I'm very rarely shocked when we record these episodes.

But it happened in this episode.

Uh, I ask a really important question of our guests who is a storage and

backup and recovery security expert.

Uh, and I was shocked by his answer.

If you care at all about the security of your backup and recovery

system, this is the episode for you.

I hope you enjoy it.

Hi, and welcome to Backup Central's Restore it All podcast.

I'm your host, W Curtis Preston, aka Mr.

Backup, and have with me a guy that I'm not sure fully filled me in.

On everything that I was in for when I bought my Tesla Prasanna

Malaiyandi how's it going?

Prasanna?

Oh no.

What did I do this time?

I don't know.

As you know, I've been incredibly happy with my new car.

Um, I, I, I've, I've put a thousand miles on it already.

Um, Which is more than you probably put in your entire first year.

But the, um, I think the, my one disappointment, and it is, it

truly is a disappointment, is that Tesla doesn't have tech support.

Right.

Given that it's essentially like, you know, that they've sold me this really

expensive computer on wheels and it has all these interfaces and there's

all this conflicting information about.

Things about the car based on when you bought it, which you

know, which model you have.

So I have the L F P battery, which is the newer battery, which, which apparently

according to the manual, as opposed to be charged to a hundred percent.

Um, and you know, I just have questions that I would like to

hear answers directly from Tesla.

There's no phone number or email address for me to contact

so have you gone into the app and gone to,

have you gone into the app, gone to support and said other issue?

other that, because the only thing I've seen

is, is schedule service call

Yeah.

Uh, yeah.

So if you do schedule service, I think you can also do other, and

then just enter your, your questions.

So you're saying my greatest disappointment doesn't exist.

Is that what you're telling me?

I,

You're looking at the, you're looking at the

app right now, aren't you?

I am looking at the app right now.

Yes, I am.

Um, I think it could work.

I, so I've never done this.

Yeah.

I mean, if I could just, if I could, yeah, if I could just have an email chat.

Cuz a lot of 'em are just like, you know, You know, questions, right?

Like, I'm, I'm like, I can't find this thing, right?

I'm looking for the thing and I can't find the thing because there's

37 menus and, um, you know, I need

You know there's a search now, right?

Yes.

I, I know there's a search, but it doesn't

always find, there's a search.

First world problems.

Curtis First World

never ending, the, the, the never ending search for

looking for what I'm trying to find.

Um, yeah, I did find the most important app though.

You know, I, we've discussed this already, the, the admission

testing app, otherwise known

Prasanna Malaiyandi:

Otherwise known as Spart

fart noise.

Oh,

could, you could literally, you, you,

you can configure it so that.

Whenever you push a button on the steering wheel, it makes a random fart noise,

uh, to other passengers in the car.

By the way, my wife not a big fan, not a big fan of the fart

Curtis, are you like a little kid in a candy store?

I am inside, inside, every grown man is a five-year-old boy,

just, just begging to get out and, uh, I'm a five year old boy with a $40,000 car.

That wants to, that wants to try every little part, right?

The only difference between men and boys is the price of their toys, right?

uh, yeah.

So tomorrow it'll be, it'll be a week, uh, that I've had my, my lovely

new car and, uh, yes, I've put a

Prasanna Malaiyandi:

And, and oh, we should.

Prasanna Malaiyandi:

We should, yeah.

Prasanna Malaiyandi:

We should also tell the listeners also about your, uh, experience

Prasanna Malaiyandi:

going through a car wash.

I went to a car wash and you know, it's one of

these things, things that you take for granted when you drive, uh, you

know, what I now call an ice car?

That's a internal combustion engine.

A gas car is, you know, you just, it's super easy to put into neutral and,

and, and Tesla's super easy to put into neutral if you know how to do it.

And, uh, so I'm sitting there and I had rolled up to the, to the thing

where the, you know, where the.

The, the, I don't know, the conveyor belt's gonna grab my car.

And then the guy's like, you know, he's pointing to the thing up there

that says, you know, put it in neutral.

And I'm like, oh yeah, I'm supposed to put it in neutral.

I shut down the whole thing.

I shut down the whole car wash because I had no idea how

to put my car into neutral.

And then I thought I had it into neutral.

They turned it on again.

Nope, shut it down again.

Um, the, the only, the only nice thing I can say is thank

God my wife was not in the car.

She would've just been flipping out.

Uh, but yeah, I, I did, luckily the manager was like, you know, rolled

down the window and he's like, um, go to the menu and it's car wash mode.

I'm like, sweet.

Um,

not the first time that this has happened at that

I am not the, I'm not the first idiot with a brand new

Tesla to take it into a car wash and not know how to put it in neutral.

