Speaker 1: 00:11 So today Redapt and Dell are bringing you a presentation. Today's presentation is information on How to Plan and What to Consider When You're Developing a Data Storage and Protection Plan. It's a little bit less about the products or solutions to buy. At Redapt, we believe every customer's situation is unique, in that it's really hard for us to recommend something blindly, without deeply understanding our customers' challenges. Today, Matt Francis, our senior director of storage and hyperconverged infrastructure, is going to be presenting. Matt has extensive experience value engineering solutions for our customers, and that really means optimizing price performance, features, and functionality. He's here to ensure that the solutions that we sell meet your customers’ expectations and perform the way that we promise. He's really good at implementing these and helping customers really accelerate the adoption process of the solutions we bring. So, I'm going to turn it over to Matt. I'm just going to share the mouse with him and I'm going to let him drive. Take it away, Matt.
Matt Francis: 01:43 Thank you, David. For some reason it took away my mute button, but hello everybody and thanks for joining us today. As David said, I'm Matt Francis. I've been in the storage industry for over 20 years now and, over those years, I've seen a tremendous increase in the value of data for our organizations. My main mission here at Redapt is to help customers make sure the right data is in the right place, at the right time, for the right cost, and available to the right tools, to extract as much value from that data as possible. Currently, I'm helping customers with various projects, whether those be traditional applications that need standard block file protocols, to adopting cloud native object storage, whether we're working with familiar or virtualized or hyper converged platforms, or solving challenges with getting persistent storage into Kubernetes. Really, the most exciting arena is implementing the platforms and the tools that are necessary for deep analytics of all of those new sources of data we have.
And, whether these live on-premises, or on the cloud, or in hybrid cloud environments, really the challenges that they present are unique, especially whenever it comes to securing and protecting the data that is so critical to today's data-driven enterprises, which leads us into our agenda today. We'll start off by exploring why we need data protection, and then how you can start evaluating your own data protection systems, and using some of that information to develop a data protection plan for your enterprise. We'll go through some examples of different levels of data protection readiness, and, finally, we'll talk about how we can partner up to help you design, plan, and implement the tools that are necessary to be able to execute your plan.
So, starting with why we need data protection. We've all heard the horror stories in the news about breaches. According to numbers compiled by Statista, more than 160 million records were exposed through data breaches last year. There is a different number of threats that exist today, whether they be external in the form of a tax termination state, or just some kid who's really bored in their basement during COVID and has nothing better to do than hack a company. There are also internal threats, in the form of rogue employees, unprotected endpoints, lost USB keys, or even just plain, human error. But, it's important for us to understand these threats and the havoc they can cause.
Now what happens if you're hacked and you have your new products design stolen, especially from a nation state where you don't have any type of recourse? Or, what happens if your competitor gets your CRM data and your entire sales forecast and opportunity list? Have you ever seen Wall Street's reaction to a data breach? CompareTech found that share prices fell over 7% on average after a data breach occurred. What's your legal liability for a data breach? Equifax agreed to pay over $700 million in a 2017 data breach. And, probably nothing is more painful than being called out in front of a congressional hearing to explain why you jeopardized public security. In addition to data breaches, data availability is also a key concern for data protection. There have been studies out there that show 93% of companies that lost a data center for more than 10 days, due to a disaster, filed for bankruptcy within one year of that disaster.
This year we've already had more hurricanes in the Gulf than in any previous years, and the season's just beginning. We have fires in the West, floods in the East. There's always something on the horizon that threatens our systems. The University of Texas reports 94% of companies suffering from a catastrophic data loss don't survive. 43% of them never reopen and 51% of them close within two years. While data security is important, another aspect to having data and applications available is also what really keeps the lights on. For years we've already had a shift to a remote workforce enablement, but this was highly accelerated by COVID. While many companies had strategies in place for some worker profiles to deal with the remote workforce enablement, the requirement for a completely remote workforce caught a lot of organizations off guard. This presented challenges, both in security, but also in worker productivity.
