S1 EP. 18 Building a Cyber Resilience Vault with Zerto, Discussions with Zerto Global Field CTO Shariq Aqil
Hey, everybody.
I'm Brad Bussie, Chief Information
Security Officer here at e360.
Thank you for joining me for the State
of Enterprise IT Security Edition.
This is the show that makes
IT security approachable and
actionable for technology leaders.
I'm very happy to bring you
a special guest this week.
Field CTO Shariq Aqil of Zerto, an HPE company.
You may not know this, but
you are my very first guest.
So if you wouldn't mind, tell
our listeners a little bit
more about you and about Zerto.
Thank you.
Thank you very much, Brad.
I'm glad to be here.
And thank you.
Thanks a lot for having me.
So I'll start with my background.
So my name is Shariq Aqil.
I'm global field CTO with
Zerto, which is an HPE company.
I joined this company just over two years ago, and before joining HPE and Zerto, I was with Dell. I spent just over five years there with Dell and EMC. I was part of their data protection division, and then I was covering their global alliances for the complete enterprise portfolio. Before joining Dell, I was with IBM. I spent a few years there working in software-defined storage. And before that I was with Dell, and before that I spent a few years as a hands-on resource in a data center. So just over 20-plus years in the field.
That's about me.
Awesome.
If we talk about Zerto, which was acquired by Hewlett Packard Enterprise back in 2021, Zerto came into being back in 2009. And it was software that provides customers with disaster recovery, quick failover, failbacks, data mobility across different platforms, and ransomware resilience. And all of this was built on the logic of continuous data protection. So, always-on data protection that provides customers with these three major use cases.
Awesome.
Well, thank you for being on the show. I wanted to talk a little bit about cyber resiliency. I know we're going to get into the Cyber Resiliency Vault, but I think for some of our listeners, it may help to give them an overview of what cyber resiliency is and what problem it solves. So I figure I'll give them just a quick, you know, kind of high-level view, and then we can get a little bit more into the vault side of it.
So as far as cyber resiliency, we're referring to an organization's ability to continue to operate effectively in the face of cyber threats and attacks. It encompasses what we would consider a comprehensive strategy, and that strategy includes things like prevention, detection, response, analysis and recovery. These are processes that are designed to protect as well as sustain the organization, and really it's focused on what I would say are critical operations. Really, the main problem that cyber resiliency solves is the vulnerability of organizations to disruptions that are caused by things like cyber attacks, which can result in, we'll say, significant operational, financial, as well as reputational damage. And by implementing, we'll say, robust cyber resiliency measures, organizations can minimize the impact of attacks, ensure the continuity of essential services, and, this is, I think, the important one, quickly restore full functionality. And that's really just maintaining the trust that the business has put in us as cyber defenders, and really safeguarding assets in what I think Shariq and I would consider an increasingly hostile digital landscape.
So I think that sets the stage for like
cyber resiliency, really the problem.
And I think it would be useful now, Shariq, if I go into what a Cyber Resiliency Vault is and what problem it solves. And then I think what would be good is just getting an idea of how Zerto works, how you look at this whole problem, and what that landscape looks like to you, and let's see if we match up on what I'm saying.
Does that sound good?
Yeah, that sounds pretty good.
And you know what, the way you
describe cyber resilience is
exactly what cyber resilience is.
Let's just call it.
It is an outcome.
It is an outcome.
It's not a product.
It is an outcome.
And to achieve that outcome, we have to have different policies in place, the right people in place, the right education in place and the right products in place. Only then will we be able to achieve the resilience that you were talking about a few minutes ago. And when it comes to it, there are two strategies. One is the proactive one, meaning keeping the bad actors out. And that is like having strong security defenses in place. So the right products, the right people, the right policies, the right education for the employees. They are well aware of what to click and what not to click so that we keep the bad actors out. The second phase is the reactive one: if a bad actor is in and they are able to cause any damage, now, how to respond to that, how to detect it, how to recover, and recover very quickly, because recovery is the base that the whole business will rely on in case of a cyber attack. There's a downtime. Now you have to recover. Now, how quickly you can recover and how sure you are of what kind of data you are recovering back. So this is my perspective on cyber resilience approaches.
