All flash storage pioneer Pure Storage is riding the wave of hybrid cloud adoption to success both locally and globally.

Founded in 2009, the company arrived in New Zealand seven years ago and is still led by its first local employee, Stuart Blythe.

While not willing to break out local employee numbers, Blythe said the team now covers sales, presales and the channel. But it is Pure's partners that do the heavy lifting in the market.

"Globally, the company is 100 per cent channel," Blythe said. "We dont sell directly to end users. Everywhere outside of the US is two-tier via distributors."

In New Zealand, that distributor is Westcon.

"We are trying not to saturate market with resellers," Blythe told Reseller News. "It's a value based sell, but the major suspects are infrastructure and data centre focused."

Many are also users of Pure's products as well, with MSPs and SaaS vendors being the company's biggest verticals.

Pure enjoyed strong differentiation as one of first vendors to come to market with all flash products.

In the beginning it focused on customer usages and workloads that could benefit from that because flash costs back then were way more expensive than they are now, Blythe explained.

Consumption of flash is now mainstream, he said. It is just defined as "performance" storage, the Tier 1 for application workloads.

"As that has shifted, the share and visibility and opportunities we have engaged with are much broader than seven years ago," he said.

That has been helped by what he said are unique capabilities in data reduction to use raw NAND flash very efficiently.

With flash now available at lower price points, the total addressable market has also expanded into Tier 2 as well.

"When we brought all flash to market, we did it in a different way," Blythe said. "The founders realised there was a shift."

Other players were retrofitting flash-based storage into disc-based operating systems, but Pure engineered its platform from scratch with advanced data reduction capabilities.

The end-product was 1.5- to two-times more efficient.

Because it was built from the ground up on flash we were able to reimagine the customer experience from an architecture and simplicity perspective," Blythe said.

Simplicity was critical, especially to support and orchestrate the transition from on premises to cloud.

The architecture also had to be non-disruptive to enable upgrades and other changes without down-time.

That architecture also supported a new "evergreen" storage business model that eliminated lift-and-shift upgrades and a price hike every few years.

Blythe said customers can buy an array with three years of support. The gold support option included a non-disruptive upgrade including new controllers in the existing hardware with no additional cost over the next three years.

"It's still capex plus support but once you've bought the asset, you never rebuy it," he explained. "You keep buying maintenance while also subscribing to hardware and software innovation."

As of July, more than 2700 customers globally had experienced non-disruptivestorageupgrades and the average number of upgrades grew 38 per cent year-over-year for the last five years, Pure said.

There was an interesting dynamic emerging in the market with the ascent of hybrid cloud, Blythe said.

Public cloud doesnt necessarily deliver performance, availability and a commercial outcome simply by virtue of a lift and shift. Customers still want very high availability and performance.

Infrastructure-as-a-service (IaaS), for instance, is mostly focused on on-premises style workloads. It is almost a traditional technology stack rather than cloud native.

"A lot of people say going on a cloud journey but need to understand what that means," Blythe said. "It is absolutely becoming a hybrid world."

Rapid recovery, however, is the topic du jour with ransomware attacks both professionalising and proliferating. The ability to get data back very quickly was an emerging flash storage use case.

"We have customers using flash for back up," Blythe said. "It's counter intuitive for speedy recovery."

In essence, flash has spread from tier 1 all the way down to tier 4.

To address the needs of software-as-a-service (SaaS) vendor customers, Pure built an "immutable" snapshot capability into its products. Even administrators cant get access to it.

Because ransomware infiltration typically happens weeks even months before a ransom demand is made, the ability to keep point-in-time snapshots and to allow rollback and recovery at high speed is being seen as very beneficial.

Winning customers has proved key to winning partners, Blythe said.

"We have a lot of the traditional partners with long standing vendor relationships that they are happy and comfortable with and dont want to disrupt," he said.

"But when you start winning a couple of customers off them, you start being taken notice of. They come based on the success they see we are having."

In that context, customer satisfaction is key and Pure puts great store on net promoter score (NPS). That also puts the company in Tier 1, with NPS sitting at around 83.5.

Local customers include TSB, Toyota Financial Services, Ballance Agri-Nutrients, BCS Group and Kensington Swann.

Last September, Pure bought Portworx a data storage and management specialist focused on the Kubernetes market.

That delivered another set of partners with capabilities, services and value that were not based around data centre infrastructure.

"They are very much focused around concept of data mobility cloud is not a destination," Blythe said. "Portworx will give that abstraction to make data mobile in the cloud."

The goal there was to give customers both an on-premise enterprise experience that was more cloud-like and to make some cloud based infrastructure operate more like enterprise storage.

