In the latest installment of the Java with Otava video series, Senior Solution Architect Mike Caldwell talks best practices and recommendations for securing and preparing your cloud infrastructure. Check out more Java with Otava videos on our YouTube page.
MIKE CALDWELL: Hello and welcome to the Java with Otava video series. Today we’ll be talking about cloud infrastructure preparedness. My name is Mike Caldwell, I’m a senior solution architect with Otava. Grab a cup of coffee and let’s jump right in. Our agenda today covers three main points. First, we’ll talk about why it’s important to pay attention to cloud infrastructure from a security standpoint. Second, we’ll review some facts and statistics to validate the threats we face and finally, we’ll cover some recommendations on preparedness.
So why should we pay attention to cloud infrastructure preparedness? Well, let’s define the concept. Preparedness is all about making sure our cloud infrastructure can mitigate threats from a variety of external risks. Ideally, we want to prevent all possible threats, but in the real world we know that we have to design our infrastructure around the assumption that something will happen. Attacks from hackers, malware, ransomware can pose serious ramifications to your business, so it’s critically important to recover as quickly as possible. I want to present some industry statistics around malware and ransomware and, as you can see, we still have a lot of room to improve as a country. I want to highlight the last sentence, the average cost of downtime is fifty-six hundred dollars per minute, that’s insane. I also want to highlight that ransomware does not affect a specific vertical or industry, all companies are affected, maybe not equally, but we all share in the risk of ransom. I’m going to cover three main areas where we can improve preparedness. The first we’ll talk about, network segmentation. Second, we’ll discuss encryption and third, we’ll discuss disaster recovery and off-premise backups.
Let’s talk about segmentation. The goal of segmentation is to separate our public facing servers from our private facing ones. In a typical use case, we’ve separated our web servers, which are publicly facing, from the back-end databases they rely on. When we implement segmentation, we introduce a firewall in between those two servers allowing us to restrict what type of traffic, if any at all, can flow between them. Let’s go over an example. In our example we have two servers, one is a web server that’s exposed to the Internet and the other is a back-end database. The servers are in a separate virtual network with the firewall deployed between them. We’ve set up a firewall rule to only allow SQL traffic between the two servers. All other traffic is blocked in this case. Let’s assume that we’ve discovered that our web server has malware on it. Due to the fact that we segment our network properly, malware was unable to spread from the web server to the database server because it could not make the jump through the firewall between the virtual networks.
Let’s move on to encryption. Encryption is an essential part of hardening our environments. Most organizations store very sensitive information such as healthcare records or credit card numbers. So, our first line of defense fails and our systems break down, our information stolen. Encryption prevents that data from being read or used. You’ll want to make sure that you’re encrypting your data at rest and in transit. Encryption at rest, we want to think about physical encryption, SANs [and] hard drives that are self-encrypting; that way if somebody comes in and takes a hard drive and runs it on the data center, your data is protected and it’s unusable to that person. With encryption in transit, we want to think about using technologies such as SSL VPN or IPSec VPN tunnels to encrypt the data we’re sending over the internet, either to the public cloud, a private cloud provider, or a different data center.
Let’s move into talking about DR [disaster recovery] and backups. One of the most important aspects of any cloud preparing strategy is going to be time to recovery, in other words how long does it take the backup to be back up and running from a security or disaster event. At Otava, we have two measurements, RPO [Recovery Point Objective] and RTO [Recovery Time Objective]. RPO being how old your data is at the point of recovery and RTO being the time it takes to restore services in DR. Earlier we covered how each minute of downtime could cost the average company fifty-six hundred dollars a minute. In order to reduce the financial impact of that event, or any event, we needed a DR product that can provide us with a real-time replication of our data and extremely quick recovery. In addition, especially from infections such as malware or ransomware, we want a DR product to have what’s called a point in time recovery. You might have heard of it as a journal history. This allows organizations to failover to exactly the point in time before an infection occurred. Could be as quick as a couple seconds before that infection occurred, to allow you to restore to your DR environment without any risk of further infection. For more information on disaster recovery services, please watch the disaster coverage on the Java with Otava video that covers the subject in greater detail.
Working together with a DR solution, off-premise backup is the other half of a business continuity strategy. While DR is meant for a quick recovery, it’s not designed for long-term retention and this is where backup comes in. It’s where they work in concert together. It’s important to have multiple copies of your backup data in different locations. If you only store your data backups in the same location as your production environment, you know what happens when your production environment is lost from fire or an act of god. But, what if malware infects the production data center, deletes all of your local backups? Any well-designed backup strategy is going to consist of three different copies of your backup data. Two of those copies are two different types of media, so disk and tape, with one of those three copies being stored off-site [with] either a different location or a third-party provider like Otava. This is known as a 3-2-1 rule in backup. It’s important that your backup technology includes a way to protect that off-site copy against ransomware. So, at Otava we offer a Cloud Connect service that’s powered by Veeam and it allows you to store your off-site copy in our cloud and we provide you a seven-day ransomware protection for that data. We store it for you in case of attack. [Here is] an example of a Veeam implementation at Otava. We follow the 3-2-1 rule for this scenario. Imagine the left pane is your datacenter, you’re using Veeam today and you are protecting your virtual environment and your physical environment with Veeam. Your first copy of data is Veeam on disk, you are then copying that data to tape. Perhaps you’re shipping that tape to a different location. But we recommend also having a second copy, or your third copy would be a second copy of disk backups you would store with Otava. With that third copy, we can restore to our cloud, we could restore it back to your on-premise, or anywhere you like us to restore.
Finally, it’s important to go into a little bit more detail about why backup and disaster recovery are different and why you need those. As we talked about a little bit, backup focuses on long-term retention of data, it is not meant to restore quickly. On the flip side, DR is meant for a quick recovery, but typically only has 12 to 48 hours of history for you to restore to. If we were restoring from backup, your data could be as old as 24 hours if we’re doing daily backups and that’s not acceptable in a lot of cases. We need both solutions to have a successful strategy and [that’s] why both are important to preparedness in case all of our other security designs fail and we have to fail over to DR. With that being said, that’s the end of my topic. I wanted to let you know how Otava can help. As you can see on the screen, our main business is hybrid cloud, DR, backup. We do colocation, but we also do cloud readiness assessments, professional services and a whole lot more. If any of this interests you, if you have anything we can help with, we’d love to have a conversation. You can reach us at the number shown on the screen, you can also email [email protected] and it’s been a pleasure to go over this with you. I thank you for watching and I hope to talk to you soon. Have a great day.