Black Hat: Business Continuity With Commvault’s Tim Zonca
Shira Rubinoff: Hi, this is Shira Rubinoff coming at you live from Black Hat. I’m here with Tim Zonca from Commvault. Tim, such a pleasure to be speaking with you here today and welcome to Black Hat.
Tim Zonca: Thank you.
Shira Rubinoff: Can you please share with our audience who you are and what you do for Commvault?
Tim Zonca: Sure. Thanks Shira for having me. I’m Tim Zonca. I’m VP of Portfolio Marketing at Commvault, and there’s a few different functions that includes, but it’s mainly customer marketing, so we have a really vibrant community of customers and partners and users. We have a strong kind of advocacy group within that. And so my team works directly with our customers and our partners and kind of brings the feedback and engagement that we hear with them to then the product marketing team, which is the other group within the organization that I run.
Shira Rubinoff: Excellent. And can you share with our audience a little bit about where Commvault sits in the cybersecurity sphere? It’s quite a large, vast area of cybersecurity. Love to hear where Commvault really flies.
Tim Zonca: Yeah, I think that the main place is most of the customers that we work with and CISOs or security directors, they adhere to some sort of framework or maybe it’s a Mitre or a NIST sort of thing. So if you take NIST, that last area is recovery or recovery. We excel at that, so that’s what our customers use us for. We more recently have started using a lot of the proven best practices and technologies that other security experts use, but it’s all in service of making sure that an organization can recover.
Shira Rubinoff: That’s very critical. We talk about being proactive and reactive in the cybersecurity sphere and in cybersecurity posture. So with the reactive piece is something really where you excel at?
Tim Zonca: Yeah, I think reactive insofar as making sure that people can recover. Frankly, it’s as easy as is there organization in their business up and running, and is it serving their mission? Can they serve their customers? Can they serve their patients, their partners, their employees? And so there’s a part of it that is reactive in that after there’s some sort of data incident or a cyber incident and you need to recover. Yes, that’s reactive. There’s a whole set of things that we also not only offer, but suggest people do that that’s more proactive in nature, so making sure that people have early warning, are there bad actors kind of knocking around. And so you don’t wait until it’s time to recover, but you’re always in a constant state of recovery readiness.
Shira Rubinoff: That’s critical. Proactive reactivity going hand in hand in the same strength, so it’s very excellent that you do that as well. So how has the digital landscape evolved and what challenges do organizations face in protecting their data? And that’s been a question on people’s minds and there’s lots of different answers around that, and I’d love to hear what Commvault and what your offering is and how you actually face that.
Tim Zonca: Yeah, I think there’s two really big categories of shifts in evolution that we’ve seen. I think one is, and it’s been going on for a while, is people call it the move to the cloud or whatever it is, but their data is just distributed everywhere. And there’s no future where that’s going to be any less distributed than it is today. And so is it across clouds? Is it across data centers? Is it across regions? Is it across apps, partners? It’s all of it.
Shira Rubinoff: It’s everywhere.
Tim Zonca: And that’s just made kind of good old recovery, really hard. And so I think that’s a big shift is just that data sprawl. I think then the other big shift is just the impact that the skyrocketing cybercrime has also had in light of that already complex set of processes and tasks and protection in that bad actors today are quieter than they’ve ever been, even just okay hackers can be great with off the shelf tooling. So threats are just more pervasive, they’re more autonomous. And so I think those are the two biggest sets of trends that are really shaping the conversations we have with our customers and the way that they implement our technology.
Shira Rubinoff: And when we talk about data protection and data security, what traditional data protection solutions are no longer sufficient in addressing cyber threats because a lot of organizations say, “Listen, we only have certain budgets that we could use to spend on dealing with this area.” So why are they no longer efficient and why do they have to look elsewhere in order to have that proper protection?
Tim Zonca: Well, I think it goes back to those kind of two big shifts. So if you believe that data’s distributed and it’s more and more distributed and that cyber crime is more sophisticated and advanced than ever, I think where a lot of solutions fall short in the market are you have a lot of solutions that were kind of born in a traditional world, so they’re good at managing kind of on-prem data center sorts of workloads, and then they struggle when they need to burst out and protect cloud workloads or maybe recover to the cloud. You have the opposite, which is you have more cloudy born or cloud native or cloudy solutions. They’re usually pretty proficient at helping protect data on the edge, but then vice versa, they’re not super proficient at also protecting things that are a bit more traditional.
And then you have this group that’s kind of in the middle. These tend to be vendors that have, usually their history is around an appliance for managing stuff. And so they give you some cloud management capabilities, but it’s really inefficient and hard to then burst to the cloud when you’re trying to recover fast and at scale and cost effectively. Those just come to their knees. And so the result is you have these organizations that are cobbling together a whole bunch of solutions, and it’s just painful. I mean, it’s really-
Shira Rubinoff: There’s the gap in the security there.
