Originally published by Professional Security Magazine Online
Financial services organisations should be preserving unalterable copies of critical data, writes Tom Richards, Practice Lead – Systems and Storage for Northdoor plc, a corporate IT consultancy firm.
Recent papers from the Bank of England make it clear that regulations around business continuity are likely to be tightened in the near future. Financial services companies need to improve their readiness, and backup is a great place to start. By introducing a solution that guarantees the immutability of backed-up data, financial institutions will always be able to rely on a known good copy of data from which to recover operations in the event of a disaster.
In a July 2018 discussion paper (DP01/18), the Bank of England and the Financial Conduct Authority (FCA) set out their views on the opportunities and threats of technology with regard to the operational resilience of the UK financial system. While the paper seeks only to “commence a dialogue with the financial services industry”, the topic is clearly presented as being of fundamental importance to the overall stability of the financial markets in the UK and beyond.
The discussion paper states that a key requirement for firms and financial market infrastructures (FMIs) is to have both preventative measures and capabilities to adapt and recover when operational systems go wrong. The authors note that “operational resilience (…) is a priority for the supervisory authorities (…) no less important than financial resilience”. Clearly, we can expect to see stronger regulations around how banks and other financial institutions manage cyber risk and business continuity.
Challenges to continuity
As the authors of the discussion paper observe, the interconnected nature of financial activity makes it vital for all players to have robust operational procedures and systems in order to avoid contagion. Managing cyber risk is presented as an important element of operational resilience, but the paper takes a broader view, looking at how service continuity can be maintained in the event of individual or systemic disruption.
Given the goal of aiming for “the safe resumption of critical operations within two hours of a disruption,” we need to consider disaster recovery and the enterprise data backups on which it depends. For most organisations, backup is a necessary evil that has become increasingly costly, complex and hard to manage. The use of multiple on-premises and cloud-based platforms means that firms must maintain multiple skillsets, and high failure rates mean that technical staff are so occupied in getting backups to run that they have little or no time to test that the data is actually recoverable. Any changes – intentional or accidental – to backed-up data can render it useless, so many firms are looking for easy and cost-effective ways to protect their backups against loss, damage and ransomware.
Based on Cobalt Iron Adaptive Data Protection (ADP) – itself built on IBM Spectrum Protect technology – companies need to look at implementing Backup-as-a-Service solutions that provide Write Once Read Many (WORM) capabilities by default and at no additional cost. This type of solution consolidates all enterprise backup tasks and schedules across all platforms into a single intuitive front-end and protects all data through read-only permissions by default. Administrators can set up the solution to automatically maintain recoverable copies of data in complete isolation from the enterprise network, and built-in data auditing ensures the validity of backed-up data.
Taking advantage of the ADP solution’s core Cyber Shield functionality, a Backup-as-a-Service solution protects and securely isolates all backed-up data. The entire backup infrastructure is automated and made hands-free, effectively eliminating the risk of intentional or accidental damage to data.
This also makes it faster, easier and more cost-effective to test the recovery of critical systems on virtual infrastructure in the cloud, so that financial markets firms can be confident that their data and systems can actually be recovered in a timely fashion. The solution works with enterprise platforms such as IBM i on IBM Power Systems servers and offers full support for WORM tape media and multi-site relocation/media management.
The financial regulatory authorities consider that operational resilience is most effectively managed when firms focus on business services, rather than on systems and processes. In addition, the challenges they identify to building operational resilience include skills gaps, obsolescence, and system complexity.
Addressing both of these topics simplifies and automates enterprise data backup so that IT personnel can focus on the bigger picture rather than getting bogged down in low-level technical detail.