S1 EP. 18 Building a Cyber Resilience Vault with Zerto, Discussions with Zerto Global Field CTO Shariq Aqil

We go to doctors to
perform our health checks.

Now we have to do the health
check of the business.

Just ask the question to your team: in case we are attacked, what do we need to recover, who is responsible, how will we recover, where will we recover?

Do we have the right technology in place?

When you ask those questions after your health check is done, only then will you be able to understand your current state of business, and whether you are cyber ready or cyber resilient...

or not?

Hey, everybody.

I'm Brad Bussie, Chief Information
Security Officer here at e360.

Thank you for joining me for the State
of Enterprise IT Security Edition.

This is the show that makes
IT security approachable and

actionable for technology leaders.

I'm very happy to bring you
a special guest this week.

Global Field CTO Shariq Aqil of Zerto, an HPE company.

You may not know this, but
you are my very first guest.

So if you wouldn't mind, tell
our listeners a little bit

more about you and about Zerto.

Thank you.

Thank you very much, Brad.

I'm glad to be here.

And thank you.

Thanks a lot for having me.

So I'll start with my background.

So my name is Shariq Aqil.

I'm global field CTO with
Zerto, which is an HPE company.

I joined this company just over two years ago, and before joining HPE and Zerto, I was with Dell.

I spent just over five years there with Dell and EMC.

I was part of their data
protection division.

And then I was covering their global alliances for the complete enterprise portfolio.

Before joining Dell, I was with IBM.

I spent a few years there working in software-defined storage.

And before that I was with Dell, and before that I spent a few years as a hands-on resource in a data center.

So just over 20 years in the field.

That's about me.

Awesome.

If we talk about Zerto, which was acquired by Hewlett Packard Enterprise back in 2021, Zerto came into being back in 2009.

And it is software that provides customers with disaster recovery, quick failover and failback, data mobility across different platforms, and ransomware resilience.

And all of this is built on the logic of continuous data protection.

So always-on data protection that provides customers with these three major use cases.

Awesome.

Well, thank you for being on the show, and I wanted to talk a little bit about cyber resiliency. So I know we're going to get into the Cyber Resiliency Vault, but I think for some of our listeners, maybe just giving them an overview of what cyber resiliency is and what problem it solves.

So I figure I'll give them just a quick, you know, kind of high-level overview, and then we can get a little bit more into the vault side of it.

So as far as cyber resiliency, we're referring to an organization's ability to continue to operate effectively, really in the face of cyber threats and attacks, and it encompasses what we would consider a comprehensive strategy. That strategy includes things like prevention, detection, response, analysis and recovery, and these are processes that are designed to protect as well as sustain the organization, and really it's focused on what I would say are critical operations.

Really, the main problem that cyber resiliency solves is the vulnerability of organizations to disruptions that are caused by things like cyber attacks, which can result in, we'll say, significant operational, financial, as well as reputational damage.

And by implementing, we'll say, robust cyber resiliency measures, organizations can minimize the impact of attacks, ensure the continuity of essential services, and, this is, I think, the important one, quickly restore full functionality.

And that's really just maintaining the trust that the business has put in us as cyber defenders, and really safeguarding assets in what I think Shariq and I would consider an increasingly hostile digital landscape.

So I think that sets the stage for cyber resiliency, really the problem.

And I think it would be useful now, Shariq, if I go into what a Cyber Resiliency Vault is and what problem it solves.

And then I think what would be good is just getting an idea of how Zerto looks at this whole problem, what that landscape looks like to you, and let's see if we match up on what I'm saying.

Does that sound good?

Yeah, that sounds pretty good.

And you know what, the way you describe cyber resilience is exactly what cyber resilience is.

Let's just call it: it is an outcome.

It's not a product.

It is an outcome.

And to achieve that outcome, we have to have different policies in place, the right people in place, the right education in place and the right products in place.

Only then will we be able to achieve the resilience that you were talking about a few minutes ago.

And when it comes to it, there are two strategies.

One is the proactive one, which means keeping the bad actors out.