Tim Zonca: Well, and then I think that totally widens the gap because you have multiple interfaces, multiple approaches for frankly doing the same thing, which is my data resilient and is it recoverable? And so I think it just exposes additional risk.
Shira Rubinoff: Yeah. Well, there’s a lot of organizational talk about overlaying different technologies on each other, but then there’s also the security area and the security factor. When you look at that and putting cobbling, as you mentioned, once security solution over the other, there’s gaps in the security, but also you have to really keep an eye on every single little piece. One goes down. It all goes down. So can you talk a little bit about the recovery, just how that really would work a step-by-step guide maybe to our audience, so they could really understand what that would look like.
Tim Zonca: Yeah, I mean, I think there’s a few fundamental attendance. I think even before you recover, one of the things that we also really think a lot about recovery readiness. And so before an incident occurs, do you have layers of your recovery processes and your backups ready to go? Do you have versions that are kind of immutable and indelible and are they stored in an air gaps cloud fashion so that you can ensure that you’re recovering those? Are you confident that they’re clean? And so do you have a clean recovery point? There’s notions of just constant verification or validation rather that we think are important. That starts even before you need to get to the point of recovery.
Shira Rubinoff: This is like training, somewhat training.
Tim Zonca: I think it’s training, maybe it’s just my bias having come from kind of a DevOps world, but it’s just like that kind of, they have CICD in a software production context. It’s like this notion of continual testing and continual integration. Are you always ready to go and when you need to, are you ready to go that you can always, when things in the software you need to push to production when you’re ready to go and you need to go and back up. Do you know what it is? Are you sure it’s clean and are you backing up just what you need to, not everything that becomes costly and slow as well, and kind of just confusing.
Shira Rubinoff: Also there’s extra data out there that you really don’t need, and having that extra data out there, it could also be a security risk for organizations. So cleaning up that data is important as well.
Tim Zonca: And that’s a big challenge I think a lot of organizations face, going back to one of your early questions, which is what’s challenging when you have all these point solutions because if each one’s doing it a different way, and one of the unfair advantages our customers have is some of the just unique capabilities we allow for having that precision. So you’re backing up just what, I’m sorry, restoring just what you need. Whereas with many other technologies, you got to do it all and slow, expensive and just really inefficient.
Shira Rubinoff: Sure, sure. And when we talk about the cybersecurity world itself and what CISOs are struggling with and they’re struggling with budgets, they’re struggling with getting the right solutions implemented, proactive and reactive cybersecurity posture, being worried about ransomware attacks and the like. What advice can you give CISOs when they look at it and say, where do we even begin? Where do we begin to expend our dollars?
Tim Zonca: I think I am going to speak with the obvious bias of coming from kind of a recovery world. So they wouldn’t want to listen to me on like, Hey, what should we be doing? It’s some other aspect of let’s say network protection or something like that, but where I think the CISOs that I work with, what I’ve heard from them, so I’m kind of just parroting them. It’s like, look, if we don’t have a strong recovery plan in place, it’s like walking across the Grand Canyon on a tightrope with no safety net. And so prioritizing that as part of their portfolio of high priority investments, we think is just critical. And the CISOs I work with think it’s silly to not do that or irresponsible whatever your word is for that. So I think prioritizing a strong recovery practice.
And I think the second thing related to that is the security and data protection ecosystem is so strong now and it’s really straightforward to integrate with different solutions. And so prioritizing recovery, but then prioritizing the ability for systems to talk to one another so that you don’t have multiple single panes of glass. Then you have, but the right apps are talking to the right apps so that people are able to work in their context, keep their data safe and recoverable without having to skip across a lot of interfaces. I think that’s what I would put as a second tier priority within that recoverability.
Shira Rubinoff: That’s reasonable. Certainly. And if you had to speak to our audience and say, how does Commvault stand apart from its competitors and why is it something that you really need to look at? Can you explain that to our audience a little bit as well?
Tim Zonca: Yeah, I think there’s a few things that we do that are unique and when our customers look to us is, I think the first thing is that we deploy security capabilities in the context of recovery. So one of them is early warning. So I think it’s tempting for threat actors to say, “I’m not going to go kick around in production because there’s tripwires all over the place and I don’t want to make any noise.” A lot of times they’ll go and they’ll target the backup and recovery environments and infrastructure where there may be fewer trip wires there. So one of the things that we do is we give customers early warning that spans both of those kind of production and kind of backup areas. So it really makes sure you have a strong moat around that and so that if someone comes knocking, you are ready.