That's perfect.
Yeah.
And I think talking about the whole vault concept too will definitely help add a little bit more to that. So essentially, when I look at this whole piece of what we've talked about, and you can correct me if I'm off here, I think of a Cyber Resiliency Vault as... we'll call it secure, because that's what everybody wants to hear. A lot of times it's air-gapped storage. And it's really designed to protect critical data, as well as systems, against things like ransomware and other forms of malware. I think that was kind of the initial intent. And it ensures that stored data remains secure and immutable, and that means it can't be altered, can't be deleted, and thereby we maintain something pretty important, which is data integrity as well as availability, even in the event of security breaches. Because we hear about this all the time where organizations have been breached and I see them down for a long time. Weeks, if not months. And what I'm starting to realize is I think a lot of them have not gotten very far into the concept of resilient systems and a resilient vault.
So I think when you look at this, having a specialized vault that can address things, it's really the crucial need for rapid recovery. And this really gives an organization a point to restore back to, and what we're trying to do is restore operations quickly, with minimal disruptions, following an attack. But I could almost see this as not just an attack. If somebody makes a mistake, we call this in the industry insider threat. Sometimes it's malicious. Sometimes it's not. Sometimes it's just somebody that doesn't know what they're doing. And next thing you know, all of those VMs that you had are gone, they're wiped. And when you ask, well, how did that happen? It comes down to somebody just didn't know what they were doing. But I think some of the things to keep in mind are that with a vault, you know, we're doing things like encrypting the data. We're isolating it from the network. We're preventing unauthorized access and tampering. And really it fits into that broader resiliency strategy that we've talked about. And I look at this as organizations that implement a vault are really enhancing their ability to withstand and quickly recover from an incident. We're really ensuring that business continuity and the protection of sensitive and critical data is there. And I think that generally this approach was looked at for just crucial environments where data integrity and availability are super important. So if I kind of rewind, I look at this as financial services, healthcare, government, large enterprises. But honestly, I think where we're at now, okay, is this should be business as usual for organizations of all shapes and sizes.
Yeah, absolutely.
Absolutely.
Beautiful description.
And the basic reason that these cyber vaults came into being: cyber attacks and these cyber attackers, what they were doing is, they get into the network, they perform a network scan, and they identify anything that is connected, anything that is storing the data or keeping the copies of the data. And then they attack those before encrypting the production environment. So if you have a backup server sitting in there, because we have to understand backups are good, backups need to be there for operational recovery, but if they are sitting on the network, then they are also a target. And we have seen these attackers targeting the backup copies or replica copies before they encrypt the production environment. So because of that reason, the requirement came to have an air-gap copy of your data, so that if somebody comes in and performs a network scan, they are not able to see that copy.
And that copy has to be immutable. And when we talk about immutability, it has to be really immutable, in a way that once it is written, nobody is able to tamper with it, including administrators. So, the point that you were talking about, internal attacks: in that case, you have to have that protection available. Once it is written, it has to be immutable and nobody should be able to tamper with it. So we talked about isolation, we talked about immutability, but the third thing, and that is the important thing, is the integrity of the data that you are storing. What is the health of the data? How clean is the data, so that in case you are hit, you know what is the last known good copy I can go back to, to start the recovery process? So these cyber vaults really provide all three or four capabilities: not only to store the data, but to check the health of the data as well as keeping it immutable.
Exactly.
And I think, if I know the listeners out there, and I know those watching, they're probably going to ask the question, based on what we've discussed: why do we need cyber resiliency and Cyber Vaults? And I think of this as kind of two pieces. One, the way we've described it, cyber resiliency focuses on the broader strategy of preparing for, responding to and recovering from a cyber attack. While the Cyber Resiliency Vault is a specific and, we'll call it, tactical tool that is supporting the strategy, and that's essentially by safeguarding the data. What do you think? Is that a pretty accurate assessment?
