For decades, backups have protected us primarily from physical equipment failure and accidental data corruption. A good backup system should survive a fire or flood and then quickly allow the business to resume normal operations. But another problem has emerged, one that is far more likely than a flood and against which fireproof ceilings and the physical dispersal of sites across different cities are no protection.
Ransomware is a nightmare for almost every company. Attackers are increasingly encrypting data, causing large organizations downtime, significant financial losses, and reputational damage. And as it often turns out, having a backup alone doesn't protect a business from such threats if the backup itself is poorly designed or doesn't take modern threats into account.
The purpose of this post is to discuss existing methods and technologies for data storage and backup systems that can reduce the damage caused by ransomware and minimize data loss during attacks. Remember: it's not enough to just make a backup — you need to make a proper backup. So, welcome to the cut!
When we talk about ransomware, we primarily mean logical data corruption and compromise of the domain administrator account.
Every company has four key areas of focus: technology, processes, personnel, and adherence to key information security regulations. Each area requires a comprehensive set of measures aimed at minimizing the impact of attacks and quickly restoring data. We'll discuss each area separately.
Technologies
Basic hygiene
Before we delve into the details, we'll share some truths that should not only be observed, but also known to everyone, like the multiplication table. Here's a list of methods that are proven to work:
— Adherence to the advanced multi-level backup strategy (3-2-1-1), which states that to ensure reliable data storage, it is necessary to have:
- three copies of the data;
- two copies on different types of storage (for example, two different disk arrays, an array and tape, or an array and cloud);
- one copy outside the main site (for example, a “bunker” outside the main data center);
- one copy on immutable storage, WORM media, or offline.
What is WORM?
WORM (write once, read many) — storage media that can be written once and read multiple times.
— Storing backup copies on non-production disk arrays, i.e. not on the devices that serve production data. Backups should be stored on separate devices.
— Regular and accurate creation of backup copies, without errors and according to the established schedule.
— Creating consistent backups not only at the file system level, but also at the DBMS and application level. It's necessary to back up not only the database, but the entire landscape of the IT system.
— Implementing network segmentation. Since the primary attack vector is typically the Ethernet network, it's best to separate the network segments (preferably so that they don't overlap at the physical hardware level):
- data transmission network;
- management network;
- storage area network;
- backup network.
— Isolated storage of backup copies (air-gapped backups) in offline environments that do not have a permanent connection to the main network, as well as the use of removable media (tapes, external hard drives) stored in secure locations.
— Regular backup of the centralized deduplication database and the backup catalog and/or the management server with its database.
— Setting up built-in protection against ransomware.
Catalog protection
A crucial point is protecting the backup software's metadata: the backup database or backup catalog. Having a backup copy of this metadata will allow you to quickly restore backup functionality and avoid losing information about which backup is located on which media.
All advanced backup software can create a standalone catalog backup and deploy it from scratch on a new server, which, for example, could be kept in cold standby (prepared, but powered down and disconnected from the network). In this case, it's necessary to configure regular (at least once a day) full backups of the catalog to the backup storage. Typically, during this procedure the backup software records service information, such as which tape to look on for the required catalog copy. This data can be sent via email and/or saved as text files. Furthermore, the catalog backup can be duplicated onto tapes and sent for off-site storage.
One of the effective options for protecting the catalog could be the following scenario:
The catalog backup is written to a separate NFS share served from a server in a separate (isolated) segment that is not joined to the directory service. According to a schedule, the NFS share is exported and mounted on the master server; after the backup is saved, it is unmounted and the export is withdrawn. This scenario can be implemented using the pre- and post-commands available in any backup and recovery system, in conjunction with the cron scheduler.
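The master-server side of the scenario above as an added example (not code from the original post or from any backup product): the share is attached only for the duration of the catalog backup and detached again even when the backup fails. The export host, mount point, mount options and the vendor's catalog-backup command are placeholders; exporting and un-exporting the share on the isolated server is a separate cron step there and is not shown.

```python
"""Catalog backup to a temporarily attached NFS share (added example)."""
import subprocess
from typing import Any, Callable, Dict, List, Sequence

Runner = Callable[[Sequence[str]], int]  # runs a command, returns its exit code

NFS_EXPORT = "catalog-vault.isolated.example:/exports/catalog"  # placeholder
MOUNT_POINT = "/mnt/catalog-vault"                               # placeholder
# Placeholder for the vendor's own catalog-backup command.
CATALOG_BACKUP_CMD = ["/opt/backup/bin/catalog-backup", "--dest", MOUNT_POINT]


def real_runner(cmd: Sequence[str]) -> int:
    """Default runner: execute the command and return its exit status."""
    return subprocess.run(list(cmd), check=False).returncode


class RecordingRunner:
    """Stand-in runner that records commands instead of executing them."""

    def __init__(self, failing: Sequence[str] = ()) -> None:
        self.calls: List[List[str]] = []
        self.failing = set(failing)  # executables that should "fail"

    def __call__(self, cmd: Sequence[str]) -> int:
        self.calls.append(list(cmd))
        return 1 if cmd[0] in self.failing else 0


def catalog_backup_job(run: Runner = real_runner) -> Dict[str, Any]:
    """Pre-command, catalog backup, post-command; returns what happened.

    The post-command runs in a finally block: a failed backup must never
    leave the isolated share attached to the master server.
    """
    outcome: Dict[str, Any] = {"mounted": False, "backup_ok": False,
                               "unmounted": False, "errors": []}
    errors: List[str] = outcome["errors"]
    # Pre-command: attach the share. 'nosuid,nodev' are an assumption; they
    # stop the share from contributing executables or device nodes.
    rc = run(["mount", "-t", "nfs", "-o", "rw,nosuid,nodev",
              NFS_EXPORT, MOUNT_POINT])
    if rc != 0:
        errors.append(f"mount failed with exit code {rc}")
        return outcome
    outcome["mounted"] = True
    try:
        rc = run(CATALOG_BACKUP_CMD)
        outcome["backup_ok"] = rc == 0
        if rc != 0:
            errors.append(f"catalog backup failed with exit code {rc}")
    finally:
        # Post-command: detach the share. No lazy unmount on purpose: a
        # hanging unmount should surface as an error, not be hidden.
        rc = run(["umount", MOUNT_POINT])
        outcome["unmounted"] = rc == 0
        if rc != 0:
            errors.append(f"umount failed with exit code {rc}")
    return outcome


if __name__ == "__main__":
    # Dry run with the recording runner so the command sequence can be seen.
    recorder = RecordingRunner(failing=[CATALOG_BACKUP_CMD[0]])
    print(catalog_backup_job(recorder))
    for call in recorder.calls:
        print("  ", " ".join(call))
```

Run the script with the real runner only on a master server where the placeholders have been replaced with the actual export, mount point and catalog command.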
Built-in ransomware protection mechanisms in backup software
Almost every backup software already has built-in monitoring of backup clients, such as detecting abnormal changes in backup volumes, blocking system files from modification, and so on. We've reviewed the most popular and current backup software in terms of the protection options they offer. Although many overlook these features, we recommend enabling and using them, as they provide additional, and quite effective, layers of protection against intruders.
Cyberprotect Cyber Backup
- The Active Protection module monitors processes running on the protected server. When a third-party process attempts to encrypt files or mine cryptocurrency, Active Protection generates an alert and performs additional actions, if specified in the settings. In addition, Active Protection prevents unauthorized changes to its own processes, registry entries, executable and configuration files, and backup copies located in local folders.
- The Vulnerability Assessment module scans computers protected by the backup system for vulnerabilities, checks whether operating systems and installed applications are up to date, and ensures they are functioning correctly. Vulnerability assessment scanning is only supported for Windows-based computers.
These features have been available since version 16. Incidentally, Acronis CyberBackup has similar modules.
RuBackup (Astra Group)
- Scheduled replication (export/import) of selected backups to another independent RuBackup installation. Since the second domain is completely independent from the attacked infrastructure, ransomware will be unable to damage the backups on it. This feature is available starting with version 2.1.
- Digital signatures on backup copies allow you to verify the integrity and authenticity of the backups.
Commvault B&R
- Enable Ransomware Protection, a standalone app from the Commvault Store, lets you manage and monitor the File Anomaly Activity alert and the Ransomware Protection options on all CommCell media agents.
Ransomware Protection prevents any processes not related to Commvault from modifying local backup files, including those located on file shares (this requires detailed configuration of access rights to the share).
Additionally, it's now possible to receive reports on abnormal activity. In addition to analyzing typical file activity on clients, it's possible to place a decoy file (a honeypot or canary file) on them. If it's encrypted, the CommCell will send a notification.
It is also possible to set up a warning if a backup client is unavailable.
- The system automatically analyzes historical data on its own operation, the deduplication database, events, and the execution of backup jobs, and searches for anomalies.
General protection recommendations are available on the documentation website in the Ransomware Protection section (valid for version 11.20; for more recent releases, confirmation from the vendor's specialists is required).
Veritas NetBackup
- The AIR (Auto Image Replication) feature allows you to replicate backup data to another NetBackup installation (domain). This is accomplished using dedicated SLP (Storage Lifecycle Policy) policies and an import operation in the domain receiving the backups. Because the second domain is completely independent from the attacked infrastructure, ransomware cannot damage the backups on it. This design has been implemented repeatedly for a number of our customers.
- The use of specialized NetBackup Appliance hardware also enhances the security of the backup and recovery system, given the use of the specialized OST (OpenStorage Technology) data transfer protocol. This protocol also enables storage in an immutable WORM format.
- Built-in analytics for abnormal activity using ML tools and historical analysis of backup job data and other metrics (Veritas Anomaly Detection). Available starting with version 9.1.
Veeam Backup & Replication
- Using immutable storage, as well as configuring a Hardened Repository on a server with local disks. This is a set of settings that hardens storage on a Veeam Linux repository server, including restricting the ability to modify backup data.
- Integration with the HPE StoreOnce deduplicator provides dual (two-person) authorization and makes backups immutable for seven days after they are written, without the complexity of setting up immutable storage separately.
- An additional tool is the Veeam ONE monitoring system (a separate product, part of the Availability Suite, along with B&R). Without it, effective monitoring of Veeam B&R is impossible.
Vinchin Backup & Recovery
Vinchin's primary protection is protection against third-party modifications to the backup storage (which works with built-in disks or block devices on external storage) connected to Vinchin servers. This option is called Storage Security.
| Function | Cyber Backup | RuBackup | Veritas NetBackup | Veeam | Commvault |
| --- | --- | --- | --- | --- | --- |
| Snapshots on the production array | Yes. Integration with Huawei Dorado; YADRO is planned. | Yes. YADRO is planned. | Yes | Yes | Yes |
| Immutable storage | Planned for 2025 | Planned for 2025 | Yes | Yes | Yes |
| Integration via the S3 protocol (Object Lock) | Planned for 2025 | Planned for 2025 | Yes | Yes | Yes |
| Support for GOST encryption | Planned for 2025 | Yes | No | No | No |
Protection at the backup storage device level
Option 1. Storage system with block access to data
As one of the means of protection, you can consider regularly creating snapshots on production arrays and replicating the snapshots to a dedicated storage system for backup copies.
A snapshot on a production storage system isn't the backup itself, but a convenient tool for quickly creating a copy (important: ensure data consistency in the snapshot!) and quickly restoring. However, a consistent snapshot replicated to a second storage system designated for storing backups can be considered a full backup. The backup software is responsible for ensuring data consistency when creating snapshots, as well as for their rotation.
In this case, it's important to understand the risk of uncontrolled volume growth, which may impact performance (depending on the technology used—Copy-on-Write or Redirect-on-Write). This may significantly increase storage costs (for example, if a separate license is required). The main advantage is the ability to restore data in a relatively short time.
Enterprise backup software (Veeam, Commvault) integrates successfully with production disk arrays (e.g. Huawei, NetApp) to create snapshots, which can then be used for operational or long-term storage (as the first storage tier).
Snapshots can also be created without backup software, using only the storage system, thanks to CDP (Continuous Data Protection) technology in disk arrays from leading manufacturers (Huawei, Dell, NetApp, Pure). This technology allows a large number of snapshots to be created at specified intervals (down to minutes) and rotated. However, in this case all such snapshots will be inconsistent from the application's point of view, and restoring from them will be similar to turning on the server after a power outage. Domestic manufacturers do not offer CDP technology, but several players (Yadro Gen2, Aerodisk Engine, Baum) offer the ability to create snapshots via the command line or API.
You can use delayed asynchronous replication, lagging behind production data by, say, X hours/days. However, not all disk array vendors offer this feature.
Option 2. Storage system with file access to data
Using external file systems with retention locks can significantly complicate attackers' efforts to delete or corrupt backups. Immutable storage technologies protect backup data from changes after it has been written.
In this case, support is required from both the storage system (NetApp SnapLock, Huawei HyperLock) and the backup software. Otherwise, the backup software may malfunction, as the management components (master server, media servers) will not be able to correctly handle write-locked backup files. The simplest option is to use file systems in WORM mode only for full backups.
| Function / Manufacturer | YADRO | Aerodisk | Baum | Huawei | NetApp / Lenovo | Dell EMC |
| --- | --- | --- | --- | --- | --- | --- |
| Snapshots | Yes | Yes | Yes | Yes | Yes | Yes |
| CDP | No (snapshots only via API and CLI) | No (snapshots only via API and CLI) | No | Yes | Yes | Yes |
| Immutable storage | N/A | N/A | N/A | Yes | Yes | Yes |
Option 3. Specialized applications (deduplicators)
In the context of ransomware protection, deduplicators are basically a special case of “file-based storage”.
Immutable storage solutions are available under various vendor names, including standalone hardware-based Purpose-Built Backup Appliances (PBBAs): NetBackup Flex Appliance, StoreOnce, DataDomain, Quantum DXi, and Tatlin Backup (functionality under development).
Using proprietary protocols between the backup software and the PBBA (DD Boost, Catalyst) significantly reduces the risk of the backup data being compromised, because the backups are not directly exposed in the operating system: the backup software and the storage device interact through non-standard methods.
For example, in HPE StoreOnce this is achieved through the StoreOnce Catalyst store and its API. A Catalyst store does not use standard operating system commands or instructions to interact with the client or the deduplicator software. Access is provided through a set of API calls integrated directly into the backup application's media server via the StoreOnce Catalyst client library (running as part of a plug-in). When StoreOnce Catalyst is used, the stored data is inaccessible from the management server (or media server) operating system and is visible only from the deduplicator's console or web interface.
The main difference of these PBBAs is that they use neither the same authentication methods nor, most importantly, the same instruction set as file-share technologies (CIFS, NFS, SMB) that rely on OS tools. Storage connected via PBBA protocols will not be accessible from the OS without the appropriate APIs.
| Function | YADRO Tatlin Backup | HPE StoreOnce | NetBackup Flex Appliance | Dell EMC DataDomain |
| --- | --- | --- | --- | --- |
| Proprietary protocol | Yes (T-Boost over FC is planned) | Yes | Yes | Yes |
| Deduplication at the source | Yes (T-Boost over FC is planned) | Yes | Yes | Yes |
| Global deduplication | Yes | Yes | Yes | Yes |
| Connection to backup software via file protocols | Yes | Yes | Yes | Yes |
| Immutable storage (retention lock) | Planned for 2025 | Yes | Yes | Yes |
Option 4. Tape libraries with LTO cartridges
Tape media is the most secure against ransomware attacks. Even if the master server is completely lost, backups on tape can still be imported—as a rule, all backup software can do this. However, this is time-consuming, as each tape must be re-read. The time required depends on the size, type, and speed of the tape. We recommended backing up the backup software catalog above—this will significantly reduce the time it takes to restore the backup if it is completely destroyed during an attack.
For the most critical systems, backup copies should be made to separate tape drives, removed from tape libraries, and stored off-site in a fireproof safe. This way, even if an attacker gains access to the backup system and attempts to delete data from the tapes in the library, accessing the tapes in the off-site storage will be more difficult. However, this does not rule out the possibility of a targeted, long-term attack using an insider (a company employee with access to the backup system and the ability to carry out covert sabotage).
Using WORM tapes is advisable for backups with a fixed, long-term retention period, as required by regulatory requirements (3-5-10 years of protection against intentional data modification by administrators), or in cases where access to the tape library is physically limited. Otherwise, this is an expensive option, as WORM tapes are not rewritten. The write-once capability prevents accidental or intentional data deletion, for example, in the event of a ransomware attack or human error.
WORM cartridges are virtually identical to RW cartridges of the same generation, except that the chip (Linear Tape-Open Cartridge Memory, LTO-CM) identifies them as WORM. Minor changes also affect the servo tracks, which are necessary to verify that the data on the tape has not been modified. The bottom of the cartridge is usually gray and may be equipped with tamper-resistant screws. Drives that support WORM mode automatically recognize WORM cartridges and include a unique identifier (WORM ID) with each data set written to the tape.
LTO cartridge with WORM
LTO cartridge without WORM
One alternative is to write-protect full tapes in the library. Ideally, at the end of each workday, the on-duty backup administrator goes to the library, sets the write-protect tab on full tapes, and clears it on tapes whose retention period has expired. Compliance with this policy is verified at unpredictable times by an information security officer or the service organization.
To simplify handling large quantities of tapes, use barcoded cartridges. Before starting work, check the barcode labels for damage and ensure the barcode reader is ready for use. If you have multiple libraries, ensure the barcodes are unique.
Option 5. Storage with object access to data (S3), cloud storage
To store backup copies, you can use S3 storage, which is available in several options:
The backup software must manage and support the core functions (methods) of the S3 protocol. In the standard S3 protocol, this is the Object Lock mechanism with Compliance mode, Governance mode, and Legal Holds. If the backup software does not support this integration with the S3 protocol, the settings must be prepared and configured in advance at the level of the bucket where the backup data will be stored.
It's important to remember that when Object Lock is used, the backup software will also be unable to delete copies, including rotating them according to retention periods. Therefore, the placement of immutable backup copies must be considered at the design stage.
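An added example (not code from the original post or from any backup product) of the two points above: preparing the bucket-level Object Lock settings in advance, and deriving each object's lock date from the retention policy, since locked copies cannot be rotated early. The bucket name, the policy values and the rule that adds the interval between full backups to the lock period are assumptions made here; the call names follow boto3, and the client is injected so a stand-in can be used offline.

```python
"""Object Lock settings for an S3 backup bucket (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple

MODES = ("COMPLIANCE", "GOVERNANCE")
# Constructed timestamp of a first full backup, used by the demo and tests.
SAMPLE_WRITTEN = datetime(2025, 3, 1, tzinfo=timezone.utc)


def bucket_lock_configuration(days: int, mode: str = "COMPLIANCE") -> Dict[str, Any]:
    """Default retention applied to every new object version in the bucket.

    COMPLIANCE cannot be shortened or removed by anyone, including the
    account owner, until the date passes. GOVERNANCE can be overridden by
    principals holding s3:BypassGovernanceRetention, so it does not hold
    against a compromised administrator account.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if days < 1:
        raise ValueError("retention must be at least one day")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def retain_until(written: datetime, retention_days: int,
                 full_interval_days: int) -> datetime:
    """Lock expiry for one backup object (assumed sizing rule).

    An incremental is only restorable together with the full backup that
    opens its chain, so the full must stay until the youngest incremental
    depending on it has aged out. Locking every object for retention plus
    the interval between fulls is a simple upper bound that never blocks a
    restore; the price is the extra locked capacity.
    """
    if written.tzinfo is None:
        raise ValueError("use timezone-aware timestamps for lock dates")
    return written + timedelta(days=retention_days + full_interval_days)


def put_object_kwargs(bucket: str, key: str, written: datetime,
                      retention_days: int, full_interval_days: int,
                      mode: str = "COMPLIANCE") -> Dict[str, Any]:
    """Per-object put_object parameters carrying an explicit lock date."""
    return {"Bucket": bucket, "Key": key, "ObjectLockMode": mode,
            "ObjectLockRetainUntilDate": retain_until(written, retention_days,
                                                      full_interval_days)}


class RecordingS3Client:
    """Stand-in for boto3's S3 client that records the calls it receives."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def put_bucket_versioning(self, **kwargs: Any) -> None:
        self.calls.append(("put_bucket_versioning", kwargs))

    def put_object_lock_configuration(self, **kwargs: Any) -> None:
        self.calls.append(("put_object_lock_configuration", kwargs))


def apply_bucket_lock(client: Any, bucket: str, days: int,
                      mode: str = "COMPLIANCE") -> Dict[str, Any]:
    """Enable versioning (Object Lock requires it) and set default retention.

    With boto3 the client would be boto3.client("s3"). The settings must be
    in place before the first backup is written: they only cover new
    object versions.
    """
    client.put_bucket_versioning(Bucket=bucket,
                                 VersioningConfiguration={"Status": "Enabled"})
    config = bucket_lock_configuration(days, mode)
    client.put_object_lock_configuration(Bucket=bucket,
                                         ObjectLockConfiguration=config)
    return config


if __name__ == "__main__":
    s3 = RecordingS3Client()
    print(apply_bucket_lock(s3, "backups-PLACEHOLDER", days=30))
    print(put_object_kwargs("backups-PLACEHOLDER", "full/2025-03-01.bak",
                            SAMPLE_WRITTEN, retention_days=30,
                            full_interval_days=7))
```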
An on-premises solution will require additional investment in design, implementation, operation, and support, and may not be a very reliable option, as it becomes an additional point of failure in terms of potential access to the cluster nodes that implement the S3 protocol itself (remote access, OS, and file system).
From this perspective, a public cloud appears more secure, as it only provides access to storage containers (buckets) using an access key/secret key pair, which prevents access to the servers hosting the S3 storage using standard tools and protocols. However, depending on the services provided by the provider, it's important to remember that this will incur additional costs. Additional charges may apply:
A typical enterprise backup and recovery system architecture might look like the image below. Want something similar? Come see us!
To ensure efficiency, all work must be carried out through requests (RFCs) with the responsible persons indicated.
To prepare the above-mentioned documents, it is necessary to audit all information systems, define the RTO and RPO requirements for each system, which are necessary for selecting a data protection method (a data protection system can protect against logical errors, but may not always ensure recovery speed for large volumes), and determine retention periods based on internal regulations or regulatory recommendations. To select a data backup scheme and the feasibility of implementing disaster recovery/clustering at the application level, a cost/criticality assessment of each information system's unavailability (including using a BIA) is typically performed.
Test recoveries
To ensure that the backup and recovery system operates correctly, it is useful to conduct regular exercises in restoring information systems from backup copies in an environment that is as isolated as possible from the production environment.
This helps to understand several important things:
Monitoring
A unified monitoring and alerting system is an important tool that allows both prompt response to any incidents in the IT infrastructure and proactive monitoring of the status of the backup system itself and its individual components.
Key personnel (ideally, responsible groups of people) should be promptly notified of unsuccessful backup attempts and any anomalies by all possible means (mail, SMS, Telegram bots, calls from on-duty engineers, etc.).
At a minimum, it is necessary to fully utilize the monitoring built into the backup software and to configure monitoring of its hardware components (media servers, storage devices).
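An added example (not code from the original post or from any vendor) of the checks the built-in monitoring described earlier performs and that this section asks you to act on: a sudden jump in the volume of changed data, a collapse of the deduplication ratio (encrypted data does not deduplicate), failed jobs, and clients that have stopped reporting. The record format, thresholds and sample history are assumptions made here; in practice the records would come from the backup software's job reports.

```python
"""Anomaly checks over backup job history (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class JobRecord:
    client: str
    day: date
    status: str         # "ok" or "failed"
    changed_gb: float   # data written by this incremental job
    dedup_ratio: float  # logical size / physical size after deduplication


@dataclass(frozen=True)
class Alert:
    client: str
    day: date
    kind: str           # missing | failed | volume_spike | dedup_collapse
    detail: str


BASELINE_JOBS = 5      # recent healthy jobs that form the baseline
CHANGE_SPIKE = 4.0     # changed volume above 4x the median -> alert
DEDUP_COLLAPSE = 0.5   # dedup ratio below half the median -> alert


def analyse(history: List[JobRecord], expected_clients: List[str],
            today: date) -> List[Alert]:
    """Walk each expected client's history in date order and emit alerts."""
    alerts: List[Alert] = []
    by_client: Dict[str, List[JobRecord]] = {}
    for rec in sorted(history, key=lambda r: r.day):
        by_client.setdefault(rec.client, []).append(rec)

    for client in expected_clients:
        jobs = by_client.get(client, [])
        # A client that stopped reporting is as suspicious as a failed job:
        # the agent may have been stopped or the host taken offline.
        if not jobs or jobs[-1].day < today - timedelta(days=1):
            last = jobs[-1].day.isoformat() if jobs else "never"
            alerts.append(Alert(client, today, "missing", f"no job since {last}"))
        healthy: List[JobRecord] = []   # jobs admitted to the baseline
        for job in jobs:
            if job.status != "ok":
                alerts.append(Alert(client, job.day, "failed", "job did not complete"))
                continue
            anomalous = False
            if len(healthy) >= BASELINE_JOBS:
                window = healthy[-BASELINE_JOBS:]
                base_change = median(j.changed_gb for j in window)
                base_dedup = median(j.dedup_ratio for j in window)
                if base_change > 0 and job.changed_gb > CHANGE_SPIKE * base_change:
                    anomalous = True
                    alerts.append(Alert(client, job.day, "volume_spike",
                                        f"{job.changed_gb:.0f} GB changed vs median {base_change:.0f} GB"))
                if job.dedup_ratio < DEDUP_COLLAPSE * base_dedup:
                    anomalous = True
                    alerts.append(Alert(client, job.day, "dedup_collapse",
                                        f"ratio {job.dedup_ratio:.1f} vs median {base_dedup:.1f}"))
            # Anomalous jobs are kept out of the baseline so that a slow
            # encryption campaign cannot become the new normal.
            if not anomalous:
                healthy.append(job)
    return alerts


SAMPLE_TODAY = date(2025, 3, 8)   # constructed "current date" for the sample


def sample_history() -> List[JobRecord]:
    """Constructed eight-day history for three clients (not real data)."""
    start = date(2025, 3, 1)
    rows: List[JobRecord] = []
    for i in range(8):
        day = start + timedelta(days=i)
        # fs01: stable, until on the last day almost the whole volume changes
        # and stops deduplicating, the signature of mass encryption.
        if i < 7:
            rows.append(JobRecord("fs01", day, "ok", 12.0 + i % 3, 8.0))
        else:
            rows.append(JobRecord("fs01", day, "ok", 410.0, 1.1))
        # db02: healthy except for one failed job.
        rows.append(JobRecord("db02", day, "failed" if i == 5 else "ok", 30.0, 3.0))
        # web03: stopped reporting after the fifth day.
        if i < 5:
            rows.append(JobRecord("web03", day, "ok", 2.0, 6.0))
    return rows


if __name__ == "__main__":
    for a in analyse(sample_history(), ["fs01", "db02", "web03"], SAMPLE_TODAY):
        print(f"{a.day} {a.client:6} {a.kind:15} {a.detail}")
```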
What might raise suspicion?
What can help?
To limit attackers' access to important company resources, you can follow these key rules:
Some of the security measures we've discussed are designed to ensure faster and more painless recovery in the event of intentional data corruption. When choosing specific methods, it's important to understand both the budget for their implementation and the current IT staffing level.
In this post, we've covered the full range of issues and solutions that must be considered when designing a backup system that effectively protects data from encryption and allows for recovery in the event of a breach. The more measures you implement, the more secure your backups will be. Some of the proposed methods do require significant investment, such as switching to tape libraries, separate storage systems, or isolated backup environments if you haven't used such solutions before. However, other measures focus on properly configuring your existing backup system and building backup processes, as well as generally ensuring information security within your perimeter.
Choose what suits you, keep your feet warm, your head cool, and your backups safe!
This post was prepared by the Data Storage and Information Disclosure Center team at Infosystems Jet's Infrastructure Solutions Center.
With the participation of: Andrey Yankin, Director of the Information Security Center at Infosystems Jet.
(c) Source
Ransomware is a nightmare for almost every company. Attackers are increasingly encrypting data, causing large organizations downtime, significant financial losses, and reputational damage. And as it often turns out, having a backup alone doesn't protect a business from such threats if the backup itself is poorly designed or doesn't take modern threats into account.
The purpose of this post is to discuss existing methods and technologies for data storage and backup systems that can reduce the damage caused by ransomware and minimize data loss during attacks. Remember: it's not enough to just make a backup — you need to make a proper backup. So, welcome to the cut!
When we talk about ransomware, we primarily mean logical data corruption and compromise of the domain administrator account.
Every company has four key areas of focus: technology, processes, personnel, and adherence to key information security regulations. Each area requires a comprehensive set of measures aimed at minimizing the impact of attacks and quickly restoring data. We'll discuss each area separately.
Technologies
Basic hygieneBefore we delve into the details, we'll share some truths that should not only be observed, but also known to everyone, like the multiplication table. Here's a list of methods that are proven to work:
— Adherence to the advanced multi-level backup strategy (3-2-1-1), which states that to ensure reliable data storage, it is necessary to have:
- three copies of data;
- two copies on different types of storage (for example, two different disk arrays, an array and tape, or an array and cloud);
- one copy outside the main site (for example, a “bunker” outside the main data center);
- one copy on immutable storage, WORM media, or offline.
What is WORM?
WORM (write once, read many) — storage media that can be written once and read multiple times.
— Storing backup copies (RC) on non-production disk arrays (devices that provide access to production data). Backups should be stored on separate devices.
— Regular and accurate creation of the advertising campaign, without errors and according to the established schedule.
— Create consistent backups not only at the file system level, but also at the DBMS and application level. It's necessary to back up not only the database, but the entire IT system landscape.
— Implementing network segmentation. Since the primary attack vector typically occurs through the Ethernet network, it's best to separate network segments (preferably those that don't overlap at the physical hardware level):
- data transmission network;
- control network;
- storage area network;
- backup network.
— Isolated storage of backup copies (air-gapped backups) in offline environments that do not have a permanent connection to the main network, as well as the use of removable media (tapes, external hard drives) stored in secure locations.
— Regular backup of the centralized deduplication database and the RK catalog and/or the management server with its database.
— Setting up built-in protection against ransomware.
Directory protection
A crucial point is ensuring the protection of the backup software metadata: the backup database or backup catalog. Having a backup copy of the backup software metadata will allow you to quickly restore backup functionality and avoid losing information about which backup is located on which media.
All advanced CRM software can create a standalone catalog backup system and deploy it from scratch on a new server, which, for example, could be in cold standby mode (prepared, but powered down and disconnected from the network). In this case, it's necessary to configure regular (at least once a day) full backups of the catalog backup system to the backup storage. Typically, during this procedure, the CRM software stores service information, such as which tape to search for the required catalog copy. This data can be sent via email and/or saved as text files. Furthermore, the catalog backup system can be duplicated onto tapes and uploaded for off-site storage.
One of the effective options for protecting a directory could be the following scenario:
The directory backup is performed on a separate NFS share from a server in a separate (isolated) segment, not connected to the directory service. According to a schedule, the NFS share is exported, connected to the master server, and after saving the backup, it is disconnected and deported. This scenario can be implemented using pre- and post-commands within any SRKiVD system in conjunction with the cron scheduler.
Built-in ransomware protection mechanisms in the SRK software
Almost every backup software already has built-in monitoring of backup clients, such as detecting abnormal changes in backup volumes, blocking system files from modification, and so on. We've reviewed the most popular and current backup software in terms of the protection options they offer. Although many overlook these features, we recommend enabling and using them, as they provide additional, and quite effective, layers of protection against intruders.
Cyberprotect Cyber Backup
- The Active Protection module monitors processes running on the protected server. When a third-party process attempts to encrypt files or mine cryptocurrency, Active Protection generates an alert and performs additional actions, if specified in the settings.
In addition, Active Protection prevents unauthorized changes to its own processes, registry entries, executable and configuration files, and backup copies located in local folders. - The Vulnerability Assessment module scans computers protected by the backup and recovery system (BRS) for vulnerabilities, checks whether operating systems and installed applications are up-to-date, and ensures they are functioning correctly. Vulnerability assessment scanning is only supported for Windows-based computers.
These features have been available since version 16. Incidentally, Acronis CyberBackup has similar modules.
RuBackup (Astra Group)
- Scheduled replication (export/import) of selected backups to another independent RuBackup installation. Since the second domain is completely independent from the attacked infrastructure, ransomware will be unable to damage the backups on it. This feature is available starting with version 2.1.
- Digital signature of backup copies allows you to control the integrity and authenticity of the RK.
Commvault B&R
- Enable Ransomware Protection, a standalone app from the Commvault store, lets you manage and monitor the File Anomaly Activity alert and Ransomware Protection options on all CommCell media agents.
Ransomware Protection functionality prevents any processes not related to Commvault from modifying local backup files, including those located on file shares (this requires detailed configuration of access rights to the share).
Additionally, it's now possible to receive reports on abnormal activity. In addition to analyzing typical file activity on clients, it's possible to place a decoy file (the Honeypot or Canary File) on them. If it's encrypted, Commcell will send a notification.
Additionally, it is possible to set up a warning if the SRK client is unavailable. - The system automatically analyzes historical data on its own operation, the deduplication database, events, and the operation of RK tasks, and also searches for anomalies.
General protection recommendations are available on the documentation website in the Ransomware Protection section (valid for version 11.20; more recent releases require expert approval).
Veritas NetBackup
- The AIR (Auto Image Replication) feature allows you to replicate backup data to another NetBackup installation (domain). This is accomplished using dedicated SLP (Storage Lifecycle Policy) policies and an import command in the domain receiving the backups. Because the second domain is completely independent from the attacked infrastructure, ransomware cannot damage the backups on it. This technology has been designed and implemented repeatedly by a number of our customers.
- The use of specialized NetBackup Appliance hardware also enhances the security of the data protection and data management system (DDR) system, given the use of the specialized OST (OpenStorage Technology) data transfer protocol. This protocol also enables storage in an immutable WORM format.
- Built-in analytics for abnormal activity using ML tools and historical data analysis for RK tasks and other Veritas Anomaly Detection metrics. Available starting with version 9.1.
Veeam Backup & Replication
- Using Immutable storage, as well as configuring the Hardened Repository on the server with disks. This is a set of settings that enhance storage security on a Veeam Linux server, including restricting access to modifying backup data.
- Integration with HPE StoreOnce Deduplicator creates a secure, dual-sign-on experience and enables immutable storage without the complexity of setting up immutable storage for seven days after placement.
- An additional tool is the Veeam ONE monitoring system (a separate product, part of the Availability Suite, along with B&R). Without it, effective monitoring of Veeam B&R is impossible.
Vinchin Backup & Recovery
Vinchin's primary protection is protection against third-party modifications to the backup storage (which works with built-in disks or block devices on external storage) connected to Vinchin servers. This option is called Storage Security.
Function | Cyberbackup | RuBackup | Veritas NetBackup | Veeam | Commvault |
Snapshots on the production array | Yes. There is integration with Huawei Dorado, and YADRO is planned. | Yes. It is planned with YADRO. | Yes | Yes | Yes |
Immutable storage | In plans for 2025 | In plans for 2025 | Yes | Yes | Yes |
Integration via S3 protocol (object lock) | In plans for 2025 | In plans for 2025 | Yes | Yes | Yes |
Support for GOST encryption | In plans for 2025 | Yes | No | No | No |
Protection at the backup storage device level
Option 1. Storage system with block access to data
As one of the means of protection, you can consider the option of regularly creating instant snapshots on production arrays and replicating the snapshots to a dedicated storage system for backup copies.
A snapshot on a production storage system isn't the backup itself, but a convenient tool for quickly creating a copy (important: ensure data consistency in the snapshot!) and quickly restoring. However, a consistent snapshot replicated to a second storage system designated for storing backups will be considered a full backup. The backup software is responsible for ensuring data consistency when creating snapshots, as well as for their rotation.
In this case, it's important to understand the risk of uncontrolled volume growth, which may impact performance (depending on the technology used—Copy-on-Write or Redirect-on-Write). This may significantly increase storage costs (for example, if a separate license is required). The main advantage is the ability to restore data in a relatively short time.
Industrial storage management software (Veeam, Commvault) successfully integrates with productive disk arrays (e.g. Huawei, Netapp) to create snapshots, which can then be used for operational or long-term storage (as the first storage tier).
Snapshots can be created without SRK software, using only the storage system, thanks to CDP (Continuous Data Protection) technology in disk arrays from leading manufacturers (Huawei, Dell, NetApp, Pure). This technology allows for the creation of a large number of snapshots at specified intervals (down to minutes) and their rotation. However, in this case, all snapshots will be inconsistent, and restoring them will be similar to turning on the server after a power outage. Domestic manufacturers do not offer CDP technology, but several players (Yadro Gen2, Aerodisk Engine, Baum) offer the ability to create snapshots via the command line or API.
You can use delayed asynchronous replication, lagging behind production data by, say, X hours/days. However, not all disk array vendors offer this feature.
Option 2. Storage system with file access to data
Using external file systems with retention locks can significantly complicate the lives of attackers, especially when it comes to deleting or corrupting them. Immutable storage technologies protect backup data from changes after it's created.
In this case, support from both the storage system (NetApp SnapLock, Huawei Hyperlock) and the backup management software is required. Otherwise, the backup management software may malfunction, as the management components (master server, media servers) will not be able to correctly handle write-locked backup files. The simplest option is to use file systems in WORM mode only for full backups.
Function/Manufacturer | YADRO | Aerodisk | Baum | Huawei | NetApp / Lenovo | DellEMC |
Snapshots | Yes | Yes | Yes | Yes | Yes | Yes |
CDP | No. Only via API and CLI. | No. Only via API and CLI. | No | Yes | Yes | Yes |
Immutable storage | N/A | N/A | N/A | Yes | Yes | Yes |
Option 3. Specialized applications (deduplicators)
In the context of ransomware protection, deduplicators are basically a special case of “file-based storage”.
Immutable storage solutions are available in different vendor names, including standalone hardware-based Purpose-Built Backup Appliances (PBBAs)—NetBackup Flex Appliance, StoreOnce, DataDomain, Quantum DXi, and Tatlin Backup (functionality under development).
The use of proprietary protocols for interaction between the SRK software and PBBA (DDBoost, Catalyst) will significantly complicate the risk of compromising the RK data, since they will not be clearly present in the system, as they use non-standard methods of interaction between the SRK software and storage devices.
For example, in HPE StoreOnce, this is achieved through the StoreOnce Catalyst Store and API. StoreOnce Catalyst Store doesn't use standard operating system commands or instructions to interact with the client or the deduplicator software. Access is provided through a set of API commands that are directly integrated into the backup application's media server and include the StoreOnce Catalyst client library (running as part of a plug-in). When using StoreOnce Catalyst, stored data is inaccessible from the management server (or media server) operating system and is only visible from the deduplicator software console or web interface.
The main difference between these PBBAs is that they don't use the same authentication methods or, most importantly, the same instruction set as other file share technologies (CIFS, NFS, SMB) that rely on OS tools. Storage devices connected via PBBAs will not be accessible from the OS without the appropriate APIs.
Function | YADRO Tatlin Backup | HPE StoreOnce | Netbackup Flex Appliance | DellEMC DataDomain |
Proprietary protocol | Yes. Implementation of T-Boost via FC is in the plans. | Yes | Yes | Yes |
Deduplication at the source | Yes. Implementation of T-Boost via FC is in the plans. | Yes | Yes | Yes |
Global deduplication | Yes | Yes | Yes | Yes |
Possibility of connection to the SRK software via file protocols | Yes | Yes | Yes | Yes |
Immutable storage (Retention lock) | In plans for 2025 | Yes | Yes | Yes |
Option 4. Tape libraries with LTO cartridges
Tape media is the most secure against ransomware attacks. Even if the master server is completely lost, backups on tape can still be imported—as a rule, all backup software can do this. However, this is time-consuming, as each tape must be re-read. The time required depends on the size, type, and speed of the tape. We recommended backing up the backup software catalog above—this will significantly reduce the time it takes to restore the backup if it is completely destroyed during an attack.
For the most critical systems, make backup copies to separate tape cartridges, eject them from the library and store them off-site in a fireproof safe. Then even an attacker who gains control of the backup system and tries to erase the tapes in the library has a much harder time reaching the off-site copies. This does not rule out a targeted, long-running attack with help from an insider (an employee with access to the backup system who is able to sabotage it covertly), so the handling of off-site tapes must itself be a controlled process.
WORM tapes make sense for backups with a fixed, long retention period set by regulators (3, 5 or 10 years of protection against deliberate modification, including by administrators) or where physical access to the tape library is limited. Otherwise they are an expensive option, because a WORM cartridge can never be reused. The write-once property prevents both accidental and deliberate deletion of data, for example during a ransomware attack or through operator error; it does nothing, however, against physical destruction or theft of the cartridge.
WORM cartridges are practically identical to rewritable cartridges of the same generation, except that the cartridge memory chip (Linear Tape-Open Cartridge Memory, LTO-CM) identifies them as WORM. There are also minor changes to the servo tracks, which are needed to verify that the data on the tape has not been modified. The bottom half of the cartridge shell is usually gray, and it may be fitted with tamper-resistant screws. Drives that support WORM mode recognise WORM cartridges automatically and write a unique identifier (WORM ID) with each data set recorded on the tape.
Figure: LTO cartridge with WORM
Figure: LTO cartridge without WORM
An alternative is to write-protect full tapes inside the library. Ideally, at the end of each working day the on-duty backup (SRK) administrator goes to the library, flips the write-protect switch on tapes that have been filled and flips it back on tapes whose retention period has expired. The switch is mechanical: the drive firmware honours it and no software command can clear it, but by the same token anyone with physical access to the cartridge can clear it, so the measure only works together with access control to the library room. An information security officer or the service organisation checks compliance with this policy at unannounced times.
To simplify handling large numbers of tapes, use barcoded cartridges. Before starting work, check the barcode labels for damage and make sure the library's barcode reader is working. If you have several libraries, make sure the barcodes are unique across all of them, otherwise the backup software will confuse the media.
Option 5. Storage with object access to data (S3), cloud storage
To store backup copies you can use S3 storage, which comes in several forms:
- public cloud (Mail.ru, Yandex Cloud and others);
- on-premise, either open source (Ceph, MinIO) or proprietary (Hitachi Content Platform, NetApp StorageGRID, Tatlin Object and so on).
The backup software must support the relevant features of the S3 protocol. For immutability that is the Object Lock mechanism with its Governance and Compliance modes and Legal Holds. Object Lock must be enabled on the bucket itself (which also switches on versioning). If the backup software cannot set a lock on the objects it writes, configure a default retention rule at the bucket level in advance, so that every object written into it is locked automatically. Note that Object Lock protects object versions: a plain DELETE on a versioned bucket only adds a delete marker, and the locked version stays recoverable underneath it.
- Governance (the least restrictive, managed lock). A user with permission to upload objects can set a lock. A user holding the special bypass permission (s3:BypassGovernanceRetention in Amazon S3) can bypass the lock (delete or overwrite the object version), shorten it or remove it, but must acknowledge this explicitly on every request: in the Amazon S3 REST API by sending the x-amz-bypass-governance-retention: true header. Grant that permission to as few identities as possible, and never to the account the backup software runs under.
- Compliance (the most stringent lock). A user with permission to upload objects can set a lock. Once set, it can only be extended; nobody, including the storage administrator, can bypass, shorten or remove it before it expires. A typo in the retention period therefore costs you the storage for the whole period.
- Legal hold (open-ended lock). A user with the corresponding permission (s3:PutObjectLegalHold in Amazon S3) can set and remove the hold. It has no expiry date, applies independently of any retention period, and cannot be bypassed: while it is on, the object version cannot be deleted.
Remember that while an Object Lock is in force, the backup software itself cannot delete the copies either, including during normal rotation by retention period. So set the lock duration to match the intended retention of the copy (not longer), let the backup software or a bucket lifecycle rule expire objects once the lock lapses, and size the bucket for the full locked volume, because nothing can be reclaimed early. Where immutable copies will live has to be decided at the design stage.
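The three lock modes above differ in exactly one question: who can shorten or remove the lock, and how. The following model of those decisions is an added illustration for this post, not code from any S3 implementation or backup product. The rules follow the Amazon S3 semantics just described; the Lock and Caller classes, the function names and the sample dates are this example's own assumptions, and the default-retention helper only builds the request body in the shape boto3's put_object_lock_configuration expects, it does not talk to a server.

```python
"""Model of the S3 Object Lock decisions described above.

Added illustration for this post, not code from any S3 implementation or
backup product.  The Lock/Caller classes, function names and sample dates
are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class Lock:
    """Lock state of one object *version*."""
    mode: Optional[str] = None             # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False               # independent of the retention period


@dataclass
class Caller:
    may_bypass_governance: bool = False    # holds s3:BypassGovernanceRetention
    sent_bypass_header: bool = False       # x-amz-bypass-governance-retention: true


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def retention_active(lock: Lock, now: datetime) -> bool:
    return (lock.mode is not None and lock.retain_until is not None
            and now < lock.retain_until)


def can_delete_version(lock: Lock, caller: Caller, now: datetime) -> Tuple[bool, str]:
    """May this caller permanently delete the locked object version?

    A DELETE without a version id on a versioned bucket is always accepted, but
    only adds a delete marker; the locked version survives underneath it.
    """
    if lock.legal_hold:
        return False, "legal hold is ON; remove it first (s3:PutObjectLegalHold)"
    if not retention_active(lock, now):
        return True, "no active retention period"
    if lock.mode == "COMPLIANCE":
        return False, f"COMPLIANCE retention until {lock.retain_until.date()}; no one can bypass it"
    if lock.mode == "GOVERNANCE":
        if caller.may_bypass_governance and caller.sent_bypass_header:
            return True, "GOVERNANCE retention bypassed (permission and header present)"
        if caller.may_bypass_governance:
            return False, "caller may bypass GOVERNANCE but did not send the bypass header"
        return False, "GOVERNANCE retention active; caller lacks s3:BypassGovernanceRetention"
    raise ValueError(f"unknown lock mode {lock.mode!r}")


def can_change_retention(lock: Lock, new_until: datetime, caller: Caller,
                         now: datetime) -> Tuple[bool, str]:
    """May the retain-until date be moved to new_until?  Extending is always allowed."""
    if not retention_active(lock, now) or new_until >= lock.retain_until:
        return True, "retention set or extended"
    if lock.mode == "COMPLIANCE":
        return False, "COMPLIANCE retention can only be extended, never shortened"
    if caller.may_bypass_governance and caller.sent_bypass_header:
        return True, "GOVERNANCE retention shortened with bypass"
    return False, "shortening GOVERNANCE retention needs the bypass permission and header"


def default_retention_config(mode: str, days: int) -> dict:
    """Bucket-level default applied to every new object when the backup
    software sets no lock itself.  Same shape as the ObjectLockConfiguration
    argument of boto3's s3.put_object_lock_configuration(); the bucket must
    already have Object Lock (and therefore versioning) enabled."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if days < 1:
        raise ValueError("retention must be at least one day")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


if __name__ == "__main__":
    now, until = utc(2025, 1, 1), utc(2025, 2, 1)
    admin = Caller(may_bypass_governance=True, sent_bypass_header=True)
    for label, lock in (("governance", Lock("GOVERNANCE", until)),
                        ("compliance", Lock("COMPLIANCE", until)),
                        ("legal hold", Lock("GOVERNANCE", until, legal_hold=True))):
        ok, why = can_delete_version(lock, admin, now)
        print(f"{label:11s} delete by admin with bypass: {ok} ({why})")
    print(default_retention_config("COMPLIANCE", 30))
```

The point the model makes concrete: a Governance lock is only as strong as the list of identities holding the bypass permission, while a Compliance lock is immune even to the storage administrator, so the backup software's own credentials should never be able to shorten either one.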
An on-premise solution needs additional investment in design, implementation, operation and support, and is not necessarily the more reliable option: the cluster nodes that implement the S3 protocol are one more thing that can be attacked (remote access, the OS and the file system underneath), and an attacker with root on those nodes can destroy data regardless of any Object Lock set through the API.
From this point of view a public cloud looks safer, because the customer is only given access to the buckets themselves through an access key / secret key pair and cannot reach the servers hosting the S3 service with ordinary tools and protocols at all. The key pair then becomes the critical secret and deserves its own protection: a dedicated key with minimal rights for the backup software, and regular rotation. Depending on the provider's services, however, extra costs should be expected. Additional charges may apply for:
- communication channels from the customer's infrastructure to the provider;
- the volume needed to store the backup copies;
- the number of I/O operations;
- the volume of outgoing (egress) traffic, which matters most during a restore.
A typical enterprise backup and recovery system (SRKiVD) architecture might look like the diagram below. Want something similar? Come and see us!
Processes
All backup and recovery processes must be documented in the information system documentation and agreed with management and the information system owners. The documentation must be reviewed and updated every six months, whatever the size of the company. The approved documents must include:
- unified backup and recovery regulations;
- a recovery plan for each information system (including the backup system itself);
- backup system update regulations;
- regulations for handling removable (off-site) copies.
For accountability, all work on the backup system must go through change requests (RFCs) naming the responsible persons.
Preparing these documents requires an audit of all information systems. For each system, define the RTO and RPO requirements, which drive the choice of protection method (a backup system protects against logical errors, but does not always deliver the required recovery speed for large volumes), and set retention periods based on internal rules or regulatory guidance. To choose a backup scheme and decide whether application-level disaster recovery or clustering is justified, the cost and criticality of each system's unavailability is usually assessed, for instance through a business impact analysis (BIA).
Test recoveries
To make sure the backup and recovery system actually works, regularly rehearse restoring information systems from backup copies in an environment isolated as far as possible from production.
This shows several important things:
- how long recovery will take in a real emergency;
- the bottlenecks in the recovery process itself (fixing them is the next step);
- whether the copies are made correctly (for example, whether a restored database comes up in a consistent state);
- whether everything the information system needs is backed up and can be restored (completeness of the copy from the application's point of view);
- whether the backup system's own data (the catalog) can be restored with the backup methods in use.
Monitoring
A unified monitoring and alerting system is an important tool both for prompt response to incidents anywhere in the IT infrastructure and for proactive monitoring of the backup system itself and its components.
Key personnel (ideally groups of responsible people, not individuals) must be notified promptly of failed backup jobs and any anomalies by every available channel (mail, SMS, Telegram bots, calls from on-duty engineers and so on).
At a minimum, make full use of the monitoring built into the backup (SRK) software and add monitoring of its hardware components (media servers, storage devices) in the central system.
What should raise suspicion?
- abnormally large incremental or differential copies (encryption rewrites every file, so the next incremental approaches the size of a full);
- unusual I/O patterns on file systems and LUNs (for example, a surge of sequential reads followed by rewrites);
- manual deletion or expiry of backup images;
- access to the backup system by personnel who should not have it.
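The indicators above are easy to check mechanically from the job history that every backup product already keeps. The script below is an added example for this post, not code from any backup product: it runs the first and third indicators over a constructed job log (sizes of incremental jobs against the client's own baseline, and manual expiry of images) and goes one step beyond the list by also watching the deduplication ratio, because encrypted data neither deduplicates nor compresses and a ratio that collapses from about 5:1 to about 1:1 overnight is one of the clearest signs that the source has been encrypted. The log format, field names and thresholds are this example's own assumptions; adapt them to your software's reports.

```python
"""Anomaly checks over backup-job records.

Added example for this post, not code from any backup product.  The job log,
its field layout and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: date,client,job_type,bytes_written,dedup_ratio
# FULL / INCR are completed jobs; MANUAL_EXPIRE records an operator expiring
# (deleting) a backup image by hand.  fs01 is encrypted on 2025-03-07.
SAMPLE_LOG = """\
2025-03-01,fs01,FULL,2000000000000,4.8
2025-03-01,db02,FULL,500000000000,3.0
2025-03-02,fs01,INCR,40000000000,5.1
2025-03-02,db02,INCR,10000000000,3.1
2025-03-03,fs01,INCR,35000000000,4.9
2025-03-04,fs01,INCR,52000000000,5.0
2025-03-05,fs01,INCR,45000000000,5.2
2025-03-06,fs01,INCR,38000000000,5.0
2025-03-07,fs01,INCR,1300000000000,1.05
2025-03-07,db02,MANUAL_EXPIRE,0,0
"""

INCR_SPIKE_FACTOR = 5.0        # incremental > 5x median of the client's earlier incrementals
INCR_NEAR_FULL_FRACTION = 0.5  # incremental > 50% of the client's last full
DEDUP_COLLAPSE_FACTOR = 2.0    # dedup ratio below half the client's baseline median
MIN_HISTORY = 3                # samples needed before a baseline is trusted


def parse_log(text):
    """Turn the CSV-like job log into (date, client, type, bytes, dedup) tuples."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, client, jtype, nbytes, dedup = line.split(",")
        jobs.append((date, client, jtype, int(nbytes), float(dedup)))
    return jobs


def find_anomalies(jobs):
    """Return a list of (date, client, code, detail) alerts, in log order.

    Baselines are per client and use the median, so one bad day does not
    poison the baseline for the days that follow.
    """
    alerts = []
    incr_hist = defaultdict(list)   # client -> sizes of earlier incrementals
    dedup_hist = defaultdict(list)  # client -> earlier dedup ratios
    last_full = {}
    for date, client, jtype, nbytes, dedup in jobs:
        if jtype == "MANUAL_EXPIRE":
            alerts.append((date, client, "MANUAL_EXPIRE",
                           "backup image expired by an operator; match it to an RFC"))
            continue
        if jtype == "FULL":
            last_full[client] = nbytes
        elif jtype == "INCR":
            prior = incr_hist[client]
            if len(prior) >= MIN_HISTORY and nbytes > INCR_SPIKE_FACTOR * median(prior):
                alerts.append((date, client, "INCR_SPIKE",
                               f"{nbytes / 1e9:.0f} GB vs median {median(prior) / 1e9:.0f} GB"))
            if client in last_full and nbytes > INCR_NEAR_FULL_FRACTION * last_full[client]:
                alerts.append((date, client, "INCR_NEAR_FULL",
                               f"{nbytes / last_full[client]:.0%} of last full; most files rewritten?"))
            prior.append(nbytes)
        base = dedup_hist[client]
        if len(base) >= MIN_HISTORY and dedup < median(base) / DEDUP_COLLAPSE_FACTOR:
            alerts.append((date, client, "DEDUP_COLLAPSE",
                           f"ratio {dedup:.2f} vs baseline {median(base):.2f}; data looks encrypted"))
        base.append(dedup)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(" | ".join(str(field) for field in alert))
```

On the sample data the first six days are quiet; on the seventh the encrypted client trips all three content checks at once (a 1.3 TB incremental against a 40 GB median, 65% of the last full, dedup ratio 1.05 against a baseline of 5.0), which is exactly the combination worth paging someone for, while the manual expiry on the other client is flagged on its own so that it can be matched to a change request.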
Staff
A key element of countering any attack is staff training and awareness, and this is usually one of the hardest tasks. What can help?
- Regular cybersecurity training for employees, including how to recognise phishing and other malware delivery methods.
- An agreed role-based access model for both the backup software and its components.
- Named persons responsible for data recovery, with clearly defined boundaries (for example, for critical and large databases both the backup administrator and the DBA take part in recovery).
- Regular test restores from backup copies.
Information security of the SRK
Access to resources
To limit an attacker's access to the company's important resources, follow these key rules:
- The storage most vulnerable to ransomware is whatever the OS sees as a file system: the server's internal drives, LUNs presented from external arrays as block devices, and network shares mounted over CIFS/SMB or NFS. For a storage area network (SAN), prefer Fibre Channel to Ethernet (iSCSI): an FC fabric is not reachable from the IP network, which removes one path of attack (this is isolation, not authentication, so zoning and LUN masking still have to be configured and backed up).
- To avoid losing the whole infrastructure at once (for example, when Active Directory accounts are compromised), use local accounts with a strict password policy and regular password rotation for the management/DC/SDS segments, and keep those credentials in a vault rather than in AD.
- Ensure physical security where the backup system's hardware is located (access control systems, video surveillance and so on).
- Install OS patches promptly on both production and backup infrastructure, above all for vulnerabilities that are already being exploited (zero-days).
- Regularly update the backup system software and apply all available security patches.
- Track security advisories and respond to vulnerabilities immediately.
- Use firewalls to restrict traffic between segments. Routing the backup data stream itself through a firewall is not recommended, because of the impact on production and the limited throughput of firewalls; restrict that path with switch ACLs or a dedicated backup VLAN instead.
- Open only the minimum set of ports needed for the backup system and its components to work (non-standard ports where the software allows it; this is obscurity rather than a control, but it does blunt automated scanning).
- Back up the configuration files of network devices (FC and Ethernet switches).
For example, in large SANs built on Brocade and/or Cisco MDS FC switches, rebuilding the zoning that lets media servers talk to storage devices is laborious and adds directly to recovery time. Zoning is part of the switch configuration, so back it up after every change and at least once a month. Both vendors have this built in. On Brocade (FOS) it is the configUpload command, which can upload the configuration to an scp, sftp or ftp server (prefer scp or sftp, since ftp sends credentials in the clear); cfgShow prints the zoning alone in text form for a quick copy. On Cisco MDS (NX-OS), copy running-config startup-config only saves the configuration locally on the switch; for an off-box copy use copy running-config with an ftp:, tftp:, sftp: or scp: destination. Keep these copies in the backup system itself, not only on an administrator's jump host.
- Allow access to the administrative console of the backup software and its components only from a dedicated terminal server, with a hardware USB token required for login.
- Enforce access control and authentication: restrict rights in the backup system to the minimum needed and use multi-factor authentication (MFA).
Conclusions
The backup and recovery system (SRKiVD) is the company's last line of defence, ensuring recovery when key production data is damaged. The surest way to recover from ransomware is to follow the 3-2-1-1 rule. Some of the measures we have discussed are there to make recovery after deliberate data corruption faster and less painful. When choosing specific measures, weigh both the implementation budget and the current capacity of the IT staff.
In this post we have covered the range of issues and solutions to consider when designing a backup system that effectively protects data from encryption and allows recovery after a breach. The more of these measures you implement, the safer your backups. Some do require significant investment, such as moving to tape libraries, separate storage systems or isolated backup environments if you have not used such solutions before. Others are about configuring the backup system you already have properly, building the backup processes around it and generally keeping your perimeter secure.
Choose what suits you, keep your feet warm, your head cool, and your backups safe!
This post was prepared by the Data Storage and Information Disclosure Center team at Infosystems Jet's Infrastructure Solutions Center.
With the participation of: Andrey Yankin, Director of the Information Security Center at Infosystems Jet.