And that is like having strong security defenses in place: the right products, the right people, the right policies, the right education for the employees, so they are well aware of what to click and what not to click, so that we keep the bad actors out.

The second phase is the reactive one: if a bad actor is in and they are able to cause any damage, now how do you respond to that, how do you detect it, how do you recover, and recover very quickly, because recovery is the base that the whole business will rely on in case of a cyber attack.

There's a downtime.

Now you have to recover.

Now, how quickly can you recover, and how sure are you what kind of data you are recovering back?

So this is my perspective on cyber resilience approaches.

That's perfect.

Yeah.

And I think talking about the whole vault concept too will definitely help add a little bit more to that.

So essentially, when I look at this whole piece of what we've talked about, and you can correct me if I'm off here, I think of a Cyber Resiliency Vault as, we'll call it secure, because that's what everybody wants to hear.

A lot of times it's air-gapped storage.

And it's really designed to protect critical data as well as systems, against things like ransomware and other forms of malware.

I think that was kind of the initial intent.

And it ensures that stored data remains secure and immutable, and that means it can't be altered, can't be deleted, and thereby we maintain something pretty important, which is data integrity as well as availability, even in the event of security breaches, because we hear about this all the time, where organizations have been breached and I see them down for a long time.

Weeks, if not months.

And what I'm starting to realize is I think a lot of them have not gotten very far into the concept of resilient systems and a resilient vault.

So I think when you look at this, having a specialized vault that can address things, it's really the crucial need for rapid recovery.

And this really gives an organization a point to restore back to, and what we're trying to do is restore operations quickly, with minimal disruption, following an attack.

But I could almost see
this as not just an attack.

But if somebody makes a mistake, in the industry we often call this insider threat.

Sometimes it's malicious.

Sometimes it's not.

Sometimes it's just somebody that
doesn't know what they're doing.

And the next thing you know, all of those VMs that you had are gone, they're wiped.

And when you ask, well,
how did that happen?

It comes down to somebody just
didn't know what they were doing.

But I think some of the things to keep in mind is that with a vault, you know, we're doing things like encrypting the data.

We're isolating it from the network.

We're preventing unauthorized access and tampering.

And really it fits into that broader resiliency strategy that we've talked about.

And I look at this as organizations that implement a vault really enhancing their ability to withstand and quickly recover from an incident.

We're really ensuring that business continuity and the protection of sensitive and critical data is there.

And I think that generally this approach was looked at for just crucial environments where data integrity and availability are super important.

So if I kind of rewind, I look at this as financial services, healthcare, government, large enterprises.

But honestly, I think where we're at now is this should be business as usual for organizations of all shapes and sizes.

Yeah, absolutely.

Absolutely.

Beautiful description.

And the basic reason that these cyber vaults came into being: cyber attacks and these cyber attackers, what they were doing is they get into the network, they perform a network scan, and they identify anything that is connected, anything that is storing the data or keeping copies of the data.

And then they attack those before encrypting the production environment.

So if you have a backup server sitting in there, because we have to understand backups are good, backups need to be there for operational recovery, but if they are sitting on the network, then they are also a target.

And we have seen these attackers targeting the backup copies or replica copies before they encrypt the production environment.

So because of that reason, the requirement came to have an air-gapped copy of your data, so that if somebody comes in and performs a network scan, they are not able to see that copy.

And that copy has to be immutable.

And when we talk about immutability, it has to be really immutable, in a way that once it is written, nobody is able to tamper with it, including administrators.

So the point that you were talking about, internal attacks, in that case you have to have that protection available.

Once it is written, it has to be immutable and nobody should be able to tamper with it.

So we talked about isolation, we talked about immutability, but the third thing, and that is the important thing, is the integrity of the data that you are storing.

What is the health of the data?

How clean is the data, so that in case you are hit, you know what the last known good copy is that you can go back to, to start the recovery process?

So these cyber vaults really provide all three or four capabilities: not only storing the data, but checking the health of the data as well as keeping it immutable.

Exactly.

And I think something, if I know the listeners out there, and I know those watching, they're probably going to ask a question based on what we've discussed.

Why do we need cyber resiliency and Cyber Vaults?

