“Cyber recovery. The art and science of recovering debilitating ransomware attack in a timebound manner, losing the minimum amount of data.”
We’ve looked at how to bend, not break, with a cyberattack, and to understand the very significant differences between having a disaster recovery plan versus a cyberattack recovery plan. Now let’s consider the very real advantages a cloud infrastructure offers for recovery compared to traditional legacy systems.
In a nutshell, there are some key advantages inherent to the features of a cloud environment that make for better outcomes:
- to be isolated from the production environment.
- to store a large number of point-in-time images of the servers being protected and have the storage be immutable.
- to have a software-defined network so that sections can be easily opened and closed (air gaps).
- to have servers available to analyze the point-in-time images and test.
- to have the servers to bring up a production environment that is isolated from the main data center(s) after recovery from an attack.
The ability to be isolated from the production environment
That means a different network and an ability to cut-off connection between them. In a ransomware attack, the bad actors have access to the infrastructure and spend time searching for backups and other storage that can be used for recovery purposes. If those are stored in a network that is accessible via the standard production network, or easy to access off the standard network, it puts that data at risk. If the backups can be compromised it makes recovery from ransomware without paying almost impossible.
To store a large number of point-in-time images of the servers being protected
Given that images eventually have malware inserted or executables modified, it is important to have previous images to compare for changes. It is also likely a previous, uncompromised, version of the data will need to be accessed. It may have been days, weeks or even months since the malware was inserted into a server.
A software-defined network so that sections of it can be easily opened and closed (air gap)
Even when working within an isolated environment, it’s important to be able to create other isolated sections via air gaps created with software-defined networking. These isolated sections can be used for testing of images and other activities without the potential impact of malware or actions impacting other activities in the recovery process.
Servers available to analyze the point-in-time images and test
It is important to run multiple images of a single server and test images of servers on a regular basis. All of this takes CPU power and available virtual machines. With a cloud environment, these can be created dynamically and torn down when not needed, thus delivering the horsepower necessary without over-spending when not in use.
Servers to bring up a production environment isolated from the main data center(s) after recovery from an attack
After an attack, clean images need to be created and verified. The servers that make up each application then need to be brought up and tested by the application users. This requires a large number of virtual systems that need to be created quickly and then be put into a production environment with updated security measures. Once production has resumed, a process can be started to move long term production to the appropriate location.
Cyberattacks keep getting bigger and more frequent, with ever more sophisticated approaches. It’s never perfect, but you can do a lot to prepare for the inevitable and minimize the disruption, cost and reputational damage they can wreak.
Learn more about Persistent’s Intelligent Cyber Recovery Practice.