How does Azure Backup differ from Azure Site Recovery?
Both Backup and Site Recovery are important to an effective disaster recovery solution as both services capture data and offer restore semantics. Backup ensures that your data is safe and recoverable while Site Recovery keeps your workloads available when/if an outage occurs.
Azure Backup
- Backs up data on-premises and in the cloud
- Backup solutions have wide variability in their acceptable Recovery point objective. VM backups usually have a Recovery point objective of one day, while database backups can be as low as 15 minutes.
- Backup data is typically retained for 30 days or less. From a compliance view, data may need to be saved for years. Backup data is ideal for archiving in such instances.
- Because of a larger Recovery point objective, the amount of data a backup solution needs to process is usually much higher, which leads to a longer Recovery time objective.
Azure Site Recovery
- Coordinates virtual-machine and physical-server replication, failover, and failback.
- DR solutions have low Recovery point objectives; DR copy can be behind by a few seconds/minutes.
- DR needs only operational recovery data, which can take hours to a day. Using DR data for long-term retention is not recommended because of the fine-grained data capture.
- Disaster recovery solutions have smaller Recovery time objectives because they are more in sync with the source.
- Remotely monitors the health of machines and creates customizable recovery plans.
October means the month of Oktoberfest for everyone who loves a beer. But for those of us in technology, October is really a time to party because it is National Cyber Security Awareness Month! WooHoo!
Okay, maybe it doesn’t sound so fun, but for those of us in the business, maybe we can think of this as a time to avoid deep and lasting pain. Sounds fun?
To make this even more fun, answer this question: How do you know when you are getting old? Answer: When you take cyber security seriously. This actually gives us a leg up on Millennials with regard to something technical. They all pretty much ignore it.
The key to understanding cyber security is to simply be interested. You can understand and manage this from a high level. Make sure your company follows the 10 basics, below, and you will have earned the title, “Top 1% Cyber Executive.”
1. Use Two Factor Authentication for Business and Personal email. You log in to your account, for the 1st time with each new device, and receive a PIN to your phone that must be entered in to register that device. No one else can use their device to access your email. This must be a corporate policy for all employees, for both personal and business accounts. How can you prescribe such an invasion of personal privacy? Because, sooner or later, everyone does something for their work on their personal device.
2. Enable HTTPS on Your Company Website(s). HTTPS websites have a certificate that encrypts all data transmitted from your website. This helps visitors know that your site is actually run by your company and not an imposter (i.e. phishing site).
3. Use Strong Passwords, Don’t Re-Use Them, and change at least every 90 days. Most experts would say change every 30 days. A password with upper and lower case plus a number plus a symbol is a strong password. The one you are using now is a terrible password! Sorry to criticize you but toughen up, you cyber sissy.
4. Run All Software Updates. Hacked companies usually get hacked because known vulnerabilities have been left unattended for YEARS! All your IT people have to do is update the software. This is the simple truth where most vulnerabilities lie: True for servers, true for personal computers and phones, and true for security appliances (Firewalls). Run the operating and security software updates and you most probably are safe.
5. Make sure your security software and devices are turned on! For one reason or another, IT turns these things off, or opens an unsecure port in a security device to solve some problem or allow temporary access for a particular purpose. Then they leave them open. Periodically ask your people, “Are there any unsecure ports in our firewall? Are we running all of our updates? All of them?? All??? Are you sure?” That’s how you do it.
6. Make Sure Employees Look for the S in HTTPS When Searching the Web.
7. Encourage Senior Leadership to Spearhead Your Cybersecurity Culture.
8. Generate Phishing Simulation Tests to Keep Staff Alert. Hire a 3rd party to test and train your people. This can be a mostly automated service, so it does not have to cost much.
9. Conduct a 3rd Party Cyber Security Audit. Depending upon your company size, this doesn’t have to be expensive, but it may be if you have more than fifty employees. What you don’t know definitely will hurt you. Take the results seriously and do every single thing recommended.
10. Make Sure Your Company Is Cyber-Insured. Standard insurance policies don’t normally cover the loss of data or cyber crime. This is where cyber-insurance comes into play. Know your industry exposure, from a punitive perspective. Think about business interruption. Next week will be dedicated to Cyber Insurance.
Now that you are one of the top 1%, get back to that beer and enjoy Oktober secure in the knowledge that you!
Brian Desrosier has been serving the Greenwich community for over thirty years as the owner of local technology powerhouse, Lighthouse Technology Partners.
There is so much happening in the Cyber Security front. It affects you. You can learn from it. As a bonus, you can rant along with me. Hardly anyone takes the time to read insurance policy fine print. Likewise, few business people really want to deal with cyber security. Dig in and understand it.
