Woon Jung: [00:00:00] While AWS will do a great job the 11 nines of durability, if you make an accidental deletion, that deletion is also 11 nines deletable. What's gone is gone.

Ashish: If I was to do that with AWS native feature, even that would not happen.

Woon Jung: If you have a bucket with billions of objects, it's gonna take you days, maybe weeks for you to recover.

If I have root level access in that account, there's no versioning that can help you. There's no snapshot that can help you. Think of this being your bunker account. It is. Isolated. No matter what happens in any of your accounts, your backup is safe here.

Ashish: I was at Amazon's largest conference for 2025 AWS re:Invent and had a conversation about cloud native resilience, what does that mean?

And is cloud native backup enough? Lemme tell you, I didn't realize some of the gaps that exist today. So for this particular conversation, I had one Jang from Commvault and Clumio. who came spoke about some of the challenges that cloud native presents that most of us probably don't even realize. For example, cloud native solutions do a great job of backup and recovery, but when it comes to restore [00:01:00] and talking about RTO and RPOs, that is a lot more complex conversations today than it was six, seven years ago, where it was as simple as me trying to just back up a single S3 bucket or Azure block storage.

But these days, one single bucket could have billions of objects. Yes. I'm not kidding. That has happened More on that with the episode with Woon. If you know someone who is working on building a backup and recovery program for next year or uplifting an existing one, definitely share this with them. And as always, if you have been listening or watching an episode of Cloud Security Podcast for some time and have been enjoying it, I would really appreciate if you could take a quick second to drop that follow subscribe button, whichever platform you're listening or watching this on, whether it's Spotify, LinkedIn, YouTube, on Apple Podcast.

Thank you so much for taking that moment and helping us grow. Enjoy this episode with one and I'll talk to you soon. Hello and welcome to another episode of Classically Podcast. I've got Woon with me. Hey man. Thanks for coming on the show.

Woon Jung: Thank you.

Ashish: Thank you for having me. Maybe to kick things off, if you could just share a bit about yourself, your experience, where you are these days, man.

Woon Jung: Yeah. So, uh, my name is Woon Jung. I'm the co-founder and [00:02:00] CTO at Clumio.

Ashish: Yeah.

Woon Jung: Uh, which got acquired last year around October by Commvault. So transitioned over, uh, to Commvault as part of the acquisition. And at Commvault I lead the, the Clumia team. Yeah. Basically I lead both product and engineering and related to Clumio of course.

Ashish: Oh, of course. I think you and I were talking about, before we started recording, we were talking about cloud native resilience. Yeah. And it's a, I think now with ransomware and so many other conversations that are floating around. What's the 2025 or 2026 definition of cloud native resilience?

'cause it evolved so much now that AI and everything is there as well. How do you define cloud native resilience today?

Woon Jung: Yeah, so, uh, I would say, well, first of all, I think there's a couple of questions. I think you, you talked about AI then the cloud resiliency

Ashish: Yeah.

Woon Jung: On the cloud. Uh, okay. Well let's tackle the first question first, which is kind of the, the AI related stuff.

So. 'Cause everybody talks about gene AI these days. Yeah. So, from A-J-I-J-I perspective, what I think is, you know, it changes the [00:03:00] behavior, how the, the applications behaves.

Ashish: Yeah.

Woon Jung: Uh, you know, it goes from having like list of rules. An application is just basically a long list of what structure rules

Ashish: Yeah.

To

Woon Jung: something like an LLM, which is a lot more dynamic and is, you know, it has, it's more autonomous.

Ashish: Yeah.

Woon Jung: Having said that though when it comes to data protection, yeah. A lot of the stuff is still the same. So, you know, a high level of garbage engine garbage out.

Ashish: Yeah.

Woon Jung: So the fact that you have to go ahead and protect the data, it really doesn't change that much because, you know, because of the gene ai.

Now the second part is you talked about the cloud resiliency aspect of it. Yeah. Like cloud

Ashish: data resilience is too, what does that mean today? Yeah.

Woon Jung: I think that that aspect has been evolving over time quite a bit. Mm-hmm. You know. Yes. Uh, Lumio got acquired, uh, last year by Commvault, but we've been around Lumio got acquired on the seventh year.

You know, just kind of for the last eight years, been looking at the cloud, cloud data resiliency for some time now. Uh. At the very beginning, like let's say if you go five, six years ago, [00:04:00] people used to tell us, you know, why do we even back up anything in S3? Right? Because, AWS will go ahead and replicate everything.

They'll make sure the infrastructure is there really in place and, you know, all those 11 nine so dur abilities and why you needed, yeah, 99.999,

Ashish: whatever the thing was. Yeah,

Woon Jung: Yeah, yeah. So then. That was then, and then like I've been coming at re:Invent quite a bit. Yeah. Uh, and then every year just talking to the customers and you kind of see the questions kind of evolving.

Ashish: Okay.

Woon Jung: And these days, uh, the, it, uh, it had matured quite a bit. Now the, people are asking the right questions and they understand the concept of, you know, the, the shared responsibility.

Ashish: Yeah.

Woon Jung: So while AWS will do a great job in, you know, securing the infrastructure Yeah. And, and all that stuff for you.

Ashish: Yeah.

Woon Jung: Uh, it is your job to go ahead and utilize all those tools to protect your data. 'cause really the, you know, the 11 nines of durability. If you make an accidental deletion, that deletion is also 11 nines deletable. So [00:05:00] what's gone is gone.