Accurate, pretty accurate.
And I'll just give you an example.
There are like five different pillars
you already talked about, identify,
protect, detect, respond, recover.
So usually the first three pillars lie with the security teams. Identify, protect, detect is like keeping the bad actors out, stopping the attacks even before they cause any damage. So they are doing a very good job. They have the best tools in place and they are keeping the bad actors out. But if a bad actor is in, and if there is any corruption, now the question is: who owns the recovery of the data after that corruption? Is it the security team? Or is it someone else? If it is the storage team, now the question is, do they have the right infrastructure deployed to be able to perform that kind of recovery from a cyber attack? And this is exactly where you need the vault to help complement your cyber resilience strategy.
I agree, because I end up seeing organizations that often point in different directions when you say, well, who's responsible for this recovery? And I think having a vault definitely starts to simplify that, and having the strategy overall is, I think, pretty important. So what I'd like to talk about is specifically how you do this vault concept with Zerto. So I would think of this as building a Cyber Resiliency Vault with the Zerto technology. I'm just super interested in what that looks like and kind of the approach that you take. And then I figure what I could do is talk about how we look at this from a program perspective, and tooling is always great for supporting the program. So I think let's go tools first and then let's talk a little bit about program.
Sure thing.
So before going into the details of our solution, I want to talk quickly about the market landscape which was there before we launched our product. So there were many cyber vault offerings out there in the market. But one thing that was common in all those solutions: all those solutions were based off of backup software. Right. The backup software writing the data and then you are vaulting it. And one reminder: our customers never relied on backup software to provide them with mass recovery of the data. Nothing to do with anything; it is just that some technology limitations are always there. They use something like storage replication, something like Zerto, to provide them with the ability to quickly fail over, fail back and do the mass data recovery. Because the backup, first of all, takes a long time to recover.
Right.
Right.
Right.
Plus you only perform backup once a day. So there's a data loss window. If we talk about data loss of 24 hours plus the recovery time of a couple of weeks, that's a long time. And we saw that as a gap in the market, that all these solutions are based off of this technology. So what we did with our solution is, we brought the data mover, Zerto, into the picture and coupled it with HPE hardware to come up with a solution where we provide cyber vaulting, not based off of backup, but based off of continuous data protection. So any point-in-time recovery that is getting replicated to our vault, number one. The second thing is, as we are replicating the data, now we are performing the scan of the data to identify any anomalies, any traces of encryption. So within three to five seconds, you know whether the data copy is clean or not, instead of you performing a backup, waiting 24 hours and then starting the scan, and only then knowing whether you have a clean copy or not.
So we combined it. So this is how we move the data. As we are moving the data, we are scanning it, then we are making it immutable, but we are not leaving it there. From there on, we are creating an air-gap copy of that data into our vault zone. And that is totally based off of a decentralized architecture. So there is no single manager of it. If there is no single manager, there is no single point of compromise. The whole architecture is built on zero trust principles. So the data mover component does not know about the retention policy. The retention policy holder does not know about the replication policy. So there are many things that we considered. And the beauty of this architecture is that it is continuous data protection. So it does any point-in-time recovery for up to whatever retention duration you want. Plus the recovery time for petabytes of data came down from weeks or months. So that's one part of the recovery: the data loss window. We brought it down from 24 hours down to three or four hours. Recovery time, we brought it down from 30-plus days down to two hours. So that's the business impact that we reduced.
The third thing that people don't usually talk about: we always talk about vaulting the data, but we never talk about recovering the data. Because if you are under cyber attack, that means your production is compromised and might not be accessible. So now you have the data copy; where will you recover it? You will need a clean room. So what we did in our architecture, we combined the vaulting and the clean room in one solution, to be able not only to store the data and keep it safe, but also, in case of attack, to recover it, perform tests, do the forensics, do the cleansing, and then move the data back to production. So that's our architecture on a high level, Brad.