According to Microsoft, in companies with less than 250 employees, 75% use the same two to four passwords on nearly everything. In fact, 87% of senior managers have unwittingly leaked corporate data; 57% sent it to the wrong person. Top executives and administration officials alike use personal email accounts for official business. Do not be like them. (Go back and read the last two weeks’ columns to learn how to save yourself, if you can’t wait until next week: Would You Know if You Had Been Hacked? and An Ounce of Data Loss Prevention is Worth a Pound of Cure) Did you know, on average, over 200 days pass before organizations realize their data or network has been hacked? More than 300,000 new malicious files are created every day. Cut this article out. It’ll make great cocktail party conversation. Everyone loves to talk about how “scary it is!”
Does your organization have a “diligence in depth” plan to combat these vulnerabilities? Today, every company can afford to take advantage of fantastic protection tools. Pay attention and spend just a little.
What’s been happening lately?
According to FedEx, a June 27 “Petya” attack cost them $300,000. DLA Piper, one of the world’s largest law firms, was crippled for over three weeks this summer, and continues to reel in the devastation of lost revenue and client confidence. Princeton Hospital was forced to scrap and replace its entire computer network this summer. These were all ransomware or faux-ransomware attacks. Avoidable, all of it.
You are lucky if your breach is just about a ransom payment. Maybe your data is worth more.
Take Equifax. The Wall Street Journal reports, “Hackers roamed undetected in the Equifax computer network for more than four months.” Experts believe bad guys gained entry simply because DinosaurFax hadn’t patched their systems. Even a small company can do that, right? (See how I am giving you hints along the way?) On Tuesday, CEO Richard Smith resigned as I predicted. Last week, the SEC announced hackers penetrated their systems, and may have even traded, undetected, for over a year!
This of course came from the institution that allowed big traders pre-knowledge of market disclosures – ahead of the rest of us. I think it is better they get hacked and embarrassed than be allowed to operate with total impunity. Gosh, they don’t even have to disclose their breaches like the rest of you. Sorry to rant. SEC Chairman, Jay Clayton, cannot discuss the details due to, “an ongoing enforcement probe.” Sounds very official. Accounting firm Deloitte just reported a hacker accessed “very few” client records, and there was “no disruption of client business.” Sounds like a huge cover-up to me. The “Krebs on Security” website quoted a Deloitte insider who indicated the hacker, through their email system, accessed all of their internal systems and all administrative accounts.
This week, the Commodity Futures Trading Commission advocated significantly reduced fines for companies who report breaches. The idea being, breached companies would be more likely to come forward if they didn’t face such huge punitive penalties. But that won’t work because most breaches occur because of gross negligence, and nobody wants to admit to their customers, shareholders, and the world at large that they are inept executives. Especially not a “master of the universe.” Just ask Richard Smith, though he is certain to be paid handsomely for his fine work not paying attention and obscuring the truth. You see, protecting against most threats is not “high cyber science,” just common sense and fundamental management. This is what explains the lies we read each week. I guess it is easier to lie than do your job.
Bet you didn’t know that the SEC applies its cyber security rules in mysterious ways. Jay Clayton, now a beacon on this subject, says recent cyber security lapses have “highlighted the importance of cyber security…to market participants.” Why, then, don’t Congress and the Commission work toward changing application of and adherence to Reg SCI? Reg SCI is a requirement that, if it applies, requires complete, deep procedures to ensure robust and resilient technological trading systems and controls are in place. This is a rather vague regulation and is applied to exchanges and certain trading venues. Not all. It doesn’t apply to Morgan Stanley, Charles Schwab, E-Trade, Scottrade, or Citadel, who handles over one-third of all trades executed in the United States. Nor does the SEC publish a list of who needs to comply. This sort of reminds me of “double secret probation” in the movie, “Animal House.” I guess it really matters, but we don’t need to know who is cyber secure or not?
To wrap all this directionlessness (new word just invented) up, according to a recent Wall Street Journal headline, “In Today’s Cyber War, Everyone Is a Target.” The FBI agrees, threats against small business are growing at an escalating rate (over 35% annually). So, if these large outfits, with all sorts of resources can’t keep out the bad guys, should smaller outfits even try?
Yes, and yes, bad things will happen to your company if you don’t. The reason small companies are a target is they pay even less attention to security than your higher paid brethren. Bad actors can gain access to your best customers (who are much bigger than you) through you. Sound like a good deal? It is much worse than you think. In spite of all you read, most cybercrime is not reported. Again, business executives don’t like advertising they are unconscientious. You might even say unconscious. I think it was Dan Quayle who said, “What a waste it is to lose one’s mind. Or not to have a mind is being very wasteful. How true that is.”
Sorry, we used up too much space ranting today. Next week we will discuss what you can do, without breaking the bank, to protect your business and critical customer relationships. In half the space! In the meantime, do worry about it, and what you will do if a weather disaster strikes our area again.
Brian Desrosier has been serving the Greenwich community for over thirty years as the owner of Lighthouse Technology Partners.