After being hit by ransomware, a business often has two options: pay the ransom or restore from backup. But with recent cybersecurity trends indicating an increase in attacks targeting backup data, it’s imperative to protect backup data copies. How can you ensure your ransomware recovery capabilities are protected?
NetApp Cloud Backup can help. In addition to its existing safety features—ransomware protection and the dark site deployment option—Cloud Backup’s new DataLock feature allows your backup copies to remain immutable in the destination object storage. In this blog we’ll take a deep dive into DataLock’s capabilities, the deployment options available, and the use cases for the technology.
Read on below or use these links to jump down:
DataLock integrates the WORM (Write Once Read Many) capabilities of the cloud provider’s object storage services with NetApp Cloud Backup, making it possible to lock backup data as WORM in the destination storage service.
DataLock uses NetApp’s proprietary technologies to implement this functionality. DataLock also supports Cloud Backup’s integration with SnapLock®, which means you can replicate WORM volumes created by SnapLock to an object storage repository that will remain WORM. This means your backup data will stay immutable and protected end to end from ransomware attacks, both at source and in the destination.
DataLock is supported for use in the cloud and on-prem with NetApp StorageGRID® appliances. It currently offers full integration with Amazon S3 and StorageGRID, with Azure Blob and Google Cloud Storage support coming around December 2022. DataLock leverages the native object lock capabilities of these services.
Amazon S3 object lock helps store objects in the WORM format so that it is not deleted or overwritten. The StorageGRID S3 Object Lock feature emulates the WORM capabilities of Amazon S3 storage on-premises, where WORM storage buckets can be created to make any data stored in them immutable. Azure Blob storage supports immutability policies that help create time-based retention policies or create a legal hold where data is stored until the hold is cleared by an administrator. Cloud Storage Bucket Lock in Google Cloud Storage also provides the same capabilities.
There are three retention modes for Cloud Backup DataLock for WORM storage: None, Enterprise, and Compliance.
The three modes offer flexibility for users to choose the protection level that best fits their businesses’ backup requirements.
DataLock offers an added layer of protection for your backup copies from malware infection. Let’s look at some of the use cases that the feature supports:
Using NetApp DataLock, it is possible to make an immutable backup copy that is logically air-gapped. When using Cloud Backup, your copies are stored in a different format (object storage). This backup copy provides the additional security layer with WORM storage using DataLock. It also augments the ransomware protection of organizations with 3-2-1 backup strategy, where one copy of the backup is stored in an immutable remote object storage.
Without DataLock, it’s possible for backup data copies at the destination storage to be changed, deleted, or corrupted—either by malware infection or through human error. This could impact the recovery timelines should the backup data ever need to be restored or give ransomware victims no choice but to pay the attackers to recover the data. With immutability enabled by DataLock, this risk can be eliminated, fully securing your backup data copy and creating a failsafe against ransomware.
Organizations with very strict compliance requirements might be required to store the backup data safely for longer periods of time. This data could be accessed during audits and hence should always remain available. To meet this requirement, users can rely on DataLock’s Compliance mode. Using this mode, data cannot be removed during the retention period, which helps meet these high compliance standards.
NetApp SnapLock is a feature built into ONTAP storage systems that allows immutable data volumes to be created at the source. With DataLock, Cloud Backup can replicate SnapLock protected volumes to destination object storage environments that are also enabled for WORM. The backup data remains immutable with end-to-end protection over the course of its entire lifecycle.
In the software-only mode offered by Cloud Backup, it’s possible to back up your data to object storage without any external internet connectivity. In this dark-site deployment mode Cloud Backup leverages StorageGRID as the backup destination, which fully supports the DataLock immutability feature.
Compatibility
DataLock currently offers full integration with Amazon S3 and StorageGRID, with Azure Blob and Google Cloud Storage support coming around December 2022.
The supported sources for Cloud Backup DataLock are for data created using on-prem ONTAP devices and Cloud Volumes ONTAP. You will also need to be running ONTAP 9.11.1 or later to configure DataLock for Cloud Backup. DataLock is applicable to new backup activations, so any existing backup copies created by Cloud Backup will remain in standard object storage. It is also not interoperable with archival policy.
Your mission-critical business data is protected by an additional layer of security, thanks to DataLock-enabled WORM volumes in Cloud Backup. DataLock provides true ransomware protection, where backup copies cannot be changed, modified, or deleted. It also provides the flexibility required in modern day enterprises, where the WORM protection can be controlled and managed by administrators and the target storage can either be in the cloud or on-premises.
Ransomware protection is the need of the hour and backup copies protected by DataLock help address this requirement head-on. It enables enterprises to ensure business continuity and meet the defined SLAs in the unforeseen event of a ransomware attack. Read more on how to increase your cyber resilience here.