Hitachi Data Protection Suite (HDPS) powered by Commvault
Greater ransomware protection with data isolation and air gap technologies
Protecting your data and ensuring its availability is your top priority. Like a castle in medieval times, you must always defend it and have built-in defense mechanisms. It is under attack from external and internal sources, and you do not know when or where it will come from. Vigilance is required and you want multiple levels of safeguards for greater data protection. The same is true for your organization; a single event can threaten the bottom line or define a career. So how do you prepare? By making sure you’re recovery ready.
Intelligent data recovery for ransomware with data isolation and air gap
With cyber threats becoming increasingly sophisticated, having a layered approach to securing your data greatly reduces the risk and impact to your organization. HDPS utilizes Commvault® Software, which includes several layers and tools to protect and restore your data and applications. Two proven techniques for reducing the attack surface on your backup data are data isolation and air gapping.
The goal of isolating backup data with HDPS is to have secondary and/or tertiary copies of backup storage targets segmented and unreachable from the public portions of the environment using virtual LAN (VLAN) switching, next generation firewalls, or zero trust technologies. If your organization is infiltrated by ransomware, or a malicious attacker, the cyber threat will have a limited attack surface. The public portions of the environment may get infected, but the isolated data will not because it cannot be accessed. To be most effective, isolated environments should not be accessible to public networks of the organization as well as the internet. Physical access to isolated resources should be secured and heavily controlled. All inbound network communication is blocked, and only restricted outbound access is allowed. HDPS will then securely tunnel from the isolated storage targets to the HDPS resources and source storage targets for data replication.
Air Gapping is another technique that complements data isolation. Traditionally, air gapped networks have absolutely no connectivity to public networks. Tape is a traditional medium for air gapped backups because tape can be removed from the tape library and stored offsite. To air gap secondary backup targets on disk, or cloud, some access is needed, but when it is not needed, communication is severed. Air gapping works like a medieval castle. The castle is surrounded by a moat with water, and the walls are impenetrable. The only access allowed to the castle is the drawbridge that is let down periodically to bridge the gap. When the isolated data does not need to be accessed, communication is severed either by turning communication ports off, disabling VLAN switching, enabling next gen firewall controls or turning systems off. This process is fully orchestrated and automatic using the HDPS workflow engine.
HDPS provides secure replication of data to an isolated environment with air gap capabilities. The isolated environment is completely blocked from all incoming connections. Outgoing connections are restricted, which greatly reduces the attack surface of cyber threats. Once data is fully replicated, the connection can be severed, and the secondary data becomes air gapped until data needs to replicate again or recovered.
Key advantages and value of Hitachi Data Protection Suite (HDPS) powered by Commvault plus Hitachi Content Platform
HDPS with data isolation and air gap provides organizations the following advantages against ransomware:
Communication is initiated from the isolated site
All access to the isolated data is blocked. Only restricted outbound connections are allowed from the isolated data to the source data for replication. This can be referred to as a pull configuration (as opposed to push), where HDPS manages data protection and retention, but communication initiates from the secured isolated side.
Air gap ready
Replicated data can be air gapped by severing the encrypted tunnel initiated from the isolated site. The HDPS automation framework makes it simple to customize this functionality as required.
Industry leading security controls
HDPS powered by Commvault’s AAA Security Framework (Authentication, Authorization, Accounting), provides a suite of security controls to harden the HDPS platform. Additionally, HDPS uses end-to-end encryption, and certificate authentication protecting against malicious data access, man-in-the-middle attacks and spoofing.
Harden the HDPS platform foundation using industry leading CIS Level-1 benchmarks.
Utilizing layered security controls, write once read many (WORM) capabilities as well as built-in ransomware protection for backup data, HDPS locks backup data from unauthorized random changes. This also helps prevent intentional and unintentional bad actors from modifying or deleting backup data in order to preserve the integrity of backups.
HDPS validates data integrity during backup, when data is at rest, and during data copy operations. When data is backed up for the first time, CRC checksums are computed for each data block on the source client. These signatures are used to validate the initial backup data and are stored with the backup. Verification operations run automatically utilizing the signatures to validate the backup data at rest. When copying the data, the signatures are used to validate the blocks of data during the copy operation.
Cyber/ransomware attack protection
Backup data is locked and can only be modified by HDPS processes. Any ransomware, application, or user that attempts to delete, change or modify backup data from the data mover (media agent), will be rejected within the I/O stack unless it is an authorized HDPS process. Additionally, HDPS uses machine learning algorithms to detect file-based anomalies that may indicate a ransomware attack on a HDPS resource.
HDPS supports a variety of disk, cloud and object storage vendors. When using HDPS for an air gap solution, any supported storage vendor can be used. HDPS also supports WORM, and immutable locks used with third-party storage devices.
Hitachi Data Protection Suite powered by Commvault software integration
HDPS features such as indexing, analytics and deduplication are all part of the data isolation and air gap solutions.
The power of object storage in the fight against ransomware
Immutable object storage is a key component for the most effective ransomware strategy. With Hitachi Content Platform you can:
Maintain business continuity
Leverage HCP’s versioning capabilities to access the most recent version of any file in the event your organization is victim of a ransomware attack.
Leverage the benefits of the most secure object store in the industry
With HCP, content is continually checked throughout its retention period for integrity, with proactive data repair. Furthermore, deletions or accidental changes before a file retention period expires are prevented by object versioning protection, which also provides a history of how the data has changed over time.