Ashish: Oh wait, so what do people misunderstand about? Because I think it's a good point because a lot of people had come from that AWS shared responsibility model.

I. I had these conversations about security before where oh AWS has my security cover. Don't worry about security. And the same way. So do you find that the evolved conversation became more like Amazon is doing backup to, I'm using S3 bucket for backup, but now S3 bucket's not enough? Or are people still, do you find people still use that as the backup source?

Being cloud native backup source is enough.

Woon Jung: No. So what we do is like, uh, from a kuia perspective, we back up AWS native data sources, right? Yeah. Essentially we back up RDS S3 E, C two EB smo, and three buckets and so on, right? So that's kind of what we do. So in the past it has been things like, you know, I have version enabled in my bucket, right?

So then once version is enabled, essentially all the updates and [00:06:00] deletions are not done in place, but essentially, you know, updates are done, uh, by what's called, you know, creating new version stacks. Yeah, yeah. So when you basically have an object A and you put another OB object with the same name, instead of overriding it, it will actually put a newer version of that object A.

Okay. And then it would just basically have a long chain of version stacks. So technically then what that means is that, you know, even the case of, accidental updates or deletions, the data's still there.

Ashish: Oh, right. You can go back to the older version. Yeah. You

Woon Jung: can always go back to the older versions.

Yeah. And then that gives you a sense of security, which is, you know, the data is there. Yeah. But then that was at the very beginning. But as time progresses, uh, people do realize that, you know, sometimes it's not enough. Like if there's an accident that happens at the account level, at the bucket level where the entire bucket is destroyed.

Either accidentally or malicious tax or whatever.

Ashish: Yeah.

Woon Jung: Then essentially no version is gonna help you, 'cause it gets deleted with it. Oh, oh, right. Okay. Yeah. '

Ashish: cause your previous versions are gone as well now.

Woon Jung: [00:07:00] Yeah. Yeah. So basically you're deleting the whole thing.

Ashish: Yeah.

Woon Jung: So then it goes away.

And then the, the, the other thing that people should ask is about things like, you know, Hey, I have a bucket. Yeah. With, you know, billions of billions of objects and every object has, let's say, you know, 10, 20 versions. Right? Yeah. Because you've been updating it. And then what happens is that, let's say we roll out a, you know, a software bug or there's an attack and something bad happens and then which ends up corrupting, let's say, you know, few hundred millions of objects.

Ashish: Yeah.

Woon Jung: Now you have to go back. So yesterday at 5:00 PM Yeah, so that's where you wanna go. Now what happens is that you have to identify which versions of, of, for each of the objects, you have to find the right version and roll them back one at a time. So you gotta do that hundreds of millions of times in know billions of times.

So then while the data is there, when it is time to recover is not practical. It's close to impossible for you to actually do it on the spot [00:08:00] then. Those things will actually, you know, uh, lead people to think about, not just about, Hey, well, is version just good enough? Or, you know, in when an accident happens you know, how do I recover, how do I use those versions and, and stuff like that.

So it's, it's been an evolving story for us. Interesting.

Ashish: And now with people scaling their companies, like the hyperscalers of the world who go multi-cloud and stuff as well. Uh, does the conversational resilience evolve even more? Because I, I, I've been in conversations with banks where we had a regulatory requirement that, oh, because I am primarily AWS I should have my backups in Azure or GCP.

Or whatever other, insert another cloud provider here. Has that kind of conversation evolved as well, or, I mean, 'cause actually to what you said I think it's the, it's the risk appetite of the organization for whether you're okay for something to go wrong at AWS and not having a backup. Mm-hmm.

Woon Jung: So, uh, well, I don't think [00:09:00] it's about multi-cloud so much. Okay. So, uh, what has happened was okay, so then we do encounter customers with that are using more than one cloud. Yeah. Let's say, you know, AWS and they'll use GCP for different projects. Right. But it is very the case where a customer will ask us to actually back up the stuff in AWS into gcp.

Mm-hmm. Right. It's just. It's not very often that you hear that. And then one of the reason is also because of things like res fee, right? Because today what we do, in the case of Lumio, we back up your AWS resources within AWS, and if the customer chooses to be within the same region, we'll do it within the same region.

Ashish: Mm.

Woon Jung: So then what happens is there's no transfer fee. There's egress fee whatsoever,

Ashish: right? Right.

Woon Jung: So if you're backing up petabytes of data, you're not paying for the egress fee. But then the moment that you actually take that and you back it up into, let's say a GCP or a different cloud provider Yeah. Then you have to, you know, consider that egress fee that, so more often, instead [00:10:00] of a new cloud, a a different cloud provider, what we get at is about can you actually back it up into a different AWS region, right?

So. I'm using Oregon. Can you back it up to Virginia or vice versa?

Ashish: Oh, right. Multi-region backups rather than Okay. Oh right, okay. Fair.

Woon Jung: And then, uh, we do support that and then we actually, you know, it's part of the product. Yeah. So customers can choose to back it up within the same region or back it up to a different region.

Ashish: But I guess to your point, resilience, it's more than backup though, right? It's not just the fact that I can have my backup spot recovery as well.

Woon Jung: Yeah. Correct. Yes.

Ashish: So to, I guess. And going back to the AWS shared responsibility model, does natively, can, can I do multi-region backups and can natively, can I restore because I, there's, there is that to be said.

