Many data protection “start-ups” are now rebranding as security companies, presumably in an attempt to gain more market traction and increased TAM for their solutions. What does this say about current security threats and how we should be protecting our critical data in the future?
Back in the early 2010s, data protection was in a depressing state. There had been little or no innovation over the previous decade, save perhaps for the transition to disk-based backups and data-deduplication appliances. CDP turned out to be a busted flush, as end users realised the misalignment between a transaction and block-based storage updates.
The industry was sorely in need of some innovation when up popped two companies with radically different approaches to backup. Rubrik and Cohesity appeared within six months of each other, using the benefits of virtualisation and VADP (as it was known at the time) to extract image snapshots from VMware vSphere deployments. The significant change in the data protection process for both solutions was to replace manual legacy scheduling (think Veritas) with a system of policies and outcomes. All this was then packaged in scalable appliances.
As we’ve discussed previously, the data protection industry has taken in an eye-watering amount of money in the last ten years. In 2019 we reported that nearly $2 billion had been invested in just four companies. Since then, Cohesity’s investment has doubled ($410 million to $805 million), Rubrik has increased by another $30 million, Actifio has been acquired (Google), and Veeam Software disappeared into private equity for around $5 billion.
In addition to those reported at the time, HYCU has raised $140 million, Druva has taken $475 million, Clumio has raised $186 million, Commvault has been re-energised with the success of Metallic, while the traditional vendors (Dell, Veritas, IBM, Micro Focus) haven’t gone away. All in all, this is a competitive market with lots of vendors looking to justify big investments in what is perhaps a $100 billion market. Don’t forget, though, that the current growth engine for new applications is the public cloud and those platforms have embedded backup (although we don’t recommend them), which makes the market all the more competitive.
Data Security Evolution
It’s not hard to argue that data protection should come under the banner of data security and the CISO within an organisation. Traditionally, data protection (in the form of backup and restore) has been in the domain of the storage teams, mainly because physical storage and data recovery were intrinsically linked. However, the advent of ransomware and the opening of previously walled-garden networks means protecting and recovering data is just another aspect of building out a cybersecurity framework. This doesn’t mean the CISO team has to be responsible for the day-to-day operation of backups, but in practical terms, it oversees the scope and policies associated with safely protecting data.
This leads us on to what a cybersecurity framework should look like. As usual within IT, there are plenty to choose from (and most are common sense). However, a good example is the NIST Cybersecurity Framework from the US National Institute of Standards and Technology (you may remember them from the discussion around the definition of Cloud Computing).
The NIST framework highlights five steps, generally drawn in a circular fashion to highlight the need to revise and review cybersecurity policies continually. The steps are:
- Identify – Quantify what’s at risk, including everything from systems, people, assets, and data.
- Protect – Develop safeguards to secure those assets, including Identity and Access Management, Zero Trust security (and networking), data security (access controls, encryption), systems management (patching, maintenance) and backup.
- Detect – Identify when issues occur, using network traffic pattern analysis, data anomalies (changes to backup sizes, for example), honeypot traps, excessive login failures and attempts.
- Respond – How to address an attack or issue, including network lockdown, credentials revalidation, resetting access keys and temporarily shutting down critical systems.
- Recover – The process of returning to normal operations, including recovering and restoring data, invoking a disaster recovery plan, and resetting IAM systems.
Of course, this list is meant to reflect the issues of a cyberattack, but data protection is about much more than this. Data loss occurs due to human error, malicious attacks (including from inside an organisation), hardware failure and natural disasters (fire and flood). Cybersecurity is part of an overarching data loss prevention strategy that should encompass the following steps:
- Prioritise Issues (what to protect, why, the relative importance of systems)
- Building a scope of remediation/implementation (RTO, RPO, SLAs and SLOs)
- Risk Assessment
- Create a “Desired State” plan
- Gap Analysis
Data and applications evolve and change over time, so data loss prevention plans need to do the same.
None of the above is a single technology solution. In practical terms, data security and loss prevention require a holistic approach that combines many technologies. We’ve highlighted four layers at which protection needs to be established and monitored.
- Network – the first level of defence, implementing strong credentials management techniques, zero trust and a high degree of traffic analysis.
- Systems – zero trust security, credentials management at the server, system, and application layers.
- Data – at the file system layer, implementing encryption for data in flight and at rest, monitoring file system growth, protecting data with snapshots and application backups and a high granularity of change tracking.
- Backup – protection of backups against attack, secure encryption of backup and expiration policies, fast recovery of data in the event of an attack.
Now, we’re not claiming to be data security experts, and this list was created after only a few minutes of work. However, we know that defence in depth is an accepted strategy that can effectively slow down an attacker, if not completely defeat them.
We would highlight here that prevention is always better than cure, so robust implementation of the first three layers (network, systems, data) should not be ignored on the assumption that the fourth layer (backup) will solve the problem. Backup is a safety net when everything else has failed. It has one Achilles’ heel: the restore process will almost certainly result in the loss of some data, depending on when the attack occurred and was identified and when the last known good copy of data was taken.
We should also be wary of relying on only the backup image as a reference point for observability. If a threat or attack is identified through changed data, then the attack has already occurred. However, some systems can detect malware and other anomalies that foretell an imminent attack, in which case remediation steps can be taken.
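To make the "changes to backup sizes" signal and the "last known good copy" problem concrete, here is an added example that is not part of the original article. It scores each nightly backup against a rolling baseline and reports the last copy taken before the first anomaly; the job records are constructed, and the function names, the 7-job window, the 3.5 threshold and the 1% floor are all assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample data: nightly backup jobs for one workload as
# (completion time, stored size in GiB). Not taken from any real system.
JOBS = [
    ("2023-01-01T01:00", 500), ("2023-01-02T01:00", 503),
    ("2023-01-03T01:00", 498), ("2023-01-04T01:00", 505),
    ("2023-01-05T01:00", 501), ("2023-01-06T01:00", 499),
    ("2023-01-07T01:00", 504), ("2023-01-08T01:00", 502),
    ("2023-01-09T01:00", 731), ("2023-01-10T01:00", 745),
]

def modified_z(value, baseline):
    """Robust outlier score: distance from the median in MAD units."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    # Assumption: floor the spread at 1% of the median so a very stable
    # baseline does not turn normal jitter into an alert.
    mad = max(mad, 0.01 * med)
    return 0.6745 * (value - med) / mad

def review_backups(jobs, window=7, threshold=3.5):
    """Flag size anomalies and report the last backup before the first one."""
    baseline, flagged, last_good = [], [], None
    for stamp, size in jobs:
        when = datetime.fromisoformat(stamp)
        if len(baseline) >= window:
            score = modified_z(size, baseline[-window:])
            if abs(score) > threshold:  # growth and shrinkage both count
                flagged.append((when, size, round(score, 1)))
                continue  # keep suspect jobs out of the baseline
        baseline.append(size)
        if not flagged:
            last_good = when
    # Restoring to the last good copy loses at least the data written
    # between that copy and the first flagged backup.
    exposure_h = None
    if flagged and last_good:
        exposure_h = (flagged[0][0] - last_good).total_seconds() / 3600
    return {"flagged": flagged, "last_known_good": last_good,
            "exposure_hours": exposure_h}

if __name__ == "__main__":
    print(review_backups(JOBS))
```

A flag raised this way confirms that data has already changed, so the reported window is a lower bound on the loss rather than an early warning.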
The Architect’s View®
What does this all mean for the current crop of data protection companies that are slowly rebranding as data security companies? First, it would be a shame if the innovation in data protection itself were to stop. We still need an evolution from the current mapping process of physical entities like servers (or their virtual equivalents) to one that references applications as first-class citizens. Snapshots are a poor substitute for application-focused backups, especially when data is becoming more mobile in a hybrid multi-cloud world.
We believe that data security (including ransomware mitigation) should be table stakes for all data protection solutions. As we said earlier, prevention is better than cure, so these technologies form only a small part of a data security framework. However, when you want to grow your TAM (total addressable market), reframing around the current hot topic is a popular strategy. After all, it wasn’t that long ago that data protection companies were claiming data management credentials. Back in August 2022, we highlighted how Cohesity, for example, needs to increase its addressable market to grow past current revenue projections. Being framed as a data security company is one avenue to follow.
A cynical person might think that rebranding as a data security company could offer the ability to raise money against a new set of customer requirements, and maybe there’s a plan there. We can’t say, as we have no insight into the strategy of any data protection company. However, we can say that cybersecurity and data loss prevention are about much more than the last line of defence.
In 2023, we will be looking at the broader security market to see how zero-trust technologies and other techniques can be used to build out a more comprehensive protection strategy. Keep following us for more insights and research.
Copyright (c) 2007-2022 Brookend Limited. No reproduction without permission in part or whole. Post #0d8f.