David Tyler: The pandemic obviously has driven some huge changes in how business itself works - but is it one of the main drivers for Veritas as a business and for your customers in terms of challenges?
Simon Jelley: From a customer challenge perspective, COVID-19 has accelerated the move to remote working. But even before COVID we knew we were on the path to much more cloud adoption and different infrastructure and application approaches. Customers are moving towards embracing whatever their definition of a Cloud platform is. The business application owners are essentially the ones driving adoption of those cloud technologies - and for good business driven reasons. Organisations have had to make big shifts towards servicing customers and employees sitting in home offices.

At the same time we've seen the rise of ransomware threats and vulnerability overall - what we've termed the 'vulnerability lag'. We did research which revealed that some 80% of organisations say they've implemented new cloud capabilities or expanded elements of their cloud beyond what they originally planned as a response to COVID-19. So they've accelerated that, but have they looked at what that means from a regulatory or data protection perspective? What data is now being shared out there, what are the privacy and legal requirements - and do they have backups of that data? That's the vulnerability lag.

DT: So what is Veritas offering to help with these issues?
SJ: A lot of customers have deployed SaaS applications under the assumption that that just takes care of the problem for them. The reality is if you dig into the contract you've signed with Microsoft, AWS, Workday or Salesforce, they protect and provide reliability for the infrastructure they're running, but you're still responsible for your data. They don't give any guarantees around the recoverability of the data itself.

We're working hard to be part of the education aspect of that, helping customers be more aware of what are they buying into with the cloud. And then we also provide the infrastructure capabilities through software and the move to SaaS, whether it be for the protection of SaaS applications directly or for being able to manage directly from the cloud using the Kubernetes driven platform, we're trying to offer a 'single pane of glass' solution.

DT: Is there an argument to be made that some of the large as-a-service vendors might not be as open as they ought to be about where their responsibilities end and the users' responsibilities start, when it comes to data protection?
SJ: Perhaps it doesn't help these cloud firms in the selling cycle to say, 'Oh, by the way, have you considered you're going to still need to make sure you have the right security infrastructure in place? Should you be backing up this data? Are you dealing with sensitive information you typically want protected?'

In fairness though, these firms are starting to publish a shared responsibility model which makes it very clear that the infrastructure at the top of the stack is covered, with reliability goals, failover etc. - but as you go down the stack? Data? No, that's still your responsibility. If you need version control, or recoverability back X years, compliance requirements to retain data for so many years - that's all on you, Mr. Customer.

DT: Is that perhaps partly because the business itself is getting more involved in those purchasing decisions, as opposed to IT - and those people are primarily focused on the business need, not about backup and data protection?
SJ: I think that's spot on. It ties in with the consumerisation of IT, right? I like this application, I use a version of it at home and I want to see if there's a business version available. Increasingly end user teams choose the platform, they find the budget, and then they turn to IT saying 'We've bought this, can you integrate it for us?' - and only then does the IT team get to ask about security standards, privacy, and so on.

The reality is that it's always a good thing for us when there's change happening with customers. Our business is about helping customers move forward; optimise their business, their application infrastructure - we need to keep offering the protection, the security, the availability that we've been known for, for 20 plus years.

Nowadays we're much more involved with the customers' business: we act as a key advisor and partner, and it helps us get much closer to that real business purpose. And the other main challenge that's happened around this whole acceleration to cloud is in really understanding what data you have, where it's going to be located, what's the most important to protect with the highest level of availability? This has always been a challenge, always a critical problem to solve. But it's becoming an even bigger problem now as users go to not just multiple on-prem infrastructure, but multi-cloud infrastructure as well.

DT: Let's talk about some of the specific developments in Veritas products that are addressing the issues you've been talking about.
SJ: One key aspect is in providing a basic level of capability with solutions like Backup Exec for integrating these cloud workloads. Our big push with version 22 (reviewed elsewhere in this issue of Storage magazine) is integration of Microsoft 365 support, in particular, into what we already provide with Backup Exec, which is a very simple, secure and unified platform for the SMB customer. We're able to say 'Look, the platform you've already invested in will move and shift with you as you go through that shift to cloud.'

We've also made a big investment around ransomware protection and resiliency, by automated discovery of threats. Our vision is moving towards even more automated data protection, autonomous data management, as we call it. Often the IT team in particular doesn't quite understand how the business is using the data. We want to work with the application layers, and make sure that we protect those with a data protection profile that's consistent with the right data protection policy overall. We're already doing this, for example, with the Microsoft 365 capability. We can do things like policies where if you just add a new user into an AD group, we automatically protect that, whereas previously a backup admin would need to come in and create a new user and create and connect the policy - a very manual process.

In the future protection will simply have to be more autonomous, because it's impossible ultimately for one admin in a company to keep up with the level of data growth and spread. Again, this is made worse if the application owners are driving the evolution without IT's involvement. There's noone 'watching the henhouse' as it were, in terms of making sure that policies stay aligned.

DT: How will this autonomous data protection work, and how close are we to it now?
SJ: It's an evolving capability, but the reality is we already have AI and machine learning in our offerings to try and detect patterns, for instance. When it comes to ransomware, we take the attitude that it is going to happen to you: not 'if', but 'when'. It's a game wherein the attackers move forwards and the defence still plays catch-up, unfortunately.

The fact that we're seeing so many successful ransomware attacks indicates that while preventing them is a noble effort, keeping the attackers away from compromising your backup data once they're in is more important than ever. If it does enter the data stream, we can detect the patterns that suggest that the data is not something you want to recover and push back into mainstream use.

Increasingly ransomware attackers deliberately target backup vendors; they want to try to shut us down as a recovery option. So we're using AI/ML techniques to say 'Look, this latest backup compared to what we saw before as a data stream, there's something off in this, it doesn't look right.' It's about being able to move away from that world of the backup admin, or whoever is in charge of defining the policies, having to take action in order for protection to take place.

DT: Ransomware is clearly a driver for your business in a way that it never used to be - has it changed how backup is bought and sold, and how Veritas markets its products?
SJ: I think the reality is it's now being driven by policy, from C-level down in terms of taking cybercrime seriously and making sure you've got protection techniques in place. The one place you can recover from is your backups. Of course if we asked customers 'Do you have backup?', they would generally say yes. OK, but do you understand your backup policies - and do you regularly test them to ensure you can recover that particular site or that particular file? That's a whole different set of questions.

What the growth in cyber-crime has done is allowed us to showcase the capabilities that were always there, the fact that we can do recovery rehearsal drills, that we can have multiple different policy types and automate how those policies get applied to different types of data. But a lot of customers frankly weren't leveraging that. They were just saying, 'Well, I've checked the box'.

From our point of view, the uniqueness of our portfolio is that we've got very strong products within the availability and data protection piece that we're very well known for, of course. But those tie into products that look at digital compliance, and the auditing aspects. And we're bringing all this together into this autonomous data management approach. That's what we're building into the reality of our products, and Backup Exec right now is obviously the main driver for that in terms of how we're driving the SMB and mid-market segment.

More info: www.veritas.com