The popularity of immutable storage has grown steadily over recent years - however, in this blog, we look at why a wider approach needs to be considered alongside its implementation.
Immutability, or immutable storage, is a very popular phrase right now and is regularly brought into ‘ransomware protection’ discussions, but while current forms of cyber-attack are relatively new, the concept of ‘immutability’ has been with us for many decades. Write Once Read Many (WORM) devices have been available, and designed into data protection strategies, for many years - for example, traditional magnetic tape, which COOLSPIRiT has supplied to customers since our inception in 1998, is very much considered an immutable storage device and is much trusted due to its true 'off-line' nature. In more recent years, cloud and physical storage providers have offered 'S3 compatible' technology, known as object storage, to address our modern 'on-line' requirements.
At a basic level, immutability describes a state in which an 'object' is fixed and cannot be changed. In the context of data, the term describes a data repository or file system that is unchangeable once it has been written to - essentially, a 'tamper-proof' location for data to be stored on. In the context of data protection and the backup and recovery of files, applications and virtual machines, writing backups to an immutable storage location means that, once written by the backup application, the data is secured against any future attempt to change it - such as would happen in an encryption-based cyber-attack, which we discussed in the previous blog of this series. This is where an immutable repository is extremely valuable to any IT team… it doesn’t prevent the cyber-attack, but it should safeguard a copy of data for use in a restore scenario.
Considering how immutability operates, we realise it needs to be time-bound. To put it another way: how long will this data repository need to be kept in a 'tamper-proof' mode? It might be measured in weeks, months, or possibly years. Alongside the question of time, we also need to consider the costs and impact of doing this. For example, if you're using a cloud-based immutable storage repository, such as Amazon AWS S3 with its object lock feature, then costs will keep on being incurred for the duration of the object lock, irrespective of whether you need the data or not.
However, when considering the length of time such ‘locks’ need to exist, we also need to remember that ransomware can lie dormant in an IT environment for a very long period of time. The danger here is that if you back up data containing malicious code to immutable storage, you will be preserving the bad code and can no longer remove or quarantine it - certainly not before the expiration date is reached. And would you actually want to recover this data if doing so could set you back to square one? This leads on to a further consideration: how to scan your backup streams to see if they contain any infected code - do you have existing software that is capable of this, or will new software be required?
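The trade-off between lock length, dormant ransomware and ongoing cost can be worked through on a small backup catalogue. The following is an added example, not part of the original blog; the weekly schedule, the 500 GB backup size, the dates and the 45-day dwell time are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Backup:
    taken: date      # date the backup was written to the immutable repository
    lock_days: int   # length of the retention lock, in days
    size_gb: int     # stored size, billed for as long as the lock holds

    @property
    def locked_until(self) -> date:
        return self.taken + timedelta(days=self.lock_days)

def weekly_backups(first: date, count: int, lock_days: int, size_gb: int = 500):
    """Constructed sample catalogue: one backup per week."""
    return [Backup(first + timedelta(weeks=i), lock_days, size_gb) for i in range(count)]

def split(backups, today: date, detected: date, dwell_days: int):
    """Return (clean_locked, suspect_locked) lists, oldest first.

    A backup is 'suspect' if it was taken on or after the assumed start of
    the intrusion (detection date minus dwell time): it may hold dormant
    malicious code and cannot be removed until its lock expires.
    """
    compromised_from = detected - timedelta(days=dwell_days)
    locked = sorted((b for b in backups if today < b.locked_until), key=lambda b: b.taken)
    clean = [b for b in locked if b.taken < compromised_from]
    suspect = [b for b in locked if b.taken >= compromised_from]
    return clean, suspect

def newest_clean_restore_point(backups, today, detected, dwell_days):
    """Date of the newest backup that is still locked and predates the intrusion."""
    clean, _ = split(backups, today, detected, dwell_days)
    return clean[-1].taken if clean else None

def suspect_gb_days(backups, today, detected, dwell_days):
    """GB-days still to be paid for locked copies that may be infected."""
    _, suspect = split(backups, today, detected, dwell_days)
    return sum(b.size_gb * (b.locked_until - today).days for b in suspect)

if __name__ == "__main__":
    detected = date(2024, 3, 20)  # constructed incident date
    for lock in (30, 90):
        catalogue = weekly_backups(date(2024, 1, 1), 12, lock)
        print(lock, newest_clean_restore_point(catalogue, detected, detected, 45),
              suspect_gb_days(catalogue, detected, detected, 45))
```

With a lock shorter than the dwell time, every copy still protected was written after the assumed intrusion; the longer lock keeps a pre-intrusion restore point but commits you to paying for far more suspect data.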
A final consideration we'd like to share about immutability is that you need to think about the wider environment and what cyber attackers may actually do if they gain entry to your IT systems. While an immutable repository or immutable filesystem will certainly safeguard data contents against tampering by cybercriminals, it doesn’t necessarily mean that the host platform on which it is operating can’t be compromised separately. Cyber attackers are constantly looking for more ways to compromise IT systems and force you into a corner where you have to pay their ransom. If they can disable your data protection software and system by any means, they will develop a way if it benefits them...
Immutable storage is sometimes discussed as the cure-all for ransomware attacks, and while it can be truly excellent in safeguarding against an encryption-based attack, for example, it should be considered as one part of a much broader, multi-layered solution.
How can organisations ensure the security of their backup data at all layers? Unfortunately, as mentioned above, no one silver bullet can provide total protection. The deployment of a group of technologies should be considered when you're looking to improve your data protection system, including:
- Data protection software that not only protects your data but also helps against cyber-threats - such as through honeypot usage.
- Cybersecurity software which allows you to scan backup streams for bad data before it is written to a storage location.
- Immutable storage systems for a 'strengthened' and 'on-line' storage location for your data.
- A belt and braces approach to protect against cybercriminal activities - which may include tape devices for that true 'off-line' and 'on a shelf' 3rd copy.
The protection of critical data against cybercriminals is a task which, unfortunately, has to be front of mind for all IT professionals today - but as the solutions and tactics we deploy advance, together we will fight this constant threat ever more strongly...
COOLSPIRiT would like to thank Paul Brunyee of Arcserve for his invaluable expert thoughts and insight - helping to create this blog.
If you would like to talk, simply call our expert team on 01246 454 222 or email hello@coolspirit.co.uk