In late 2016, I wrote a post, Falling in love with the IRS. In that post, I provided a bit of an outline on how an Isolated Recovery Site works. In this post, I want to instead ask 3 simple questions to help you understand why you might need an IRS (or “airgapped”) environment for your business.
The Observations
Before I ask the three questions, I want to make two observations:
- Isolated Recovery Sites are not a security function.
- The decision to use an IRS is not driven by IT.
Let’s examine those two observations.
Isolated Recovery Sites are not a security function.
Sometimes when I say this, people think I’m being controversial. That’s not my intent – but what I do want to get people to understand is that security considerations, and the security aspects of an IRS, are a subset of the purpose of an IRS. Security is a big and complex activity, but if we simplify it down to stopping malicious activity from happening or, if it does happen, detecting and repelling it, a lot of people would agree that’s a fair assessment of security within an organisation, be it physical or electronic.
That does not describe IRS. It describes functions of an IRS, but it does not describe IRS. IRS is about “how do we survive something catastrophic?”
Security teams will obviously and importantly contribute to the overall scope of an IRS, but let’s be sure to understand IRS is not a security function. I’ll get to whose function it is in the next point.
The decision to use an IRS is not driven by IT.
In a similar vein to how an IRS includes security functionality but is not a security function in and of itself, IRS may involve IT equipment and personnel, but it is not something that can or should be driven by IT. What this means is simple: if your business has decided it doesn’t need an IRS because IT has said so, it has not fully considered the implications that an airgapped protection layer is meant to provide.
The decision to use an IRS is driven by, owned by, and governed by your corporate risk officers. The responsibility for IRS sits with them, even if implementation and maintenance is a multi-disciplinary function. (Which, it will be.)
The Questions
Actually, before I get to the questions, I also want to address a common fallacy, viz.: “I have tape, that’s airgapped”.
Yes, technically, tape is airgapped. But remember, the airgap is the protection side of things – we also have the recovery side of things to consider. More specifically, we have the disaster recovery or business continuity side of things to consider. The last time tape was substantially used for that scale of recovery was probably in the 90s, before other technology became available.
Unless your current disaster recovery plans use tape, and that’s been tested and verifiably demonstrated (and approved!) to be acceptable, then likewise, tape isn’t an airgap solution, either. The industry is replete with examples of businesses that have had to resort to their “airgapped” tape copies in the event of major disasters, and those recoveries have taken weeks or even months to complete, and that’s with people working around the clock. (And to make matters worse, there’s usually still some data loss.)
Now, onto the three questions I want to ask you. They’re all very simple questions, but they strike to the absolute heart of what an IRS is about. Let’s run through them.
What does your business do?
If I’m visiting you for my first meeting with you, I’ll have done some research first to find out what your business does (if I didn’t already know). But I don’t care what I think your business does; this is about what you know your business does. This doesn’t have to be long-winded – ideally, it shouldn’t be very long at all. I used to suggest “if your backup environment can’t be drawn on the back of a napkin, it’s overly engineered”. Now, over time the napkin may have grown a little, but it’s a similar thing here: I’m practically talking about your elevator pitch of what the business does. It really should be something that can be said in 2 minutes or less.
Hopefully, everyone who works for your business can answer that. But answering that lets you focus on the importance and implications of the next two questions. (Ideally, the person you want to hear answer that question is a C-Level executive or a senior level risk officer – but you might start elsewhere if you’re building a case.)
What happens if your business can’t do that for 24 hours?
This usually won’t be a simple case of saying “we won’t do what we normally do”. You need to consider the logical and likely flow-on effects if you can’t do what it is your business normally does. This is the start of understanding why IRS is actually a function of your risk team. What we’re really asking is what is the risk to the business if you can’t operate for 24 hours?
In ‘Massive ransomware attack’ hits companies, hospitals, schools worldwide (Costas Pitas and Alistair Smout for Sydney Morning Herald, 13 May 2017):
The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.
That’s the sort of “flow on” effect that must be considered when you approach the question, what happens if your business can’t do that for 24 hours?
You can’t, of course, think of absolutely everything that could happen if your business was non-operable for 24 hours, but in reality you do have to think of likely first-order and second-order impacts. This isn’t something someone in IT can answer. That’s not disparaging IT, of course, but this is a business question. Remember too, this isn’t going to be a set of simple answers. You have to also consider things such as the impact of your business to society and the economy. If your business can’t operate for 24 hours, are there likely to be reporters in front of head office? Are there likely to be politicians raising it in your parliament, or doing door-stops?
This perhaps helps to explain why it’s a risk question – what’s the risk to the business, economically, socially, politically, etc., from this kind of failure?
What happens if your business can’t do that for 24 days?
Unsurprisingly, this is often treated like one of those hypothetically unpleasant questions, such as the trolley problem. In this thought exercise you can’t dodge the question, you have to answer it.
In the first 24 hours, you had to consider first and second order extrapolations of what might happen, but in 24 days, you have to consider further extrapolations. A hospital that’s down for 24 hours may have to turn patients away. It may be fully logically justifiable though to say that if a hospital is down for 24 days, there’ll be deaths as a result of it. An energy company that’s down for 24 days? Maybe the same, if it affects people who are on life-support at home.
The logical consequence doesn’t always have to be death, of course, but at 24 days you well and truly have to start thinking beyond the borders of your business itself. Maybe customers might go bankrupt. Maybe there’ll be a government inquiry. Maybe there’ll be riots.
Maybe your business can easily deal with systems being down for 24 hours. 24 days? Not many businesses can survive, and those that do will wear the consequences of that outage for a long time to come in the marketplace. Again, that’s why it’s a risk question, why it’s a business question.
I’m not trying to scare you
You might think the purpose of this article is to scare you, but that’s not my intent. Instead, my intent is simple: to help you understand why, if you’re, say, a backup administrator, it’s not your job to think about IRS alone. Your IRS or airgap discussions aren’t the role of the backup team, the security team, or the IT team as a whole. It’s a risk discussion.
If your business is prepared to ask – and answer! – those three questions frankly, you’ll have a very good understanding of whether you need an airgapped/IRS extension to your environment.
Update on the Usage Survey: I apologise, I had fully intended to post the Usage Survey report in February. Time got away from me – I’ve had some things going on which have occupied a lot of my non-work hours, either literally, or just needing to reclaim head-space. I’m hoping to publish the survey report before the end of March, however. (That will also include me contacting the winner.)