top of page
  • Writer's pictureFaisal Ch

A New Kind of Data Protection: Cyber-Recovery

Updated: Apr 25, 2023

Disaster Recovery (including DRaaS) has numerous shortcomings when used for ransomware recoveries. - Source IDC

Cyber Recovery is a new segment of Data Protection (DP)

Data protection includes a range of techniques to safeguard data against loss, attack, and corruption while also enabling the ability to recover the data to a usable state in the event that something goes wrong.

Historically, the phrase "Data Protection" has included technologies and solutions geared to deal with the more well-known type of disasters or failures. The challenge today is the higher likelihood of having to recover from a cyberattack as opposed to a natural disaster, which was explored in the last blog.

This new segment of Data Protection (DP) extends the DP portfolio, use cases, and architectures for existing DP products. It is no longer adequate or practical to only take into account conventional Disaster Recovery type scenarios in the Data Protection (DP) domain. DP must have the ability to safeguard data from any hazard including cyber-attacks and warfare.

Disaster Recovery Vs Cyber Recovery

The use and architecture of Data Protection based products to safeguard against and recover from either a Disaster Recovery (DR) or Cyber Recovery (CR) scenario will vary, and unless one is familiar with the subject of cyber-attacks or has previously been a victim, the assumption is that standard DR-based procedures are sufficient. This assumption is incorrect. A cyber-attack differs from a physical attack in terms of how it is carried out and, more crucially, its primary target, which is the data/system(s) and even the recovery systems.

Figure 1 lists terminologies and architectural similarities and differences between DR and CR

DP: Disaster Recovery (DR) terms, tools and use case

DP: Cyber Recovery (CR) terms, tools and use case

Physical destruction. Data loss is a consequence.

​A direct attack on systems, data, backups, and recovery systems

Recovery Target: The same or different

Recovery Target: The same or different. Must guarantee hardware safety, before restoring.

Recovery by restoring or rebuilding, or Failover to an alternate location (on-premise or the Cloud).

Recovery by restoring/ rebuilding.

​Replication-based technologies: Synchronous, Asynchronous, Stretch clusters NB Stretch clusters have a distance limitation due to latency requirements


Backups, snapshots

​Backups, snapshots


Air Gap: volumes stored on-premises or in the Cloud.

backups can be stored off-site

The vault area functions to isolate backups from the attack surface


Attack detection/ AI/ML


Immutable : data can not be changed


Zero trust networks (cyber security)

Figure 1

Protect for Disaster, Attack, or both ??

The key difference between a traditional disaster and a cyberattack is that the actual data or system is the main target in the second situation. The destruction or loss of data is not a consequence, as is the case with a traditional disaster and so a DP-architected solution for cyber-attack should account for scenarios such as below:

Attack the Recovery Systems

Attackers seek to disable any linked recovery systems because they know that if the backups are unavailable, they will have a better chance of receiving a ransom. Systems for backup and recovery are the main target. Gaining control or forcing a ransom payment in exchange for release is the goal.

Sleeper and Repeat Attacks

Attacks don't always occur immediately. “Sleeper Attacks” involve malware that has been installed but remains dormant until the attack begins, possibly months later. Malware can also be restored from a previous backup, used during recovery. Then a 'Repeat Attack' occurs.

Dual Attack: Natural Disaster and Cyber Attack

Natural calamities can also be used as an advantage by Cyber threat actors. During a natural disaster, Cyber threat actors exploit the situation to target infrastructure. Indiana and a number of other States within the U.S. have held drills of this scenario.

As an illustration, an earthquake strikes a city, and the water system then fails which all assume is due to the earthquake. Cybercriminals had taken advantage of the chaos caused by the disaster, and attacked and infiltrated the water system. Here we have a mixture of both DR and CR scenarios.

Data Protection solutions and products require designs and architectures capable of protecting and recovering in all of these types of scenarios. From the above example, DP solutions may have to account for both natural disasters and cyber-attacks at the same time!

Example of a Data Protection blueprint for Cyber Attack

According to the Wall Street Journal, Cyber Recovery is a method of Data Protection that “takes essential backups and business data and stores them in segregated, secured, and immutable form” in preparation for cyber attacks. In Figure 2 we see an example of how to architect DP-based products to protect and recover from an attack.

Figure 2

An overview of Figure 2, from left to right:

1: We start with the data we want to protect from our production network/systems.

2: Software on a host, extracts or backs up data. This software can also manage various other aspects.

3: The data needs to be copied to a Source storage/device.

4: Cyber recovery software manages the data moving from thesource device to the Target /destination device.

5: The Air-Gap bridges the Production and Vault areas. It can be either physical or logical and is a break in the connection, similar to a drawbridge over a castle moat. The airgap is usually logically configured by using a mixture of network policies and firewalls.

6: The data will be moved or synchronised into a vault area and copied to the target storage/device within the Vault. The Vault is isolated from the attack area. This can be held at a separate location including within the cloud. A separate location does tend to be the preference.

7: Immutability is applied to data, backups, and snapshots within the vault, so can no longer be changed.

8: An analytics/indexing host with data-analysis software for anomaly/ attack detection will continuously check what is being written to the target device within the vault. If the backup data was attacked, we want this detected.

9: The recovery area or sandbox within the Vault contains either physical or virtual hosts for recovery testing.

Comparison with a Data Protection blueprint for Disaster Recovery

Below is an example of a DR-based solution (Figure 3). In general, this kind of design is employed to safeguard against and recover from meteorological events, earthquakes, and explosions.

The use of replication is a significant departure from Figure 2. For DR-based protection and recovery, this is extensively utilized and highly effective. Once a disaster has been declared, it provides the ability to "flip" or fail-over to a DR site in the worst-case situation. The alternative site can be in the cloud, another building, a different city, or a different country.

The risk associated with cyberattacks is that malware may replicate to other sites. Attackers will target these areas in an effort to thwart any chances of recovery. Additionally, there is no vault area and no intelligence system for identifying attack signatures.

Backups are often made and kept at an offsite location, as seen in Figure 3, but the Vault architecture in Figure 2 is a more sophisticated setup. A Vault area as in Figure 2, could be combined with the design in Figure 3, which then accounts for both DR and CR scenarios.

Figure 3

An overview of Figure 3

1: Software to extract/backup data.

2: Backups are stored off-site. This can either be an automated or a manual procedure.

3; Point in time copies created by the host operating system (OS) or h/w appliance.

4: The Primary site/production to protect

5: Replication is used to copy data across. This can be hardware-based or a function of the host OS. The network configuration can include software-defined network components to facilitate recovery at an alternate location.

6: The secondary/DR site. This can be changed to the Primary site by running through documented and tested failover procedures.

Opinions expressed in this article are entirely our own and may not be representative of the views of DELL Technologies/VMware Inc.

This article has jointly been written by Faisal Choudry from DELL and Shreyash Nalamwar

at VMware.

Faisal Choudry has experience and a real interest in implementations of Data Protection and Recovery. He has worked on a number of large implementations of DR and failover (audited) testing and has written a number of papers on the topic. Faisal also worked on the engineering, development, and early implementations of a number of products including VxRail and VCF on VxRail, vBlock, SAP HANA.

Shreyash Nalamwar has 18+ years of experience in cloud and datacenter technologies. Currently working as a Staff Solution Architect at VMware and is one of the founding members of the VCF team, focused on providing design and deployment guidance for VCF customers across the APJ region.

Recent Posts

See All


bottom of page