Per-Tenant Data Security Service at Provider Scale
Constrained by resources, companies are struggling to combat ever-increasing cyber threats. Service providers are ideal partners in the quest to keep sensitive data safe. And while more than four of every five service providers today offer backup and recovery services, a majority still rely on vulnerable and inefficient legacy products. Your managed service doesn’t have to.
This blog introduces next-generation data management from Cohesity. It features a modern security approach, marking the dawn of new business opportunities for service providers. With Cohesity, it’s simpler to differentiate your managed services by offering new high-value data security to the managed backup and recovery. Here’s why.
What’s Wrong with Legacy?
We know from Smokey the Bear how a little spark can quickly explode into a wildfire in a parched forest. That’s also what can happen fast with a breach followed by a hidden ransomware attack in an environment counting on a legacy data management product.
In legacy architecture, there are two primary security gaps:
Implicit trust – Network access in legacy environments is based primarily on implicit trust: whatever is inside the perimeter is assumed to be legitimate. It falls short because there are no internal boundaries to safeguard valuable targets. Anyone and anything, including ransomware, can move laterally once it is inside the network.
Lack of ransomware detection – Once bad actors identify valuable targets, ransomware encrypts production data and destroys backups and archived data. Essentially, it undermines the time-honored 3-2-1 rule of data protection (three copies of your data, on two different media, with one copy off-site for disaster recovery [DR]): every copy the attacker can reach is a target, and nothing in the rule itself tells you that a copy has been tampered with.
The crux of the problem is legacy data management’s architecture is siloed. It’s a patchwork of single-purpose products, including backup, target storage, NAS storage, and archives. The whole setup has to be duplicated for business continuity and DR. And you have to add specialized DR software on top.
Ransomware thrives in silos. If ransomware slips through a sprawl of disparate systems, the damage is simply uncontainable. Ransomware will spread like wildfire.
A service provider's environment, with multi-tenancy and downstream customers, further compounds the problem. The Kaseya VSA incident of July 2021 showed how: a compromise of the provider's remote-management tooling at a few dozen MSPs was magnified downstream to an estimated 1,500 businesses.
What Makes Cohesity Helios a Great Solution for Providers?
The Cohesity next-generation data management platform is anchored on Cohesity Helios, which supports multi-tenancy. Recently, Cohesity added a suite of security capabilities, packaged as a Threat Defense framework, that lets service providers offer new high-value data security on top of managed backup and recovery services.
Next-generation data management eliminates silos by consolidating services and fortifying entry with explicit trust access and ransomware detection built-in. With Cohesity, these capabilities are standard — within the multi-tenant Helios platform — resulting in a very secure and scalable solution.
Cohesity added multi-tenant support to Helios two years ago, letting multiple tenants share the same infrastructure and scale on it. Today, service providers deliver backup-as-a-service (BaaS) and disaster-recovery-as-a-service (DRaaS) offerings with integrated, multi-layered security on top of per-tenant isolation with Cohesity Helios.
Cohesity is uniquely differentiated by the following capabilities:
Service provider scale: The Cohesity software-defined, converged platform is purpose-built to be web-scale, similar to Google’s hyper-scale Distributed File System.
Multi-tenancy with network segmentation: Cohesity hosts multiple customers' backups and data sources on the same platform with namespace isolation and per-tenant encryption, protecting data both at rest and in flight, and uses VLANs to segment each tenant's network traffic.
Self-service tenant domain, provider authorized: Cohesity lets service providers configure role-based access control (RBAC) so that employees within each tenant organization are authorized only for their own tenant's resources. Pre-built integrations for backup workloads include VMware vCloud Director, ServiceNow, and VMware vRealize Suite.
Ransomware detection per tenant: Helios includes machine-learning models that continuously monitor the backup data ingestion rate (how much data changed between snapshots) and the entropy of that data across private and public clouds. Encryption by ransomware typically shows up as both signals at once: a spike in changed data and a jump toward maximum entropy. If a periodic snapshot falls outside the tenant's historical normal range, Helios flags it as a potential ransomware attack and provides actionable alerts for rapid restores of virtual machines (VMs), files, and application objects from the last healthy snapshot.
Zero Trust principle with multi-factor authentication (MFA) and least-privilege access: In accordance with Zero Trust principles and best practices, Cohesity includes MFA and RBAC functionality. Before granting access, MFA challenges each user for a one-time passcode delivered to a device they hold, so that a stolen password alone is not enough to impersonate them.

Cohesity's second enforcement layer then applies. Using RBAC and best practices, you can ensure that every person can access only what is necessary and nothing more, consistent with the Zero Trust principle of enforcing least privilege. User activity is audited continuously; if something is out of the ordinary, Cohesity flags the unauthorized attempt and denies access.

Note: Cohesity also supports third-party MFA from popular identity providers (IdPs), including Okta, Ping, and Cisco Duo.
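To make the ransomware-detection idea above concrete, here is an added example of the two signals it describes, change rate and entropy, scored against a per-tenant baseline. This is illustrative code written for this page, not Cohesity's algorithm or API: the z-score thresholds, the `entropy_floor`, the verdict names and all snapshot figures are constructed assumptions. It also shows the caveat a practitioner cares about: a bulk data load spikes the change rate without raising entropy, so only both signals together are treated as suspected ransomware.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean, stdev


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for constant data, near 8 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class SnapshotStats:
    tenant: str          # baselines are kept per tenant; one noisy customer must not mask another
    snapshot_id: str
    changed_mb: float    # data ingested relative to the previous snapshot
    entropy: float       # mean entropy of the changed blocks, bits/byte


def z_score(value: float, history: list[float]) -> float:
    """How far value sits from the baseline, in standard deviations (needs >= 2 samples)."""
    mu, sd = mean(history), stdev(history)
    if sd == 0.0:
        return 0.0 if value == mu else math.inf
    return (value - mu) / sd


def assess_snapshot(current: SnapshotStats, history: list[SnapshotStats], *,
                    z_threshold: float = 3.0, min_history: int = 5,
                    entropy_floor: float = 7.0) -> tuple[str, dict]:
    """Compare a new snapshot with the same tenant's healthy history.

    Verdicts (assumed names): 'insufficient-baseline', 'normal', 'anomaly-review'
    (one signal fired, e.g. a bulk import or newly backed-up compressed archives) or
    'suspected-ransomware' (change-rate spike AND high-entropy jump together).
    """
    baseline = [s for s in history if s.tenant == current.tenant]
    if len(baseline) < min_history:
        return "insufficient-baseline", {"baseline_snapshots": len(baseline)}

    z_change = z_score(current.changed_mb, [s.changed_mb for s in baseline])
    z_entropy = z_score(current.entropy, [s.entropy for s in baseline])
    change_spike = z_change > z_threshold
    # An entropy jump only counts if the data actually looks encrypted, not merely busier than usual.
    entropy_spike = z_entropy > z_threshold and current.entropy >= entropy_floor

    if change_spike and entropy_spike:
        verdict = "suspected-ransomware"
    elif change_spike or entropy_spike:
        verdict = "anomaly-review"
    else:
        verdict = "normal"
    detail = {
        "z_change": round(z_change, 2),
        "z_entropy": round(z_entropy, 2),
        # the newest baseline snapshot is the restore point an operator would reach for
        "last_healthy_snapshot": baseline[-1].snapshot_id,
    }
    return verdict, detail


# --- constructed sample data (not measurements from any real system) -------------------
PLAINTEXT_BLOCK = b"INVOICE 2021-11 acme corp net 30 " * 128          # repetitive business data


def pseudo_encrypted_block(n: int = 4096) -> bytes:
    """Stand-in for ciphertext: a SHA-256 chain, deterministic but statistically flat."""
    out, state = bytearray(), b"constructed-seed"
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


ACME_HISTORY = [
    SnapshotStats("acme", f"acme-{i}", mb, ent)
    for i, (mb, ent) in enumerate(zip(
        [1000, 1050, 1100, 1080, 1200, 1150, 1020],     # roughly 1 GB of daily change
        [4.1, 4.3, 4.2, 4.4, 4.3, 4.5, 4.2]))           # office documents, databases
]
NORMAL_DAY  = SnapshotStats("acme", "acme-7", 1150, 4.3)
BULK_IMPORT = SnapshotStats("acme", "acme-7", 6000, 4.4)    # big change, same kind of data
ENCRYPTED   = SnapshotStats("acme", "acme-7", 9000, shannon_entropy(pseudo_encrypted_block()))
NEW_TENANT  = SnapshotStats("globex", "globex-1", 9000, 7.9)  # no baseline of its own yet

if __name__ == "__main__":
    print("plaintext entropy :", round(shannon_entropy(PLAINTEXT_BLOCK), 2))
    print("ciphertext entropy:", round(shannon_entropy(pseudo_encrypted_block()), 2))
    for snap in (NORMAL_DAY, BULK_IMPORT, ENCRYPTED, NEW_TENANT):
        print(snap.snapshot_id, assess_snapshot(snap, ACME_HISTORY))
```

Two design points carry over to any real deployment: the baseline is filtered by tenant before scoring, so a customer that legitimately churns terabytes a day does not desensitize detection for a small one, and a brand-new tenant is reported as having no baseline rather than being silently scored as normal.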
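The multi-tenancy, RBAC and Zero Trust items above all hinge on one design decision: a role grant is scoped to a tenant, and everything not granted is denied. The following is an added example of that authorization step, written for this page and not Cohesity's implementation. The role names, permission verbs, the `(tenant, role)` binding shape, the audit-log fields and the users are all constructed assumptions; the MFA check is modelled as a boolean already established by the first enforcement step.

```python
from dataclasses import dataclass, field

# Permissions are explicit verbs. Anything not listed for a role is denied (deny by default).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "tenant-viewer":     frozenset({"backup:read"}),
    "tenant-operator":   frozenset({"backup:read", "backup:run", "restore:run"}),
    "tenant-admin":      frozenset({"backup:read", "backup:run", "restore:run",
                                    "policy:write", "user:manage"}),
    # Role for the provider's own staff. It deliberately lacks policy:write and user:manage,
    # so an MSP operator cannot quietly weaken a customer's retention or add users.
    "provider-operator": frozenset({"backup:read", "backup:run", "restore:run"}),
}


@dataclass(frozen=True)
class Principal:
    user: str
    mfa_verified: bool                      # outcome of the first enforcement step (MFA)
    bindings: frozenset[tuple[str, str]]    # (tenant, role): every role grant is scoped to one tenant


@dataclass
class AuditLog:
    entries: list[dict] = field(default_factory=list)

    def denials_for(self, user: str) -> int:
        return sum(1 for e in self.entries if e["user"] == user and not e["allowed"])


def authorize(principal: Principal, tenant: str, action: str, audit: AuditLog) -> bool:
    """Second enforcement step: allow only if a role bound to *this* tenant grants the action."""
    if not principal.mfa_verified:
        reason, allowed = "mfa-required", False
    else:
        granted = frozenset().union(
            *(ROLE_PERMISSIONS.get(role, frozenset())
              for bound_tenant, role in principal.bindings if bound_tenant == tenant))
        allowed = action in granted
        reason = "granted" if allowed else "not-granted-in-tenant"
    # Every decision, allowed or denied, is recorded for the continuous audit.
    audit.entries.append({"user": principal.user, "tenant": tenant,
                          "action": action, "allowed": allowed, "reason": reason})
    return allowed


def flag_repeated_denials(audit: AuditLog, threshold: int = 3) -> set[str]:
    """Continuous audit: users who keep hitting 'deny' are out of the ordinary and worth a look."""
    users = {e["user"] for e in audit.entries}
    return {u for u in users if audit.denials_for(u) >= threshold}


# --- constructed scenario -------------------------------------------------------------
alice = Principal("alice@acme", True, frozenset({("acme", "tenant-admin")}))
bob = Principal("bob@msp", True, frozenset({("acme", "provider-operator"),
                                           ("globex", "provider-operator")}))
carol = Principal("carol@globex", False, frozenset({("globex", "tenant-admin")}))

if __name__ == "__main__":
    log = AuditLog()
    print(authorize(alice, "acme", "restore:run", log))     # True: admin in her own tenant
    print(authorize(alice, "globex", "backup:read", log))   # False: cross-tenant, even for read
    print(authorize(bob, "globex", "restore:run", log))     # True: provider staff explicitly bound
    print(authorize(bob, "acme", "policy:write", log))      # False: least privilege for MSP staff
    print(authorize(carol, "globex", "backup:read", log))   # False: MFA not completed
    print(flag_repeated_denials(log, threshold=2))
```

The point to check in any real product is the third call: a tenant admin's role must buy nothing in another tenant's namespace, not even read. If the role model is global (a "tenant-admin" role that applies wherever the user happens to log in), namespace isolation in storage is undone at the control plane.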
World Governments Are Counting on Service Provider Participation
Because the U.S. and 30 other governments understand the severity of threats and the importance of combating ransomware, they’ve banded together to prevent further cyber damage.
In May 2021, the Biden administration released an Executive Order on Improving the Nation’s Cybersecurity. It requires all federal agencies to collaborate with service providers to develop plans to modernize cybersecurity infrastructures focusing on the two security gaps highlighted above.
A series of proposals with calls to action have since followed, including:
September 2021 – The White House released a draft federal strategy, prepared by the Office of Management and Budget (OMB) alongside the Cybersecurity and Infrastructure Security Agency (CISA), to move the U.S. Government toward a Zero Trust architecture, of which least privilege is one core principle.
While the urgency from the highest office in the U.S. is very much welcome, it is also an indirect acknowledgment that nations’ security postures must evolve to next-generation data management for digital resilience.
Take the Next Step to Differentiate Your Managed Provider Business
A great majority of organizations are leaning on service provider services to fill IT skill gaps (e.g., cloud, networking, etc.), to reduce CapEx spending, and to boost data security. For global service providers, the introduction of next-generation data management presents an upgrade opportunity to differentiate your service values and scale your business.