Error: Please check your email address.

Tags storageflash storagePure Storagehybrid cloudCloud

Link:
Pure Storage rides the hybrid cloud wave to growth in NZ - Reseller News

No longer is it just a matter of time until an Upper Valley institution, business or town gets hit with a ransomware attack. Its already happened. Cybersecurity experts say it will keep happening, and anyone who depends on a computer network to run their business, school or town in other words, everyone should be prepared.

Yes, theyve happened. Can I talk about them? No. But they happen, said Ray Coffin, founder of All-Access Infotech, a Fairlee information technology consultant who builds and manages IT systems for small and medium businesses in the Upper Valley. Its at the forefront of every conversation were having.

Unless youve been living off the grid (and some do in the Upper Valley) and are blissfully unaware, barely a day passes when a business if not an entire industry is held hostage by a ransomware attack. Its a thriving extortion racket: One study estimates that a total of $406 million in ransom money was paid out to perps in 2020, up 337% from 2019.

The M.O. is familiar: A shadowy group many are said to emanate from inside countries like Russia, Iran and North Korea who are hostile to the U.S. seizes control of a targets computer networks and demands money be paid before supplying the key that unlocks the seized network.

Prominent recent ransomware examples include the attack on the Colonial Pipeline, which carries gas to the East Coast and was shut down until the operator paid $4.4 million. Another attack on JBS, which processes 20% of the countrys meat supply, led to a payment of $11 million to bring its plants back online.

When I thought about which businesses in the Upper Valley might be smart about mitigating against the risk of a ransomware attack, Hypertherm was the first to come to mind.

The Hanover-based, employee-owned company is a world-class manufacturer of plasma and waterjet cutting technology.

Hypertherm sells a hefty percentage of its products in the international market and relies upon a global supply chain for materials, thereby raising its risk profile because bad actors could have numerous entry points into its networks.

And, I learned, Hypertherm was an early ransomware victim.

Back in 2010, we were hit three times in less than a year, and it took down production for a half a day, said Robert Kay, IT chief at Hypertherm. We did not pay any ransom and were able to use our backups to restore operations, but it became clear this was a problem we had to address.

The ransomware attack, Kay said, kicked off an action plan that reviewed everything from the companys IT infrastructure to employee interactions with company systems that elevate risk. Kay declined to name specific measures, but one of the actions it has taken is to bring on a security expert with advanced training who has been qualified to join in FBI briefings on cybersecurity threats.

The in-house cyber specialist is also a certified ethical hacker that allows them to be trained in the latest hacking techniques and skills in order to penetrate the companys computer operations to discover vulnerabilities and fix them.

We get attacked often, Kay said. But so far, thanks to the seriousness in which Hypertherm has responded to the threat, we havent been impacted.

The company also carries ransomware insurance, he said.

In a scenario perhaps most relevant for the Upper Valley, the computer system of Leonardtown, a small town in rural Maryland, was shut down after it was exposed to a ransomware attack through the vendor that operated the towns IT system, which in turn relied on software of a targeted company.

Although the town itself was not directly attacked, the incident destroyed the data files the town used to meet its payroll and send out quarterly utility bills to its 3,000 residents.

Lebanon City Manager Shaun Mulholland said that kind of situation is one of the reasons he prioritized switching IT firms and beefing up the citys internal IT department shortly after he took over in Lebanon in 2018.

After an assessment of the citys IT infrastructure found significant weaknesses, they had to totally revamp the whole system, said Mulholland, a former police chief in Allenstown, N.H.

The city spent $750,000 to upgrade IT security, including a new computer system that operates the citys water and sewer plants.

There were a lot of things people could hack into, he said.

And although Mulholland said Lebanon has not been the target of ransomware attack, the city is regularly inundated with so-called phishing attacks that attempt to trick city employees into revealing their passwords in order to hack into email and other accounts.

Now that Lebanons cybersecurity has been improved nobody is 100% secure, Mulholland acknowledged the next step will be to conduct tests with city employees by a cybersecurity firm that will check how on guard city workers are about protecting passwords and information that could result in a bad actor hacking into the citys computer networks, Mulholland said.

Mulholland explained the testing will be to ensure city employees are following protection protocols and to coach them if they make mistakes and not to discipline anyone over errors.

Nobodys going to get into trouble, he said.

Most small, mom-and-pop businesses do not have Lebanons budget to plug holes in their computer systems, but there are still things they can do to minimize the risk of a ransomware attack, according to IT consultant Coffin.

Make sure all your data is backed up on a cloud provider and cloud storage, Coffin said, explaining that if a business finds it is locked out of its data files it can easily pivot to the backup files and will not be compelled to pay the attacker for the key to get the data back. The only data the business would lose is the data since the last backup procedure.