And that’s a sophisticated set of capabilities. So we just embed it in the daily workflow of a typical data protection engineer. So for example, you’re spinning up a new environment, I need to back up my M365 environment like, Hey, do you want to throw some early warning out into these environments? Here’s what it looks like. Here’s your recommended density. It’s just part and parcel with what they’re doing anyway. So that’s something that only we do. So no one else does that.
And then I think the second thing is as you are protecting your estate, in this distributed world no one covers the breadth of that estate like we do. We don’t care if it’s in the cloud, if it’s a SaaS app, if it’s on-prem if you think, well, hey, I’m guarding this and protecting this on-prem, but I want to be able to burst to the cloud and recover there, we got you covered. So the portability is also just unparalleled. And I think those are a couple of the main things that our customers look to us for. And I think then the third and final is just what we’ve always historically been known for is we recover faster, more efficiently, and at the lowest TCO by at least a factor of three compared to any other provider out there.
Shira Rubinoff: Well, that’s excellent. And I actually like the way that you highlight the backup and recovery, that is it clean. A lot of organizations, and when we talk about in the cybersecurity world, we talk about the data, are you protected? What are you doing? Is it up to snuff in different areas? But no one’s really focusing or I haven’t really heard people focus about the clean data that you need to be when you recover. Is that clean? Do you know that you’re not putting in problems when you have to recover? So I think that’s very important that you highlighted that and you spoke to that. And I’d love for you to speak a little bit further on that topic itself about clean data and making sure it’s clean and how that is done.
Tim Zonca: Yeah, I mean, I think it goes back to something we were just talking about, which is if you’re a bad actor and you are looking to compromise an organization, going and kicking around and making noise in production is a really risky thing. So if you can embed yourself into what’s going to get recovered after an incident, if an organization isn’t set up well enough and they don’t have as many trip wires listening for that sort of activity, if they aren’t looking for anomalies, I mean, encryption has gotten so quiet and that it’s hard to detect those sorts of things. There’s living off the land attacks. And so if a bad actor can go in and embed malware or whatever the attack is into a recovery, the backup data, and then they could just go knock over production, well, and then what do you have to do? You have to recover.
I mean, that’s why it’s so important to make sure that you understand and have a high degree of confidence that indeed you have a clean recovery point, you’re recovering to a clean location. And you could do that if you were planning on doing that to let’s say an on-prem data center, your private cloud, and you need to do it in the cloud, you should be able to do that on the fly. And I think that’s where the importance of cleanliness, indelible storage and capabilities like that I think are really paramount to have a really strong, healthy, and I think just highly confident and resilient system.
Shira Rubinoff: No, well, thank you for that. That’s important. And I guess another question that’s always on people’s minds is how easy is it to implement your solution? What does it take for an organization to do that?
Tim Zonca: So I don’t want to knock on all the marketing people that might be listening, but I’m a marketing person. I was able to do it in a matter of a couple minutes. So it’s as easy as signing up and getting going. And what I did is easy M365 environment, or maybe it’s Kubernetes or something like that. So you can spin us up in a matter of moments. And then we have really sophisticated installations with customers where it is distributed data and it’s across multiple clouds and multiple regions and multiple private clouds, and we kind of span the gamut. So it’s anywhere from someone like me doing it in a matter of moments to a really sophisticated setup and anywhere in between.
Shira Rubinoff: Excellent. And any other cybersecurity points or helpful hints you’d like to share with our audience? I always like to ask the people that I speak to. What else can you share with our audience, even in the cybersecurity world itself, some pointers or some helpful hints?
Tim Zonca: I think the biggest one, to me, again, it has the bias of coming from of a vendor that leads the resilience and recovery space is going back to your question around the role that recovery plays in security. It is kind of disheartening to see a lot of just the confusion out there because it’s attractive to talk about what you do from a security perspective. And I think when that gets confusing is when you have vendors that actually don’t really do security labeling themselves like “We do security”. And it does a disservice to the security and the IT teams that are trying to protect their organizations.
And so I guess my guidance is as you flesh out and you evolve your recovery plans, of course it fits a security framework like a NIST or something like that. And you’re going to hear about things like early warning and risk analysis and threat scanning and anomaly detection and things like that. But at least for Commvault, we do that in service of your recovery. And so I think the guidance is to just make sure that you understand where your providers, their sweet spot is and where they fit across what’s a pretty sophisticated and complex landscape of myriad vendor offerings across a wide gamut of practices.
Shira Rubinoff: Of course. That’s such sound advice. Well, Tim, thank you so much for your time today.
Tim Zonca: Thank you.
Shira Rubinoff: And I’m really happy we were able to talk today, today during Black Hat.
Tim Zonca: Yeah, I appreciate it.
Shira Rubinoff: And for our audience, please stay tuned and we’ll be coming back at you live shortly. Thank you.