There is now a multiple number of endpoints to secure new services like cloud sync, and shares that are being utilized, sometimes with, or a lot of times without, a company's oversight. With data being spread out, how do you ensure that it's secure and how do you ensure that it's backed up? We'll transition into: how do we evaluate what our current data systems look like? Two simple, easy questions that you can ask yourself are: how much of your data can you afford to lose and how long will it take your business to resume normal operations if a major disaster occurs? In terms of security, do you even know the cost of a breach to your organization and are you 100% sure that you have the measures in place to effectively combat every type of threat that presents itself to you? If you can't answer these questions, or only have hazy estimates about them, you need to thoroughly examine your data protection measures.
To drill down a little deeper, every customer and company should be having their own data protection assessment internally. This data protection assessment should include an exhausted discovery and cataloging of all of your data, all of your storage platforms, and your endpoints. You really need to know what you have, especially as the types of data and the sources we're getting them from are constantly emerging. You need a determination of the types and uses of data that you have. Do you have personally identifiable information in your organization like social security numbers or credit cards, and how do you handle and secure that? Especially whenever it comes to compliance requirements, a lot of organizations fall under different regulations whether it be Sarbanes–Oxley, PCI, or even GDPR. All of these have very different requirements for organizations, for both the security and retention of their data, that are causing a lot of organizations now to rethink how they do their storage and the policies and procedures they put in place.
You should also include a full audit of the data governments and your security measures that you currently have in place. What are those measures? Are they effective? Have they been tested? And you need a comprehensive list of all the potential threats, both internal and external. Finally, you should be reviewing your business continuity plan to make sure it actually meets your resiliency and recovery requirements. It should be able to clearly explain what happens if a server or cloud instance goes down, or what happens if an entire rack or availability zone in the cloud goes down. How about an entire data center or region? Each one of these have separate responses that you need to be prepared for whenever you're enacting your plan.
When it does come time to develop a plan, there are a couple different aspects that we'll want to look at. First off, there are several keys that most customers will have, even though these plans will vary by organization. First off, do you have secure network access solutions, whether we're talking about next generation firewalls, or intrusion prevention systems, secure VPNs, do you have your network properly segmented? Do you have the ability to prevent DDoS attacks? Do you have strict governance measures in place to ensure proper access to your data sets? A very tight ID and access control system, implementing the principle of least privileged access where you only give people the exact amount of access that they need, and not anything above and beyond that. Do you have good data classification standards that allow you to use policies to enforce the access and distribution of your data? Are you consistently monitoring your workloads that use data?
There are some cool new trends in this arena for behavioral analytics that can detect anomalies inside of your workforce to determine if an actor is acting with some kind of malice or some kind of ill intent. Is there an immutable audit log so you know what's been accessed, and by who, which can also act as a deterrent to bad behavior? And, finally, for your backup and recovery plan, do you have a good understanding of what your recovery point objectives and your recovery time objectives are? Do you understand application priorities in interdependencies? Do you have good air-gapped backup systems that help protect against ransomware?
One high level way that we like to talk about this is in terms of a maturity model. A maturity model is really something that we develop together with our clients, based on their individual needs. But, we can take each aspect of security and data protection and break them into their separate subcategories, then start defining exactly where a customer is on the maturity continuum, the importance of moving to the next step, and the priority for each of those steps. As an example, if we're talking about data classification, level one means I don't have any idea of what I have, what it belongs to, or whether or not it has any personal identifiable information in there. Where level two, maybe while I'm classifying and I know that certain systems handle social security numbers, so anything in that system I'm going to go ahead and classify as personally identifiable.
Whereas level three means, you know what? I don't have to rely on just knowing where it may be, but I actually have a system that can automatically detect social security numbers or credit cards in my system and tag those records, tokenize them, and place them outside into an external encrypted repository. And, level four could be doing that same thing, but also adding an extra layer of automatically preventing it from leaving a corporate firewall if it has the appropriate tags on it. Some basic examples of data protection models that could go along the concept of a security model of a maturity model would be for security. You have little to no classification of your data. You don't really have good identity and access controls, or everybody just gets administrative access. You have very limited monitoring and auditing capabilities. In terms of backup, you're not regularly conducting backups. You don't really have a plan for disaster recovery, or data restoration if an event occurs.