I love it...
Honestly, when I look at this, I feel that this is in some cases the only chance that an organization would have to recover, because of just how attacks are starting to ramp up. And I think, you know, tools are fantastic, but what I've noticed, after watching a lot of these recovery events of organizations that have been compromised, is that really the weakest link is the people, in preparation and the ability to act when the event occurs. Your technology is fantastic. It's there to be leveraged. But when I start talking to an organization and I just ask one simple thing, what needs to come up first? Let's say you're completely down. What does that actually look like? And I have a bunch of people staring at me and they don't know the answer to that. So what I think would be interesting is if we talk through kind of the programmatic approach and how we could then leverage Zerto in this type of scenario where we've been compromised, either systems are down or all systems are down, Active Directory has been impacted, there's some form of event that is happening.
So the first thing that I ask clients is: let's try to get in front of this before it happens. That's the big thing. But first, ask yourself and your organization today, can your business recover without major financial loss? And I would say in 80% of organizations that are asked that question, the answer is maybe. It's not a no. It's not a yes. People just aren't sure. So what we've done is we've kind of looked at this as a cyber resiliency framework. So the first thing that I would ask is, if that's a maybe for your organization, consider this framework, and I'm going to just kind of rapidly go through it.
First aspect is making sure you understand the mission. What is the mission of your organization? The implementation of your technology, and identify technology requirements overall. When do things need to come up? In what order? What service accounts? There's a lot of things that go into that. I make it sound kind of easy, but there's a lot of work that needs to happen. Second is revenue as well as brand equity. So this essentially supports and enables your overall business strategy, because as we've seen with some of these cyber attacks recently, not only is it a revenue impact to the business, 'cause they're down and they're unable to provide the service that they are implementing in the first place, their brand takes a significant impact, and customers may not be as comfortable coming back and doing business with an organization that's been compromised. So, asking yourself that question. Third, what are the core business functions, and aligning those with security to protect critical systems as well as data? And then I think this is where some of that vaulting technology comes into play. And fourth, there's the internal operations and administrative functions. And this is where I see a lot of organizations really struggle, because what I'm asking you to do is map technology to business functions. And that's essentially the only way you're ever going to recover from a large-scale cyber event.
What do you think of that?
Do you think that's pretty solid as far as a framework and approach? It's pretty high level.
That's a really, really, very strong approach. And you covered it again. You covered it very well, because you cannot achieve resilience with one thing. You have to have the right people identified. You have to have the right policies in place. You have to have the right products in place to be able to support that. But not only these three P's; you also need to consider, in case you are attacked, what are the minimum viable business components that you are recovering? So, it will start with identification, as you explained it very well. Identify what you want to protect. Identify the interdependencies of those components, so that you are not just recovering the data, but you are recovering the complete ecosystem that is required to serve that data.
Exactly.
Right.
So you have to identify that. Then, when you have identified it, you move it, you protect it using a product, but then you need to have the right processes in place and the right people identified who will be able to test that data. What should be the access mechanism? What are the policies about it? And after that, how can you perform the testing of whatever you have identified to be protected, and whoever is required to test the data actually performs the recovery testing?
That's a big one.
Yeah, that's a big one.
I see a lot of organizations
struggle where they haven't tested
and what they bring back is not
what they needed to bring back.
That's something that...
Yeah, because that testing will really complement it: in case of a cyber attack, when you are down, you will need to go through not only just bringing the data back up; you might have to go through data forensics first. So you really want to have a solution in place that supports you to perform testing. When you perform the testing, you'll be able to test all of your tools right there on the set of the data to perform forensic analysis, cleansing, and a rehearsal to move the data back to production. So these are the important things. So identification, protection, testing.
Totally agree.