Anyway, uh, so enough test Tesla talk for the day, gonna bring on our guest.

He's been specializing in it, uh, for over 30 years and specializes

in storage and backup and security as well as it architecture.

He's now the CTO at Continuity Software.

The industry's only cybersecurity solution for enterprise storage and backup systems.

Welcome to the pod, Doran Pinhas.

Hi.

Good to be here.

So you're, you're currently in Israel, right?

Doran?

Yep, that's true.

What, what, what, what?

It's, it's still sunny.

What, uh, what part are you in?

it's 7:00 PM over here.

Uh, just, you know, it's a very, very small country.

It's the, the size of New Jersey maybe.

So, uh, anywhere you put your finger, it's where I am.

So

yeah.

in the area of Tel Aviv.

Yes.

So give or take, which is in the middle of the country.

I've been to, I've been to Tel Aviv,

uh, Jerusalem, and, uh, a lot.

I went and did scuba diving there, uh, which was very, very nice.

Um, scuba diving in the

a good start for a first visit.

Yeah, absolutely, absolutely.

I wanna do our usual disclaimer, uh, Prasanna and I work for different

companies, and this is an independent podcast and is the opinions that you

hear are ours and don't necessarily reflect the opinions of our employers.

Also, if you, uh, like the show, please rate us, go to your favorite pod catcher

and give us all the stars and comments.

We'd love to hear comments from you, and also if you'd like to

join the conversation or just send us, you know, Kudos or whatever.

Uh, you can reach me at w Curtis Preston gmail or uh, uh, WC Preston on Twitter

or linkedin.com/in/mr backup Um, so, you know, when I, when I saw your, you know,

I went to the Continuity's website and the first thing that popped up, Was this, uh,

paper that you've done recently, which it looks like you've been doing for a couple

of years on, uh, that that basically is a study of, uh, what, why don't,

why don't you tell, tell us about it?

That this paper,

Oh, you mean the storage and backup?

Um, you know, state of the industry

yes.

Yes.

That's the one.

Yeah.

Okay.

So it's the tradition.

We started several years back.

Uh, we were fortunate enough to meet, you know, we are in the IT business as a

whole and, and generate, uh, management tools for, uh, large enterprises.

We can talk about that later if there's any interest.

Uh, and we were fortunate enough to get about with some of the

world's largest enterprises, and we started talking years back about

securing storage and backup systems.

Lo and behold, and uh, it's dawned on us eventually that there is

no standard research that tests the maturity level of the market.

As it were, so several years back we started, uh, running surveys.

We have a technology that then collect that can collect configuration,

data, off storage and backup devices, appliances, media servers and stuff like

Mm.

and then review the configuration to see

if it's done well or not.

That's pretty easy.

So we collected data from, uh, everyone we talked with and many of

those organizations were gracious enough to allow us to anonymize

the data and generate reports.

So to cut a long story short, um, this year we scanned the around 10,000 storage

devices in around 250 large enterprises.

Most of them are relatively large.

Organizations with north of 10,000 people.

Some of them has half a million employees.

So it's a interesting demographics.

60% in the United States, almost 40% in the eu, and some in Asia Pacific.

Um, and we did find that, uh, the majority of environments.

Did have grave misconfigurations that relate to storage and backup systems,

Shocked

means that, you know, we're not shocked, but now we have

the proof, the writing is on the wall.

We can't ignore it anymore.

We knew in this secret of our heart that things might go wrong, but

now we know they are not great.

And, you know, stored and backup means are awesome at so many things.

They know how to increase capacity and deal with ever shrinking backup

windows and you know, ingest new technologies and move from on-prem to

cloud storage and all that fun stuff.

But there are not necessarily security experts.

And it is important to become more knowledgeable about security

because the outcomes of two lacks security in restorative

backup system can be devastating.

You know, that's something I'd love to be able to talk about and then

maybe, uh, we can have some practical advice around how can you do better?

You know, once people get convinced, it is important.

Yeah, so just a quick question.

Um, When you were, uh, looking at these backup and storage systems,

what sort of things were you looking for when you're evaluating

figure out were they secure or not?

So there, there are several dimensions to establishing

where whether, uh, uh, storage and backup infrastructure are secure.

So all the way from the very mundane, for example, are those,

uh, pieces of equipment and software laying around patched.

So surprisingly enough, uh, you know when people look at backup software

like Veeam and Veritas and you know, forgive me for all the rest and

Rubrik and others, these are piece of commercial software vendors will discover

security vulnerabilities, whether the code they have created or third party

libraries they use, everyone does that.

And they will write security bullet, public security

bulletins and issue patches.

