Copy Data and Security: Fewer Copies = Fewer Attack Surfaces

Security is a hot topic. It has a lot in common with auto safety. We want assurances that it’s there when we need it and then hope we never do.  But we still want to be clear on the basic facts.

copy dataMany of our customer conversations still start with data protection or agility solutions – they are looking for solid technology assurances for fast backup and disaster recovery, accelerated development operations, and effective copy data management.  Make sure that nothing breaks or gets corrupted and that redundancy is there in case of any manmade misfortune or natural disaster. But there’s another critical challenge faced by every CIO – what happens if someone decides to get malicious. Even more of a concern for federal CIOs with threats from foreign governments, terrorists, and even insider attacks from Snowden types.

So we start with the basics.

Data has to be both accessible and secure. It’s a tricky balancing act. But it’s all the more difficult with those excess copies we talk about. Now, most customers don’t see how copy data impacts security, until they think about it – that more data copies increase the “attack surface”. That gives the bad guys more opportunity to get at it.   So, if you create fewer copies you theoretically decrease the number of security targets.

It’s not that we present Actifio as a formal security layer so much as a common sense means to manage potential vulnerabilities. This is one way to impact the span of protection required. Fewer copies can decrease the chance somebody will walk off with your privileged information. (Or find the opportunity to make their own copy of a copy, which is apparently what Snowden did.) Once that surface area is reduced, next place we suggest a look is at technical standards and special security compliance attributes.

For example, what about audit logs and access controls?  The Defense Department has something called Secure Technical Implementation Guide (STIG) that details specs for a compliant hardened operating system. Because we deal with the US Government, we follow these and several other security protocols.

Courtesy of the government, commercial businesses also get the benefits of cryptography, intrusion detection and integrity monitoring. (Sounds like spy stuff but it isn’t.) What’s essential is to know that the system incorporates all key technical standards and multiple levels of data security.

Don’t forget that all of this has to address physical, virtual and hybrid environments too. It has to be simple enough for the IT team to understand and operate. It needs to integrate with the data management system. It has to be fast, can’t be intrusive, and shouldn’t be costly. That’s how we talk about security.

While we are not a security appliance, another thing to know is that Actifio can also be used as reference point in time.  Suppose you have a suspected security breach.  You can mount a point-in-time of the system in a known-good state and compare it to a state after an intrusion is suspected.  Because Actifio operates at a block level, all forensics tools will work perfectly.

We also hear another level of concern about managing legitimate system access. How is the system protected from things like bugs, trap doors and outside snooping?  What happens when unforeseen vulnerabilities crop up?  How do patches get applied? What about system maintenance? What happens with new releases? While Federal high-security installations tend not to use these remote service features, commercial users want the convenience – but with solid safety commitments.

This is where Actifio’s secure remote access capability is operationally essential. One customer told us it was his deciding factor in choosing Actifio. More than a phone-home system, it’s a means of assurance.  It alerts us of system problems and it gathers routine metrics for support. It can detect, dial in, and fix a problem – even before a customer knows it has happened. And we provide customers confidence that data is protected, permissions are controlled, and that staff are well trained and security cleared.

All of this helps to reinforce broader enterprise security strategies. Frustrating bad guys is just a bonus.

Photo Credit: grittycitygirl

Recent Posts