Commvault enhances security, recoverability for AWS workloads

By Jason Giza

We’ve all seen the news stories – companies with their data held hostage by attackers, trying to decide whether to pay the ransom fee to potentially regain control of their environment or refuse negotiation and accept data loss and downtime. Cyber threats are nothing new, but recent ransomware attacks are now so commonplace and devastating that organizations are making significant investments to ensure both prevention of these attacks and the ability to recover from them.

Cloud workloads are not exempt from these security concerns. In fact, some attacks may proliferate more quickly in cloud environments due to stored credentials being used across a wide array of services.  Once the credentials are compromised, unprepared organizations are at risk of their entire infrastructure being exposed to malicious software.

At Commvault, security is always at the forefront of whatever we do. We have security features built into the core of our products, as well as key integrations into AWS security mechanisms – so you can prevent attacks from happening and recover quickly if your data is impacted.

Commvault security helps prevent attacks

Foundationally, Commvault’s AAA Security Framework (Authentication, Authorization, Accounting), provides a suite of security controls to harden the Commvault platform. Additionally, Commvault uses end-to-end encryption and certificate authentication protecting against malicious data access, man-in-the-middle attacks and spoofing.

Commvault integration into Amazon Security Token Service (STS) is one of the newer cloud security features, available in Feature Release 18 and above, allowing the backup infrastructure to access AWS resources without the need to store secret keys or provide permanent access to IAM user accounts.

With this integration, Amazon STS generates temporary security credentials that allow Commvault to access the resource it needs to protect (EC2 instances, S3 buckets, etc.), but only for a specified amount of time. When that window closes, the credentials expire and the resource is no longer accessible. These just-in-time credentials help keep those cloud resources secure in two ways – not only by limiting the amount of time that they’re exposed for external access, but also eliminating the need for secret keys (that enable full access to the resource) to be stored on the backup infrastructure.

Another key security feature that Commvault offers to keep organizations safe is comprehensive ransomware protection including monitoring, alerting and remediation capabilities. Machine learning aides Commvault software in doing advanced anomaly detection to determine if abnormal activity is related to a potential attack. Honeypot files – hidden, dummy files that are made to appeal to potential hackers – are monitored for changes in another method Commvault uses to recognize if there is an immediate threat.

Using these methods, Commvault alerts administrators as soon as an attack is identified and then gives them the tools needed to remediate any damage caused. Learn more about Commvault ransomware protection capabilities.

Recoverability to minimize the impact of attacks

While preventative measures like the ones described above are critical in the fight against ransomware, the only way to be certain that your organization is not at risk of losing data is to have a backup plan. Or backup copies, to be more precise. Multiple data copies (especially immutable, write-once, read many (WORM) versions) are an excellent safety net to make sure you’re always ready to recover from any catastrophic event – whether it’s a malicious attack, a natural disaster, or something in between.

Commvault provides many different options to enable these secondary and tertiary copies, including file-level backups, block-level backups and different replication options copies depending on cost and RPO objectives. We can also automate management of how these copies are stored – with air gapping being one key storage feature that can be automated during the copy process.  Air gapping limits exposure to an attack by removing all potential access points once data is written.

Amazon Simple Storage Service (S3) enables air gapping with something called S3 Object Lock (or S3 Glacier Vault Lock).  S3 Object Lock gives administrators the ability to apply retention settings to individual objects within an S3 bucket, or to all objects contained within a given bucket. There are options like “governance mode” and “compliance mode,” which limit the amount of access select (administrative) users have. But for this application (ransomware protection) best practice would be to use “compliance mode” so that the data is truly immutable, even with root credentials.

Commvault automates the process of writing these data copies to S3 buckets (with our native AWS integration) and then applying the S3 Object Lock to ensure the copy is immutable (and virtually air gapped) as soon as the transfer of data is complete.

Summary

Commvault has many features to help make the protection of your data and workloads in AWS secure from hackers and safe from the threat of ransomware. With STS integration to allow temporary, just-in-time credentials via AssumeRole, you no longer need to store secret keys or risk a compromised IAM identity having full access to your IaaS or PaaS resources in AWS.

Additionally, comprehensive ransomware protection combined with immutable storage with S3 Object Locking provide preventative protection against potential threats and recovery readiness across all your on-premises and AWS workloads.

In short, you can rest easy: Commvault can help ensure your data is safe, so you can be weekend ready.

Jason Giza is a Senior Marketing Manager at Commvault.