How to align your agency with the cyber EO and NIST framework
June 18, 2021 10:07 am
5 min read
This content is provided by Veeam.
President Joe Biden’s recent cybersecurity executive order (EO) was met with a great deal of anticipation and acclaim from both the public and private sectors. While the EO only directly applies to government agencies and their suppliers, it is likely to become a guiding factor across industry at large. In fact, many vendors who work with the federal government are already following many of these practices, both because their capabilities can help agencies reach their goals and for the sake of good cyber hygiene itself.
“At Veeam, long before the EO, we’ve had a very focused effort on supply chain security, using trusted third party vendors to establish provenance over the integrity of our products (such as Veeam Backup & Replication) and code that we’re developing and delivering to government customers,” said Gil Vega, Chief Information Security Officer at Veeam Software Solutions. “Customers want to know that the solutions they are using meet the intent of the EO so the actions we have already taken ensure this. It delivers confidence and is important to getting our US government missions completed.”
But Veeam’s alignment with the new EO doesn’t stop there. Veeam is the leader in backup, recovery and data management solutions that deliver Modern Data Protection. Providing a single platform for cloud, virtual, SaaS, Kubernetes and physical environments, Veeam intimately understands the need to safeguard data in a cyber threat landscape where the wise always assume a state of perpetual compromise. That’s why it embraces the zero trust architecture outlined in the EO. And Veeam also sits on the board of the IT Information Sharing and Analysis Center, helping to share threat information among the IT sector.
In addition to the provisions of the cyber EO, Veeam has also adopted the tenets of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Again, it is a natural fit with Veeam’s focus on data management, backup and recovery.
“It really organizes the way companies and government agencies think about protecting their entities,” Vega said. “It’s an opportunity to have a shared lexicon and to be able to carry the conversation from the tech world into the boardroom. You don’t need to be a technology expert to understand how the NIST Cybersecurity Framework works and how it’s protecting your government agency or company.”
That shared lexicon also makes it easier for Veeam to outline to government customers how it can contribute to the protection of government agencies, particularly through its new Veeam Government Solutions (VGS) independent subsidiary. The NIST framework organizes cybersecurity into five core Functions that operate as a continuous cycle: Identify, Protect, Detect, Respond and Recover. And while VGS touches on all five Functions, its key strengths as a backup and recovery solution lie in Protect and Recover.
“Data protection is what we do best. We’ve done it really, really well for a long time – supporting more than 400,000 customers across the globe – including some capabilities that are unique in the market around verifying that backups are usable when you take them,” said Jeff Reichard, senior director for enterprise strategy at Veeam. “Not just hoping for the best, but actually being able to non-disruptively test them. One of the powerful capabilities of Veeam’s platform is a reporting product called Veeam ONE that doesn’t just report on Veeam operations, but on the overall health of your environment. That especially applies to malware.”
Veeam ONE can learn the normal disk write patterns of a protected machine and alert an administrator when write activity deviates from that baseline, the kind of sustained spike that malware encrypting or corrupting data in bulk produces.
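To make the idea concrete, here is a small baseline-and-deviate detector for disk write volume. It is an added example written for this page, not Veeam ONE’s own algorithm or code, and the hourly megabyte counts, window size and thresholds are constructed assumptions. It learns a baseline from the first window of samples, flags a sample that exceeds both a z-score threshold and a minimum multiple of the mean, and deliberately keeps flagged samples out of the baseline so an ongoing burst cannot teach the detector that the burst is normal.

```python
"""Baseline-and-deviate detector for disk write volume (added example, not Veeam ONE code)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional


@dataclass(frozen=True)
class Alert:
    index: int            # position of the sample in the input series
    mb_written: float     # observed write volume for that interval
    baseline_mean: float  # mean of the baseline window at alert time
    threshold: float      # value the sample had to exceed to be flagged


class WriteRateBaseline:
    """Learn 'normal' write volume, then flag samples far above it.

    Two guards keep the detector sane:
    * min_ratio: a sample must also be at least min_ratio x the baseline mean,
      so a nearly flat baseline (tiny stdev) does not alert on trivial jitter.
    * flagged samples are NOT folded into the baseline, so a running
      encryption burst cannot shift 'normal' upward while it is happening.
    Assumption: the host is clean while the first `window` samples are learned.
    """

    def __init__(self, window: int = 24, z_threshold: float = 3.0, min_ratio: float = 2.0):
        self.window = window
        self.z_threshold = z_threshold
        self.min_ratio = min_ratio
        self._samples: deque = deque(maxlen=window)

    def learned(self) -> bool:
        return len(self._samples) >= self.window

    def threshold(self) -> float:
        mu = mean(self._samples)
        return max(mu + self.z_threshold * pstdev(self._samples), self.min_ratio * mu)

    def observe(self, index: int, mb_written: float) -> Optional[Alert]:
        """Score one sample; return an Alert if it is anomalous, else None."""
        if not self.learned():
            self._samples.append(mb_written)  # learning phase, accepted as normal
            return None
        thr = self.threshold()
        if mb_written > thr:
            return Alert(index, mb_written, mean(self._samples), thr)
        self._samples.append(mb_written)  # normal sample: slide the baseline forward
        return None


def run_detector(series: list, **kw) -> list:
    """Run the detector over a whole series and return the alerts raised."""
    det = WriteRateBaseline(**kw)
    alerts = []
    for i, mb in enumerate(series):
        alert = det.observe(i, mb)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: hourly MB written by a file server. 24 quiet hours,
# one normal hour, then a burst resembling bulk encryption, then quiet again.
SAMPLE_MB_PER_HOUR = [
    50, 60, 45, 70, 55, 65, 48, 72, 58, 62, 50, 66,
    54, 68, 47, 73, 59, 61, 52, 64, 56, 69, 49, 71,
    75, 900, 1400, 1200, 58,
]

if __name__ == "__main__":
    for a in run_detector(SAMPLE_MB_PER_HOUR):
        print(f"sample {a.index}: {a.mb_written:.0f} MB/h exceeds threshold "
              f"{a.threshold:.0f} (baseline mean {a.baseline_mean:.0f})")
```

The caveat a practitioner should carry away is the learning phase: a baseline learned while an attack is already under way is poisoned, so any such detector needs its baseline taken from a known-clean period and its alerts correlated with other signals (backup job size growth, file rename rates, endpoint telemetry) before anyone acts on them.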
For the recovery part of the framework, Veeam was the first product on the market that allowed the recovery of production workloads directly from the backup.
“In other words, you can start running a virtual machine directly from backup while you restore on the back end, which is what we call instant recovery,” Reichard said. “We did that first for vSphere. And we’ve extended that to other platforms, as well as to things like network attached storage or databases. You can do exactly the same thing for database workloads with SQL and Oracle or from NAS workloads as of version 11 of Veeam Backup & Replication, Veeam’s flagship data protection product.”
And as the NIST framework has evolved over the years, Veeam has evolved along with it. When it first came out, most organizations were heavily focused on the Identify aspect: learning and understanding every asset in the environment. Then the focus shifted to protect, and the moats were dug deeper and the walls built higher. But recently, especially with the changes sparked by COVID-19, the advent of zero trust, and the recent malware epidemic, that focus has shifted more toward the Detect, Respond and Recover domains.
“Your security posture is not going to be just having a backup tool, even a really good one,” Reichard said. “It’s going to involve anti-malware, it’s going to involve firewall, and it’s going to involve advanced detection, utilities that you run either on your network directly or from the cloud. So there’s always going to be this notion of defense in depth and a layered toolset that you’re going to use. But the thing about Veeam is that we offer a broad solution in that space, because we don’t just respond in the Protect and Recover areas; we do a lot more.”