Of course, a business has to pay a cloud storage provider like Amazon or Microsoft and, ranging in cost anywhere from less than a hundred dollars per month to $1,000 per month depending on the amount of the data to be stored, that can be a large expense for a small company, such as a farm stand or handcrafts maker with an online sales platform.

But skimping to pay for protection may only lead to bearing a steeper cost later.

It should be looked at like rent, one of those expenses in the budget line, Coffin said.

Contact John Lippman at jlippman@vnews.com.

See the original post here:
Bottom Line: When will ransomware attacks hit the Upper Valley? They already have - Valley News

Boards across the world now recognise that nothing short of an audit renaissance will make them feel satisfied about their oversight on cybersecurity challenges. The feared trillion-dollar number has entered the fear factor gauge as infrastructure breakdowns, halting of operations, ransomware demands and egregious data leakages have grabbed headlines all over the world. Some of the most sensitive organisations in the world have fallen prey, despite massive investment in cybersecurity!

The basic three-part renaissance required can be summarised as follows:

1. Raise global awareness about the subject: Use examples, videos, drawdowns from repositories, sessions by experts and a cutting-edge self-study module available for widespread free usage.

2. Build a culture of safety: Nothing short of global cooperation will work. All incidents, patches, clever attempts to steal, closed down operating assets and restarting strategies must be uploaded to a global repository. Access to the repository must be authorised, universal and uninterrupted. Custodians for this repository should be Central banks of the largest 10 nations on earth, by rotation. All tools, protocols and frameworks that create safety must also be universally shared.

3. Build human and mechanical competence to detect early and counter threats: No lags in continuous monitoring and auditing should be tolerated by the system. Any post facto checks can only be useful as future learnings about attempted attacks. Any breach is too costly to afford and therefore must immediately be uploaded to the repository. As the repository is a true universal asset, it will acquire the status of being protected, curated and shared universally.

Only an establishment with infrastructure of this quality will support unstoppable enhancement in computer power, as quantum computing comes online. Storage and retrieval systems will also have to be constantly kept in a state of accelerated improvement. The battle between the forces of good and the evil will have to be transported to cyberspace. Knowledge and vigilance must trump greed and fear!

I invited three organisations whose boards I chair, to share their policies and practices. Am here, sharing these practices which have evolved over years of effort to serve as examples how all can learn and improve by sharing:

Lessons from Blue Star Limited

Cybersecurity risk management is a process of swift detection of emerging risks, assessing their potential impact, and determining how to respond in an agile manner if those risks materialise. A cybersecurity management strategy is kept refreshed at all times, as experience builds.

Effective cybersecurity risk management happens on a continuous basis, both at cultural and operational levels.

Blue Star has enhanced its cyber risk management framework through the following initiatives:

Establishing Culture

While developing a cybersecurity risk management programme, the first thing to initiate is embedding it in the companys culture. The average cost of a cyberattack is approximately $1 million, and 37 per cent of organisations attacked have had their reputation tarnished as a result of the attack. This is why a cybersecurity-focused culture must be established at all levels in the organisation, to prevent loss.

An important aspect is guarding against vulnerable human behaviour. This is done by adequate training and awareness to recognise phishing emails and other social engineering attacks.

Security Operations Centre (SOC)

Blue Star implemented Security Operations Centre services that house an information security team responsible for monitoring and analysing the security posture on an ongoing basis. The SOC team works closely with the organisation incident response team, to ensure that security issues are addressed quickly upon discovery.

Benefits of SOC to Blue Star:

1. Monitoring of security-related incidents round the clock and correlating them with global emerging threats.

2. Proactively hunting for targeted attacks, advance threats, and campaigns.

3. Developed the ability to ward off a ransomware attack

4. Reduction in the incident investigation and remediation time.

Vulnerability Assessment and Penetration Testing (VAPT)

Periodic comprehensive VAPT testing is a strictly disciplined activity. This includes Application Security review, Wi-Fi Penetration testing, Infrastructure Penetration Test, Endpoint Security Review and Secure Configuration Review for Servers & Networks.

Secured Websites

Deployed SSL certificates for web portals; security standard compliance extended to software partners.

Information Security Policy

A set of policies and procedures has been formulated to ensure users understand and comply with a set of guidelines on handling of information stored within Blue Stars network and systems.

Information Rights management tool

Data residing in unsecure locations is accessible to individuals who must not have access to it. This is a common use case within any organisation, where unintended user groups gain access to data. Such a situation may cause data leakage to parties which do not have the organisations best interests in mind.

