On the road, the seat belt saves lives. So does the motorcycle helmet. But these two technologies alone would probably not be well received and applied daily unless there is a strong ecosystem and culture around road safety. For decades, there have been constant and unrelenting efforts to enforce the habit of putting on the seat belt or the helmet. Statistics have shown they reduce road fatalities, but like I said, it is the safety culture that made all this happen.
On the digital front, the ransomware threat is unabated. In fact, despite organizations (and individuals), both large and small, being more aware of cyber-hygiene practices than ever, the magnitude of ransomware attacks has multiplied. Threat actors still see weaknesses, gaps and vulnerabilities in the digital realm, and so these remain lucrative ventures that complement their endeavours.
The Cost-Benefits-Risks Conundrum of Data Management
And I have said this before. At a recent speaking engagement, I brought it up again: ransomware is not a cybersecurity problem. Ransomware is a data management problem. I got blank stares from the crowd.
I get it. It is hard to convince people and companies to embrace a better data management culture. I thought about the Cost-Benefits-Risks triangle while analyzing the lack of a data management culture in the many organizations combating ransomware.
I get it that cybersecurity is big business. Even many of the storage guys I know want to jump on the cybersecurity bandwagon. Many of the data protection vendors are already mashing their solutions with a cybersecurity twist. That is where the opportunities are, and where the cool kids hang out. I get it.
Cybersecurity technologies are more tangible than data management. I get it when the C-suites like to show off shiny new cybersecurity “toys”, because they are allowed to brag. Oh, my company has just implemented security brand XXX, and it’s so cool! They can’t be telling their golf buddies that they have a new data management culture, can they? What’s that?
The HS(S)E culture
Many organizations today are enamoured with ESG (Environment, Social, Governance). It is the latest “cool” corporate buzzword. But before ESG, for me at least, there was HS(S)E. It stands for Health, Safety, (Security), Environment, and it has been a culture set in stone in the Oil & Gas industry. This culture was like the Ten Commandments of “Thou shalt not …”, and the HSSE culture is in every Oil & Gas company I have worked with in my career.
In my Shell experience, there was a guideline on how to walk down the stairs: “1, 2, 3, Hold”, meaning three steps down, then shift your hand and hold the stair railing. In Sarawak Shell, all cars had to be reverse parked. No employee was allowed to take phone calls while driving, even on hands-free.
At Schlumberger in Malaysia, which was housed in the Rohas Perkasa building (the SLB guys in Kuala Lumpur know this well), there was a memo that defined how to cross the road to the Beach Club side. Employees had to walk to a particular island in the middle of the road and were not allowed to cross the three lanes in one go. Violation of this “law” was punishable with employment termination.
Outside of Oil & Gas, in my many in-and-outs of Intel® factories in Penang in the 90s and 2000s, I got whistled at a couple of times by the security guards for not walking along the zebra crosswalks. I was made to walk them again from the start, even though I wasn’t an employee.
The missing culture of Data Management
The understanding of data management is sorely lacking. Even less understood is the role data management plays in combating ransomware: prevention, protection and resilience. I picked a few incidents where education and awareness of data management were absolutely missing.
A couple of years ago, I was doing a demo of Easishare, a secure, private file sharing and collaboration platform. Easishare has its own file manager for the Windows desktop, which is more secure than the plain Windows File Explorer. Even though the end users were concerned about file security, they resisted switching from File Explorer to the Easishare file manager desktop client.
I had this conversation with a university in China a couple of weeks back. The professor I was talking to was looking for a storage solution and demanded that iXsystems™ be contractually responsible if there was any data loss in the TrueNAS® Enterprise storage system. He was quite forceful in his demand.
As I probed and questioned further, I realized that he had no understanding of data management. He just knew that he wanted storage that could protect his data from ransomware, as if this were purely a NAS requirement. He had no idea about identity and access management (IAM), the backup rule of thumb of 3-2-1 or its variations like 3-2-1-1 or 3-2-1-1-0 (the extra 1 being an offline or immutable copy, the 0 being zero errors on a verified restore), encryption (at the disk, TrueNAS® zpool and dataset levels), and so on. He had no idea about disaster recovery, or how to ensure Confidentiality, Integrity and Availability (CIA). I showed him the NIST Cybersecurity Framework and explained that protecting data in the NAS storage alone is not sufficient. There are many other aspects he has to consider to fortify his data moat and overcome his fear of ransomware. He has to account for the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
And there is no such thing as an absolute contractual guarantee against data loss, even if he is willing to pay for it. Plus, the weakest link is not the technology. It’s the people and the process.
I hate to be that sarcastic, condescending A-hole to a university professor, but I was (in a polite way). I had to shock him to bring down his ivory tower views on the data security aspects of a storage solution. The storage is just one part of the whole ecosystem. I got him to understand that data security is part of a constant and active data management culture he has to consider if he wants to keep ransomware threats at bay in his university.
While writing this blog, I took the opportunity to get the wisdom of Sharon Teo, the CEO of Inspire-Tech, the company that created Easishare. Sharon spoke about putting forth an Enterprise File Security strategy, a crucial step in fortifying data security against ransomware. After all, most employees interact with files and folders on a daily basis, and a cyber hygiene culture could start with education and awareness using a much more secure file management platform like Easishare.
Sharon also explained that the interactions between employees and the files in storage require other solutions to handle identity and access, policy management, auditing of activities, encryption, backup and recovery. While adding a file security platform like EasiShare, an organization would also want to simplify the process of securing, managing and governing its data. As such, data management delivers a more holistic approach to battling ransomware.
Back to the professor: I also pointed him to these few TrueNAS® blogs to get more understanding about data security:
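To make the 3-2-1 variations mentioned above concrete, here is a small checker I have added to this post. It is my own illustration, not code from TrueNAS® or iXsystems™. It scores a constructed backup inventory against 3-2-1, 3-2-1-1 and 3-2-1-1-0; the Copy fields and the inventory entries are assumptions for the example, and the idea that copies sharing a failure domain count once (a snapshot on the same zpool is not a second copy) goes a step beyond the rule as it is usually quoted.

```python
"""
Check a backup inventory against the 3-2-1 family of rules.

Added example (not from the original post, not TrueNAS or iXsystems code).
The Copy record and the inventory below are constructed assumptions used
only to illustrate how the extra "1" and the "0" change the verdict.
"""
from dataclasses import dataclass

RULES = ("3-2-1", "3-2-1-1", "3-2-1-1-0")


@dataclass(frozen=True)
class Copy:
    name: str
    domain: str      # failure domain: a zpool, a tape set, a cloud bucket
    media: str       # media type: "disk", "tape", "object", ...
    offsite: bool    # held at a different site from the primary
    immutable: bool  # offline, air-gapped, or write-once (object lock, WORM)
    verified: bool   # most recent test restore completed with zero errors


def evaluate(copies, rule="3-2-1"):
    """Return (ok, failures) for the given rule.

    Copies sharing a failure domain count once: a ZFS snapshot on the same
    pool as the dataset protects against in-place encryption but not against
    losing the pool, so it is not a second "copy" for the leading "3".
    """
    if rule not in RULES:
        raise ValueError(f"unknown rule {rule!r}, expected one of {RULES}")
    failures = []

    domains = {c.domain for c in copies}
    if len(domains) < 3:
        failures.append(f"{len(domains)} independent copies, need 3")

    media = {c.media for c in copies}
    if len(media) < 2:
        failures.append(f"{len(media)} media type(s), need 2")

    if not any(c.offsite for c in copies):
        failures.append("no offsite copy")

    # The extra "1": at least one copy ransomware cannot reach or rewrite.
    if rule in ("3-2-1-1", "3-2-1-1-0") and not any(c.immutable for c in copies):
        failures.append("no offline/immutable copy (ransomware can reach every online copy)")

    # The "0": every copy has a clean, recent test restore behind it.
    if rule == "3-2-1-1-0":
        unverified = [c.name for c in copies if not c.verified]
        if unverified:
            failures.append("unverified restores: " + ", ".join(unverified))

    return (not failures, failures)


# Constructed inventory (illustrative values, not a real environment).
INVENTORY = [
    Copy("tank/research (primary dataset)", "zpool:tank",   "disk",   False, False, True),
    Copy("tank/research@hourly snapshots", "zpool:tank",   "disk",   False, False, True),
    Copy("replicated to second NAS",       "zpool:backup", "disk",   False, False, True),
    Copy("object-locked cloud bucket",     "s3:research",  "object", True,  True,  False),
]

if __name__ == "__main__":
    for rule in RULES:
        ok, failures = evaluate(INVENTORY, rule)
        print(rule, "PASS" if ok else "FAIL", *failures, sep="\n  ")
```

Run as-is, the inventory passes 3-2-1 and 3-2-1-1 but fails 3-2-1-1-0 because the cloud copy has never been test-restored; drop the cloud bucket and it fails 3-2-1 outright, since the snapshots share the primary pool's failure domain. That is the point worth taking to the professor: the storage box can hold the snapshots, but the offsite, immutable and verified copies are data management decisions.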
- Using TrueNAS® in a Zero Trust architecture.
- Level up your ransomware protection with TrueNAS®.
- Combating ransomware with TrueNAS®.
Start the culture and resist the shine
I am not a cybersecurity expert. I am not a data security expert either. There are many IT professionals who are much better than me. But I start my approach from the storage infrastructure and data management side. I have probably drunk more Coca-Cola (“It’s the real thing“) by now in my 30+ years career in these two specific technical domains, enough to share my views on data and on managing data.
Yeah, many recognize me as that storage guy. But in my work, I almost never start a conversation, a discussion or advisory work with storage, the technology, the platform, etc. I don’t start talking about storage just because I am that storage guy. I always have a data management mindset. I have a data framework in mind whenever I work with a customer.
I have developed, refined and updated this framework over the past 23 years, and it is called A.P.P.A.R.M.S.C. I have brought it up multiple times in my previous blog postings. It is about Data (not storage), and these are its data points:
- Availability
- Protection
- Performance
- Accessibility
- Recovery
- Management
- Security
- Compliance
Cyber-hygiene awareness and practices are becoming stronger, but we have to start with a different mindset: a cultural change. We have to start inculcating a data management culture into cyber-hygiene education and practice if we are to combat the ransomware threat more effectively. This is why I am advocating a data management culture to combat the ransomware scourge rather than relying just on cybersecurity technologies.
Cultures last. Technologies, not always.