Data Protection in 2020: Reflections

Or, the world is burning but data protection goes on.

Did someone get the license plate of the year that just hit me?

Well, 2020 is drawing to a close, and it’s seemed like a very long year. It started with flaming destruction and hellish landscapes and kind of went downhill from there.

That may have been because March felt like it was at least 16 years long in itself. For many people, it’s been a particularly tough year. Many companies have buckled due to the economic stresses caused by the pandemic.

As I write this, the conservative estimate is more than 76,000,000 cases, with almost 1,700,000 dead. New Zealand has thus far weathered the storm exceptionally well, and while Australia’s ride has been at times bumpy, it’s not been as bad as others. Countries such as the United States, bereft of tangible, competent and compassionate leadership at the federal level have suffered immensely, so even as the vaccines start to roll out, those numbers will continue to rise for a while longer yet.

If you believe there’s any truth to six degrees of separation, then with the numbers above I’d wager most of us know of at least one person or family adversely affected by such a heinous year.

My husband and I count ourselves fortunate. We’ve had our personal grief to deal with, but we’ve both been able to keep our jobs and work from home. (In fact, with the stringent Victorian lockdowns introduced to stem a second wave earlier in the year, I stepped out the front door of my house but twice from the end of June through to mid-November.)

While people who lost their jobs and lost loved ones found it all the more stressful, almost everyone I know who kept their jobs (myself included) noted that this has been pretty much the most stressful year of our careers. In short: few people will come out of 2020 feeling unscathed in some way or another. On more than one occasion from mid-November onwards, I noted that I felt I was white-knuckling it to the end of the year.

Yet throughout this, the world continued to turn, and the world of data protection continued to evolve. So at this point, it seems a good time to reflect back on the year of Data Protection and consider some of the things that have happened.

Spoiler Alert

Understanding that anticipatory stress can be a real thing, I’ll start with the biggest event of 2020 in data protection.

Book cover for "Data Protection: Ensuring Data Availability", 2nd Edition

Yes, that’s right, without a doubt the biggest event of 2020 in Data Protection was the release of the second edition of Data Protection: Ensuring Data Availability, written by – well, me. If you haven’t got your copy yet, you can check out the publisher’s store here.

Like in the first edition, I state fairly early in the book that backup is dead. Not literally dead, of course, but dead as a standalone activity. Backup by itself isn’t enough any more. In fact, no data protection technique by itself is enough any more, if it in fact ever was in the first place. (This finally seems to be catching on; I noticed a blog post elsewhere recently that riffed on the same theme…)

While we’re talking about backup, it’s worthwhile revisiting the old rule that lots of people seem to have forgotten lately:

It’s only a backup if it’s been configured in the Bâckup region in France. If it’s been done elsewhere, it’s just a Sparkling Copy.

Rules of Bâckup

But I do want to talk more than just backup and recovery in this post. In fact, I’m going to step outside of my comfort zone briefly and talk about data protection in all three forms as it exists under the overloaded umbrella term: security, privacy, and data storage.

Data Protection as Security

No, That Politician’s Twitter Account Was Not Hacked

I’ll start with something I’ve found particularly irksome. It’s not been unique to 2020, but as politicians increasingly use social media, 2020 has seen far more incidents than previous years.

I’m not even going to name names, because I don’t have to – this sort of thing happens all around the world.

No, that politician who liked some salacious photo or video on Twitter did not get hacked. There is no secret hacking cabal that targets politicians, penetrating their Twitter accounts to like a single pornographic image or video and do nothing else. Someone operating the account liked something by mistake and no-one wants to fess up to it. But the prudes must be appeased, and so the denials keep sallying forth.

(If you believe explanations to the contrary, I have a bridge I’d like to sell you.)

Ransomwearing Business Thin

Stepping away from political figures who like odd things on Twitter late during their evenings, ransomware has continued to proliferate at an increasing pace. Rather than re-hash some of the bigger ransomware attacks of the year, I’d like to point out three key developments I’ve observed over the last 12 months:

  • Ransomware attackers briefly showed a quantum of honour by stating as the pandemic kicked into full gear that they’d leave medical companies alone. However, the lure of profits eventually became too much and of late we’ve seen more than enough evidence to suggest this “humanitarian” approach has been abandoned.
  • Cold-call threats – There have been instances recently where cyber-attackers have cold-called victims if their software has detected evidence of restores being performed. This takes ransomware to a new and far more sinister level. That doesn’t mean you should give up on recovering in a ransomware attack, though! If anything, it highlights the importance of having a rock-solid recovery process.
  • Authorities warning about paying ransoms – It had to happen; various regulatory bodies have noted that paying a ransom to a criminal organisation in fact funds criminal behaviour, which is a no-no in more than one jurisdiction. (I’d anticipate as we roll into 2021 and this particular topic heats up, a lot of cyber-insurance policies will start dropping insurance for ransomware attacks. Either that, or they’ll continue to take the premiums but decline to pay-out.)

If you’re worried about ransomware and cyber attacks, you should keep in mind that Dell EMC’s Cyber Recovery vaulting solution is the first such solution to be endorsed by the US Sheltered Harbor program.

Trusting Trust

The real gorilla in the room for security this year, though, has been the revelation of systemic supply-chain attacks affecting a number of countries.

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret.

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

“How the CIA used Crypto AG encryption devices to spy on countries for decades”, Greg Miller, Washington Post, February 11, 2020.

In 2018, Bloomberg ran a story (that they’ve still not walked back from) about secret chips installed in systems during manufacture, an audacious supply-chain hack that left companies all around the world exposed. Except, under every possible form of examination, the story seemed to be an elaborate shadow reality of what-ifs and it-could-bes that had nothing to do with the actual systems being shipped.

Supply-chain attacks are chilling – the idea that a supplier or vendor might be compromised, and through that compromise, hundreds, thousands or more businesses and customers who make use of those products might also be compromised.

If 2018 was the year of fake supply-chain attack stories, 2020 was the year of true supply-chain attack stories. It started in February with the Washington Post’s exposé of how the CIA and BND had run a trusted crypto device company for decades, and as a result read with impunity ‘secure’ messages from a number of countries around the world.

Oh, but when I started talking about supply-chain attacks you were probably thinking of the one that happened at the end of the year, right?

FireEye, normally the first company that cyberattack victims will call, has now admitted it too has fallen victim to hackers, which the company called a “sophisticated threat actor” that was likely backed by a nation-state.

“Cybersecurity firm FireEye says it was hacked by a nation-state”, Zack Whittaker, TechCrunch, December 9, 2020.

However, within a few days, it seemed the FireEye attack was just the tip of the iceberg. It turned out SolarWinds had been compromised – and with SolarWinds software used by tens of thousands of companies around the world (including dozens of US government agencies), this was a true supply chain hack.

Russian hackers are being accused of carrying out the biggest cyber-raid against the US for more than five years, targeting federal government networks in a sophisticated attack, according to American officials and sources.

“Suspected Russian hackers spied on US federal agencies”, Luke Harding and Dan Sabbagh, The Guardian, December 14, 2020.

The hack began as early as March, when malicious code was sneaked into updates to popular software called Orion, made by the company SolarWinds, which monitors the computer networks of businesses and governments for outages.

“What you need to know about the biggest hack of the US government in years”, Kari Paul, The Guardian, December 16, 2020.
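The attack in that quote worked by tampering with the vendor’s own update before it reached customers. As an added example that is not part of the original post (and not SolarWinds’ or any vendor’s code), the following Go program shows the check a customer-side updater should perform before installing anything: verify a vendor-signed manifest against a pinned public key, then verify every file’s hash against the manifest. The manifest format, the Ed25519 key pair and the release contents are all constructed for the example. The last case in main is the caveat the “Trusting Trust” heading is about: when the build pipeline itself is compromised, as it was at SolarWinds, the tampered build leaves the vendor signed with the vendor’s legitimate key, and this check passes. That is why supply-chain defence cannot stop at signature verification.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Manifest is what the vendor ships beside a release: the SHA-256 of every
// file plus an Ed25519 signature over the canonical form of that list.
type Manifest struct {
	Files     map[string]string // path -> hex-encoded SHA-256
	Signature []byte
}

// canonical serialises the file list deterministically (sorted by path) so
// signer and verifier hash exactly the same bytes.
func canonical(files map[string]string) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	for _, p := range paths {
		fmt.Fprintf(&buf, "%s %s\n", p, files[p])
	}
	return buf.Bytes()
}

// BuildManifest is the vendor side: hash every file, sign the list.
func BuildManifest(release map[string][]byte, priv ed25519.PrivateKey) Manifest {
	files := make(map[string]string, len(release))
	for p, data := range release {
		sum := sha256.Sum256(data)
		files[p] = hex.EncodeToString(sum[:])
	}
	return Manifest{Files: files, Signature: ed25519.Sign(priv, canonical(files))}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrUnlisted     = errors.New("release contains a file the manifest does not list")
	ErrMissing      = errors.New("manifest lists a file the release does not contain")
	ErrHashMismatch = errors.New("file content does not match the manifest hash")
)

// VerifyRelease is the customer side: check the signature with the pinned
// vendor public key, then require exactly the listed files with exactly the
// listed hashes. Any deviation rejects the update before it is installed.
func VerifyRelease(release map[string][]byte, m Manifest, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, canonical(m.Files), m.Signature) {
		return ErrBadSignature
	}
	for p := range release {
		if _, listed := m.Files[p]; !listed {
			return fmt.Errorf("%w: %s", ErrUnlisted, p)
		}
	}
	for p, want := range m.Files {
		data, present := release[p]
		if !present {
			return fmt.Errorf("%w: %s", ErrMissing, p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s", ErrHashMismatch, p)
		}
	}
	return nil
}

func main() {
	// Constructed vendor key pair and release (nil reader means crypto/rand).
	pub, priv, _ := ed25519.GenerateKey(nil)
	release := map[string][]byte{
		"bin/monitor":     []byte("legitimate monitoring binary"),
		"lib/core.plugin": []byte("legitimate plugin"),
	}
	m := BuildManifest(release, priv)
	fmt.Println("clean release:", VerifyRelease(release, m, pub))
	// A file swapped after signing is caught by the hash check.
	tampered := map[string][]byte{
		"bin/monitor":     release["bin/monitor"],
		"lib/core.plugin": []byte("legitimate plugin + backdoor"),
	}
	fmt.Println("tampered file:", VerifyRelease(tampered, m, pub))
	// An attacker inside the build pipeline signs the tampered release with
	// the vendor's own key: this check passes. That is the trusting-trust gap.
	fmt.Println("tampered but vendor-signed:", VerifyRelease(tampered, BuildManifest(tampered, priv), pub))
}
```

Running it prints a nil error for the clean release, a hash-mismatch error naming the swapped file, and nil again for the tampered build that was signed with the vendor’s key. The pinned public key and the hash check protect against tampering in transit and on the download server; only controls on the vendor’s build and signing process protect against the third case.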

The compromise of SolarWinds software, distributed to a large number of its clients, meant that a plethora of other companies have advised they were affected. Perhaps the biggest name thus far has been Microsoft, though it’s certainly not the only one. Microsoft certainly responded to the hack with speed and power:

Through four steps over four days, Microsoft flexed the muscle of its legal team and its control of the Windows operating system to nearly obliterate the actions of some of the most sophisticated offensive hackers out there.

“Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”, Christopher Budd, GeekWire, December 16, 2020.

There is no doubt there was a strong level of sophistication in the orchestration and scope of the attacks carried out. However, these breaches served as a reminder that you’re only as strong as your weakest link:

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”.

“Hackers used SolarWinds’ dominance against it in sprawling spy campaign”, Raphael Satter, Christopher Bing and Joseph Menn, Reuters, December 16, 2020.

Hmmm.
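A password like that on an update server is exactly what a basic policy check should have refused before it was ever set. As an added example that is not from the original post, here is a Go check that goes beyond minimum length: it rejects entries from a common-password list (constructed and deliberately tiny here; a real control would use a breached-password corpus) and anything containing a context word such as the organisation or product name, including leet-spelled variants, which is what catches a “solarwinds123”-style password. The context words and sample passwords are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Constructed, tiny deny-list for illustration; a real control would check
// against a breached-password corpus of hundreds of millions of entries.
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "qwerty": true, "welcome": true,
	"admin": true, "letmein": true, "changeme": true,
}

// leet undoes the usual digit/symbol-for-letter substitutions so that
// "S0l4rW1nds" still matches the context word "solarwinds".
var leet = strings.NewReplacer(
	"0", "o", "1", "i", "3", "e", "4", "a", "5", "s", "7", "t",
	"@", "a", "$", "s", "!", "i",
)

// lettersOnly lower-cases the input, reverses leet substitutions and drops
// everything that is not a letter, leaving the "word" the user actually typed.
func lettersOnly(s string) string {
	var b strings.Builder
	for _, r := range leet.Replace(strings.ToLower(s)) {
		if unicode.IsLetter(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Weaknesses returns every reason to reject a candidate password. context
// holds the words an attacker tries first for this particular account: the
// organisation, product and host names, the username.
func Weaknesses(password string, context []string) []string {
	var reasons []string
	if len([]rune(password)) < 14 {
		reasons = append(reasons, "shorter than 14 characters")
	}
	lower := strings.ToLower(password)
	// "password2020!" is still "password": strip trailing digits and symbols.
	stem := strings.TrimRightFunc(lower, func(r rune) bool { return !unicode.IsLetter(r) })
	if commonPasswords[lower] || commonPasswords[stem] || commonPasswords[lettersOnly(lower)] {
		reasons = append(reasons, "common password, possibly with trailing digits or symbols")
	}
	letters := lettersOnly(password)
	for _, w := range context {
		if cw := lettersOnly(w); len(cw) >= 4 && strings.Contains(letters, cw) {
			reasons = append(reasons, "contains context word "+strconv.Quote(w))
		}
	}
	return reasons
}

// Accept is the yes/no form a provisioning script or onboarding hook would call.
func Accept(password string, context []string) bool {
	return len(Weaknesses(password, context)) == 0
}

func main() {
	// Constructed context for an update server belonging to a product called Orion.
	ctx := []string{"SolarWinds", "Orion", "updates"}
	for _, p := range []string{"solarwinds123", "S0l4rW1nds!2020!x", "Password2020!", "correct-horse-battery-staple-42"} {
		fmt.Printf("%-32s accept=%-5t %v\n", p, Accept(p, ctx), Weaknesses(p, ctx))
	}
}
```

The point of the context list is that “strong” is relative to what the attacker will guess first: a 17-character password built on the company name fails here even though it passes a length-and-complexity rule.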

It’s perhaps reassuring to know that it’s not just the backup and recovery industry that keeps revisiting the same arguments time and time and time and time and time and time and [you get the picture] again. For security specialists, it’s “use a strong password” – for me, it’s this:

RAID isn't Backup
Even in 2020, RAID isn’t backup

The more things change, the more they stay the same

There are some key security lessons to draw from this year in data protection:

  • Ransomware is getting worse.
  • Supply-chain attacks are out there.
  • Lax approaches to security can happen anywhere.
  • It’s important to remember the story of trusting trust.
  • That politician’s Twitter account wasn’t hacked when it liked something salacious.

Data Protection as Privacy

Juggling Privacy in a Pandemic

In terms of privacy, 2020 has been a challenging year for data protection. As governments around the world rushed to introduce COVID tracking and tracing applications and processes, privacy considerations were often given short shrift.

Now, I’m going to admit this is a fine line to tread. I’ve been a strong proponent of the view that in a pandemic, some things we’d prefer to take for granted may have to be relaxed. But there’s a difference between privacy considerations being relaxed and privacy considerations simply not getting the attention they should.

Privacy is something that gets too little attention in software design. You might have even hoped that by 2020 there could have been a Privacy First approach to software architecture so ingrained in the behaviour of developers that this would not have been such an issue.

But, here we are.

Even when Apple and Google released updates to the smartphone operating systems to allow better and more secure contact tracing, not all governments would listen. Including, of course, the Australian government, which has for years employed a thuggish approach to privacy for anyone other than elected members of parliament.

Governments and Facebook Never Met A Data They Didn’t Want Access To

Privacy continues to be attacked by a number of governments and institutions around the world, and 2020 has been no different. The Australian Government has continued its multi-pronged attack, and Facebook again continues to be a privacy cesspit. Still, proving some Australian agencies might stir in the right direction on privacy, the Australian Competition and Consumer Commission (ACCC) has started court proceedings against Facebook over its “Onavo” VPN software which seemed to exist only to provide Facebook unfettered access to personal information from users. In fact, as you’d expect, Facebook attracted ire all year over privacy and other issues.

In my opinion, even as someone who is relatively open in terms of what I say online, I’d suggest that privacy is an ongoing dumpster fire that will continue to get worse before it gets better. If it gets better.

Accessing emails, mobile phone calls, and, most recently, social media appears to offer a richer source of information about private intercourse. As earlier chapters have argued, all those committing their thoughts and feelings to communication technologies have run a more or less conscious risk of the messages falling into the wrong hands.

“Privacy: A Short History”, David Vincent, Polity Books, 2016, ISBN 978-0-7456-7113-0.

Indeed, I’d suggest that the only person who is going to be truly invested in your right to privacy is yourself, and you’d do well to remember that when you vote. It’s a little like climate change: you can continue to exercise a short-term myopic approach to electing officials who promise it’s not a problem, or you can play a longer perspective in the hopes that things can be fixed.

Data Protection in Storage

I’ve been doing this for a while now

As you might imagine, this is the big swathe of data protection for me. 2020 marked my 20th year as a data protection specialist, though even as a system administrator I’d focused on data protection for four years prior. (Yes, that means next year will be a quarter century of me working with NetWorker.)

The Power to Protect

PowerProtect Data Manager has come along in leaps and bounds in 2020. Data Manager 19.3 came out just at the end of 2019, and in 2020 we’ve seen 19.4, 19.5 and most recently, 19.6 released.

Data Manager now provides protection for a swathe of workloads including VMware, SQL, Oracle, Kubernetes, SAP HANA, etc., and can be run on-premises as well as within Azure and AWS.

If you’re wanting to see some of how Data Manager installs and works, you can check out my latest videos here.

Everyone Gets an Update

It wasn’t just PowerProtect Data Manager that got updates in 2020 though. NetWorker and Avamar had their 19.3 and 19.4 releases as well. Over the course of the two releases, Avamar got additional functionality, with just a few standouts including:

  • Enhanced scalability for NDMP backups
  • FLR support for dynamic disks in Windows Virtual Machines
  • FIPS mode
  • A completed Avamar HTML5 UI (AUI)
  • vSphere 7 support

NetWorker’s updates were equally impressive, with some including:

  • Global indexing support for GPFS filesystems – used to great effect by allowing a full backup of an Isilon with 836TB in one hour.
  • Support for vSphere 7
  • Support for 300 concurrent VMware image-based backups
  • A NetWorker HTML5 UI (NWUI) progressing in leaps and bounds
  • Enhanced GDPR compliance
  • Block-based backup support for XFS filesystems
  • Volume move functionality

In short, regardless of which direction you go with Dell Technologies data protection products, you’ve had a pile of updates with enhanced functionality.

But it’s not always about feature checkboxes. The advanced REST API and flexibility within the products allow for all sorts of extensions. Ugo Bellavance developed an automated VMware image-based recovery test script using the REST API. (Even late last year I showed how you could protect S3 buckets using both NetWorker and Avamar.)

Cloudy with Deduplication

Data Domain Virtual Edition became supersized. Running in the public cloud and using object storage for the deduplication pool, DDVE now scales to 256TB in each of AWS, Azure and GCP. Even at a modest 20:1 deduplication ratio, that’s over 5PB of logical storage in a comparatively tiny footprint, costing less than complex and expensive competitive solutions that deliver a Frankenstein’s monster that pretends to do deduplication in cold archive storage.

All up, it’s been a great year for data storage protection, and as a bit of a teaser I’ll say this: I’ve seen chunks of the roadmap for 2021, and it’s just going to keep getting better.

Reading and Listening

It wouldn’t be an end to a year if I didn’t mention some of the things I’d been listening to and reading this year. Technically this isn’t data protection, but you might find a gem or two here.

Music for my Eyes

I’ve been reading a lot this year, and often I found myself turning to science-fiction and fantasy. They’re my favourite genres to be sure, but escaping reality this year hasn’t necessarily been a bad thing. (Unless, of course, you’re a delusional orange commander in chief.)

Some of the books/series I’ve read this year that I’d recommend include:

  • Peter Hamilton’s Salvation series: I love Peter Hamilton, and the final book in the series (“Saints of Salvation”) came out a few months ago. Definitely look up all three (Salvation, Salvation Lost, Saints of Salvation) if you’re after a cracker science-fiction trilogy.
  • On the Peter Hamilton front, I finally got around to reading Great North Road this year as well. If you’re sometimes averse to reading multi-book series, and instead would like to read a book that’s long enough to be a multi-book series, make sure to check out this brilliant long-read.
  • I picked up the 6-volume omnibus of J.J. Green’s Space Colony One and stormed through it over a month or so. It’s not on-par with anything from Peter Hamilton (few books are), but it’s good run-of-the-mill science-fiction.
  • I grumbled my way through Christopher Paolini’s To Sleep in a Sea of Stars. I think it had some really interesting concepts, but at times the story-telling was a bit twee, too. I think it works well as teenager fiction, but as an adult, I found it a little lacking at times. That said, it was OK.
  • I was lucky enough to discover that Apple Books now carried The Tin-Pot Foreign General and the Old Iron Woman, by Raymond Briggs. I remember reading this as a kid and finding it hilarious. But while it’s got the appearance of a kid’s book, and can work for kids, for adults, it’s a far more serious (brief) comic book. The illustrations are glorious, and the message both sombre and still appropriate today.
  • I’ve been also making my way through the Rivers of London series by Ben Aaronovitch. I still have a few books to go on this as I’ve been taking a break while reading some other bits and pieces, but if you want something that mixes magic and police procedural (who’d have thought?), this is the one for you.
  • And finally, I’ve been also making my way through The Three-Body Problem by Liu Cixin. Being a translation it has at times a different cadence than I’m expecting in a science-fiction story, but it’s at times quite unique and usually pretty gripping. I’m about two-thirds of the way through the second of three books, and I’m looking forward to seeing where the series goes.

Music for my Ears

At home, going nowhere for most of the year has certainly been one way to listen to a lot of music, and Apple Music seems to be getting to know me more with each passing day, so I’ve discovered a lot of artists this year I may not have otherwise sought out. I’ve also stumbled across some great artists through movie soundtracks.

  • A month or so ago I watched the movie Stage Mother, starring Jacki Weaver. I’d recommend it in its own merit, but the musical discovery for me was the end-credits, where a song called “Queer Things” by Ruth Wallis played. I’d never heard of Wallis before, but it turns out she had a career reputation of singing risque (for the time) songs. I’ve subsequently listened to her “Boobs” album dozens of times.
  • It seems Apple Music has decided that I like modern folk music, and I’m not against the suggestion. It suggested Caamp to me at some point in the year and I’ve been enjoying them ever since. (For example, Vagabond.)
  • My musical styles often go in different directions, as evidenced by the discovery of Jonny McGovern and his often satirical gay-themed music, such as Sexy Nerd. (As a gay geek I admit I snorted the coffee I was drinking when I heard the line “I need a man to talk dirty to me in HTML code”.)
  • Barns Courtney did not disappoint. I’ve found Dopamine to be practically an anthem for me for 2020.
  • Zayde Wolf’s “Golden Age” album was recommended to me this year as well, and it hit the spot. Check out Hustler here.
  • And while I could keep naming songs for months, I’d finish with Ruelle’s Good Day for Dreaming, which may just presage a bit of hope going into 2021.

Wrapping Up

So that’s been 2020! It’s even been the sort of year that drove me to go back to CSS and PHP. (See here and here.)

It’s been a big year in data protection to be sure, but it’s also been a full-on year for just about everyone. So I’d leave you with one final thought, or wish: may any remaining surprises for you in 2020 be good ones.