Blue Star has deployed Seclore software, to protect sensitive information flow. This helps to protect sensitive data that is shared between internal users and user groups m. Pre-defined permission policies to documents stored in file repositories and file server folders are in place. When a document is added to the repository or the folder, permissions for print, copy, forward are attached to the document. Only certain groups of users are allowed access to sensitive documents.

Protection during Internet Access

Data on employees laptops are protected at all times. Even when employees are outside the Blue Star network i.e. when they are accessing the Internet over less secure and vulnerable public Wi-Fi connections or from home. An intelligent guard is installed carefully to protect against malicious websites, viruses, worms and Trojans. This is especially important when almost all of our organisation is working remotely.

Also, there might be incidents when some of us inadvertently access links that may be malicious. This is where the Zscaler Cloud Proxy tool kicks in to guard employees machines while accessing the Internet. The tool also offers a dashboard that provides important MIS on overall security and usage.

Backup and restoration

Blue Star has enhanced its data protection by introducing an enterprise class back-up and restoration tool to retrieve data during any cyber or other disruptions.

Insurance Policy

Cyber Insurance Policy has been obtained, to protect the company from loss incurred from corruption of its data from unauthorised software, computer code or third-party data, wrongful appropriation of network access code, disclosure of third-party data by the companys employees etc.

Cybersecurity insight from L&T Financial Holdings Ltd

The potential data loss from a hack per company could run into millions per year. One failure to defend against a hack can spell disaster. Most of the attempts get repulsed at the external firewall-level itself.

Key aspects of defence (It is more or less like Army defence of land):

1. Be aware of possible avenues of breach. Examples are third party APIs, vendor access to systems etc. These are more vulnerable.

2. Invest proactively to strengthen the posture of defense.

3. Create awareness among all employees on Cybersecuritys importance and reduce chances to accidentally or intentionally leak information outside. Access control and development codes are held in code repository instead of individual machines.

4. Have multi-layered architecture to ensure that the attacker, if successful, does not get deep within.

5. Everyone has a role to play in defence and it is not only the cybersecurity teams job. While that team leads the effort, others have to complement.

6. Regular sharing of practices among companies. This builds overall environment against attackers and they get less encouragement.

System malfunction is curtailed. Despite security checks which may increase the per transaction time taken are weeded out continuously as new techniques become available.

Access controls might deny usage option to genuine users sometimes. Potential mitigants that we apply are as under:

1. Sanity testing of production systems before making it live.

2. Performance testing post implementation of information security controls with simulated traffic in pre production environment.

A critical aspect is: How exactly does information security get staffed? For most of the evolved functions, a separate layer which conducts audit is deployed i.e. internal audit and statutory auditors. Information security must avoid inherent conflict of interest, as providing security and audit are separated.

Information security is a new function but slowly Internal audit function is being beefed up through reskilling Statutory auditors also have to pick up the slack as they get into ESG and technology driven continuous audits.

Insights from NSDL e-Governance Infrastructure Limited

There are six pillars around which IT security has been thought through. They are :

IT Infrastructure security

Application security

Endpoint security

Third-party risk assessment

Business resilience and

Security governance.

1. IT Infrastructure security - covers aspects like server patching, network security, firewalls, access etc. for both cloud and on-premises infrastructure. This is a monthly activity to update all patches and secure all bases.

2. Application security - covers all APIs, mobile applications and all existing workflow applications. All changes have to be first cleared through information security and the testing of production environment is also done.

3. Endpoint security - since we are BYOD company, basically this operates under zero-trust policy. Tools are deployed to ensure the checkpoint between device and our network layer. Also, monitoring of end device is in place.

4. Third-party risk - we have a large ecosystem of third parties comprising of fintechs, bureaus, call centres, vendors and other technology partners. We try to have controls over them through either direct control using audits, or we give them pointers for self-certification. Self-certification is used in case of large companies only.

5. Business resilience - basically, around ensuring applicability of DR or ensuring that applications are in high-availability mode to ensure business continuity in case something goes wrong.

6. Security governance - last but not the least, regular review on our status. Monthly security posture review by CDO and CRO. In addition, this also gets reviewed at Board committees of RMC and IT strategy.

Some of the important cyber and digital security measures deployed are:

1) Global Standards and frameworks that are most widely and successfully used. A yearly update is mandatory.

2) Multilevel, defenceindepth security architecture deployment. Data traffic is subjected to at least 4-5 levels of scrutiny / checks (using different methods) before it reaches the main system.