'cause there's always this tussle between the cloud native world as well as the, Hey, why do I need another product to solve this particular problem? I think to, to your point, is there a, is there a native capability in Amazon or Azure that I can use to do multi-region, multi account backup, all of that. [00:11:00] And, uh, or is there a gap there?

Because I imagine people who are trying to build like a resilience program for 2026, right? Mm-hmm. We are a WAW re:Invent day. People are already working on what their program would look like next year, whether they're uplifting a resilience program. I almost feel is that a resilience gap that they are not aware of that is natively available?

Woon Jung: No. So, yeah. So. They do have the native solutions, have features and solutions that would actually help the customers to actually do, to protect their data. Yeah. Right. So I would say what, what we should do is we should actually, think about it from starting from something that is, uh, basic.

Ashish: Yeah.

Woon Jung: To, something that is good. Yeah. And something that is, you know. Absolutely the best I say, and depending on what type of data. 'cause you know, if you have hundreds of, you know, let's say you have a hundred buckets, right? Yeah.

Ashish: Yeah.

Woon Jung: For some of the buckets, maybe, uh, version is, is good enough.

Mm-hmm. That's all you need. And you don't need anything else. 'cause you know, that's it. [00:12:00] Yeah. Uh, what version gives you is operational recovery for accidental mistakes and stuff like that. But there's gonna be a subset of the buckets where, a second copy is required. Yeah. Yeah. Because those are truly important.

And there will be even a smaller subset of those bucket that is not only a second copy, but you want a second copy in a different region. Mm. So then you'll just have to go ahead and, you know, pick the right flavors. Yeah. And then protect the, you know, the data with the right tool, given the importance of the data.

But now coming back to your question about, you know, whether the native tools offers that or not, is that. No, frankly. Yes. AWS uh, the platform itself, they have a lot of, good features that you can actually use and leverage to solve some of those problems.

Ashish: Yeah.

Woon Jung: You know, you have things like snapshots, and I think they're great.

Uh, you know, in the case of DynamoDB, they have something called, uh, pitter mm-hmm. Which is attached to the DynamoDB table, uh, which is a built-in solution. It's AWS Solutions, which is a great solution that everybody should just enable it. [00:13:00] What that allows you to do is that if a corruption were to happen in that DynamoDB table, uh, you can actually create a new table.

Ashish: Mm. At

Woon Jung: any specific point in time. Let's say, you know, I'm gonna go back to yesterday at 3:00 PM

Ashish: Yeah.

Woon Jung: So then I create a table of the same table as of 3:00 PM yesterday. I can create a new one using Peter. Oh, right. Which is great. So people you should use that. Yeah. It gives them the ability to do things like operational recovery and stuff like that.

Now. The next thing is, since we talked about the, the different faces, is the next thing that you wanna do is that, you know, let's say that table is you have a table that is extremely important and then you can't afford to lose it no matter what.

Ashish: Yeah.

Woon Jung: The downside with pitter is that it is attached to the DynamoDB table.

Then what that means is that if you lose that table, you lose the pitter and. It's like a data, you know the, the SQL Databases transaction log? Yeah. It's very much similar to that. Right. They're attached right. With the database. So the service is

Ashish: not there. It's

Woon Jung: not there. [00:14:00] Right. Yeah. So, so it's attached to the table and somebody can actually go ahead also disable that Peter, in which case you lose all the 30 or 45 days of history Oh, wow.

In one shot. But you know, for the large majority Yeah. Of your table, maybe that's good enough and that's where you start.

Ashish: Yeah. But does that change with some of the newer data lake, data warehouses, all of that's coming up as well?

Woon Jung: I think they all have similar flavors where you have, you know, the data lakes will have something called, it's not gonna be called pitter, but then they call it snapshots.

Yeah. Okay. But then snapshots, again, at the same time, it is with the database attached to it. So data formats, like, you know, Apache Iceberg they have what's called snapshots. Yeah. So you can create those snapshots, but then those snapshots are within the same bucket. It's just basically within the same database.

Right.

Ashish: So you reckon it's probably not a good idea to have your production backup rely just on snapshots?

Woon Jung: If it's a

Ashish: critical database. Yeah,

Woon Jung: exactly. So yeah, so basically snapshots have their place. Yeah. [00:15:00] It's a, it is a great tool and everybody should leverage it the right way. But then, uh, people should also understand what are the limitations, right.

What you're getting into. Yeah. Yeah. And then, make your decision like this is important.

Ashish: Yeah.

Woon Jung: Then snapshot is not good enough. Then you have to create that second copy. And then that's kind of a lot of times when backup comes into the picture, right? Mm-hmm. So

Ashish: I think you were referring to, we kind of touched on the whole, uh, restore part as well.

'cause these days, uh, obviously there, there is an understanding that I have version control on my S3 bucket. I have versioning on ib. Even I think even RDS has a version control now these days. Mm-hmm. Uh, or I have backup snapshots, whatever the insert, another backup option that I run. Is the conversation of restore also evolved the same way Cloud native resilience has evolved.

To your point, you today as someone who is concerned about backup to protect from ransomware or whatever the other, yeah. Threat may be you have the option to use a cloud native feature or you have the an option to go, now this is really [00:16:00] critical. I can't. I can't hope that AWS was always there, and we have seen recent examples where DNS does go down and or whatever the example there was trying to, I think I'm mixing CloudFlare and AWS issues, but whatever the, there's an incident where AWS went down, and that could be critical for your business to have that much of a downtime, but the bigger piece over here is the restore part as well.