And Shariq, something I always like to do in the podcast is give a kind of a wrap-up of an, I never like to use the word expert, but it comes out of my mouth often, an expert opinion and some pro tips. So when it comes to cyber resiliency, as well as vaulting, I kind of want to give the listeners a couple of high-level things to consider, because I think sometimes this can seem a little complex. So I'll start with just a couple, and then I think we can wrap it up with kind of your pro tips or overall thoughts when it comes to a Resiliency Vault. So I think if you're looking at this today, I would start with getting a clear understanding of what your critical assets actually are. I think it's actually one of my mentors, John Kindervag, who has said: "It is defining your protect surface. It's not necessarily your attack surface, because that's pretty much everywhere now, but start with that clear understanding of what it is that you're going to protect, which is your critical asset." I would say ensure the vault is properly air-gapped. So I liked the discussion that we had about the zero trust implementation and keeping things separate. As a cyber practitioner, I would say, encrypt everything as often as possible, whether it's in transit, at rest, or in a vault; encrypt everything that you possibly can. And then I would say, implement those strict access controls and adopt least privilege wherever possible. And then I would say, and this is just good cyber hygiene, you know, regularly update and patch systems. I think the one that stuck with me from this conversation is test your recovery process. And I would say, stay compliant as well as audit regularly the entire process, not just for your cyber program, but the audit slash recovery process for your cyber vault.
That's a great description again, but one thing that we have learned from these cyber attacks, in almost all types of cyber attacks: there was a requirement for having a clean infrastructure in place before you can perform the recovery, because production was compromised, DR was compromised, and our customers were not able to use existing infrastructure. So you need to have a clean set of equipment available for you to perform the recovery and perform the testing, and that will actually enable you to perform the regular testing, because now you have a dedicated infrastructure that's clean. So identification: identify it, have a detailed incident response plan in place. Because now it will not be only the security teams doing the forensics. It will be the storage team providing them with the data. It will be the networking team bringing the networks back. And then all these teams have to work together. So you need to have the right incident response plan in place. The product is providing you with a copy of the data, but everything else that is serving the data has to be in place before you go back to normal. So identification, then documenting it, having this incident response plan in place. And again, I'll come back to: test it. Perform the testing. Have a testing exercise, a testing rehearsal plan for your teams to coordinate and test everything beforehand.
All right.
Couldn't agree more.
I think, if there's two things that I want our listeners to take away from this, it's always what's the action that they should take after listening to something like this? So we spent, you know, 25, 30 minutes, I would say, going pretty high level on this, but there's a lot more conversation to be had. So from an organizational standpoint, what should their action be? And I would say two things. One, I would implement a cyber resiliency review. So I'm a big fan of discover and assess before you do much of anything. So I would say, conduct that review, and it's really looking at current trends, cybersecurity strategies and systems. And second, once you've done that and you have some good information that comes back from it, then it's time to adopt a Cyber Resiliency Vault. And I think that's where you can invest in and adopt vault technology. And I think Zerto is a great, great solution for that.
Yep.
Thank you.
Thank you for that feedback, but you nailed it right there. We go to doctors to perform our health checks. Now we have to do the health check of the business. Just ask the question to your team: in case we are attacked, what do we need to recover, who is responsible, how will we recover, where will we recover? Do we have the right technology in place? When you ask those questions, after your health check is done, only then will you be able to understand your current state of business, and whether you are cyber ready or cyber resilient... or not? And from there on we can take the discussion further.
There are many technologies.
It's not just HPE.
It's not just Zerto.
There are many technologies out there.
They all have unique benefits.
So I think, once you identify what is
your requirement, our customers should
talk to all these providers of these
components so that they can take the
discussion forward, understand what
is available and be able to make the
right decision for their environment.
Excellent.
All right, Shariq, I really appreciate you spending some time with us on the podcast today. And thanks again. I hope our listeners have a great rest of their day or night, or whenever you're listening. And enjoy the content.
Thank you.
Thank you very much, Brad.