So the question is, do you update your software?

Now when it comes to the software bit, That's a little easier because

the traditional vulnerability management engine you might

already have on on, on the floor.

We'll probably catch that.

Uh, but when you look at the stored and backup ecosystems, there are

all sorts of bizarre components there that are never scanned, right?

So we have, if you have a large shop, you have a sun fabric, and you have N

dmp and you have NetApp, and you have, uh, whatever storage, OSS and various

mix, no, HP and LMC and ibm, and.

Pure.

Um, these devices are never scanned by vulnerability managed engines.

And so, but it's pretty easy to determine if they are exposed or not.

So one of the trivial bits we've done is just retrieve the configuration baseline

of all the devices we have scanned.

Where there is are backup appliances and archiving appliances.

And shockingly you'll find that, uh, patches have been out there

for things like log four j.

That can impact the storage arrays.

Definitely can.

So, uh, but they haven't been patched.

And when you talk to professionals, say, oh, I didn't

know that I have that exposure.

I've run my scan with one of the big names, whatever, tenable Ines and Rapid

Seven and others, and they're all great companies, but they just don't scan.

The storage ecosystem to that level of detail, and people have

a blind spot and it's, it's bad.

So one thing is, that's mundane, right?

So, and, and around that category, I can count several other aspects.

Like, you know, you want to have your software patch, you want to have some

of the ridiculous stuff cleaned up.

Like, you know, you, you buy a backup appliance, it has a default

factory account like Root, root.

Did you close that account?

Oops.

So many organizations fail to do those.

Very simple, you know, it's not just the root root account.

There are service accounts.

There are default called home configurations that by and large, Are

not restricted to specific IP addresses.

And if I'm a hacker, I can spoof those.

So there are basic things you can do when you get a device, whether

that's a medial library or whatever, an archiving appliances or set up

a softer element that you can do to do the basics of hardening them.

So, so this is one area.

Another relates to a little bit more convoluted best practices.

You know, vendors will publish best practices for security, but by and

large it gurus tends to ignore them.

We want to go to the meet, how can we set up our first job?

But there are things, uh, that should be done.

Again, some of them are pretty mundane, right?

I'll give you just one example and you tell me if I'm going to, uh,

No,

uh, technical too quickly.

But, um, you know, time.

We all know about time it passes, right?

So, but when you set up a storage or a backup appliance, you

need to set up so it up with an authoritative time server, right?

Um, if I'm a hacker and I, uh, realize that it didn't harden the time

settings, I can spoof the time server and then I can issue all sorts of

attacks, like time's up attacks where, you know, I persuade your archiving

appliance that 12 years have passed.

Just in the span of a minute.

Of course, you can defeat that by setting up an authorized time server and using

authentication and stuff like that, but it's not set up out of the box.

Now if I'm not setting up my time correctly.

Of course, encryption keys can go stale and elapse, you know,

really bad stuff can happen.

So this is a trivial thing.

If you look at, uh, at reality from the security wearing the security hat or

security glasses, you'll realize that you have to harden some basic, uh, components

like time services and dns, and you have to close default accounts and set

up centrally managed authentication.

All of these are best practices.

Vendors will publish.

They will also tell you that, Hey, we are shipping this box

out of the gate with some initial security configurations like we.

Do allow you to decide if you want to configure SIFs one, two, whatever.

Uh, which Cipher Suites do you want to support?

Do you support in Fs version three and four and above?

Do you want to limit some of those?

So it's your job to decide, you know, we are selling you a Tesla.

You need to drive it out of the factory and you need to

do it as safely as you can.

You can of course drive it's hard, but you can try, you can

still force it into a tree.

So, The vendors will tell you, you may want to consider to

close some of the protocols.

If you're not using nfs, close it please.

If you're using nfs, maybe you want to disable NFS version three.

So we want to review some of those settings and follow

the vendor best practices.

So we start to see a picture emerging.

So we check for the basic vulnerabilities and the locking down of default

accounts, and then we go ahead and read the various vendor recommendations and

make them into a structured library of.

Things you should be looking into, and we just have a platform

that can automate those checks.

Now there, there are some other components to that.

For example, there are several standards that are today not legally binding,

but there are standards out there to regulate how stuff can be secured, right?

So we have the NIST framework.

We have the ISO framework.

Within NIST and iso.

There are families of, uh, uh, documents that regulate various aspects of security,

but specifically in recent years, there is more guidance for storage.

Right?

NIST has published, uh, the special publication 802 0 9, which

talks about storage and backup systems, security guidelines.

Right.

Just.