Woon Jung: Mm-hmm.

Ashish: In terms of being able to restore. What I have is what I have backed up for the critical applications that are running. Uh, my organization has a conversation about restore evolved as well, the same way it evolved for backups now that, hey, I have cloud native backup. I've has people mature a bit more about from I can back up in cloud to now.

Oh, recovery is not just about building whatever is there in my cloud now.

Woon Jung: Yeah, no. So yes the, the, the a the short answer Yes. The, the, the, a lot of the stuff evolved over time, uh, before it used to be like the DR test. Yes. They used to [00:17:00] be very rudimentary. They used to say, Hey, can I recover my table, yes or no?

And then they would take a small table and they would just recover it, pointing them. Yeah. And then essentially it's done, right? So I have a table here and I recovered it, and it's done. But it's a lot more complicated 'cause you know, when, either attacked or accidental deletions or these things like that happens, then the accidents that do not happen, they're not that simple.

They're a lot more complex. So then you do have to worry about the different modalities or how you can actually restore. Mm-hmm. Like restoring entire table. As an entirety, as a new table is one mode of restore. Yeah. So the me saying the accidents are a lot more complex. Mm. When they do happen and they're not as simple as, Hey, I wanna take the whole table and restore it back.

Mm. Right. I mean, restore it as a new table. So then. Different solutions. And then Lumio definitely is one of them that actually, uh, delivers, I would say the most flexibility when it comes to the modalities of the different resource. Right. Let [00:18:00] me just give you one example and maybe Yeah, that'd be great.

Yeah. Thank you. Might actually, uh, better to understand. So let's say we have a Dynamo DB table. Yeah. And. You know, you and I are running a company, and then essentially we have a bunch of customers coming to us, and then every customers have their own data. So then what we're gonna do is we're gonna use a single dynam o TB table to organize all the data for, you know, the hundreds of customers that we have.

Right. So then Dynam O DB has a concept of partitions and stuff like that. Yeah. So. Let's say that, you know, you and I decide that, you know, for customer one, we're gonna put all the customer one's data into partition one.

Ashish: Yeah.

Woon Jung: Customer two into partition two, and so on and so forth, right? Yeah. So one table with all the hundreds of customers data in different partitions.

Ashish: Yeah.

Woon Jung: So that's the right way to do it. 'cause then what's the alternative? Would you create hundreds of. DynamoDB tables, you wouldn't, you will create a single DynamoDB table and you would have, your hundreds of users using different partitions of the table. Table. So then now we go on our own business.

And then let's say an accident happens, and let's say [00:19:00] customers, you know, one and one through 10, let's say, gets impacted with something.

Ashish: Yeah.

Woon Jung: So customer one got impacted at 1:00 PM, customer two got impacted at 2:00 PM and so on and so forth. And this is technically, you know, usually happens because a lot of the companies, they do what's called a rolling update.

Ashish: Yeah.

Woon Jung: So they'll roll, you know, they'll update the software or the service for the customer, one at 1:00 PM they'll do the same at 2:00 PM for the customer, two, and so on and so forth. But let's say at 10:00 PM we realized that what we rolled out was a bug.

So what happens was one through 10 now has data that it is not good.

Ashish: Yeah.

Woon Jung: We have to go back, we have to restore that. We undo that accident. Now, if the, uh, if. The backup solutions, which a lot of the solutions do, including some of the native solutions. And also pitter allows you to remember, restore full tables. Yeah. So then what you're forced to do is, Hey, I can get the entire table as of 1:00 PM I can get you that.

Yeah. And then, then you may say, okay, well I have that, so then I'm gonna point the application to use. The new table is [00:20:00] done. Right? Yeah. It's not that easy because what you've done is that. Out of the hundreds of customers, only 10 customer got impacted. Right.

Ashish: But you've back everyone. Now you are

Woon Jung: taking everybody back in time to yesterday, 1:00 PM or whatever.

But you don't want that. Like why would you do that?

Ashish: Yep. Yep.

Woon Jung: So then, okay, well then what do you need to do then? I need to do a full restore as of 1:00 PM and copy the partition one into partition one. And then make sure I delete it because you know, everything in the cloud costs you so delete it.

Ashish: Yeah.

Woon Jung: Well, okay, now we fix customer one, right? So then for customer two, guess what? The accident happened at 2:00 PM right? So we have to do another one as of 2:00 PM Copy partition two into partition two. And you gotta do that 10 times.

Ashish: Yeah.

Woon Jung: Well then by the time you're done. It's basically time consuming, resource intensive and very complex.

So that's where the, the modalities and the flexibilities when it comes to the restore operation is very important.

Ashish: Yeah.

Woon Jung: So in case of [00:21:00] Kuo, we launched what's called DynamoDB backtrack. Uh, I think it's about now five months ago.

Ashish: Yeah. Okay.

Woon Jung: So what that allows you to do is to do, it combines a couple of features, actually.

Uh, it combines Peter mm-hmm. Which allows you to pick any point in time. Combines granular Restore allows you to restore specific partitions or even specific items, and it combines the fact that you can actually restore it in place. So if you combine these three features, and what it allows you to do is with Lumia is that, Hey, I wanna restore, I, I wanna undo partition two.