And I think of this as kind of two pieces.

One, the way we've described it, cyber resiliency focuses on the broader strategy of preparing for, responding to and recovering from a cyber attack.

While the Cyber Resiliency Vault is a specific, and we'll call it tactical, tool that supports the strategy, essentially by safeguarding the data.

What do you think?

Is that a pretty accurate assessment?

Accurate, pretty accurate.

And I'll just give you an example.

There are like five different pillars you already talked about: identify, protect, detect, respond, recover.

So usually the first three pillars lie with the security teams.

Identify, protect, detect is like keeping the bad actors out, stopping the attacks even before they cause any damage.

So they are doing a very good job.

They have the best tools in place and they are keeping the bad actors out.

But if a bad actor is in, and if there is any corruption, now the question is, who owns the recovery of the data after that corruption?

Is it the security team?

Or is it someone else?

If it is the storage team, now the question is, do they have the right infrastructure deployed to be able to perform that kind of recovery from a cyber attack?

And this is exactly where you need the vault to help complement your cyber resilience strategy.

I agree, because I end up seeing organizations that often point in different directions when you say, well, who's responsible for this recovery?

And I think having a vault definitely starts to simplify that, and having the strategy overall is, I think, pretty important.

So what I'd like to talk about is specifically how you do this vault concept with Zerto.

So I would think of this as building a Cyber Resiliency Vault with the Zerto technology.

I'm just super interested in what that looks like and kind of the approach that you take.

And then I figure what I could do is talk about how we look at this from a program perspective, and tooling is always great for supporting the program.

So I think let's go tools first and then let's talk a little bit about program.

Sure thing.

So before going into the details of our solution, I want to talk quickly about the market landscape that was there before we launched our product.

So there were many cyber vault offerings out there in the market.

But one thing that was common in all those solutions: all of them were based off of backup software.

Right.

The backup software writing the data and then you are vaulting it.

And one reminder: our customers never relied on backup software to provide them with mass recovery of the data.

Nothing to do with anything; it is just that some technology limitations are always there.

They use something like storage replication, something like Zerto, to provide them with the ability to quickly fail over, fail back and do the mass data recovery.

Because the backup, first of all, takes a long time to recover.

Right.

Right.

Right.

Plus you only perform a backup once a day.

So there's a data loss window.

If we talk about data loss of 24 hours plus the recovery time of a couple of weeks, that's a long time.

And we saw that as a gap in the market, that all these solutions are based off of this technology.

So what we did with our solution is, we brought the data mover, Zerto, into the picture and coupled it with HPE hardware to come up with a solution where we provide cyber vaulting not based off of backup, but based off of continuous data protection.

So any-point-in-time recovery that is getting replicated to our vault, number one.

The second thing is, as we are replicating the data, we are performing a scan of the data to identify any anomalies, any traces of encryption.

So within three to five seconds, you know whether the data copy is clean or not, instead of performing a backup, waiting 24 hours, then starting the scan, and only then knowing whether you have a clean copy or not.

So we combined it.

So this is how we move the data: as we are moving the data, we are scanning it, then we are making it immutable, but we are not leaving it there.

From there on, we are creating an air-gapped copy of that data into our vault zone.

And that is totally based off of a decentralized architecture.

So there is no single manager of it.

If there is no single manager, there is no single point of compromise.

The whole architecture is built on zero trust principles.

So the data mover component does not know about the retention policy.

The retention policy holder does not know about the replication policy.

So there are many things that we considered.

And the beauty of this architecture is that it is continuous data protection.

So it does any-point-in-time recovery for up to whatever retention duration you want.

Plus the recovery time for petabytes of data came down from weeks or months.

So that's one part. The data loss window, we brought it down from like 24 hours down to three or four hours.

Recovery time, we brought it down from like 30-plus days down to two hours.

So that's the business impact that we reduced.

The third thing that people don't usually talk about: we always talk about vaulting the data, but we never talk about recovering the data.

Because if you are under cyber attack, it means your production is compromised and might not be accessible.

So now you have the data copy; where will you recover it?