Spell it out differently, but you know, uh, and we were fortunate enough

to take part in shaping, uh, this particular piece ISO are publishing.

Um, there is a, a document called, uh, ISO 27 0 40, which, uh, outlines,

uh, guidelines for storage security.

So the current version is dated 2015.

Uh, it was great at the time.

It's not great anymore, but they are working on a new release.

Which is going to come out any week now, and we are fortunate enough

to see some of the drafts and even comment and it's awesome, right?

So we have guidance around what could serve as a framework for having better

security for storage and backup.

Um, so the last, maybe that's the last source.

We also, uh, review all of those guidelines and then we pick the

ones that are relevant to the average user and turn them into a

comprehensive automated checklist.

If you're curious, we have about whatever, three to 4,000 automated checks.

So when

gonna say, yeah.

go, go ahead and collect the configuration, you

know, we just need read only access.

That's how we work with, uh, the organizations.

We advise.

We ask them to let us, uh, have a readonly role.

We collect the data, we keep it in, it doesn't have to leave.

We run our tool and it's just create a dashboard and score cards saying This is

what you're doing well and here is where you, uh, can improve or might have failed.

And now, uh, uh, uh, many of those organizations are really gracious

allowing us to take the stats out.

So that's how we came across with a sample of around 10,000 components and component

could be a media server, archiving device, master server storage appliance.

And when, when you talk about backup, of course everyone realizes today

that the, when you want to recover something, you have multiple.

Layers of defense.

So the, the quickest recovery can be done from live on disk storage,

whether that's snapshots or replicas.

Uh uh, and then you have a progressing line now where you know the list quick

recoveries from offsite and you know, offline, maybe even offline tapes.

So we have a progression of, uh, mediums and when we want to protect backup, we

have to look at all those two components.

So we want to protect our.

A master server or media servers or archiving appliances, our online

storage, the snapshots, the replica engines, all of these have to be hardened

and there is a bit more than that.

Uh, so, uh,

Prasanna Malaiyandi:

that's very comprehensive.

Yeah.

Yeah.

So to, this was a very long-winded way of saying, yeah.

So these, these are some of the areas we gather together

to compile that list of checks.

And that's how we can come about with a.

Pretty comprehensive set of, uh, scores and in the report we, we try to make

it easy and friendly to the user.

We divided the findings into the top.

Five categories that were common in almost all environments.

We also, uh, dedicated the section to some of the less frequent issues

that are extremely lethal, as it were.

So, you know, not many people do that, but if you do, that can be devastating.

So you might want to watch out.

And I think what can be really actionable if, if I'm interested to see

that, just take that list of the top five or top six and ask yourself, I.

Am I free from those?

You probably will find that for some of those, even in your own organizations.

There is something here to take a closer look at, uh,

which I think can be valuable.

This is why our way of sharing, um, the generosity of the organization

work with, in, in, in freely sharing what they do well and what they don't.

So, you know, everyone can actually, uh, use that as a benchmark.

I, I, I really like that Doran.

Um, in fact, the, the, the, you know, we're recording this

in the middle of June, the.

The episode that went live this morning was, uh, an se that was sort

of bemoaning the fact that companies don't share, um, security, especially

when a security incident happens.

They don't share with the rest of the world what happened, why it happened.

Basically, you know, information that can help people.

And I think in this case, this is really helpful, uh, in that.

Uh, there's two things in here.

One, one, you know, I, I, you know, early in the said, I sh I said, shocked.

Shocked.

I am, uh, I, I, you know, I'm not shocked, right?

Because of the, the, um, you know, because, you know, I've been in the

back space for a while and storage and backup due kind of get the back of the

bus status for, for a lot of reasons.

They just don't get the, many of the tools aren't looking at that.

Many of the people aren't thinking about that.

And the, but the reality is storage and backup.

That's where it's at.

That's where the data is, right?

It, it's the, it is the thing that you're protecting.

In fact, um, you know, in this episode that went live, um, uh,

today we, you know, we were talking about, well, we're not really.

I, I don't think of myself as a cybersecurity person.

I think of myself as a backup and, and data person.

And, and he made the point of saying, well, without data, there's

no point in having cybersecurity.

Right.

Uh, which is, which is, which is really good.

Right.

Um, I, I am curious, w with this survey that you did, um, or study whatever,

whatever you'd like to call it, what.

When you went out there, can you speak at all to like the percentage

that you would find, like if you, if you were at a hundred companies,

how many of them had something that you would consider truly scary?

Uh, a misconfiguration that was

Are you sitting tightly?

Uh, I'm sitting tightly.

Yeah.

Well, you know, pretty much all of them.