Whereas level two, you're becoming a little bit more mature. You've actually started to be able to manually classify and secure some of your most critical data systems. You now have some basic audit logs for when people are accessing the system, or accessing the network. In terms of backup and recovery, you have your RTOs and RPOs defined for your most critical systems. You're starting to back those up regularly, although you may not have a firm plan in place for being able to do the restoration of those backups. And, at level three you have followed best practices when it comes to security and governance. You now have the principles of least privileged access implemented. You have tight authorization access systems available to you. You're automatically able to detect, analyze, and defend from any type of unusual network access. In terms of backups, they're now fully automated. You no longer, whenever workload spins up, have to worry about manually installing agents to be able to take care of backing it up. You have a verifiable plan for your organization's resiliency whenever it comes to dealing with failures and outages.
I think that, since I'm a storage person, actually being able to take the data that you're backing up and mining it for new and additional insights and opportunities you can get out of it. And I would like to talk about partnering with Redapt. When you partner with us, we really take a hands-on approach with the vast majority of our customers to help them do the initial audit, develop maturity models, and develop action plans to make sure that their data is always properly governed, secured, backed up, and accessible. We have extensive experience with developing security and availability strategies with customers based on those individual needs. Our experience started in the data center, but now spans from the edge, through the fog into the cloud. We highly believe in automation to help reduce human error. We can even go into re-architecting the applications to adapt to cloud or hybrid cloud deployments.
Understanding cloud DR and setting strategies for a web application is very different than if you're dealing with an application that you're dealing with on-premises. But, a lot of new scenarios are developing where you may have on-premises applications where you can fail over the web tiers and the application tiers to the cloud while keeping your database tier secured inside of a colocation facility that still meets all of your regulatory requirements. One customer I think is a good example of this, that we have publicly-facing, is a customer called Avanti Markets. For those of you not familiar with them, if you've ever been in an office building where they have a little kiosk that has all the different snacks you could possibly want, you can take those snacks, self-service yourself, scan them, pay with your credit card, or with an application, and go back to work.
We help this company go in and actually create their application and all the loyalty programs around it, but, in doing so, they have over 5,000 different remote terminals and we help them deal with the security challenges with those remote terminals, as well as all of the compliance requirements that are necessary in order to handle credit card transactions. We'll see more case studies about this on our website. I encourage you to visit those and take a look. Finally, for today, please reach out to us if you need help evaluating your data protection systems, or coming up with a plan to use those best practices, or if you need help implementing your plan, selecting the right tool sets, and using those tools. That being said, I would like to go ahead and open it up for any questions.
Speaker 1: 18:17 Hey Matt, a question just came in. With work from home, are you seeing any trends in how organizations are dealing with locally stored, client stored files?
Matt Francis: 18:52 Yeah, absolutely. So, one of the larger trends is to try to have remote employees not store files locally. I would say a version of local files is going to be the number one strategy. So, having a comprehensive system that allows you to be able to store files, whether it be in a cloud resource, or through a company SharePoint site is the number one trend that I see there.
Speaker 1: 19:19 Yeah.
Matt Francis: 19:19 But, also for a lot of applications, we've helped customers lock down their endpoint systems. For instance, with mobile phones, we a lot of times have our email applications on there and, if you lose your phone, that would expose the company to risk. So we have a lot of strategies to help companies with dealing with remote wipings of phones, in case their systems are compromised or lost.
Speaker 1: 19:45 Okay. Then another one here, just in regards to ransomware. Some of the solutions that we're proposing, are they a good defense against that?
Matt Francis: 20:00 Yeah, absolutely. And there are several different ways to handle ransomware, whether it be locally through basic snapshots. A lot of attacks have become more mature than that, though, as they sit on the network for a very long time. So, what we're finding most effective now is creating air-gapped backup systems that are completely removed from a customer's standard network. Even if their network is compromised for a long time, still having air-gapped backups will prevent the ransomware attack. Not prevent the attack, but help you recover from the attack.
Speaker 1: 20:35 Okay. Okay, great. Yeah, I don't see any other questions coming in. Wait, there's another chat here. No, I think there's no other questions. So I think we'll shut it down and thanks everyone for attending. I really appreciate it and if you have individual needs, please reach out to Redapt and we'll connect you with Matt Francis and his team of subject matter experts. Thank you very much.