(This article was written by Stéphane Estevez and first appear on veeam.com)
Encryption is a great way to keep data secure, but sometimes it can be used against us. Yes, we’re talking about ransomware.
When ransomware enters your systems, usually through a PC, it begins to encrypt your data and can target network-attached storage (NAS), virtualization, online collaboration tools, and even your online backups to render them unusable.
Because backup is your first line of defense, more hackers are now trying to encrypt them to make sure you don’t have a Plan B before targeting your production servers (for a real-life example, read this case study).
Quantum and Veeam have been partnering to secure your backups. Veeam proxy servers are now talking to Quantum’s DXi inline deduplication appliances using a “Veeam-to-Veeam” protocol (DXi appliances are running Veeam Data Mover Service – VDMS).
VDMS manages the tasks required to perform full, incremental, and synthetic full backups, freeing up resources for Veeam backup servers and network while maximizing data reduction with a “Veeam-ready repository” variable-length deduplication appliance.
By using VDMS instead of a standard NAS presentation, you are “hiding” your backups from ransomware, and if you use replication to a remote target (another DXi or the cloud), you now have your second line of defense. With DXi running VDMS, you’re not only improving your data protection, you’re also improving your backup infrastructure.
DXi doesn’t require a gateway server to be integrated in your Veeam environment, it simplifies your architecture design, and it can generate synthetic fulls without round-trip traffic with the proxies. All this while providing a global deduplication and reducing the storage required for your backups.
But what if your admin credentials have been compromised? What if a hacker has taken control of your admin laptop to use other techniques to reach your Plan B? Then your last line of defense becomes tape. Tape is a completely offline media and cannot be deleted or otherwise modified remotely.
Of course, you can create an isolated data center environment disconnected from the network and restricted to personnel with the proper clearance. Sounds complex and difficult to manage. Why not just get one backup copy on tape? Fully manage via your Veeam GUI?
It has never been so easy to use tape with Veeam and Quantum. Quantum’s Scalar Tape libraries can now run a Veeam tape server inside the library. No need for an external physical Windows tape server. You’re saving space and creating a ransomware-free zone at the same time with a few clicks!
Once done, why not archive data on your tape library as well? It still has the best $/TB in the industry. LTO Ultrium tapes are rated with at least 30 years archival warranty life, and with the new LTO-8 format, a single cartridge offers a compressed storage capacity of 30TB (12TB native) and a compressed transfer rate of 750 MB/sec.
Let’s say you want to leverage tape for ransomware protection but wonder if the new “right to be forgotten” obligation in the EU General Data Protection Regulation (GDPR) will make the removal of individual personal data from a historical backup challenging.
The “right to be forgotten” gives an individual (a EU resident) the right to order a business to erase his or her personal data. Organizations will have to erase all copies or links to personal data where the data subject (the EU resident) withdraws consent, and there is no legal ground for processing it.
The GDPR is open to interpretation, so I asked an EU Member State supervisory authority (CNIL in France) for clarification. CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it. Organizations will have to clearly explain to the data subject (“using clear and plain language”) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time (organizations will have to indicate the retention time in any communication with the data subject). Backups should be used only for restoring a technical environment, and data subject personal data should not be proceeded again after restore (and deleted again).
As we saw earlier, it can be challenging to delete individual entries to meet the “right to be forgotten” requirements, and this is even more true for tape. A pragmatic approach can be to keep one copy of data on tape for ransomware protection, with a retention policy sufficient to have the data available for as long as the law forces you. This way organizations can be protected against ransomware and deal more easily with the right to be forgotten.
As a conclusion, using Veeam and Quantum can help organizations not only protect against ransomware, but be fully compliant with the 3-2-1 backup rule (3 copies, using 2 different media, 1 copy offsite… and offline with tape). Applying the 3-2-1 rule doesn’t have to be complex, all the integration work has already been done by Veeam and Quantum.
If you’d like to learn more about backup best practices and protecting your environment against ransomware, please check out my recorded session from VeeamON Tour Virtual 2017, the biggest online Availability event in EMEA.
Leave a comment!