I knew you were

the average, right, so, so the average device on average, A

device, and again, we define a device as either truly physical device, like a

sand fabric switch, or a storage array or back backup appliance or archiving

appliance or stuff like that through a media server, which is a, you know, hosted

a piece of software and a master server.

Each one is a device, so the average device will have 14.

Risks out of which three are critical or major, meaning that if I'm a hacker,

I, I can get in and take your data out.

So it's, that's not to say that 100% of the organizations were, uh, in a poor

situation, you know, maybe two or 3%.

Did actually better than others, but by and large, I think the state of the

industry is not great yet to be mild.

And if you want to be more brutal, it's dismal.

Do you feel though that some of this is because storage and

backup, it's kind of like a web, right?

A very complex tangled web that no one really knows how everything

is all connected together, which leads to some of these issues?

Or do you think it's some other situation why companies are doing poorly?

Yeah, I'd love to debug that notion by the way that it's a

web, which is too complex for the human intellect to grasp, right?

You didn't say that exactly.

Like I'm, uh, but, but, uh, no.

So there, there is a way to put structure on top, you know, roll up

your sleeves and you can apply a clear methodology to, to be much better.

It's actually.

Not very difficult.

We, you know, if time allows, we can talk a little bit about what

you can do to be much more secure.

So, uh, I and I object to making it something really intangible

that's, you know, incomprehensible.

It's just a little bit of work.

We have all the foundation.

So what, but what are your, to

Prasanna Malaiyandi:

oh, sorry, sorry, sorry.

Prasanna Malaiyandi:

Uh, my question though wasn't necessarily about security guidelines being complex,

Prasanna Malaiyandi:

it was more the infrastructure that are deployed in customers environments

Prasanna Malaiyandi:

such that maybe when you're backing up, you don't know necessarily how all

Prasanna Malaiyandi:

the devices are connected together.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

Or the different IT groups or things like that.

Yeah.

So you, you do have a point.

And I'll give an example, but it's still no reason not to, uh, you know,

uh, get a good handle of things, right?

So it can be complex, right?

So let's first prove your point, right?

Um, and I, again, I'm thinking like a hacker, right?

I want to attack your, uh, favorite backup software.

Mm.

And there are many ways I can go about it if it's not patched.

We mentioned some I can use, uh, default accounts maybe didn't really separate.

There was a principle of separation of, uh, authorities.

You don't want to have an admin account that can actually

manage, uh, the backup server.

You have to separate those entities into separate planes.

Some will argue that the, uh, backup admin should be part of active directory.

There are merits to that line of thought.

Um, you know, but it has to be strictly separated because the

first thing a hacker will do once they, they, they first get in.

Now they do a little bit of a, uh, uh, reconnaissance eventually, you

should assume they'll get admin level, uh, credentials, domain

admin level cred that will happen.

So when they do that, they should not be able to attack the backup software.

So now we can do that.

But let's say you did a really good job.

I'm at a loss now you talked about convoluted uh, dependencies.

Well, you know, in many cases, probably people have something like VMware.

VMware has a trust relationship with the backup software because when

we want to take consistent backups, every piece of software does that.

We use APIs for the Visser infrastructure to tell us when it's ready.

To, uh, back up consistently, whatever a vm.

Or a volume or whatever to do federated consistency.

Uh, in some cases we want to even delegate the infrastructure, the ability to tell

the backup software when to start a job, what would be the content of the job.

So we have some sort of a federated trust relationship Most.

Organizations we talk with don't really do that, uh, granularly.

So you, you, you have to think zero trust.

So they don't do that.

And if I can attack the vSphere infrastructure, let's say, if that hasn't

been secure, I can maybe use that to stop the backup jobs to alter the backup jobs.

So think about it, you're using immutable backup.

I really want to destroy it because I want to encrypt your files and demand my

ransom, and I want you to have to pay.

But you have immutable backups.

Ah, I can't really delete that.

Of course, there are ways to actually delete that.

If you didn't set it up, if you didn't set up immutability correctly, you didn't

enable retention log and stuff like that.

And I can maybe tamper with your system, but let's say you've done a good job.

Um, so I want to actually, my last research, which is very effective,

is to poison your backups.

How do I do that?

I break into vSphere.

I.

I find that it has the ability to alter the backup job, so I alter the content.

I'm starting to back up.

Instead of actual production VMs, I'm backing up jump my

temp directory, my swap file.

I just wanna make sure it's the same amount of data go that goes nightly.

So, Now I wait for two or three months.

So the backup jobs continue to run.

The backup admins, is that the job?

If you're not alert enough to find that the content has been changed, it's

successful, and after 90 days or whatever I deem necessary, I lock your files.