You will need a clean room.

So what we did in our architecture, we combined the vaulting and the clean room in one solution, to be able not only to store the data and keep it safe, but also, in case of attack, to recover it, perform tests, do the forensics, do the cleansing, and then move the data back to production.

So on a high level, Brad, that's our architecture.

I love it...

Honestly, when I look at this, I mean, I feel that this is in some cases the only chance that an organization would have to recover, because of just how attacks are starting to ramp up.

And I think, you know, tools are fantastic, but what I've noticed, after watching a lot of these recovery events at organizations that have been compromised, is that really the weakest link is the people: preparation and the ability to act when the event occurs. Your technology is fantastic.

It's there to be leveraged.

But when I start talking to an organization and I just ask one simple thing, what needs to come up first?

Let's say you're completely down.

What does that actually look like?

And I have a bunch of people staring at me and they don't know the answer to that.

So what I think would be interesting is if we talk through kind of the programmatic approach and how we could then leverage Zerto in this type of scenario, where we've been compromised, either some systems are down or all systems are down.

Active Directory has been impacted.

There's some form of event that is happening.

So the first thing that I ask clients is, let's try to get in front of this before it happens.

That's the big thing.

But first, ask yourself and your
organization today, can your business

recover without major financial loss?

And I would say in 80% of
organizations that are asked that

question, the answer is maybe.

It's not a no.

It's not a yes.

People just aren't sure.

So what we've done is we've kind of looked at this as a cyber resiliency framework.

So the first thing that I would ask is, if that's a maybe for your organization, consider this framework, and I'm going to just kind of rapidly go through it.

First aspect is making sure you understand the mission.

What is the mission of your organization, the implementation of your technology, and identifying technology requirements overall?

When do things need to come up?

In what order?

What service accounts?

There's a lot of things that go into that.

I make it sound kind of easy, but there's a lot of work that needs to happen.

Second is revenue as well as brand equity.

So this essentially supports and enables your overall business strategy, because as we've seen with some of these cyber attacks recently, not only is it a revenue impact to the business, because they're down and they're unable to provide the service that they are implementing in the first place; their brand takes a significant impact, and customers may not be as comfortable coming back and doing business with an organization that's been compromised.

So, asking yourself that question.

Third, what are the core business functions, and aligning those with security to protect critical systems as well as data?

And then I think this is where some of that vaulting technology comes into play.

And fourth, there's the internal operations and administrative functions.

And this is where I see a lot of organizations really struggle, because what I'm asking you to do is map technology to business functions.

And that's essentially the only way you're ever going to recover from a large-scale cyber event.

What do you think of that?

Do you think that's pretty solid as far as a framework and approach?

It's pretty high level.

That's a really, really strong approach.

And you covered it again, you covered it very well, because you cannot achieve resilience with one thing.

You have to have the right people identified.

You have to have the right policies in place.

You have to have the right products in place to be able to support that.

But not only these three P's; you also need to consider that, in case you are attacked, what are the minimum viable business components that you are recovering?

So it will start with identification, as you explained very well.

Identify what you want to protect.

Identify the interdependencies of those components, so that you are not just recovering the data, but you are recovering the complete ecosystem that is required to serve that data.

Exactly.

Right.

So you have to identify that.

Then, when you have identified it, you move it, you protect it using a product, but then you need to have the right processes in place and the right people identified who will be able to test that data.

What should be the access mechanism?

What are the policies about it?

And after that, how can you perform the testing of whatever you have identified to be protected, and whoever is required to test the data actually performs the recovery testing?

That's a big one.

Yeah, that's a big one.

I see a lot of organizations struggle where they haven't tested, and what they bring back is not what they needed to bring back.

That's something that...

Yeah, because that testing will really complement that, because in case of a cyber attack, when you are down, you will need to go through not only just bringing data back up; you might have to go through data forensics first.

So you really want to have a solution in place that supports you in performing testing, so that when you perform the testing, you'll be able to test all of your tools right there on that set of data, to perform forensic analysis, cleansing, and a rehearsal to move the data back to production.

So these are the important things.

So identification, protection, testing.

