Ransomware attacks pose a significant threat to primary storage, as they can encrypt and hold data hostage, rendering it inaccessible until a ransom is paid. Regular backups have been the go-to strategy for data restoration to deal with ransomware attacks that break through preventative cyber defenses, allowing for the recovery of primary data from the most recent unaffected backup.
However, a newer option is to use the features built into primary storage arrays to detect and recover from a ransomware attack that damages data.
Point-in-time copies or storage snapshots have long been a mainstay of primary storage to create a history of data images for disaster recovery. Enhanced versions of these snapshots are now being used to restore data in a fail-safe way in the event of a ransomware attack that corrupts data.
Lines of Defense
The first line of defense in cybersecurity is networking and access controls. However, those in charge of the data center have quickly realized that having up-to-date, ransomware-free, versioned data copies is a crucial fallback for data recovery if frontend defenses are breached.
In addition to protecting data against corruption and accidental loss, storage array snapshots inside primary storage are now playing a crucial role in thwarting malicious activity and recovering data during a data-damaging attack.
Despite claims made by some storage vendors that their array snapshots may be used for ransomware attack data recovery, simple snapshots fall far short of being the complete cybersecurity solutions required to truly secure mission-critical data. In addition, with ransomware data thefts and data ransoming on the rise, stored data should always be encrypted with well-thought-out key management to protect against theft and the threat of exposing company information for ransom. This includes all company secret data, data that contains a competitive advantage, or data that might just be embarrassing if released to the public.
Mission-critical data must have at least two immutable copies made by two different backup processes to guarantee that at least one ransomware-protected copy would survive a ransomware assault, given the increased sophistication of cyber-attacks observed by Omdia in 2022.
A layered protection strategy should also be considered to move the recovery closer to the data inside the storage system, allowing for a speedy shutdown in the event of an attack and quick data recovery afterward.
Storage Array Snapshots
Inside a primary storage system is a great place to deploy other important capabilities that can thwart ransomware attacks. The latest storage system software can instantly recognize abnormal data being written to the system and respond with automatic procedures that ensure the stored data is affected as little as possible. Comprehensive solutions can also scan the storage for data protection security gaps and misconfigurations, which ransomware tries to exploit by changing configuration settings to shut down data recovery measures.
Centralized monitoring for and timely notifications of any ransomware activity are essential components of any complete security plan. Since immutable backups remain a crucial component of any layered protection strategy, Omdia advises that storage-level protection be coupled with the broader backup vendor technology to obtain centralized monitoring and possible integrated application recovery management.
Keeping Copies Under Lock and Key
Last year, data centers experienced increasingly sophisticated cyberattacks, so it is now a must-have requirement to have immutable data copies as a fallback against such attacks. Immutably stored data copies cannot be altered by writing to them. They are locked in time and cannot be deleted through typical administrative actions. Thus, they are great for recovering data.
Omdia analysts have increasingly witnessed companies develop capabilities embedded into primary storage to recover compromised data from immutable copies. These mechanisms often involve snapshots that cannot be altered.
An acceptable initial step for primary storage is simply making array-based immutable recovery copies, especially if an excellent backup procedure intended to guard against ransomware also protects the storage. Beyond that, the following list of key capabilities must be considered to resist ransomware in primary storage completely:
- Recovery as a feature of storage software: Careful thought should be given to whether the offering provides complete ransomware protection or is merely a checkbox item that is minimally effective when recovering ransomware-attacked data.
- Immutable volumes and file copies: Two important considerations of snapshot capabilities are how many can be held at one time and how often snapshots can occur.
- Solution hardening and protected controls: Administrative controls must be secured, and the storage operating software must be updated to the latest versions to neutralize these attackers’ efforts. Requiring two administrator approvals for major configuration modifications and copy deletions is a good idea.
- Attack detection and its containment: An important feature of a complete ransomware data solution is the proactive detection of ransomware operating on a stored dataset and then taking automated actions to freeze the attack before it does further damage.
- Centralized detection alerting and status: Monitoring for incidents with immediate alerting and reporting to a centralized dashboard are essential for any ransomware solution.
- Fail-safe ransomware attack data recovery: Primary storage snapshots taken in the context of the storage environment are highly helpful for speedy restoration and can be easily verified before use, which simplifies data recovery.
- Assisted recovery point selection: Ransomware recovery solutions must assist businesses in recovering with the least amount of damage. Numerous data copies are stored by storage systems, and the best solutions help operators locate the optimal ransomware-free recovery point for each stored data set.
- Automated and quick data recovery: Given that the recovery time for a complete data center environment can be lengthy, the system should be able to prioritize recoveries of the most crucial systems first and then help guide those recoveries.
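
The detection and assisted recovery point selection items above can be sketched as follows. This is an added example, not code from Omdia or any storage vendor: the per-snapshot fields, the entropy and change-rate thresholds, and the rule that only immutable snapshots qualify are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Snapshot:
    snap_id: str
    taken_at: int         # epoch seconds
    changed_ratio: float  # fraction of blocks changed since the previous snapshot
    entropy: float        # mean Shannon entropy (bits/byte) of the changed blocks
    immutable: bool       # locked against modification and deletion

def is_suspicious(snap, baseline_ratio, ratio_factor=5.0, entropy_limit=7.5):
    """Assumed heuristic: near-random writes AND a change rate far above baseline.
    Requiring both avoids flagging small compressed uploads or large plain copies."""
    return (snap.entropy >= entropy_limit
            and snap.changed_ratio >= ratio_factor * baseline_ratio)

def select_recovery_point(history):
    """Return (recovery_point, first_suspicious); either may be None."""
    ordered = sorted(history, key=lambda s: s.taken_at)
    if not ordered:
        return None, None
    # Median change rate stays representative while attack snapshots are a minority.
    baseline = median(s.changed_ratio for s in ordered)
    first_bad = next((i for i, s in enumerate(ordered)
                      if is_suspicious(s, baseline)), None)
    clean = ordered if first_bad is None else ordered[:first_bad]
    # A mutable snapshot may have been altered after the fact, so skip it.
    candidates = [s for s in clean if s.immutable]
    point = candidates[-1] if candidates else None
    return point, (None if first_bad is None else ordered[first_bad])

# Constructed sample history: hourly snapshots, encryption begins in snap-05.
HISTORY = [
    Snapshot("snap-01", 1700000000, 0.02, 4.1, True),
    Snapshot("snap-02", 1700003600, 0.03, 4.3, True),
    Snapshot("snap-03", 1700007200, 0.02, 4.0, True),
    Snapshot("snap-04", 1700010800, 0.04, 7.8, False),  # compressed upload, mutable
    Snapshot("snap-05", 1700014400, 0.61, 7.9, True),
    Snapshot("snap-06", 1700018000, 0.78, 7.9, True),
]

if __name__ == "__main__":
    point, bad = select_recovery_point(HISTORY)
    print("restore from:", point.snap_id, "| first suspicious:", bad.snap_id)
```

The selected point should still be verified before use, for example by mounting it read-only and checking application data, since a statistical heuristic can miss slow or partial encryption.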
Organizations should always have a strong detection and prevention aspect to their cybersecurity counter-offensive. However, when those security measures eventually fail, guaranteed remediation from an attack is critical for not incurring data loss.
Guaranteed recovery requires organizations to use a layered approach to recover attacked mission-critical data. Array-based solutions for ransomware data recovery are good examples of this layering and provide advantages over just using backups to provide protection.
Storage snapshots have historically been a valuable tool in disaster recovery plans and have been used to successfully recover data from unintentional file deletions. However, simple snapshots are not particularly effective in preventing deliberate attacks on data.
To provide a foolproof ransomware solution, enhanced capabilities added to simple snapshotting are crucial for ransomware recovery features in mission-critical storage.
Originally appeared as a free-to-download analyst’s opinion: Primary storage cyber protection solutions to thwart ransomware from Omdia's Cloud Storage subscription service. Omdia is an Informa property.