In today’s world, consumers expect businesses to be always-on, but 24/7/365 availability – for both data and applications – comes with specific information security challenges.
“The most significant challenges often exist in both ensuring and providing attestation of data protection for customers’ personal information,” says Danny Allan, VP, Cloud & Alliance Strategy at Veeam Software.
Ongoing vulnerability disclosures and zero-day vulnerabilities have proven that it is essential to have a security awareness and education program, a comprehensive and consistent patch management program, a data availability strategy, and an incident response and forensic team.
“But even with all this in place, a very tightly coupled challenge is ensuring compliance with the myriad and complex security compliance and privacy regulations that exist for customer protection,” he adds. “These challenges are exponentially elevated as organizations are delivered in a multi-cloud environment – some coming from SaaS providers, some internally from the corporate datacenter, and some from the public cloud.”
The availability challenges also change as a company grows in size and its customer base gets larger. These changes are based on both internal and external factors.
The former are typically associated with growth: scaling out and scaling up as systems grow and data increases. The challenges that come with that growth stem from the complexity of a hosting environment that spans multiple clouds and infrastructures, and from ensuring that data protection activities can fit within the small windows of time available for them.
Threats that impact constant availability
“External challenges are also increased as organizations grow their business and customer base and become a more significant target for malicious intent. This elevation of profile results in a more attractive attack surface,” he notes.
Defining and measuring the threats to availability involves factors such as financial impact, number of affected users, historical prevalence, and the scope of the threat surface, such as how discoverable the problem is and how easy it is to reproduce. Most organizations can expect to face these challenges in the form of hardware failure, but the cause could also be the intentional deletion of data by a disgruntled employee.
Different types of availability
For CISOs whose organization is about to release a new product that depends on constant availability, it is important to differentiate and have a strategy in place for both high availability and business availability.
High availability is about ensuring redundancy of systems to account for system failures. This might include such practices as load balancing and clustering of data and application components.
“Business availability is far broader in nature and takes into account a plan for both intentional and accidental human error. This could include incidents such as malicious data deletion, or misconfiguration of systems which leads to downtime for the system,” he says.
“Business availability requires having a 3-2-1 policy in place that ensures three copies of the data, on two different media types, with one copy being saved offsite. It should also include a GFS (grandfather-father-son) structure that includes tiering of data copies based on age and relevance.”
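As an added illustration of the two policies described above (this is example code written for this page, not Veeam's software or anything from the interview), the following Python checks a backup inventory against the 3-2-1 rule and tiers dated backups by age under a grandfather-father-son scheme. The inventory entries, the media and location labels, the backup dates and the tier sizes (7 daily, 4 weekly, 12 monthly) are all constructed assumptions; any real deployment would read them from its own backup catalog.

```python
from datetime import date, timedelta

# Constructed inventory: one row per stored copy of a backup set.
# Media and location names are assumptions for this example.
INVENTORY = [
    {"set": "db-2024-06-01", "media": "disk", "location": "onsite"},
    {"set": "db-2024-06-01", "media": "tape", "location": "onsite"},
    {"set": "db-2024-06-01", "media": "object-storage", "location": "offsite"},
    {"set": "files-2024-06-01", "media": "disk", "location": "onsite"},
    {"set": "files-2024-06-01", "media": "disk", "location": "offsite"},
]


def check_3_2_1(inventory):
    """Return {set_name: [violations]} for every backup set in the inventory.

    3-2-1: at least three copies, on at least two media types,
    with at least one copy stored offsite.
    """
    by_set = {}
    for copy in inventory:
        by_set.setdefault(copy["set"], []).append(copy)
    report = {}
    for name, copies in by_set.items():
        problems = []
        if len(copies) < 3:
            problems.append(f"only {len(copies)} copies (need 3)")
        media = {c["media"] for c in copies}
        if len(media) < 2:
            problems.append(f"only {len(media)} media type(s) (need 2)")
        if not any(c["location"] == "offsite" for c in copies):
            problems.append("no offsite copy")
        report[name] = problems
    return report


def gfs_select(backup_dates, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Decide which dated backups survive under a grandfather-father-son scheme.

    Sons:         the most recent `keep_daily` backups.
    Fathers:      the last backup of each of the most recent `keep_weekly` ISO weeks.
    Grandfathers: the last backup of each of the most recent `keep_monthly` months.
    Returns {date: tier} for retained backups; anything absent is eligible to expire.
    A date that qualifies for several tiers keeps the finest-grained label.
    """
    dates = sorted(set(backup_dates), reverse=True)  # newest first
    keep = {}
    for d in dates[:keep_daily]:
        keep[d] = "daily"
    # Because `dates` is descending, the first date seen per week/month is its latest.
    weeks = {}
    for d in dates:
        weeks.setdefault(d.isocalendar()[:2], d)   # (iso_year, iso_week)
    for d in list(weeks.values())[:keep_weekly]:
        keep.setdefault(d, "weekly")
    months = {}
    for d in dates:
        months.setdefault((d.year, d.month), d)
    for d in list(months.values())[:keep_monthly]:
        keep.setdefault(d, "monthly")
    return keep


def constructed_daily_run(end=date(2024, 6, 30), days=100):
    """Constructed sample: one backup per day for `days` days ending on `end`."""
    return [end - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    for name, problems in check_3_2_1(INVENTORY).items():
        print(name, "OK" if not problems else "; ".join(problems))
    retained = gfs_select(constructed_daily_run())
    for d, tier in sorted(retained.items(), reverse=True):
        print(d, tier)
```

Running the script prints the 3-2-1 verdict per backup set (the constructed "files" set fails on copy count and media diversity) and the 13 dates kept from a 100-day run of daily backups: seven daily, three further weekly and three further month-end copies. Because the weekly and monthly tiers are derived from the same dated run, a backup that is both the newest of its week and of its month is counted once, which is what keeps the retained set small.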