Ransomware is quickly becoming a major issue for many businesses and industries. According to Symantec, in 2016, ransomware accounted for 95% of extortion malware attacks. In Part I of our series on Combating Ransomware with Traditional Backups, we discussed the value of traditional backups to combat ransomware. In Part II, we discuss different backup paradigms.
Data protection and storage management solutions have advanced rapidly in the past decade. What some refer to as “backup” actually may not be a traditional backup that copies and stores data. Mixing up this terminology could be dangerous and could leave vital resources unprotected.
Protecting your data
There are a wealth of data protection and storage management solutions available today to help protect business data. Traditionally, backups make copies of data to restore files when an incident occurs. In the modern data center, though, there are many strategies at play to protect and recover data. Data centers are inundated with concepts such as replication, duplication, and continuous data protection (CDP)–all with a smattering of cloud, bring your own device (BYOD), big data, and the Internet of Things (IoT). To top off the mix, an outer layer of ransomware, spear phishing, and viruses are all jockeying for entry into the IT environment to wreak havoc. Referring to data protection in the modern data center as complex is truly an understatement.
Backup Paradigms–Is Your Backup a Real Backup?
While there are many ways to make additional copies of data, there are three general paradigms that underlie many data protection strategies: traditional backup, replication, and CDP. Each of these approaches will protect your data, but only one is a functional backup that will retain copies of everything you’ve generated in case of loss. The other two are most often high availability concepts.
Backup Versus High Availability
Backup refers to making point-in-time copies of your system data on a recurring cycle, generally daily, weekly, or monthly, to enable restore activities when an outage occurs. Backup does not provide the systems and infrastructure to restore on, only the copy functionality. A new server or file location can be created or designated for a restore or data can be restored to the existing machine where it was created or stored. In many cases, a partial restore is requested for a single file or file system rather than the entire contents of a machine being restored. Restore requests are answered over a period of time; they are not usually immediate.
Backups make point-in-time copies of data to another location.
High availability refers to eliminating single points of failure by providing redundant infrastructure components, such as computing infrastructure, cloud services, storage, and data repositories, for immediate use should an outage occur. High availability systems have little or no service interruption when an incident occurs. The redundant systems kick in quickly, and operations continue. High availability systems are much more expensive than traditional backup systems because they require redundant, and often specialized purpose-built, components.
Rather than copying data directly, high availability eliminates single points of failure with redundant equipment.
Two common tools to enable high availability are replication and CDP.
Replication refers to copying data to a remote location, either immediately or with a short delay. Replication maintains an exact, current copy of the source data rather than a series of point-in-time copies taken over time, as backups do. Often, replication keeps only a single copy of the data. This means that any data corruption, file deletion, or ransomware encryption on the source will be propagated to the second copy almost immediately.
CDP is a variant of replication that takes quick snapshots of the source data, tracks changes as they occur, and then takes additional snapshots to remain current. This strategy facilitates quick restoration in the event of an incident. However, capturing and storing all these snapshots can consume large amounts of space on the CDP system, which often uses expensive storage, and their volume can quickly overwhelm it.
Ransomware Exposure with High Availability Systems Used as Backups
All three data protection strategies can restore data within a short period. However, only traditional backup keeps multiple versions of data over time, along with the ability to restore deleted files over a long period of time. Often, high availability solutions involving replication and CDP systems are set up for critical time-based business needs. The danger with them is that it’s easy to assume these solutions are a form of backup when, in fact, they are not. If you use replication as your backup and delete a critical file or directory, it will be immediately deleted on the replication target–and the data will be gone. If your critical business data becomes encrypted, the data on the replication target will become encrypted as well–and therefore unusable.
CDP can perform versioning, but the snapshots consume large amounts of CDP storage, which is expensive. Usually, CDP is set up to support short-term high availability objectives. As discussed in Part I of the series on Combating Ransomware with Traditional Backups, multiple time-delineated versions of source data are required to protect a system from ransomware, so that it can be restored to its state before the infection.
How to Determine if Your Backups Protect Your Data from Ransomware
Does my backup . . .
- keep multiple versions, both existing and deleted data?
- allow me to recover system state for longer periods of time, such as months or years?
- allow me to recover in the event of corruption, deletion, or encryption?
These basic questions can enable business leaders to facilitate meaningful discussions with data protection teams on how well critical data are protected from ransomware attacks.
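The following is an added simulation, not code from the original article or from The Collective Group, that puts the replication-versus-backup argument above and the three checklist questions into runnable form. It models a file share as an in-memory dictionary, a single-copy replication target as a mirror of it, and a traditional backup as a catalog of retained point-in-time copies; file names, contents, day numbers, and the toy XOR "encryption" are all constructed for illustration. The scenario deletes a file, then runs a simulated ransomware event, and shows what each strategy can still give back.

```python
"""Simulation: a single-copy replica versus point-in-time backups under
deletion and ransomware. All data here is constructed for illustration."""
import copy
from typing import Dict, List, Optional, Tuple

FileSystem = Dict[str, bytes]
Snapshot = Tuple[int, FileSystem]        # (day the copy was taken, contents then)


def replicate(source: FileSystem, target: FileSystem) -> None:
    """Replication: make target an exact mirror of source. Adds, changes and
    deletions are all propagated, and no earlier state is kept."""
    target.clear()
    target.update(copy.deepcopy(source))


def take_backup(source: FileSystem, catalog: List[Snapshot], day: int) -> None:
    """Traditional backup: append a point-in-time copy and keep the old ones."""
    catalog.append((day, copy.deepcopy(source)))


def simulate_ransomware(fs: FileSystem, key: int = 0x5A) -> None:
    """Stand-in for an encryption payload: every file is XOR-scrambled and
    renamed with a .locked suffix. A toy transformation, not real malware
    behaviour; it only needs to make the data unreadable by its old name."""
    for path in list(fs):
        fs[path + ".locked"] = bytes(b ^ key for b in fs.pop(path))


def restore_from_replica(target: FileSystem, path: str) -> Optional[bytes]:
    """A replica can only hand back what it currently holds."""
    return target.get(path)


def restore_from_backup(catalog: List[Snapshot], path: str,
                        before: Optional[int] = None) -> Optional[bytes]:
    """Return the file from the newest copy taken before `before` (or the
    newest copy at all). Walking backwards means a file deleted or encrypted
    later is still found in an older copy."""
    for day, contents in reversed(catalog):
        if before is not None and day >= before:
            continue
        if path in contents:
            return contents[path]
    return None


def backup_self_check(catalog: List[Snapshot], infection_day: int,
                      retention_required: int) -> Dict[str, bool]:
    """The three checklist questions from the text, evaluated on a catalog."""
    days = [day for day, _ in catalog]
    return {
        "multiple_versions": len(catalog) > 1,
        "long_retention": bool(days) and (max(days) - min(days)) >= retention_required,
        "pre_infection_copy": any(day < infection_day for day in days),
    }


def demo() -> dict:
    """Run the constructed scenario and return what each strategy recovers."""
    source: FileSystem = {"finance/q1.xlsx": b"Q1 numbers",
                          "hr/policy.docx": b"Policy v1"}
    replica: FileSystem = {}
    catalog: List[Snapshot] = []

    take_backup(source, catalog, day=1); replicate(source, replica)
    source["hr/policy.docx"] = b"Policy v2"          # day 2: a normal edit
    take_backup(source, catalog, day=2); replicate(source, replica)
    del source["finance/q1.xlsx"]                     # day 3: accidental deletion
    take_backup(source, catalog, day=3); replicate(source, replica)
    simulate_ransomware(source)                       # day 4: infection
    replicate(source, replica)                        # the mirror follows suit
    take_backup(source, catalog, day=4)               # newest copy is encrypted too

    return {
        "replica_policy": restore_from_replica(replica, "hr/policy.docx"),
        "replica_q1": restore_from_replica(replica, "finance/q1.xlsx"),
        "backup_policy": restore_from_backup(catalog, "hr/policy.docx", before=4),
        "backup_q1": restore_from_backup(catalog, "finance/q1.xlsx"),
        "backup_check": backup_self_check(catalog, infection_day=4, retention_required=3),
        # A replica is, at best, a catalog with exactly one copy: today's.
        "replica_check": backup_self_check([(4, replica)], infection_day=4, retention_required=3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replica answers every restore request with nothing, because the deletion and the encryption were both faithfully mirrored; the catalog returns the last clean version of the edited file and the deleted spreadsheet from an older copy. Treating the replica as a one-entry catalog fails all three checklist questions, which is the point of the section above.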
In future releases of the Combating Ransomware with Traditional Backups series, we will explore the ransomware process, the evolution of ransomware, and purpose-built backup solutions.
How can businesses better protect themselves against ransomware threats? Do you have any advice that might help? Please share your thoughts and comments.
Thank you for reading this article. Please connect with me here on LinkedIn.
Jason Thomas, PhD, CISM, CISSP, is the COO of The Collective Group in Austin, TX.
The Collective Group specializes in remote managed backup operations using proprietary RAMP automation technology that solves 70% of recurring enterprise backup problems without human intervention and uses special algorithms to detect ransomware infection prior to ransom notification.
This article was originally published on LinkedIn here.