As of 2:00 PM is one API call and it's done. And basically, instead of making hundreds of full restores and copying and deleting stuff. You make 10 API calls one through 10 with different point in time, and then the, the table, uh, gets restored. Interesting.

Ashish: So do you feel like the world we are moving towards the backup and restore is not, and I've, I've been in organizations where it's always been about a point [00:22:00] in time disaster recovery check.

I've been in organizations where recovery is like, let's do a percentage, let's not just. Restore the entire database. Let's just restore one table or one particular thing. Right. So the, and to your point, it's al it's almost seems like we are moving into a world where that's not good enough anymore.

You almost need to be continuous. Is that where you're leaning on as well?

Woon Jung: Yeah. So that's what I meant. Like the, the accents are a lot more complex than like, you know, the traditional, you know, restore, swap, the whole thing. Yeah. That just doesn't work. And then customers are continuously moving to shorter and shorter RPOs.

Yeah. Okay. Wow. They're asking us to do, you know, uh, one hour, sometimes 15 minute RPOs. That happens all the time. And then as we move to the cloud, one of the things that also changed quite a bit is, uh, is the scale. Essentially, in the S3 bucket, you could have billions and billions and billions of objects.

You could go as big as you want. S3 is [00:23:00] scalable and

Ashish: you Oh, almost like get like a data, uh, data lake kind of a thing.

Woon Jung: Yeah. No data lake. Or you can put logs, you can put your, any object thumbnail, you can put anything in it. Yeah, yeah. Uh, but we've seen customers with, 30, 60 billions of objects in a single bucket.

In a single bucket, in a single bucket. And then they're asking us to actually protect that same bucket with a one hour RPO. If not, it's 15 minute RPO. Oh, wow. And that's massive. Yeah, yeah, yeah. That is at any scale, that's massive. Yeah, that is pretty massive. And then in designing basically a backup solution or data recovery solution that can handle that scale is also a quite a bit of an effort, because then what happens is that, hey, you know.

Here's the way that I put it. Like in reality, you know, maybe, yeah, maybe that bucket should have been organized differently. Okay. Maybe. Yeah. But the, the structure of how the bucket is organized, like how many objects they put and all that stuff is many times driven by the application time. Uh, team.

Ashish: Yeah.

Woon Jung: The application owner writes the [00:24:00] software in a way that, you know. Aligns well with the application and which is I think, the right thing to do, but not all the time. They will actually think about, the backup and recovery aspects when they're start designing it. But after many years of that practice, you now have a bucket with, you know, whatever.

Hundred billions of objects. Yeah. What are you gonna do? You have what you have?

Ashish: Yeah, yeah, yeah.

Woon Jung: So then it, the thing is that the backup solution or backup, you know, the service has to handle that scale. And if you can't, then you end up the secondary end up being the bottleneck of the whole thing. Right.

So

Ashish: actually, yeah. 'cause you are now, you are the reason why they can't back up.

Woon Jung: Yeah. Yeah. So that's another area where, you know, in the whole resiliency in the cloud. That's one area where K Lumio spent a ton of effort and energy to actually get to those, uh, scale. And today even if you see across the market, I don't think there's a solution that can actually scale higher than what K Lumio can.

Interesting.

Ashish: I guess to your point, if there are billions, and going back to the whole cloud [00:25:00] native thing as well. Mm-hmm. If there is an organization, and you rightly said, it's just the evolution of time and the maturity of the organization as well. Sometimes that's what, that's the reason why there are billions of objects in an S3 bucket.

If I was to do that with AWS native feature mm-hmm. Restore version update, even that would not have been one. Our RPO.

Woon Jung: Yeah, I know the, the. Know the, the version stuff on those three buckets with the billions of object, you will be able to hit the R um, RPO, let's call it RPO. Yeah. Yeah. You know, every updates you create new, new versions on top of it.

That's right. Idea. That would be no problem. That will keep up with you. Oh, okay. Right. Okay. That's, that's okay.

Ashish: Yeah.

Woon Jung: But then now your question is RTO.

Ashish: Yeah. Oh

Woon Jung: yes. Okay. So let's say something bad happened, uh, and then you want to create, you, let's say you wanna time travel that bucket a couple hours.

Yeah. Do that. 400 billions of objects. So it's going to take you forget hours. I think it's gonna take you days, if not maybe [00:26:00] weeks for you to recover. Yeah. Yeah. So that's kind of where, you know. Starts failing.

Ashish: So is the R-T-O-R-P-O conversation also need to evolve with this modern world we are moving towards because most organizations are looking at some kind of a data lakehouse.

And so you point Apache iceberg earlier, dynamo db, these are more normal. And I guess obviously, uh, these are just one cloud, this multi-cloud as well. So people would've gone Apache iceberg on Azure, wherever is the requirements that people have for RTO and RPO. Is that keeping up to how cloud native have kept and maybe the gap isn't.

'cause I guess where I'm going with this is that I wonder if there's a resilience gap that people don't even realize that exists with the RPO and the RRPO and RTO that they have to what you said, I don't know. However, however many billions of objects and you're expecting an RTO of 24 hours, that's probably unrealistic.

Mm-hmm. Just using native. So does that conversation about RTO and RPO also need to [00:27:00] evolve in this new world? That a lot, there's a lot more data than me just having, I don't know, my cloud trail logs in my S3 bucket.