3) Daily automated scanning of application systems and infrastructure is done to early detect any new known vulnerabilities. Findings are reviewed / verified and an action plan defined to fix these vulnerabilities. Counter-measures such as Web Application System (Machine learning based) are deployed for preventing the exploitation of vulnerabilities that need time to fix (due to upgradation of version or application dependency).

4) Security posture (attack surface assessment) and benchmarking against the peers in the industry is carried out using automated platform-based services. A real-time dashboard helps regular monitoring and planning of action to maintain / enhance the posture.

5) Zero trust approach Role-based access is followed. Internal users also dont get to access the system directly. Firewall rules determine who will be allowed access. Privileged users dont have access to credentials. Intermediate system logs using securely stored credentials and each action is logged/ anonymised.

6) Industry standard key strengths and algorithms are adopted. This applies to all three phases, data in motion, data at rest and data in use.

7) Unstructured data is monitored based on the policy defined by the respective data owners. Data leak prevention systems block the data, disallowing its transfer through any channel (removable storage, web based storage, print or email).

8) Emails contain critical information, as these are the most preferred channels of communication. Therefore, email on mobile is provided only through separate secured container within users' mobile devices. This provides features such as disallowing copying data attachments outside the container, taking screenshots etc. If email is forwarded, DLP rules would apply.

9) Data traffic of all the above technologies / devices is monitored 24 X 7 with help of state-of-the-art tools and fine-tuned processes and skilled resources. Correlating events, detecting anomalies and triggering a ticket to resolver group is an automated process.

10) Well-thought-out cybersecurity / information security policy and process are deployed to ensure uniformity of action to meet the organisation security objectives. Continuous review and finetuning is undertaken to ensure robustness. Review is done up to the board level for critical cybersecurity policy.

11) Continuous security awareness training is provided to all the employees of all levels. Awareness sessions are conducted for top management and board members.

12) All these controls are audited on continuous bases by internal auditors / independent experts as well as the certification auditors and reported to the audit committee of the board.

Cybersecurity is receiving adequate attention at the highest levels and awareness is getting widespread. The battle is on. Winners will be the diligent and vigilant.

The writer is a corporate leader based in Mumbai. He is a chartered and cost accountant and writes regularly on the Indian economy and public policy

Read the original:
Shailesh Haribhakti discusses audit renaissance and the deployment of cyber and digital security measures - Free Press Journal

For Arnab Mitra, the CEO of homegrown cloud storage solution platform Digiboxx, there hasnt been a better time to move to cloud storage. With the world adapting to the work-from-home culture, the usage of smartphones has increased leading to an increase in the demand for cloud storage, he tells indianexpress.com about what he calls an extremely future-focused industry.

Launched in December last year, Indian cloud-storage service Digiboxx offers both free and paid cloud storage plans for individuals and businesses and has already crossed a million users. The service competes with Google One, Microsofts OneDrive and Dropbox by offering relatively affordable plans.

Mitra explains that their success can be attributed to understanding what most Indian customers need when it comes to cloud storage. Most of the people in India do not communicate in English and fail to understand a very complex platform. The majority of them just want a basic service that will allow them to sync their phones, upload photos, videos, chats, and backups, he states, adding that most essentially, people want something that just fits into their pocket.

Digiboxx went live around the time Google announced the end of its unlimited storage space for Photos.

While Google One subscription with storage plan starts at Rs 130 per month for 100 GB, DigiBoxx offers the same 100 GB at Rs 30 per month, along with other packages for storage upto 2TB. Meanwhile, its free plan has 20GB storage, in comparison to the 15GB storage that Google offers.

But Digiboxx isnt just targeting individual users. It has plans for Small and Medium Businesses (SMBs) starting at Rs 999 with up to 50TB storage and a 10GB maximum file size.

Mitra explains that cloud storage is more flexible than traditional physical storage thanks to its ability to create a more tailored solution for individuals as well as businesses. The package can be customised as per the need of the company, number of employees, etc, he adds.

Cloud storage also makes elements like data recovery more likely for individuals and businesses. Depending on the cause of the problem, it takes longer for traditional storage solutions to recover. Sometimes one can even lose files completely for a physical storage solution but on cloud storages thats impossible, he claims.

Apart from lucrative pricing, Digiboxx also boasts of local storage, with all of its data stored within Indian borders. DigiBoxx has connection encryption and all the files stored on its platform are encrypted at a database level. The service offers support for SSL file encryption.

We are working with multiple Indian Data Centres to assure that the data is being sorted within the countrys borders only, Mitra states, adding that the platform is the first of its kind Make in India, Store in India digital asset management SaaS product that is in line with the countrys national security and data localisation priorities.

View post:
Indians want basic cloud storage that fits their pockets: Digiboxx CEO - The Indian Express