Totally agree.

And Shariq, something I always like to do in the podcast is give a kind of wrap-up of an, I never like to use the word expert, but it comes out of my mouth often, an expert opinion and some pro tips.

So when it comes to cyber resiliency, as well as vaulting, I kind of want to give the listeners a couple of high-level things to consider, because I think sometimes this can seem a little complex.

So I'll start with just a couple.

And then I think we can wrap it up with kind of your pro tips or overall thoughts when it comes to a Resiliency Vault.

So I think if you're looking at this today, I would start with getting a clear understanding of what your critical assets actually are.

I think it's actually one of my mentors, John Kindervag, who has said: "It is defining your protect surface. It's not necessarily your attack surface, because that's pretty much everywhere now, but it is, start with that clear understanding of what it is that you're going to protect, which is your critical asset."

I would say ensure the vault is properly air-gapped.

So I liked the discussion that we had about the zero trust implementation and keeping things separate. As a cyber practitioner, I would say encrypt everything as often as possible, whether it's in transit, at rest or in a vault; encrypt everything that you possibly can.

And then I would say implement strict access controls and adopt least privilege wherever possible.

And then I would say, and this is just good cyber hygiene, you know, regularly update and patch systems.

I think the one that stuck with me from this conversation is: test your recovery process.

And I would say, stay compliant, as well as audit regularly the entire process, not just for your cyber program, but the audit slash recovery process for your cyber vault.

That's a great description again, but one thing that we have learned from these cyber attacks, in almost all types of cyber attacks: there was a requirement for having clean infrastructure in place before you can perform the recovery, because production was compromised, DR was compromised, and our customers were not able to use the existing infrastructure.

So you need to have a clean set of equipment available for you to perform the recovery and perform the testing, and that will actually enable you to perform the regular testing, because now you have a dedicated infrastructure that's clean.

So identification: identify it, and have a detailed incident response plan in place.

Because now it will not be only the security teams doing the forensics.

It will be the storage team providing them with the data.

It will be the networking team bringing the networks back.

And then all these teams have to work together.

So you need to have the right incident response plan in place. The product is providing you with a copy of the data, but everything else that is serving the data has to be in place before you go back to normal.

So identification, then documenting it, having this incident response plan in place.

And again, I'll come back to...

Test it.

Perform the testing.

Have a testing exercise, a testing rehearsal plan for your teams to coordinate and test everything beforehand.

All right.

Couldn't agree more.

I think, if there's two things that I want our listeners to take away from this, it's always what's the action that they should take after listening to something like this?

So we spent, you know, 25, 30 minutes, I would say, going pretty high level on this, but there's a lot more conversation to be had.

So from an organizational standpoint, what should their action be?

And I would say two things.

One, I would implement a cyber resiliency review; I'm a big fan of discover and assess before you do much of anything.

So I would say, conduct that review, and it's really looking at current trends, cybersecurity strategies and systems.

And second, once you've done that and you have some good information that comes back from it, then it's time to adopt a Cyber Resiliency Vault.

And I think that's where you can invest in and adopt vault technology.

And I think Zerto is a great solution for that.

Yep.

Thank you.

Thank you for that feedback, but you nailed it right there.

We go to doctors to perform our health checks.

Now we have to do the health check of the business.

Just ask the question to your team: in case we are attacked, what do we need to recover, who is responsible, how will we recover, where will we recover?

Do we have the right technology in place?

When you ask those questions after your health check is done, only then will you be able to understand your current state of business, and whether you are cyber ready or cyber resilient...

or not?

And from there on we can take the discussion further.

There are many technologies.

It's not just HPE.

It's not just Zerto.

There are many technologies out there.

They all have unique benefits.

So I think, once you identify what your requirement is, our customers should talk to all these providers of these components so that they can take the discussion forward, understand what is available and be able to make the right decision for their environment.

Excellent.

All right, Shariq, I really appreciate you spending some time with us on the podcast today.

And thanks again.

I hope our listeners have a great rest of their day or night, or whenever you're listening.

And enjoy the content.

Thank you.

Thank you very much, Brad.
