your Data

Having a secure computing “sandbox” co-located within the remote data vault provides a dedicated, “clean” environment for inspecting and validating the data’s integrity, ensuring that it’s free from dormant malware and not otherwise compromised. Once validated, the fail safes can be quickly restored via the same secure networks to the production environment – and you’re back in business. Literally.
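As an added illustration (not code from this post or from any vendor it names), the following Python sketch ties together three of the controls described above: a copy-time manifest authenticated with the customer-held key, a pre-restore validation step in the clean sandbox that flags modified, missing or unexpected files, and a copy delay drawn from the OS CSPRNG so the next vault copy cannot be predicted. The file contents and the key are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample "production" files as they look at the moment of the vault copy.
PRODUCTION = {
    "ledger.db": b"account,balance\n1001,250.00\n1002,980.50\n",
    "patients.csv": b"id,name\n7,Jane Doe\n",
}

# Assumption: a key the customer keeps (the post says only that the customer
# controls the keys); it authenticates the manifest so an attacker who alters
# vaulted files cannot also "fix" the recorded hashes.
CUSTOMER_KEY = b"example-customer-held-key-not-for-production"


def make_manifest(files, key):
    """Hash every file at copy time and MAC the hash list with the customer key."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def validate_vault(files, manifest, key):
    """Run in the sandbox before restore; an empty list means the copy is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest itself was altered or wrong key"]
    problems = []
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"modified: {name}")
    problems += [f"unexpected: {name}" for name in files if name not in manifest["files"]]
    return problems


def next_copy_delay(min_minutes=60, max_minutes=360):
    """Pick the delay until the next vault copy from a CSPRNG, not a fixed schedule."""
    return min_minutes + secrets.randbelow(max_minutes - min_minutes + 1)


if __name__ == "__main__":
    manifest = make_manifest(PRODUCTION, CUSTOMER_KEY)
    vaulted = dict(PRODUCTION)
    print("clean vault:", validate_vault(vaulted, manifest, CUSTOMER_KEY))
    vaulted["ledger.db"] = b"\x00encrypted-by-ransomware"  # constructed tampering
    print("tampered vault:", validate_vault(vaulted, manifest, CUSTOMER_KEY))
    print("next copy in", next_copy_delay(), "minutes")
```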

Tipping the Odds in Your Favor

While it is impossible to completely defend your business and your data from a motivated hacker, remote isolated recovery offers your organization the best possible chance to preserve and recover critical data should an attack occur.

That said, research shows that only 18% of organizations employ physical or remote isolation today. Modern data protection solutions, especially those built on a secure cloud model, offer cost-effective ways to protect critical data without the high cost of purchasing and managing the necessary hardware and software yourself.

Because of the technical sophistication and need for dedicated resources, an isolated recovery environment is generally used only to protect an organization’s most critical data. For non-mission-critical files, conventional backup is usually just fine. With the cost of a typical data breach now measured in the millions of dollars, adding isolated recovery to your portfolio of backup and disaster recovery solutions increasingly makes good business sense.

It really is all about the data, and if you agree that data is the lifeblood of your business, doesn’t it make sense to do everything you can do to protect your “crown jewels?” Isolated recovery gives your business the best possible chance to ensure you can stay in business despite the efforts of those looking to do it harm.

In the final part of this series, we’ll look at isolated recovery options for your business, including cloud-based solutions like Iron Cloud CPR and on-premises packages like Dell/EMC’s CyberRecovery Solution.