Keep data encrypted, no matter where it lives
In the event you decide to send data into the cloud, HCP’s encryption capabilities ensures it stays protected before, during and after its journey.
How it works
The HDPS network topology and workflow engine provide the basis for configuring data isolation and air gap solutions. The flexibility of the platform allows seamless integration with most topology or security profiles that organization have deployed.
Direct connection for data isolation
The Figure 1 diagram represents the overall high-level functionality of HDPS data isolation using direct connections. Site A represents the public portion of the production backup environment. Site B is a segmented portion of the environment, isolated logically and physically. Site B communicates through the firewall over a single outbound port. Everything else is blocked. The tunnel supports HTTPS encapsulation using the TLS 1.2 protocol. The tunnel will only connect once certificate authentication is successful. This protects against man-in-the-middle and spoofing attacks.
Data transfer is multi-streamed through the tunnel to ensure the fastest backup possible. Data residing on HCP on Site B is protected from ransomware and accidental deletion by utilizing the HDPS security controls, encryption, WORM and native ransomware locks for immutable storage. Data replication is deduplicated to further optimize bandwidth and storage considerations.
Once data transfer is complete, connectivity can be severed by turning off routing, enabling firewall rules, or shutting systems down. Severing the connection can be scheduled around VM power management, or blackout windows.
Proxy/network gateway connection
Proxy-based configuration (Figure 2) has the same ransomware and encryption benefits as Direct Connection. Proxy-based isolation differs from Direct Connection in that both sites communicate between each other using a proxy located between the isolated and public networks (possibly DMZ). All inbound connectivity is blocked between the sites providing isolation capabilities on both sites. Proxy-based configurations are very common especially when data is moving between remote geographic locations across the internet.
Utilizing Hitachi Content Platform as the storage target:
Being hardware agnostic is one of the HDPS key advantages. Object storage targets can be another strategic way of isolating backup data. The Hitachi Content Platform, is one of the most secure object stores in the industry and its versioning capabilities enrich and complement any existing ransomware strategy. Hitachi Data Ingestor extends these capabilities to remote/branch offices.
Learn more about HCP Portfolio and how it protects against ransomware.
HCP has its own WORM and immutable locks built within the hardware platform. HDPS seamlessly integrates with those capabilities, while still managing retention, data encryption and software application security controls. HCP uses authenticated API calls over HTTPS for reading and writing data. This allows common protocols frequently used by ransomware to be turned off reducing the attack surface. The REST API interface also provides more on-demand access compared to other protocols. The data backed up to the object storage device is not exposed when not in use. Only authenticated API calls can read and write to the storage target.
Learn more by checking out the Gartner Report for Object Storage.
Utilizing cloud storage
HDPS supports the most common cloud platforms, while applying source side encryption, deduplication, data management and analytic capabilities. Using the immutability locks provided by cloud providers and role-based security will protect backup data while also supplying a remote isolated offsite data copy.
Severing the connection and air gapping
In a lot of cases, a properly isolated and segmented data center, in combination with the security controls built into HDPS is enough to reduce risks. Air gapping is another control, which further limits the ability to access backup data when not in use. The downside to air gapping is planning around recovery point objectives (RPOs), because when resources are turned off, data replication will not run. Depending on the environment, resources and service level requirements data replication will queue when destination targets are offline. To help reduce the effects of this downside, HDPS incorporates multi-streaming within the one-way encrypted tunnel to maximize backup performance.
The simplest method of air gapping is to use VM power management. VM power management is a capability within HDPS to automatically shut down media agent virtual machines (data mover virtual machines) when not in use. The VM will then start up, when needed. This method requires a hypervisor in the isolated environment and does not need additional scripts.
Another method of air gapping is to use blackout windows, scripts and workflows. Blackout windows define what time frames backups and administrative tasks are not allowed to run. During blackout windows, the isolated resources are set offline and made inaccessible using scripts or HDPS workflows. When blackout windows are not in effect, the resources are brought online again using scheduled scripts included on the air gapped resource such as the media agent. This method does not require a hypervisor for the VM power management air gap method, because any storage target, or network device can be shutdown to air gap the isolated site.
Here are some examples of using scripts to orchestrate air gapping:
- Stop and start HDPS services on the isolated media agents/storage targets
- Disable/enable network interfaces on media agents around blackout windows
- Disable/enable VLAN routing policies around blackout windows
- Disable/enable firewall policies around windows using scripts
Any combination of the above will properly disconnect the resources and air gap the data. In the above examples the HDPS workflow framework executes and controls the scripts, API requests, or command line operations to orchestrate air gapping. The workflow framework provides a manageable, yet customizable platform to fulfill any air gap orchestration needs. Additionally, scripts can be hosted within the isolated environment, and executed using other scheduling tools such as Microsoft Windows Task Scheduler, or Unix cron.
Just as a castle has multiple layers of protection both to ward off external and internal threats, so must your backup data. Taking a layered approach to securing backup data is the best way to ensure its security and availability. Using the HDPS existing security controls and immutable locks (ransomware protection, WORM, and encryption), in combination with Data Isolation and Air Gapping techniques provides a well-protected solution. With HDPS you are recovery ready.
Hitachi Data Protection Suite powered by Commvault delivers a layered approach for securing your data and applications.