Woon Jung: Yeah. So, RPO is somewhat simpler Okay. To check because, uh, you know, once you configure the policy

Ashish: Yeah.

Woon Jung: Whether the backup finishes with time or not, that does you kind of, the, you know, the recovery points. You got it right. Yeah. So it's once a day, once an hour or something. Or if you do pitter, it's continuous, right?

Ashish: Yeah.

Woon Jung: So that's relatively okay. 'cause you asked about things that P folks are not aware of.

Yeah. Yeah. So I think RPO is easier because, you know, if something starts, you know, back upstairs failing, then you know it's glaring, right? Yeah. Yeah. Things are not happy. What's a little bit hidden is the RTO, because then, and then the scale becomes also an issue, right? Yeah, yeah. Like you mentioned, uh.

If my business requirement is to have a, you know, bring back the whole thing, let's say within, let's just call it within 12 hours. Yeah, yeah. Right. That's much more challenging, right? Because then I mean, one is the [00:28:00] scale. Right? It is the humongous scale. Can you actually deliver that? Yeah. Within those two 12 hours of, the RTO window, the, the business requirement, can you deliver on that business requirement?

And then the scalability makes things a lot more challenging. And that's kind of one of the areas that, you know, clum, Lumia shines as compared to, let's say the native solutions. Yeah. One way. Then to go back with the modality. Remember that I was telling you about the different modalities of this store?

Yeah, yeah. Well that's another area that is not at all about, uh, speed. Speed, speed, speed. Which we're good at, great at. But the other aspect is, let's just not do work that it is not needed. Right. Because then be more efficient.

Ashish: Yeah. Cherry picking.

Woon Jung: Yeah. If I can cherry pick exactly what was broken and I can fix exactly.

That part.

Ashish: Yeah.

Woon Jung: Then that's another way for me to actually save you time and allow you to achieve that RTO interesting actually,

Ashish: because. A lot of people who probably don't work a lot in this backup and recovery world even as a CISO as well. I just remember it to be a point in time thing [00:29:00] that, uh, we do because compliance requirement or whatever thing may be, you are really actively looking at backups every single day.

But it's quite crucial, like especially with the ransomware conversation that's been top of mind for a lot of people. 'cause especially cloud or no cloud. 'cause I definitely find since we covered the gaps over there, I'm curious for people who may have been naive, like the old issues used to be where, uh, I was just thinking it's a point in time thing.

Uh, now that I, I have cloud, I, it'll be all fine. I have native features. We've discovered, as you said, RTO is that, that's the time travel pieces where the tricky trickiness is in terms of building a resilience program today. What would be your recommendation to CSOs? Who building it and what are some of the stage gates or maturity stages they should look at in terms of, it's very unlikely.

Most people don't have a program. I'm sure they have a program. It's a, it's more uplifting a program. What do you recommend normally people do now that we are moving into this world of, I was primarily cloud native. [00:30:00] Now I've heard June saw us talk about all these, uh, gaps that I have. I'm gonna go investigate what are some of the, things you recommend to CSOs when they're thinking about recovery as a uplift program? And you can assume things if you want to. 'cause obviously I'm making up a scenario here.

Woon Jung: Yes, basically based on some of the customer conversation that I've been having Oh yeah. For the last, uh, few years I would say number one, double click and go to the next level of, you know, the details.

Yeah, yeah. Because those do matter. It's not as simple as just, you know, I enable that policy and move on. You know, like you said, Hey, you know, my compliance officer is happy. Yeah. Because I have the backup policy enabled and you walk away. Yeah. That's like, yes, it'll get you the check mark, but when accidents do happen, then you know what happens.

Yeah. Yeah. What's the RTO and all that stuff? Like you have to ask those questions. Think about when, like, think about, because you have different type of data. Mm-hmm. So then think about the type of data where, you know, fine snapshot is good enough. That's it. Yeah. But then I am sure that you'll have data.

That snapshot is [00:31:00] not good enough that you need that air gap copy. Then think about what type, what part of your data, let's say estate requires a second copy and air gap copy. So then think about that as well is not all data is the same. Mm-hmm. So it's not, it is don't do the easy button, which is enable Snapchat, say web everywhere and just say, I'm done.

Like, just don't do that. Yeah. Just go to the next little detail.

Ashish: Yeah.

Woon Jung: RTO. We talked about it at Plenty. Yeah. Like basically make sure that you do those, uh, DR exercises and they're not as simple as, Hey, I can restore that tiny table as a whole thing. You know? And that's what I call it as a DR test and move on.

Yeah. It's a lot more complicated. Think about it. Obviously, TCOI don't have to give them any recommendation 'cause everybody, you know, it's a different one. CEO is top of mind. Yeah. Yeah. I were to think what else. And then specifically in the AWS, uh, side of the house, I do encounter with a lot of the CISOs, uh, thinking about DIY solutions.

What what it means is like, you know, AWS they provide you [00:32:00] great APIs Yeah. And abilities for you to go implement your own thing. Yeah. Yeah. So then a lot of the CISOs they give in that temptation and say, okay, you know what? This seems like a easy enough thing to do, so then I'm gonna have these two guys to implement.

You know, the whole backup and recovery solution for me. Yeah, yeah. In-house. Okay. In-house, yeah. It starts easy. It's never easy. And then that's, it's a slope. It's, it's a, it's a slippery slope, right? For you to go down. So I would say, you know, think twice, think carefully.

