Despite some seasonal declines, ransomware is still a serious security threat, especially for those who underestimate it. It is often thought that having a backup copy of your data is enough to protect yourself from ransomware. This point of view overlooks several aspects. One of them is the relationship between ransomware and NAS (Network Attached Storage), where a backup copy of the server is often stored in the belief that this is enough.
Ransomware attacks can render entire disks unusable by encrypting the file system. Network disks are at risk too: they can also be encrypted, which reduces the effectiveness of a backup stored on a NAS.
Definition of Ransomware
Ransomware, as we have seen in other articles, is a form of malware that encrypts the victim’s files. The attacker then demands a ransom from the victim in exchange for restoring access to the data.
Users are shown instructions on how to pay a fee to obtain the decryption key. The cost can range from a few hundred euros to thousands, payable to the cybercriminals in Bitcoin.
Once the malware has been executed, it is almost always too late. In fact, the victim often does not notice until the ransom demand appears or the entire disk has been encrypted.
How ransomware works
There are several routes ransomware can take to reach a server. One of the most common delivery systems is phishing: an attachment arrives on the victim’s computer in an e-mail message, disguised as a harmless file.
Once executed, this software masquerading as a harmless file can take control of the victim’s computer, especially if it includes social engineering tricks that persuade users to grant administrative access. Reaching the server from there is not as complicated as it might seem.
Some other, more aggressive forms of ransomware, such as NotPetya, exploit security holes to infect computers without needing to trick users.
There are several things malware could do once it has taken over the victim’s computer, but by far the most common action is to encrypt some or all of the files it has access to. If you want to get technical, there is more information available on how the encryption takes place.
The most important thing to know is that at the end of the process the files cannot be decrypted without a mathematical key known only to the attacker. The victim is presented with a ransom note explaining that without payment the files will remain inaccessible.
Regardless of the demands and of how the ransomware got in in the first place, the point to note is that no data is safe. So if your customers’ data is on a server, they can be involved in such an attack.
If the ransomware encrypts file systems and not just individual files, the problems multiply.
Ransomware, NAS and backups
One way to mitigate the risk is to have a backup available from which to restore the data without giving in to payment. Backup best practices say that backups should not be kept on the same machine, so they are often kept on network disks that are always accessible from the servers. But in practice those disks are effectively part of the machine, precisely because they are accessible from it.
These disks, called NAS (Network Attached Storage), are great solutions for managing files on a network, but they can become as useless as the server in the event of a ransomware attack. If the attack encrypts file systems, it is quite possible that it finds the remote folders on the NAS and encrypts them as well, rendering the backup unusable.
The targets of ransomware
There are several ways attackers choose which organizations to target with ransomware. Sometimes it is a matter of opportunity: for example, attackers might target universities because they tend to have smaller security teams and a disparate user base that shares many files, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For example, government agencies or medical facilities often need immediate access to their files.
Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet, and these organizations are often particularly sensitive to the threat of data exfiltration.
However, some ransomware is capable of spreading by itself across the network. In fact, no one is completely safe, especially if the data stored on the servers is sensitive.
Ransomware and NAS: how to manage backups
As we have seen, ransomware is no small threat to the data stored on corporate servers. Now let’s see what precautions you can take to protect your data and servers.
Do not use NAS for backups
If ransomware reaches a NAS, it will almost certainly encrypt it, making the backup inaccessible. Avoiding this problem is easy: use the cloud!
The server provider should offer the ability to store machine backups in the cloud. This means that the backups are not permanently reachable from the server, so the malware is unable to encrypt them.
This is the standard for our VPS service: in the event of a compromise, it is sufficient to restore the virtual machine to an earlier state from one of the backups stored in the cloud.
Alternatively, you can back up on-premises, i.e. locally, physically within the company. Using the Acronis Backup service you can perform a backup to an external disk that is not connected to the network.
Another solution, a hybrid of the previous two, is to create a backup through Acronis and store it in the cloud rather than locally. You keep the advantage of having a remote backup that is not constantly connected to the server.
Finally, it is worth mentioning another solution, the precautionary one. With our SOC service and its latest-generation analysis systems, it is possible to identify malware or a ransomware attack immediately and block it before it does damage.
Whether it is adopting best practices for backups and storing them remotely, or adopting a SOC to cover this aspect and many others in the field of IT security, SOD is available to discuss your situation and find a solution tailored to the needs of your company.
Contact us for information; we will be happy to answer any questions.
Looking to up the ante and earn more money from ransomware, cybercriminals are increasingly using a tactic known as double extortion ransomware. Not only do they encrypt data and demand a ransom from the victim to regain access; they also threaten to publish the data online if their conditions are not met.
Let’s take a step back: ransomware is one of the most common types of malware. It targets a company every 14 seconds and cost $11.5 billion in 2019 alone. Typically, the hackers who carry out these attacks break into a system to steal data and delete it if the victim does not pay a ransom.
Why do hackers prefer double-extortion ransomware?
The rise of double extortion ransomware proves that cybercriminals are constantly expanding their arsenal. Paolo Passeri, director of cyber intelligence at the software firm Netskope, says these attacks have become popular because they are the easiest way for hackers to make money.
Passeri says: “With double extortion ransomware attacks, even if a backup is available, attackers can put more pressure on the victim to pay the ransom. The increased pressure comes from the potentially serious consequences of a data leak, for example economic and reputational damage. Groups like REvil are even more creative: they don’t just leak data, they monetize it by auctioning it on the dark web and putting even more pressure on their victims.”
When conducting a double extortion ransomware attack, hackers spend more time on the overall strategy. Passeri warns that scammers are no longer taking an opportunistic approach. Instead, they are carefully selecting their target and method of attack to increase the ransom money they make. He explains: “the threat actors select their victims, choosing organizations whose businesses could be affected by a data leak”.
Spear phishing is the primary means of distributing double extortion ransomware, but cybercriminals are also exploiting vulnerabilities in on-premises devices such as VPN concentrators. “In the past few months, nearly all major VPN technologies have suffered severe vulnerabilities that have been exploited for similar attacks,” says Passeri.
“This is unfortunate given the current situation with forced telework, where these remote access technologies play a crucial role in ensuring business continuity during Covid-19. These systems are directly exposed to the Internet, so threat actors can scan them and then exploit any vulnerabilities discovered.”
Risks of doxing: disclosure of private data
Double extortion ransomware gives cybercriminals more opportunities, allowing them to extort victims twice. They can demand a first payment to decrypt the files and a second payment not to make them public.
This technique, also known as doxing, has been used by an increasing number of ransomware groups over the past year. The consequences of doxing are more severe for the victim, so victims often give in to the demands. This means more money in the pockets of cybercriminals to fund new strains of ransomware and support other criminal activities.
Improvements in malware and the financial incentives for hackers have led to the growth of double extortion ransomware attacks. In the past, ransomware encrypted files and hackers stole data, but it was rare for both to happen at once.
We now have bots that can scan the web for unprotected data, steal it, encrypt it or delete it, and leave a ransom note for the owner, all in one automated attack. The hacker can then collect a ransom for the data and also sell it to other criminals, cashing in twice with minimal effort.
There has been an influx of double extortion ransomware attacks in the past year. Hackers gained traction in late 2019 when high-profile groups like Maze began aggressively exploiting this tactic.
In these particularly aggressive cases, the hacker extracts a copy of the data before encrypting it. This way the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves.
To claim responsibility and put pressure on the victim during the negotiation, the attacker often releases small chunks of data online. If the negotiations stall or fail, the attacker publishes all the stolen data or sells it to third parties. This amounts to a serious data breach for the victim.
What to do
To defend against these attacks, there are several steps companies should take. For example, keeping systems updated to ensure that known vulnerabilities are fixed. It is also imperative that organizations have a layered security approach that includes the use of data loss prevention tools. An example is the Acronis Cyber Protect Cloud service offered by SOD. The system can stop the data exfiltration or encryption with which these double extortion attacks begin.
But what can organizations do if they cannot successfully mitigate one of these attacks?
Organizations should try to include a last line of defense that isolates and stops illegitimate encryption immediately. This mitigates the risk when traditional prevention-based security has been compromised or bypassed. Robust backup processes, including air-gapped backups, should also be considered to make it harder for criminals to encrypt or disable critical data stores.
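Stopping illegitimate encryption as a last line of defense means recognizing it from behaviour rather than from signatures. The Python script below is an added example, not code from the page, SOD or Acronis; it shows the kind of heuristic such a control applies to file-system telemetry: a process that, within a short window, rewrites many distinct files with high-entropy (encrypted-looking) content and renames them, while a backup agent writing a few text files or an archiver producing a handful of compressed files stays below the threshold. The event format, the process names and the sample event stream are constructed for illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from random import Random
from typing import Dict, List


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since the start of the capture
    process: str
    path: str
    op: str            # "write" or "rename"
    data: bytes = b""  # sample of the bytes written (empty for renames)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events: List[FileEvent], window: float = 10.0,
                           min_files: int = 20, min_entropy: float = 7.0,
                           min_ratio: float = 0.9) -> Dict[str, dict]:
    """Flag a process that, inside any `window` seconds, writes high-entropy
    content to at least `min_files` distinct files. Renames in the same window
    are reported as supporting evidence (extension changes are typical)."""
    by_proc: Dict[str, List[FileEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_proc[e.process].append(e)
    alerts: Dict[str, dict] = {}
    for proc, evs in by_proc.items():
        writes = [e for e in evs if e.op == "write"]
        for i, start in enumerate(writes):
            win = [w for w in writes[i:] if w.ts - start.ts <= window]
            files = {w.path for w in win}
            if len(files) < min_files:
                continue
            high = sum(1 for w in win if shannon_entropy(w.data) >= min_entropy)
            ratio = high / len(win)
            if ratio >= min_ratio:
                renames = sum(1 for r in evs
                              if r.op == "rename" and start.ts <= r.ts <= start.ts + window)
                alerts[proc] = {"files": len(files), "high_entropy_ratio": round(ratio, 2),
                                "renames": renames, "window_start": start.ts}
                break  # one alert per process is enough
    return alerts


# --- constructed sample event stream (not real telemetry) ---
_rng = Random(42)  # fixed seed so the sample is reproducible
TEXT = b"Quarterly report: revenue figures and notes for the board. " * 20
SAMPLE_EVENTS: List[FileEvent] = []
# A legitimate agent: a few low-entropy writes spread over a minute
for i in range(5):
    SAMPLE_EVENTS.append(FileEvent(i * 12.0, "backup-agent", f"/srv/share/report{i}.txt", "write", TEXT))
# An archiver: three compressed (high-entropy) files, too few to trigger an alert
for i in range(3):
    blob = bytes(_rng.getrandbits(8) for _ in range(1024))
    SAMPLE_EVENTS.append(FileEvent(100.0 + i, "archiver", f"/srv/share/archive{i}.zip", "write", blob))
# A suspicious process: 30 distinct files rewritten with random-looking bytes and renamed within 6 seconds
for i in range(30):
    t = 200.0 + i * 0.2
    blob = bytes(_rng.getrandbits(8) for _ in range(1024))
    SAMPLE_EVENTS.append(FileEvent(t, "unknown_proc", f"/srv/share/doc{i}.docx", "write", blob))
    SAMPLE_EVENTS.append(FileEvent(t + 0.05, "unknown_proc", f"/srv/share/doc{i}.docx.locked", "rename"))

if __name__ == "__main__":
    for proc, info in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {info}")
```

The thresholds (window, file count, entropy, ratio) are the tuning knobs: a real control would set them from a baseline of the host's normal write activity, and the response on alert would be to suspend the process and cut its access to the share rather than merely print.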
If an organization falls victim to a double extortion ransomware attack, there are often dire consequences. Criminal groups are increasingly brazen; even their dystopian names, like Maze, Netwalker and REvil, are an indication of this inclination. Their pride leads them to display exfiltrated data as online trophies and even to sponsor clandestine hacking contests to show off their malware, in a kind of cyber show-off.
For the victims, the consequences can be devastating. Travelex, a currency exchange service, went into receivership with the loss of 1,300 jobs in the UK following a ransomware attack. During the heist, the cyber gang REvil asked the company to pay $6 million within 48 hours. The company faced the threat of the publication of its customers’ credit card information, national insurance numbers and dates of birth.
It is clearly critical that companies do everything they can to identify and stop these attacks before they cause more damage. Preventing these attacks proactively is much better than mitigating their effects, with all the financial costs and reputational damage they entail.
Most attackers gain access through human error. For this reason, alongside technical measures such as internal data access management and backups, staff training and supervision are key elements of an organization’s defenses.
Victims essentially have two choices, both of which are costly: if they refuse to pay, they face a catastrophic data breach with exposure to painful regulatory fines and civil claims; if they pay the ransom, they still have no guarantee that the data will be returned.
Handling double extortion ransomware
While getting hit by ransomware can deal a severe blow to any business, companies should be cautious when asked to pay a ransom. Doing so could involve even greater risks. There is no certainty that the hackers will not ask for more money and withhold the data anyway.
It is important for companies to secure their networks and conduct mock tests to mitigate the ransomware threat. Such simulated attacks help spot vulnerabilities within the organization without the risk of facing serious financial problems and having to answer very difficult questions from customers.
Implementing strong resilience measures is the best way to prevent double extortion ransomware. Ransomware is often a secondary infection: threat actors seek to exploit known vulnerabilities, particularly in remote access protocols and in applications that are critical for working from home.
Critical to mitigating this is ensuring that vulnerabilities are patched in a timely manner and that network and data logs are monitored for any unusual activity or data exfiltration. There is therefore a potential window of opportunity to remedy the primary infection (which precedes the ransomware) and thus prevent the ransom process from developing.
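Monitoring network logs for data exfiltration, as recommended above, can start with a simple volume check per internal host and external destination, enriched with two cheap signals: whether the destination has ever been seen before and whether the transfer happened outside working hours. The following Python code is an added example, not code from the page or from Netskope; the log line format, the addresses (private ranges internally, IANA documentation ranges for the Internet side), the destination allow-list, the business-hours window and the 500 MiB threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed firewall/NetFlow-style export (not real traffic).
SAMPLE_LOG = """\
2021-03-02T09:15:01Z src=10.0.1.20 dst=203.0.113.10 dport=443 bytes_out=48211
2021-03-02T09:16:12Z src=10.0.1.20 dst=10.0.2.5 dport=445 bytes_out=903112
2021-03-02T09:20:44Z src=10.0.1.31 dst=203.0.113.10 dport=443 bytes_out=20544
2021-03-02T22:41:03Z src=10.0.1.20 dst=198.51.100.77 dport=443 bytes_out=734003200
2021-03-02T22:49:51Z src=10.0.1.20 dst=198.51.100.77 dport=443 bytes_out=689115136
2021-03-02T23:05:19Z src=10.0.1.31 dst=203.0.113.10 dport=443 bytes_out=15020
"""
# Constructed allow-list: destinations the business is known to upload to (e.g. its SaaS provider)
KNOWN_DESTINATIONS: Set[str] = {"203.0.113.10"}
# Assumed internal address space; an explicit list is used on purpose, because
# ipaddress.is_private also matches the documentation ranges used above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 in the log's timezone, an assumption


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Turn 'ts k=v k=v ...' into a dict; bytes_out and dport become ints."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        k, v = f.split("=", 1)
        rec[k] = int(v) if k in ("bytes_out", "dport") else v
    return rec


def detect_exfiltration(lines: Iterable[str], known: Set[str],
                        threshold_bytes: int = 500 * 1024 * 1024) -> List[dict]:
    """Flag (internal host, external destination) pairs whose total outbound
    volume reaches the threshold; note whether the destination is new and
    whether all of that traffic happened outside business hours."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    hours: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_internal(rec["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        key = (rec["src"], rec["dst"])
        totals[key] += rec["bytes_out"]
        hours[key].append(int(rec["ts"][11:13]))  # hour from the ISO timestamp
    alerts = []
    for (src, dst), total in totals.items():
        if total < threshold_bytes:
            continue
        alerts.append({
            "src": src, "dst": dst, "bytes_out": total,
            "new_destination": dst not in known,
            "off_hours": all(h not in BUSINESS_HOURS for h in hours[(src, dst)]),
        })
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_LOG.splitlines(), KNOWN_DESTINATIONS):
        flags = [k for k in ("new_destination", "off_hours") if a[k]]
        print(f"{a['src']} -> {a['dst']}: {a['bytes_out'] / 2**20:.0f} MiB out {flags}")
```

In practice the allow-list and the threshold come from a baseline built over a few weeks of normal traffic, and a hit that is both a new destination and off-hours is what a SOC would escalate first, since it is exactly the pattern of the "extract a copy before encrypting" phase described earlier in the article.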
Organizations need to educate staff about the risks of double extortion ransomware and how it is carried out. Individual users can also be of great help by being aware of the danger of unsafe attachments. They should also be cautious about clicking links in any e-mail they receive, particularly given the recent resurgence of Emotet, a well-known malware.
There are two defense strategies for dealing with double extortion ransomware. First, robust backups, to make sure you do not have your hands tied if hackers gain control of your data. Then, encryption, to make sure that if an attacker threatens to expose your data, it is protected too.
These approaches should then be incorporated into a broader strategy: careful monitoring of the network, which could allow attackers to be cut off, and promoting employee security awareness so that they do not fall victim to the phishing attacks that are often the root cause of a ransomware incident.
The threat of double extortion ransomware is undeniable, with cybercriminals carefully targeting and crafting these attacks in an attempt to increase the size of the ransom.
Organizations often feel they have no choice but to pay the ransom to avoid the leak of sensitive data. But it is actually a game of Russian roulette, and the stolen information can still find its way online. The focus must therefore be on prevention and risk mitigation.
Small and medium-sized businesses have little room for maneuver when it comes to investment. Precisely for this reason, every step that involves an expense is weighed and evaluated in every aspect before being carried out. We know the fears that underlie such reasoning, and for this reason we have decided to dedicate an article precisely to the advantages that SOD services can offer to small and medium-sized enterprises. The adoption of cloud services for small businesses is an important step that requires some study.
Services available in the cloud
Cloud computing means, in practice, that it is not necessary to store your data on your own premises: the data is stored and accessible online. The cloud is a highly secure physical location, called a datacenter, located outside the corporate headquarters, which hosts many servers that serve all users over the network. By relying on a provider such as SOD, it is possible to relocate hardware and software resources to a datacenter and take advantage of the benefits that derive from it.
Cloud solutions for small businesses
Cloud computing naturally has different implications for small businesses than for individuals or large companies. This is because user needs vary considerably, both in the type of infrastructure required and in the specific service.
In fact, several main cloud computing options are available to meet different needs: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and backup as a service (BaaS).
If you think of cloud service models as a pyramid, IaaS is at the base, because it provides the remote infrastructure itself. PaaS is the next, intermediate level, which allows users to build applications on top of that infrastructure. SaaS and BaaS are at the top level, providing end users with complete and immediately usable products and services.
Cloud solutions for small businesses are typically SaaS and BaaS solutions.
Common examples of SaaS cloud solutions for small businesses
SaaS-type online solutions include professional versions of apps also used by private individuals, such as Hootsuite, Shopify, Mailchimp, G Suite and many others. But of course, specific cloud solutions for small and medium-sized businesses go beyond these familiar examples and help increase productivity or facilitate marketing and sales.
Other rather important solutions for small and medium-sized enterprises are cloud backup and online storage. This is because, regardless of their size, companies today must manage an ever larger amount of data, and they must also do it securely.
In terms of security, it is also worth specifying that a backup is not simply a synchronized folder. In fact, online storage services are often misunderstood and mistaken for a backup method.
Professional tip: to protect your data you should have backup functions that allow you to restore everything you need to pick up where you left off before the data loss occurred.
Our advice is always to contact professionals not only for the purchase, but also for advice. In fact, the available solutions are manifold and offer functionality that may not be necessary. This is where a managed service provider (MSP) comes in, such as Secure Online Desktop. We can help you in choosing and setting up the ideal infrastructure for your specific case.
Why choose us
Small businesses are often challenged to understand and manage the complexity of IT systems, with the risk of finding themselves stuck because these systems are outside their expertise. An MSP can help, thanks to the experience gained in the field. But it is better if the company is local.
In fact, while it is true that small businesses can easily access many cloud solutions, adoption is not always easy. Being able to turn to professionals based in your own area offers an additional level of reassurance. The initial setup, the specific choice of functionality and the initial sizing of the service are all variables that are easily misjudged by non-professionals.
An overview of the key solutions
The services we offer give greater value to small businesses, not only because they are customized solutions, but also because our experience gives us a clear picture of what their needs will be in the future. We can therefore advise in advance on how to move when the company starts to grow.
By contacting us, the customer can concretely plan the growth of their company and infrastructure, starting from the immediately necessary solutions and moving on to planning specific ones based on expected growth and possible unexpected events.
Modern Data Protection
How to Completely Safeguard Businesses – with Ease
“Simplify” is often a valuable mantra for success. Yet in a complex and ever-evolving IT environment, it is not necessarily the go-to approach for service providers. In the case of data protection, simplification may not only seem unlikely, but potentially unwise. Fortunately, certain innovative cloud technologies now make it simple for companies to scale their infrastructure and defend that growth with efficient backup and recovery solutions.
Human error is as damaging as ever and natural threats such as fire and flood still persist. Meanwhile, cyber threats are growing in number and complexity. Whatever the cause might be, if the lights go out for even an hour, companies are at risk.
43% of ransomware attacks are aimed at SMBs (1)
$8,581 per hour is the average cost of downtime (2)
(1) Small Business Trends (2) The Aberdeen Group
The best defenses are usually based on a layered data protection strategy. First, you start with standard approaches, like passwords and encryption, traditional anti-virus protection and mobile wipe.
Then you secure everything, from emails and endpoints to servers, with a backup solution that actively protects against ransomware – so even customer backups are safe.
Secure cloud backup provides the last line of defense by protecting a business’ bottom line. Following the 3-2-1 rule of backup (creating three copies of your data, on two types of storage, with one located off-site) keeps your files safe and avoids the worst-case scenario – bankruptcy – should a disaster strike and destroy your local copies.
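The 3-2-1 rule above, and the NAS problem described in the earlier article on ransomware and backups (a copy the server can write to is a copy the ransomware can encrypt), can both be turned into a mechanical check on a backup inventory. The following Python script is an added example, not code from the page, SOD or Acronis; the inventory format, the BackupCopy fields and the two sample inventories are constructed for illustration, with the production copy counted as copy number one.

```python
"""Audit a backup inventory against the 3-2-1 rule and against the
"reachable from the protected server" problem (added example; the
inventory format and the sample data below are constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str      # storage type: "server_disk", "nas", "cloud", "usb_disk", "tape" ...
    offsite: bool    # physically stored outside the protected site
    reachable: bool  # mounted or writable from the protected server at all times


def audit_backups(copies: List[BackupCopy]) -> Dict[str, object]:
    """Check an inventory (production copy included) against 3-2-1 and flag
    the copies that a ransomware process running on the server could encrypt."""
    media = {c.medium for c in copies}
    offsite = [c.name for c in copies if c.offsite]
    exposed = [c.name for c in copies if c.reachable]
    isolated = [c.name for c in copies if not c.reachable]
    findings: List[str] = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    if len(media) < 2:
        findings.append("all copies on a single storage type; 3-2-1 needs two")
    if not offsite:
        findings.append("no off-site copy")
    if not isolated:
        findings.append("every copy is reachable from the server: malware that "
                        "encrypts the server can encrypt all backups as well")
    return {
        "three_two_one": len(copies) >= 3 and len(media) >= 2 and bool(offsite),
        "isolated_copies": isolated,
        "exposed_copies": exposed,
        "findings": findings,
    }


# Constructed sample inventories (not a real environment)
NAS_ONLY = [
    BackupCopy("production", "server_disk", offsite=False, reachable=True),
    # SMB share permanently mounted on the server: encrypted along with it
    BackupCopy("nightly-nas", "nas", offsite=False, reachable=True),
]
CLOUD_AND_USB = [
    BackupCopy("production", "server_disk", offsite=False, reachable=True),
    BackupCopy("nightly-nas", "nas", offsite=False, reachable=True),
    # snapshot taken by the provider outside the VM: the VM cannot write to it
    BackupCopy("provider-snapshot", "cloud", offsite=True, reachable=False),
    # external disk unplugged after each run
    BackupCopy("weekly-usb", "usb_disk", offsite=False, reachable=False),
]

if __name__ == "__main__":
    for label, inventory in (("NAS only", NAS_ONLY), ("cloud + USB", CLOUD_AND_USB)):
        result = audit_backups(inventory)
        print(label, "3-2-1 OK" if result["three_two_one"] else "3-2-1 FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

The `reachable` flag is the one that 3-2-1 alone does not capture: an off-site copy on a permanently mounted share still counts as off-site but offers no protection, which is why the audit reports it separately from the rule itself.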
With the emergence of the cloud, today there are even more solutions available to enhance business productivity. While that means you also have more systems and data to protect, it doesn’t need to be a problem. When it comes to data protection, the cloud can streamline and strengthen defenses without crippling your customer’s budget.
With the right backup solution, it’s easy to ensure complete data protection – including protecting virtual and mobile systems – so you no longer need to independently monitor and secure data across multiple environments. Modern solutions also let you:
1. Support more customers with centralized backup and recovery management
2. Experience unprecedented flexibility to choose any solution for any customer need
3. Protect all data seamlessly and remotely, in any location and any environment
4. Rest easy knowing the entire infrastructure, across multiple business locations, remains secure
The cloud can offer a complete defense that scales as your customers’ businesses do. Just add on cloud-based disaster recovery services and you can have businesses running again instantly. It’s that simple.
What is the European Union (EU) General Data Protection Regulation (GDPR)?
♦ The GDPR is a new EU regulation that does not only concern companies based in the European Union!
♦ The GDPR concerns personal data and generally lays down stricter rules than most other privacy laws
♦ The GDPR applies to all companies that:
◊ Have employees in the EU
◊ Offer goods or services to EU citizens
◊ Monitor the behaviour of EU citizens (e.g. targeted advertising)
♦ GDPR compliance involves not only formulating and implementing policies and processes, but also an ongoing commitment to protecting privacy
The GDPR is urgent and imminent
IT COMES INTO FORCE ON 25 MAY 2018!
€10,000,000 or 2% of total annual worldwide turnover, whichever is higher
Examples: failure to keep a written record of processing activities; failure to adopt technical/organisational measures proportionate to the risk, or failure to appoint a data protection officer where required
€20,000,000 or 4% of total annual worldwide turnover, whichever is higher
Examples: failure to comply with the requirements for cross-border data transfer, with the special restrictions on sensitive data (minors, health status, etc.) or with individuals’ rights to control their personal data
Basic GDPR concepts
Data subject
Anyone in the EU who is identifiable (directly or indirectly) on the basis of their personal data.
Data controller
“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Data processor
“The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Personal data
“Any information relating to an identified or identifiable natural person.” The following are considered personal data: name, e-mail address, health information, location, bank details, IP address, cookies, cultural identity, etc.
Data processing
“Any operation or set of operations performed on personal data.” All activities of collection, retention, storage, reproduction, use, access, transfer, alteration, extraction, disclosure, erasure or destruction of data are considered processing.
What does GDPR compliance mean?
The GDPR is an ongoing commitment!
How to demonstrate GDPR compliance:
♦ Process data according to the GDPR principles: lawfully, fairly, securely, limited to the stated purposes, etc.
♦ Carry out periodic security risk assessments
♦ Monitor data processing to detect breaches
♦ Keep company policies and procedures up to date
♦ Adopt appropriate technical and organisational measures to mitigate risks to personal data
Obligations of the controller and the processor
Controllers and processors are subject to the GDPR and, under the regulation, have the following obligations:
• Ensure the security of processing
• Transfer data abroad lawfully
The controller is required to enter into a detailed processing contract with each processor. The contract must stipulate that the processor acts only on the controller’s instructions and complies with the provisions of the GDPR (in addition to other obligations).
Example: the role of the service provider (Secure Online Desktop)
An EU resident (the data subject) obtains a loan from a bank in their country. The bank collects the data subject’s personal data and determines the purposes and means of processing it.
The bank is the data controller. The bank purchases cloud backup services from a managed service provider (MSP) that performs the backups on the bank’s behalf. The MSP uses the personal data exclusively for the purposes specified by the bank. The MSP is the data processor.
Security of processing
Security controls must be adopted to ensure, on an ongoing basis, the confidentiality, integrity and availability of systems and services, in order to protect personal data from:
♦ External threats (e.g. hackers).
♦ Internal threats (e.g. inadequately trained employees).
♦ Unauthorised or unlawful processing.
♦ Accidental loss, destruction or damage.
Personal data must be processed according to the GDPR principles (Art. 5): security, lawfulness, transparency, purpose limitation, accuracy, data minimisation, integrity and confidentiality. Systems that process personal data must implement data protection by design and by default and provide safeguards such as encryption and pseudonymisation.
A process must be put in place to periodically assess the effectiveness of the technical and organisational measures that ensure the security of processing on an ongoing basis.
The GDPR gives EU citizens new and broader rights over their personal data:
♦ Access to personal data (description of the purposes of processing, information about the controller/processor, retention period, records of activities, etc.).
♦ Rectification of personal data: correction of errors and updating.
♦ Restriction of processing / objection to processing pending verification.
♦ Erasure of personal data (also known as the “right to be forgotten”).
♦ Data portability: the ability to export personal data in a machine-readable format.
♦ Transparency: the ability to know which personal data are collected, stored and processed, as well as how and where they are processed and stored.
Users can exercise their rights through a controller, a processor or, where available, an automated mechanism. The request must be fulfilled within 30 days.
Rights of the data subject / user
Data subjects’ rights are not absolute! For example, the right to erasure applies only if:
♦ the personal data are no longer necessary in relation to the purposes for which they were collected (and no new lawful purposes exist);
♦ the legal basis for the processing is the data subject’s consent, the data subject withdraws consent and there is no other legal basis;
♦ the data subject exercises the right to object, and the controller has no overriding legitimate grounds to continue the processing;
♦ the personal data have been processed unlawfully; or
♦ erasure of the personal data is necessary to comply with a legal obligation under Union or Member State law.
Data breach notification policy
All controllers are required to inform the competent supervisory authority of a personal data breach within 72 hours of becoming reasonably certain that the availability, confidentiality or integrity of an EU citizen’s personal data has been compromised. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also inform the data subjects concerned. Controllers must check that any processors and sub-processors have in turn put in place adequate data breach notification policies. The processor must inform the controller without undue delay after becoming aware of a personal data breach.
Cross-border data transfer
♦ The transfer of personal data of EU/EEA citizens to recipients outside the EU/EEA is generally prohibited unless:
◊ the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection
◊ the data exporter provides appropriate safeguards (e.g. binding corporate rules, standard data protection clauses, a legally binding and enforceable instrument between the controller or processor in the third country)
◊ derogations or exemptions apply
♦ Controllers and processors must adopt lawful mechanisms for transferring personal data, which include, among others, the data subject’s consent, standard clauses, compliance with the Privacy Shield in force between the EU and the United States, and binding corporate rules.
♦ Service providers that use Acronis Cloud services (backup, disaster recovery, Files Cloud) can specify the geographical area in which customer data will be stored (e.g. in a data center located in the EU). Service providers must always bear in mind that remote access to data is considered a transfer.
How Acronis Cloud Backup can help service providers comply with the GDPR
Security of processing
♦ Encryption in transit (SSL/TLS) and at rest (Acronis Storage with AES).
♦ Audit logs to detect suspicious behaviour and keep records of processing activities.
♦ Role-based access to ensure confidentiality and protect against unauthorised processing.
♦ Dashboards with alerts and reports to improve control and monitoring.
♦ Customisable retention rules in support of the data-minimisation principle.
Rights of the data subject / user
♦ Access to data: browsing the archives to find the requested data.
♦ Configuration of account profile data to make rectification of personal data easier.
♦ Export of personal data.
♦ Deletion of archives.
Cross-border data transfer
♦ Control over the location of the data archive.
♦ Data centres located in the EU.
Mapping of GDPR requirements to Acronis Backup Cloud

| Requirement | Supporting features |
|---|---|
| Protection of personal data | Encryption in transit and at rest; role-based access and privilege-based access management; active protection against ransomware threats |
| Easy access to / control of personal data on request of data subjects | Browsing of archives; easy rectification of personal data; export of personal data (zip format); customisable retention rules |
| Control of data location | Control over the location of the data archive; data centres located in the EU |
| Monitoring / breach notification | Audit logs to detect suspicious behaviour and prevent threats; dashboards with alerts and reports to improve control and monitoring |
Subscription is a convenient way to receive updates, products or services on a regular, ongoing basis. The business model has stood the test of time: over the years satisfied customers have subscribed to newspapers, magazines, CDs, wine and even opera tickets. And then the cloud arrived. The cloud has made complex IT simple and cheap, thanks to the familiar subscription model of service delivery.
Today, public cloud computing services generate revenues of $246.8 billion. By 2020, Gartner says, cloud adoption strategies will affect over 50% of IT outsourcing contracts. Service providers are rushing to get on board.
A subscription is an agreement to receive products or services regularly by paying in advance. It has become the default business model for service providers. Even system integrators who made their name selling individual software licences are now switching to a subscription or software-as-a-service delivery model to survive and grow their customer base.
For customers, a subscription is about practicality, scalability and economy. The OpEx-based consumption model of a subscription service beats the traditional CapEx model in every respect. Instead of spending hundreds and often thousands of euros on hardware devices and software licences (and then worrying about maintenance and upgrades), companies pay a manageable monthly fee only for what they use and only for the service they need.
There are two popular subscription models designed to attract new customers by letting them try the service before committing to a full subscription.
Freemium
A freemium business model offers a free basic service plus additional paid features. It has become one of the dominant business models in the mobile-app market and is widely adopted by cloud service providers. LinkedIn, Dropbox, Yammer and millions of other vendors use this model, with the free tier as a powerful marketing tool: users are more likely to recommend a service to others when it is free and easy to use. There are also signs that freemium performs even better than a 30-day trial, because it spares customers the cumbersome cancellation process when they are trying a service for the first time.
With the Acronis Cloud Backup service, the freemium option lets you offer a free plan for one computer with local backup storage and then charge for additional services such as cloud storage and additional devices.
Bait and Hook
This subscription model offers a basic service at a low price, or even free, and charges full price for additional resources. Its origin is often attributed to Gillette, the razor company known for selling cheap razor kits and expensive blade refills. Today it is widely used by mobile phone companies (a free phone with a long-term service plan), printer manufacturers (cheap printers, expensive ink) and many other businesses whose revenue comes mostly from consumables.
With the Acronis Cloud Backup service, on the other hand, you have a free plan with a limited amount of cloud storage space. This lets customers register and try the fully functional service before purchasing additional cloud storage to meet their needs. In this section you can consult the complete list of demo services that Secure Online Desktop makes available to its customers.
Acronis Cloud Backup
The Acronis Cloud Backup service is designed to meet the growing demand from customers for the subscription models described above.
BaaS (Backup as a Service) lets your company keep an off-site copy of its data in the cloud. That way your information is stored in a safe place and can be restored at any time in the event of a disaster.
BaaS is one way to implement the 3-2-1 backup rule (three copies of the data, on two different media, with one copy off-site).
Secure Online Desktop offers its customers two different ways to implement BaaS, to cover a range of different business needs.
Backup as a Service
The first BaaS (Backup as a Service) solution uses the well-known Veeam technology, used by millions of customers worldwide, to extend the customer's local Veeam installation to the Secure Online Desktop cloud. The related service is called Veeam Cloud Connect and allows Veeam users to select Secure Online Desktop as a cloud service provider directly from the Veeam console, via the “BACKUP INFRASTRUCTURE -> ADD SERVICE PROVIDER” panel or by searching for it with the “FIND SERVICE PROVIDER” link.
Pros and cons of the Veeam Cloud Connect solution
Pros:
1) No installation – No additional software or hardware devices are needed in the company;
2) Simplicity – The customer can turn on the cloud provider functionality from the Veeam Backup & Replication console with a single click;
3) No new console – There is no need to learn a new tool or access additional consoles, because all cloud backups are fully visible within the existing Veeam Backup & Replication console;
4) No VPN – No additional encrypted channel needs to be set up between the customer and Secure Online Desktop: communications are encrypted with SSL/TLS in transit, and the backup data is encrypted at the source with AES before it leaves the site;
5) WAN Accelerator – Veeam's WAN acceleration optimises backup traffic to reduce transfer time and Internet bandwidth usage.
Cons:
1) The Veeam solution must already be in use in the company;
2) Only devices supported by Veeam can be protected by the backup.
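The security-relevant point in the Veeam "No VPN" item above, and in the "encryption in transit and at rest" bullet of the Acronis section earlier on this page, is that backup data is encrypted at the source with a key the cloud provider never holds: TLS only protects the hop, while source-side encryption keeps the provider (and anyone who compromises its storage) out of the plaintext. The following Go program is an added illustration written for this page, not Veeam's or Acronis's own code; it assumes a random 256-bit data-encryption key held by the customer and uses AES-256-GCM so that a chunk modified or swapped on the provider side is rejected at restore time. The job and chunk identifiers are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually leaves the customer's site: a fresh nonce plus the
// AES-GCM ciphertext (which includes the authentication tag). The key is not in it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDEK generates a random 256-bit data-encryption key. In a real deployment it
// would come from a customer-side key manager or a passphrase KDF (assumption for
// this example: a random key is enough to show the property); it must never be
// sent to the provider, otherwise "encrypted at rest" protects nothing.
func NewDEK() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one backup chunk at the source with AES-256-GCM. The additional
// authenticated data (aad) binds the ciphertext to its identity (job + chunk
// index), so a valid chunk cannot be silently substituted for another one.
func Seal(key, plaintext, aad []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // GCM nonces must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts and verifies a chunk fetched back from the provider. Any change to
// the nonce, the ciphertext or the aad makes GCM's tag check fail.
func Open(key []byte, env Envelope, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

// Tampered reports whether a chunk fails authentication, i.e. whether a restore
// must refuse it rather than write possibly manipulated data back onto a server.
func Tampered(key []byte, env Envelope, aad []byte) bool {
	_, err := Open(key, env, aad)
	return err != nil
}

func main() {
	key, err := NewDEK()
	if err != nil {
		panic(err)
	}
	chunk := []byte("constructed sample: contents of backup chunk 0")
	aad := []byte("job=nightly-vm01;chunk=0") // constructed identifiers

	env, err := Seal(key, chunk, aad)
	if err != nil {
		panic(err)
	}
	// What the provider stores is ciphertext; the chunk itself is not visible to it.
	fmt.Println("plaintext visible to provider:", bytes.Contains(env.Ciphertext, chunk))

	// A single bit flipped in storage (or a swapped chunk) is caught at restore time.
	bad := Envelope{Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	bad.Ciphertext[0] ^= 0x01
	fmt.Println("tampered chunk rejected:", Tampered(key, bad, aad))

	got, err := Open(key, env, aad)
	fmt.Println("restore ok:", err == nil && bytes.Equal(got, chunk))
}
```

The design point is that confidentiality and integrity both rest on a key that stays on the customer's side; TLS on the link is still needed to hide metadata and block injection in transit, but it is not what makes the provider-side copy safe to lose. Losing that key, on the other hand, makes the off-site copy unrecoverable, so key backup is part of the 3-2-1 plan too.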
The second BaaS solution uses Acronis technology and its AnyData engine instead. As with the first, it lets you keep an off-site copy in our cloud and perform a full restore (the entire virtual machine, in virtualised environments) or a partial restore (a single file or folder) of your data with a single click.
Pros and cons of the Acronis Cloud Backup solution
Pros:
1) No other backup software is required – The service includes the software agents needed to work with the cloud backup system, so it can also be used for local copies;
2) Full protection – Acronis Cloud Backup covers many types of devices, applications and operating systems, including mobile devices;
3) No limit on the number of protected systems – The service is billed only on the basis of cloud storage used, with no limit on the number of systems covered by the backup;
4) Local backups – The agents supplied with the service and its backup policies also let you keep backups on any local storage at your site at no extra cost.
Cons:
1) Agents must be installed or deployed on every system you want the service to cover.