Cyber Resilience Recovery is the ability to recover safely and become operational after a cyber-attack such as ransomware. Here are some questions we posed to Jerome McFarland, a Google Cloud Solutions Manager for Infrastructure Modernization.
Q1: How is recovering from a cyber attack different from traditional backup/DR?
A1: Cyber attacks are fundamentally intentional attacks. Historically, traditional backup/DR use cases have been focused on supporting recovery from user errors, natural disasters, etc. events that might be unpredictable, but which were also typically unintentional (or, at minimum, non-malicious). With preparing for intentional attacks, organizations have to account for the additional complexities that those attacks can present. For example, attackers may leave installed ransomware in an inactive state for days, weeks, or months before triggering an attack, which has implications on recovery, since the most recent backups may still carry the ransomware files. When preparing for cyber attacks organizations have to consider such unfortunate realities, which may be very different from the considerations they factored into their backup/DR strategies.
Q2: What are the biggest challenges you hear that customers are facing when it comes to Cyber Resilience Recovery?
A2: Here, I’ll highlight two key themes that I’m seeing. First, organizations are seeking ways to better secure their recovery data from access/attack. In many cases, recovery data is residing on-premises alongside production infrastructure, which can leave it readily exposed to the same attack that compromised the production location.
Second, and crucially, organizations are seeking to dramatically reduce the downtime associated with cyber attacks. They need to resume business operations as quickly as possible to mitigate the negative impact on their business. It’s also worth noting that the damage can extend well beyond the immediate financial implications for the organization itself. Extended downtime can have a reputational impact, and can also impact an organization’s end customers and partners.
Q3: Why is a public cloud the best target for saving server images when preparing to recover from a Ransomware attack?
A3: Storing recovery data in the cloud is a great way to create isolation from the on-premises production environment. Leveraging cloud identity and access management (IAM) controls, recovery data can be stored remotely in cloud and with access tightly restricted to only the roles/users who truly need it.
Also, in addition to hosting the recovery data, cloud infrastructure can often be leveraged as a destination for recovery of critical application stacks, including the associated Compute resources. This can enable organizations to recover critical workloads in cloud, thereby allowing critical business operations to resume while the compromised on-premises infrastructure is being cleaned and validated for resumed usage.
Q4: If there was one best practice you would like to share regarding preparing to be able to recover from a ransomware attack, what would that be?
A4: Test and validate in advance. Too often organizations are caught off guard when ransomware attacks occur, leading to a chaotic, time-consuming scramble spanning multiple teams. Periodically testing and validating a predefined recovery strategy can help mitigate the impact of a successful attack by enabling better coordination across teams and facilitating more informed decision-making, thus saving massive amounts of time.