And then.

That I think that kind of sums it up. Yeah.

Ashish: Is there a KPI that you normally think of that's a good measurement for the resilience maturity of an organization that a CSO can think of as a, Hey, that's a good metrics to have as if I'm re resilient in this new world that we are going to towards

Woon Jung: Like I said, right. Do you understand the different type of data that you have? Mm. And do you think you have adequate level of protections for the different types of data? Or are you just doing blanket snapshots everywhere and just calling it at [00:33:00] done? Yeah.

I'm pretty sure that a lot of organizations, they have their business calls in terms of RTO.

Ashish: Yeah,

Woon Jung: there is four hours, 12 hours or two days or whatever. Yeah. But are you sure that you can actually hit them?

Ashish: And

Woon Jung: what's your strategy for you to hit them?

Ashish: Yeah.

Woon Jung: That would be, I think those would be the two good metrics.

Yeah. Awesome. Yeah.

Ashish: And I guess you mentioned AGA earlier.

Woon Jung: Mm-hmm.

Ashish: Uh, what, what does a gap look like in a cloud world? 'cause a lot of people, to your point, we, we are talking about cloud native resilience. Is. What is your definition of air gapped, backups or air gapped solutions for this in the cloud environment?

Woon Jung: Yeah, so then I'll tell you, Clumio definition? Yeah. Which, you know, obviously bias, but I think that's the right definition is that, uh. So whenever a customer onboards with Clumio Yeah. Let's say, you know, customer A or customer B, what we do is that we create an AWS account Yeah. That is dedicated for that one customer.

Customer A. Okay.

Ashish: Yeah.

Woon Jung: And then customer B will get their own account,

Ashish: like isolated from that. Yeah. It's completely isolated. Yeah.

Woon Jung: Uh, uh, step one. [00:34:00] And then, then next thing is that all the data that belongs to customer A gets stored in that dedicated account and it gets processed within that dedicated account.

And basically that's how we protect it. Now the source account. Yeah. Which is a customer's account where the data's coming from. Uh, we install what's called an IAM role. Okay. So for you to onboard kuo, all you need to do is just kind of install one IAM role. That's all we need to extract the data so that we can actually back it up into that dedicated account.

Now, the definition of the air gap, which number one is that, let's assume for a moment that the source account, the customer's account got compromised at the root level, that it just basically is completely taken over by. Some bad actor.

Ashish: Yeah.

Woon Jung: What that means is that the IAM role that Lumia installed to extract the data compromise and do backup, even that thing is compromised.

Yeah. So then you should be able to look at the policy document of that IAM role and say, it doesn't matter, even if the bad guy were to get a hold of this policy or, then the bad actor would not be [00:35:00] able to corrupt the data, delete the corrupt the backup, or delete the backup. Your backup is always secure.

In that dedicated account, oh, no matter what happens on the source account. Interesting. So many times you cannot say the same thing.

Ashish: Yeah.

Woon Jung: For things like, you know, we talked about Peter or Snapshots or even some of the native solutions. Yeah. You cannot say the same thing. Yeah. Because they live in the same account.

Ashish: Yeah.

Woon Jung: If I have root level access in that account. There's no versioning that can help you. Like there's no snapshot that can help you. Yeah, because you know I'm root level, I can go, yeah, yeah. I can delete whatever I need to delete. That's right. And I will do it. Yeah. But in this model, even if this is compromised at the root level, which means I got handle of that lumal role,

Ashish: yeah.

Woon Jung: There isn't anything that role can do to delete or corrupt the backups. So that's how the backups are secured.

Ashish: Interesting. I, and I think to your point, you're also. This is the evolution of the architecture of how people build backups and restore as well. A lot of people, I [00:36:00] think, 'cause as you said that, the first thought that I was like, oh, most people just send it to S3 bucket.

Has snapshots locally in that same region. We spoke, we touched on multi-region earlier. Mm-hmm. Mm-hmm. But we didn't talk about the air gap kind of a thing as well. 'cause technically people may assume that multi-region is kind of air gap because it's a different data center or whatever. But having a separate account and like Yeah.

There's so many, so many ways to build backup and recovery as a, as a strategic advantage to have a, I mean, I guess have not a wide blast radius, for lack of a better word.

Woon Jung: Yeah. So basically you are, when I talk to the, when I talk to the customers, the way I explain it is think of this being your bunker account.

Yeah. It is isolated. It is a bunker account no matter what happens in any of your accounts or whatever.

Ashish: Yeah.

Woon Jung: Your backup is safe here. Yeah. So just kinda what we do. And then, uh. Which is ties back to DIY, right? Yeah. Because then at a surface level, everything seems so easy. How hard could it [00:37:00] be?

Right? Just take a snapshot, copy it over, and do all of those things. Yeah. But then if you actually double click and triple click, you are giving up on the, you know, the different modalities of restores because you know Yeah, yeah. Snapshot here. Snapshot here. You can bring it back as a whole, but you can't do anything else.

Yeah. The whole air gap nest also kind of suffers, uh, there a little bit. Yeah. TCO will also suffer because you're not doing any optimizations.

Ashish: No. Yeah.

Woon Jung: So yeah,

Ashish: I, I think I also, as you mentioned, that the one thing that. Going back to what we said earlier about having cloud native solutions, if your entire account is compromised, technically your backups are compromised as well.