Um, now you go to the backup environment and say, oh, fine,

I have 90 days full of backup.

But none of them, it's all crap.

So the only valid backup you have if youre a bank is 90 days old.

Imagine you're calling your bank to say, where are my funds?

And they're saying, Hmm,

Sorry.

do you have a paper receipt?

Sorry, we don't know.

Um, so that can be bad, right?

So I can.

To your point, they are convoluted.

Trust, relationship, API gateways and services.

To name a few examples, we scan an environment and we find, you

know, you can find the management APIs of management consoles.

You just scan for the REST API and through IP address and you find,

you find, they say we have one management console and you find three.

One of them is, is in the lab.

Where they used to do testing two years ago, they never shut down that instance.

And it's not protected.

And it's, there is no time server, there is no cookie session cookie timeout,

and it still can control production.

So we want, so there are, it is convoluted, so I totally agree.

The only thing I, um, I would suggest is that you can become good at fi thinking

like a criminal, uh, or expecting what a, don't think like a criminal, but expect,

you know, be able to expect what I do.

And if you are at a loss, you can refer to some of the guidelines I've provided.

Go and go ahead and read the NIST Guide.

Go ahead and read.

The coming is a guide.

Snia has a lot of good re amazing resources around storage,

security, and you'll find you can.

Pretty easily compile a checklist of the i questions you should ask.

And these are relatively straightforward questions.

Where are my, where, where is, you know, one of the big areas is the control plane.

How do I control all that stuff?

Like we have API gateways, we have management consoles, we

have, uh, URLs, the, I lock it down, it boils down to a list of.

Finite amount of questions.

So you have to roll up your sleeve and do that.

Um, and, and as just, I don't want to talk much.

It's not an advertisement to our company.

We have tools that allow you to automate some of that stuff, so that

might prove useful, but, As always in life, you don't have to use our tools.

If you know what you're doing, you can do a good job with

manual tools, it's still okay.

Um, you know, woodworking, myself, you know, there are a lot of things

you can do with manual tools.

Power tools can save you some effort and increase predictability, but you know,

it can, you do a fine job manually.

So that's, that's,

still fine.

So, to her question, it's complex, but it's possible to, to actually

build a framework to add it your environment in, in a more, uh,

Comprehensive way and, and, and, and reduce the attack surface noticeably.

The, cuz I, you know, you were saying, you know, you don't

necessarily want to plug your company, but at the same time that, that's where I

wanted to go next because I, I'm curious.

So you, you're able to do this, um, you know, this, uh, automated check

to check all of these settings.

I, is that the service that your company provides or what, what else do

you, you know, where, where do you go

yeah, so ultimately one of those days, you know, we

hope that organizations that want to automate a framework to check.

On a daily basis or an ongoing basis or after exchange that

they're always locked down.

They might be looking into something like what Continuity provides, which is an.

Engine that automates all of those checks that gets automated.

It's like an antivirus if you want it, or like a vulnerability management tools.

It gets automatic updates where all the vendor best practices, the latest

CVEs, the latest recommendations from framework like NIST and niso

and PCI and HIPAA are implemented.

And you, you can get automated compliance reports and if you've done something

wrong, you'll know what went wrong.

What is this syntax I need to use to fix the problem?

And you can start over.

So you, you know, we provide those tools to automate a frequent

mode of validation, right?

So that's something, uh, that can be helpful and we advocate that.

Uh, so, so that's how we make our living.

But we are also working with organizations to do one-off assessments.

Uh, no strings attached.

If you want to understand how material you are.

You know, we can definitely talk and first of all, share with you.

We'll happily do that because we learn so much from the, those interactions.

And we want to give some of that back, right?

So, uh, if you want to just run a one-time scan, you can approach us.

You can even approach your, uh, trusted, uh, security consultant and

ask them if they can do a scan for you.

Um, there are not too many options.

We are, we know, pretty unique, but they can use our software.

A lot of, uh, um, uh, there are many consultant firms out there that

have access to our technology and can use it to run a scan for you.

And even if that's a one time scan, you will understand.

What you're doing well, where you have issues, what are the

priorities of those issues?

What does it mean to your business in terms of, you know, not adhering

to industry standards and regulations If you are in a regulated segment,

uh, sometimes that's enough.

That's just, that's a starting point that can, uh, get you going

because now you have a better clarity instead of understanding that,

you know, I'm probably not good.

You'll know exactly what works well for you and where do you have issues.

So that's, In a sense, this is what our, uh, product does, and we make a living

out of selling it to those organizations.

Choose to be standardized 24 7 and be accountable.

We hope, uh,

For what it's worth, uh, you know, I'm a fan of that, right?

