During 2017, the United States experienced 16 catastrophic weather events, including three of the five costliest and most destructive hurricanes on record. These storm events cost hundreds of billions of dollars and massive outages. And that’s just hurricanes; tornadoes, cyclones and extreme temperatures are also increasing in intensity and frequency. The U.S. government’s National Climate Assessment expects this trajectory to continue, damaging infrastructure, ecosystems and more.
So what does this have to do with storage, disaster recovery and security? Plenty, according to Greg Arnette, technology evangelist at Barracuda Networks, a security and data protection company.
ITPro Today: The relationship between data storage, disaster recovery and climate change seems fairly obvious: Data storage consumes energy, and severe weather can threaten existing data protection/disaster recovery strategies. But what is the relationship between data security and climate change?
Arnette: Severe weather events that cause unexpected disruptions and operations could lead to potential security vulnerabilities. For example, if a primary location is unavailable and the disaster recovery location has to be pulled into action to maintain operations, there is often a period of upheaval—a period when hackers could probe for vulnerabilities that may not normally exist when everything is in standard, non-disaster recovery mode.
ITPro Today: What is typically going on within an organization during this time of upheaval?
Arnette: During a crisis, people who are focused on protecting primary systems can be distracted. They are reeling from having to bring mainline systems back online just to preserve the status quo. That gives people who want to do harm time to take advantage of the situation. It gives them time to probe and identify weaknesses in the overall architecture of the organization’s infrastructure technology.
ITPro Today: Can you give me some examples of how these gaps can cause data security vulnerabilities?
Arnette: Take an organization with employees who mainly work from physical facilities like an office building. During a major weather event, that office is likely to be impacted, so the DR site, which has to be located somewhere geographically distant from the primary location, comes alive. Employees are working from home, from sites that have been stood up very quickly, and often from their mobile devices. It's possible that the networking infrastructure won't have all the heightened security that would normally be in place during normal business operations. So the area where hackers could gain access is increased. Perhaps a security requirement that focuses on two-factor authentication or single sign-on is relaxed during this period of time.
ITPro Today: How could hackers take advantage of this situation?
Arnette: All it takes is one unprotected entry point for a hacker to gain access to information behind the virtual corporate firewall. This type of situation might also mean that an organization isn’t requiring remote employees to access network systems via a VPN as usual. That could allow a hacker to gain access inappropriately. A lot of things can happen in an atmosphere when organizations are in a rush to get basic systems up and running, which causes them to relax other security measures.
ITPro Today: Some organizations seem to be more on top of disaster recovery and security than others. Wouldn’t the right combination of people, processes and technology protect them?
Arnette: Even if an organization has all of the latest and greatest implemented--like multi-factor authentication, thoughtful firewall rules, good policies and procedures, good training of employees--it happens. When an organization is subjected to the stress of an event that disables operations at some level, all of this stuff tends to be pushed aside.
ITPro Today: So what can organizations do to ensure that data doesn’t inadvertently become vulnerable during a severe weather event?
Arnette: It could be that the mirror image of the organization’s state-of-the-art security system used in normal operations isn’t quite the same in the disaster recovery. It’s complicated to keep a mirror image of a robust secure architecture ready to jump online at any given moment. It’s also about maintaining rigorous standards on software versioning and control. For example, when an organization has to fire up the DR systems, they might realize that their software doesn’t have the latest patches. So it doesn’t come online smoothly. Also, companies should make sure that the DR site and all of the software and configuration settings are sized correctly to handle the workload that would be experienced during the period of outage.
ITPro Today: What about the physical location of the disaster recovery site?
Arnette: Given today’s climate situation, companies might want to rethink the location. Organizations used to focus on locating their DR site in a region without the same flood plain or susceptibility to earthquakes, tornadoes or hurricane activity. But it may be time to think more broadly: don’t just put your DR site a few states over, but consider putting it on the other side of the country or even outside the country if your organization allows it. Another option is using public cloud infrastructure, maybe in the disaster recovery as a service (DRaaS) model. These solutions typically leverage the massive infrastructures provided by public cloud vendors, which allows organizations to specify the right geographic area for their DR system. They also deal with the sizing issue very effectively.