Yeah. If you're just doing native backups.

Woon Jung: Yeah. The native backups will sit right there, uh, with you. Yes. Yeah.

Ashish: And if the root account is compromised, technically your backup is compromised as well.

Oh wow. Okay. I do, it sounds like we can talk about, uh, restoring backup for a long time, but, uh, those are all the technical questions I had.

Okay. But, uh, three fun questions for you as well.

Woon Jung: Fun. Okay.

Ashish: First one being, where do you spend most time on when you're not trying to solve the backup and recovery problems of [00:38:00] the world?

Woon Jung: Well, like, just fun. Well, yeah, fun professional. Yeah. Yeah. You man. I do a lot of running. Oh, right. Like, how many Ks are you talking?

Uh, I probably run about, uh, I would say. A hundred miles. About a month. In a month. A hundred miles in a month? Yes. You like a marathon runner? No, I, not a marathon, but, uh, it, I think it's, uh, one obviously, you know, helps you be healthy. Yeah, fair. So, uh, I like to think when I'm running. Oh, when I'm pacing. So that's your release?

Yeah. Okay. I just go out every day. I go to a, a local school where they have a track, so Yeah. I don't have to worry about cars or anything, so just, you know, kind of. Get on the track and start running and thinking. And that's a hundred, a hundred

Ashish: miles, man.

Woon Jung: Yeah, I think about a hundred miles every month.

Ashish: Wow. Okay. Good. I mean, yeah, I don't think I can do a hundred miles, but Good. Good for you. Uh, second question what is something that you're proud of that is not on your social media?

Woon Jung: First of all, I don't have many things in the social media. Oh, that's, that's perfect. Everything else you're of, I'm not a, I'm [00:39:00] not a big, big, kinda not the.

I'm very introverted. Oh yeah. So I don't down, I don't have very much a lot of stuff in the social media. Yeah, yeah. Uh, I don't know, man. Just a lot of stuff. Oh, you

Ashish: say family a lot. Piece of friends. Uh Oh yeah, of course. Family,

Woon Jung: kids and yeah. Super proud of, I have a 18-year-old Oh, nice.

Uh, is going to college. This next year. Oh wow. Okay. Yeah.

Ashish: Yeah. Fair. I mean, that's a good answer as well. Final question. Uh, what's your favorite cuisine or restaurant that you can share with us?

Woon Jung: Oh, that's very hard.

Ashish: Oh, are you a foodie as well?

Woon Jung: That's very hard. I like all type of food. Oh, yeah.

I mean, I'm Korean or origin. Yeah. So I was, I was born in Korea, but I actually, uh, grew up in Argentina. Oh. So, uh, those would be, uh, my two favorite cuisines. Interesting.

Ashish: Is there like a fusion as well? I'm curious, is there, is there ever an argent? It's like a. South American and Korean fusion cuisine, fusion food.

Have you everyone mixed the, would it like No, I don't think [00:40:00] steak with the Korean barbecue? Nah,

Woon Jung: no, I've not, I've not seen that. I dunno, maybe my families will, will cook something, but No, not seen that. But I mean, I like, I love Korean food. I like the, you know, I love the Argentinian steak. Yeah. I love the Argentinian steak.

Ashish: Oh yeah. Steak. The steak's pretty good, man. I think, uh, yeah, I did not realize how different they were from a regular steak until I had those, I'm like, oh, there is a bit of a difference here. But yeah. Um, I've, I've been a bit big fan of that as well, but it's, uh. It's harder one to pick between Korean food.

Woon Jung: It's, uh, it's hard. But then if I have to put all that aside, right? Yeah, yeah.

Ashish: You're stuck on an island. You can only have one meal.

Woon Jung: No, not that. But if I have to put the, the, whatever the origin, like the Korean and where I live, then yeah, just have to pick a third cuisine. Maybe, uh, Thai food. I like Thai food.

Oh, really? Okay. Quite a bit.

Ashish: Awesome. All right. Uh, well thank you for sharing that. So I guess first of all, thank you for coming on the show. Uh, where can people connect with you, learn more about the work you're doing at Clumio and Commvault and everything else. Where can people find more information [00:41:00] about what you guys are doing and where can they connect with you?

Woon Jung: What I told you, I'm not the social person, but I, so I would not put that yet. So just, but

Ashish: I'm in LinkedIn, so you can find me on LinkedIn. Oh my God. You, you still got into the LinkedIn trap?

Woon Jung: Yeah. So you just, you know, on LinkedIn obviously, you know, you know clumio Yeah, yeah. Is of course, is there combo to covers it?

Yeah.

Ashish: Awesome. All right. Now, thank you so much for sharing that. I'll put the links for both Commvault and Clumio in the show notes and your LinkedIn as well, so if people wanna connect and talk to you more about

Woon Jung: Sure.

Ashish: Yeah. The backup and recovery world as well. But thank you so much for coming me on the show, man.

No worries. All good. Thank you. Thank you. Thanks very for tuning in as well. Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by Tech riot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on cloudsecuritypodcast.tv our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify.

In case you are interested in learning about AI security as well, to check out our podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, apple as well, where we talk. To other CISOs and practitioners about what's the [00:42:00] latest in the world of AI security. Finally, if you're after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.

You can check that out on cloud security newsletter.com. I'll see you in the next episode, please.

‍