I'm a fan of automation.

I'm a fan of, uh, you know, I mean, I, I like the fact that you

have the check first off period.

Right?

I'm a fan of that.

The idea, and, and, and those are good, right?

Those, those one time checks are good.

It's good to have a consultant look at your stuff once in a while to make

sure that you're doing the right stuff.

But there's nothing like just having something continually checking because,

you know, um, there are always new CVEs, there are always new vulnerabilities

and things that you need to patch.

I think patching is the thing that most people get behind on the most, right?

There's that one time configuration of making sure we separate this and that

and we're using MFA and we're using.

Um, you know, the, the proper, uh, usernames and passwords and not

using root root, you know, you, that should hopefully be a one-time thing.

I think it's the, the patch management, uh, and other things,

maybe recommendations change over time.

Uh, that, that's the one where it's like, it, it would be nice to have something

that just tells me, Hey, a new CBE came out, you know, and, and, uh, you know,

the vendor has patched it already.

You need to go, you know, you need to go patch it right

away or else you're at risk.

Yeah.

I think

So you, you'll get that.

Yeah, go ahead,

Yeah.

I think the other thing, Curtis too, and I

know we've talked about this in previous podcasts, is like people's

environment is never static, right?

You're always getting new devices in some group or another, right?

New applications being spun up, right?

New deployments, new servers, and so having that ongoing check where it's

like, Hey, we can now make it more efficient for you to bring online these

applications rather than going through sort of the entire security audit

and everything else that you might.

Have to do, which might elongate the time you need by weeks.

Right.

The other thing also I was thinking is there's also, from what I've read, and

I don't know, Darron, if your product supports, I'm guessing it supports

public clouds as well as endpoints.

Yep.

Okay.

Right.

So as people are looking to go to the cloud, right, sometimes they're also

looking at multi-cloud strategies.

Right where maybe they're an expert at AWS and they're trying to figure

out, can I use Azure GCP for certain workloads or because of regionality

or services being available and, but they're not the experts.

And so to get up to speed and learn, okay, what is the mapping and what are the

best practices in AW or in GCP or Azure takes time and they're not the experts.

They don't have the resources.

And having a tool like this that can automate.

And say like, Hey, here are your best practices.

Are you doing things in the right way or not?

And giving you that guidance and be like, yep, this is how you should be doing

things, I think can go a long way as well.

Yeah, I totally agree, and I just want to add that over the

course of running a business, right, I've been in this position for 17 years.

I'm proud of that.

You know, people stay at an organization for years and over the span of years.

You know, if you take a look at the, if you're running a, an IT shop

and you take a look at how you have run your business five years ago.

Four years ago, three, two years ago.

You'll see that there are sometimes, there are tectonic

changes over those spans, right?

We change one of our major vendors.

We move from one backup vendor to another.

We change from tapes to discs.

We start adding cloud.

Tertiary copies now, each one of those, and, and if you look three, four years

back, you'll see tectonic changes.

But each one of those steps, they happen on a monthly basis.

You know, we throw away our own library and bring in a new vtl and,

you know, something like, and, and.

And we have like five of those.

So you know, they live like four or five years.

So, you know, every year we change one and we have tapes and we have

discs, and we've, every new release, we have different frameworks, we have

new releases, management consoles.

Every four or five years the architecture changes.

So whenever something like that happens, for me, it's new.

But if you are relying on an industry backed whatever, uh, library of

checks that, you know, should cover everything, and we learn a

lot from our, uh, user community.

They'll tell us, oh, we started looking into this.

Are you familiar with it?

Say, Hmm, interesting.

Let's take a look.

Let's take a look together.

What did you find?

Some of them are, so there is a sort of a community feedback here and uh,

maybe it's new for your organization, but it's probably not new for others.

And there is definitely an opportunity to have a much better starting point.

So, you know, I'm deploying.

Uh, a cloud target backup, you know, and I wanna make sure that I pass

all of the checks so I run a quick scan when it's not yet production,

and I find what I'm doing well.

And if there is room for improvement, usually there is.

So, you know, an ounce of prevention is worth, uh, a pound of KiOR, right?

So think about your, uh, immune system.

Let's say it would've run once a year for a day, and then it would stop shut

down for a day the rest of the year.

That's not great.

It's better than nothing, but so that's so, so to, to Curtis's point.

Yeah.

One time scan is awesome.

It's important to know if something is wrong, but you know you have to

be, or it's better to be continual.

Yeah.

W. Curtis Preston:

Yeah, I like that a lot.

W. Curtis Preston:

Um, so the, you know, I'd, I'd like to wrap up, but what I, what I am curious

W. Curtis Preston:

about early on, you alluded to, I mean, we've kind of discussed some of the

W. Curtis Preston:

things that you recommend that people do.

W. Curtis Preston:

Besides obviously running the continual scan.

W. Curtis Preston:

Um, are there some other things that you recommend people do to secure

W. Curtis Preston:

their storage and backup environment?

Yeah, sure.

So I think.

The first thing to do is to get to know a little bit more about I, I would even read

a little bit about the business threats.

What can possibly go wrong, right?

So maybe, uh, I'm not sure we'll have time to go there today.

Why is it important?

Really get a good grasp.

Uh, it's not a difficult read.

If you go to the Snea site, you go and, uh, take a look at the NIST or IZO guide.

You'll have a framework for, in the NIST guide, there are about

30 different areas you should be looking into, get familiar with.

What are the components you need to consider to build.

Secure framework, choose.

So, you know, so the first step is, you know, get a little bit more

knowledge about storage security.

Five years ago, it was not accessible to datas.

There are plenty of resources in our site, you know, it's

www.continuitysoftware.com resources.

You'll find a library of research and guidelines and advice and

useful links to other sites.

So there is plenty of material out there to get educated.

The second thing I would encourage to do is to define, at least at

a high level, a set of security standards you'd expect to have.

And you can draw, uh, um, uh, intuition or, or, or guidelines from the set

documents, either or NIST or other frameworks, build a set of baselines

like, so I want to lock down devices, I want to have password complexities.

I want to whatever, set up session cookies or session timeouts.

I want to, you know, these are my baselines.

Mm-hmm.

Define those baselines and then, you know, find a way to

periodically review your settings.

You know, it's, um, it takes a little, uh, doing, but all the

building blocks are out there.

If you want to use automation, then we would be very happy

to help you achieve that.

You can even script that yourself, right?

So it's not everyone has to buy a power saw, right?

You can rent it.

Right?

So, but you know, Close the knowledge gap, understand what is there to check.

It's a finalist.

There are 13 different areas.

There are different ways to look at it.

It's structured.

Pick and choose the, the things that are important to your business

and find a way to put repetition into validating that you're clean.

This way whenever you roll out something new and it always happens,

you have a, at least a point where you can, you know, validate your design.

So these are three things that you can easily do.

Um, and again, our sites has a lot of nice videos that simulate

how, you know, how hackers thinks.

What they can do in a specific scenario.

Uh, when you start thinking like that, uh, it can be even interesting

is to to think a little bit like a hacker and, and build better designs.

If you want to make your house burglar proof, you should just take

a look outside and think critical and say, I can get in through here.

What about the basement door?

What about my Tesla keys?

And so on.

So, uh, I can hide in the Tesla.

Uh, yeah, back seat and wait for you to open the garage doors.

Yeah, I,

that, that's my advice.

It's pretty straightforward, so.

yeah, I like the, um, I, I think, uh, we'll put some

links in the show notes, uh, to the, to the things that you talked about.

I like that idea a lot.

Um, basically just make yourself more knowledgeable.

Is, is the key.

Cuz I, I do think that, you know, our folks tend to be backup centric,

um, security, you know, they're learning security and a lot of backup

folks are often junior folks, right?

The, this is the job they were able to get.

And mainly because nobody else wanted it, right?

Um, yeah.

I mean, that's how, that's how I got my first job in backup.

And so yeah, this is definitely the part of that, the part of the world

that you really need to go to, right?

You really need to increase your cybersecurity knowledge.

If you don't have that, if you were listening to this episode and these,

uh, acronyms that, that, uh, we were, you know, rattling off like nist, if

those are foreign to you, Definitely follow the links in the show guides

to, um, to, to learn more about that.

Well, uh, Doran, I want to thank you for, for coming on the show

Perfect.

It was my pleasure.

Thank you for having me.

and Prasanna.

You, uh, continue to get all the blame for my Tesla, but,

uh, I'm glad you're here anyway.

Yeah.

Thanks Curtis and nice to meet you Doran, and thanks for

answering all the questions.

I think it's a very compelling, uh, solution, right.

And solves a very specific problem that I think there's, like you mentioned, right?

There's a huge blind spot to this.

So I think it's very valuable.

And Curtis, I hope one day that you will thank me that, that you bought your Tesla.

So I'll just, uh, I'm not gonna hold my breath for that day, but.

There's this, there's this other person in my

house that is still blaming you, but, uh, we'll, we'll, we'll see.

Maybe, maybe one day.

Uh, well, anyway, I, I want to thank our listeners.

You know, you, you are why we do this, and remember to subscribe