Follow

Overview

The Data Protection market is struggling to address new challenges beyond simply accessing copies of data for the purposes of restoring application services. As Cyber attacks and Ransomware continue to haunt business applications as a real, imminent threat, both small and large enterprises are looking for methods to protect their backups and disaster recovery centers.

Vendors are addressing this threat in different ways with tools such as WORM-based Shares, Air Gap replication, etc.. InfiniGuard's initial entry in defending our clients from Cyber attack will make use of tools already available to the underlying InfiniBox storage. This approach uses existing snap-lock (snapshot immutability) protection on the DDE volumes.

This document will discuss the features, limitations and integration.

The InfiniGuard Solution

InfiniGuard's Cyber Protection has the goal of providing customers with the confidence that the data and PBBA appliance services can recover from attacks without compromising the data integrity. 

Stored backup data can get corrupted directly or indirectly. Human error, technical malfunction, and cyber attack are the main causes of data loss or data unavailability.  Cyber Recovery solves these issues by taking snapshots (including immutable snapshots) of the entire DDE environment, with the ability to restore to a point-in-time.

The solution is based on taking periodic snapshots of all DDE volumes (grouped into a consistency group), keeping them for a configured time period, allowing for the ability to restore  the entire DDE to a point-in-time. Should an attacker attempt to delete, encrypt, or corrupt the backup data, the immutable snapshots are safe and can be used to restore both backups and source data.

Cyber attacks can target the data at the source and indirectly corrupt the backups, most of the time the attackers will encrypt the data. Backups taken will be unusable. To mitigate such an event, taking snapshots of the backup environment is critical and can help both restore the data and even identify an attack. 

Customers can choose to activate this solution during initial system installation - this solution cannot be added later on.

Prerequisites

The InfiniGuard system must be pre-installed with capacity allocated to accommodate the Cyber Recovery snapshots. Consult your TA or Sales representative for more information.

The capacity allocation for the Cyber Recovery snapshots is set during InfiniGuard installation with the following options:

  • 1PB system: 1 - FULL, 2- 300TB, 3 - 400TB
  • 2PB system 1 - FULL, 2- 500TB, 3 - 700TB

The minimum supported version is InfiniGuard version 3.5 with capacity allocated for snapshots. 

The capacity for snapshots can only be allocated during the initial installation of the InfiniGuard system.

Cyber Recovery Snapshots

The heart of the Cyber Recovery solution is the Snapshots Engine. Based on predefined policies, the engine takes snapshots of the entire system for each DDE. The snapshot configuration policies are configured per DDE and include the following options:

  • when to take a snapshot
  • how long to keep each snapshot (lifespan)
  • the immutability property of the snapshot

The snapshot manager also deletes expired snapshots. 

Immutability

Immutable snapshots are snapshots that are locked for their life span. These snapshots cannot be deleted, changed, encrypted, or edited in any way.

As such, immutable snapshots can help with Cyber attacks, ransomware, or technical malfunction. 

Snapshot types

There are several types of snapshots. See the following table for the details on each:

Snapshot TypeDetails
System Snapshot

System snapshots are immutable and cannot be deleted or changed. Configuring system snapshots policy is available only via Infinidat support. Contact your TA or Infinidat technical support for more information. 

User Snapshot User snapshots are not immutable, and their policy can be configured by the InfiniGuard admin user. These snapshots can be used the same way as System Snapshots for any recovery operation.
Manual SnapshotManual Snapshots can be generated by clicking Take Snapshot at the snapshot table. 
Pre Recovery SnapshotPre Recovery Snapshots are automatically created by system policy before a recovery operation is performed. You can use this snapshot to go back and recover to the point of time before the last recovery operation. 

Pre-recovery snapshots grow in size after the recovery is complete.

Infinidat recommends deleting this snapshot after validating the recovery.

Snapshot Policies

InfiniGuard Cyber Recovery provides two policy types, System and User.  

System snapshot policy

System policy creates snapshots that are locked and immutable to changes. When a System policy creates a snapshot, it is of type 'System'.

The System policy is defined, enabled, and updated with the assistance of technical support. This provides a layer of defense against honest mistakes, such as disabling the snapshots and even against attackers with access to the system. 

The System policy defines the following:

  • Frequency - The time interval between snapshots, in hours. The default is 1hour, and the range is 1-12 hours (once an hour, up to twice a day). The snapshots begin at the next round hour.
  • Retention - Time to keep each snapshot. The default is 7 days, and the range is 4-14 days. After the retention period, the snapshot will be deleted.
  • Immutable - Always yes, and the default is yes.

User snapshot policy

User policy creates snapshots that are not locked and are not immutable to changes. When a User policy creates a snapshot, it is of type "User".

The User policy is defined, enabled, and updated by the admin user.  

The User policy defines the following:

  • Frequency - The time interval between snapshots, in hours. The default is 1hour, and the range is 1-12 hours (once an hour, up to twice a day). The snapshots begin at the next round hour.
  • Retention - Time to keep each snapshot. The default is 7 days, and the range is 4-14 days. After the retention period, the snapshot will be deleted.
  • Immutable - Always no, and the default is no.

Snapshot Limitations

The maximum number of snapshots is:

  • DDE - 1000 snapshots
  • System - 2000 snapshots

Snapshot Policies Configuration

For each of the snapshot types (System or User) the table will show the following information:

  • Current Status which (Active/Inactive) 
  • Frequency
  • Immutability
  • Retention 

Click Configure to open the snapshot policy configuration dialog.

System snapshots can be configured only by Infinidat support.

Suspending the snapshot deletion:

On the lower part of the Snapshot Configuration tab, the Suspend Deletes switch allows you to suspend snapshot deletes. Under normal circumstances, the snapshot engine regularly deletes expired snapshots. If f you need to retain the snapshots, you can disable this option. This allows you to keep the snapshots if a cyber attack was detected, and have more time to analyze the information. 

Keep in mind that while the snapshots are not deleted, you need to keep in mind the capacity, and avoid suspending deletes for an extended period of time. If you suspect a cyber attack, Infinidat recommends stopping all system backups and isolate the InfiniGuard from the network until the data is proven to be safe.

Once the deletes are re-enabled, all snapshots that would have been deleted will be deleted at the next round hour. A warning will be displayed, letting you know that mass deletion will take place.



Cyber Recovery Snapshots

This tab lists all available snapshots for each of the DDE and provides management and recovery operations. 

The table columns:

Snapshot ID - Each snapshot will have a unique ID (this column is hidden by default)

Created - The date and time timestamp of the snapshot 

Retention - time to keep each snapshot. The value is in days can be set to 4-14. Default is 7 days. 

Immutability - If the snapshot is immutable or not. Immutable snapshots are locked and cannot be deleted, they are read only.

Expiration - The date and time set for the expiration of the snapshot. Expired snapshots are deleted by the snapshot engine unless the 'suspend deletes' switch is switched on.

Originated by - This can be one of the following values: 

  1. System - automatically created by the system policy
  2. Recovery - automatically created before recovery
  3. User - automatically created by the user policy
  4. Manual - taken when user click the "take snapshot" button

Size - Size of the snapshot. The size of the snapshot represents the difference between the current data and the data at the time when the snapshot was taken. The more changes made to the data the more snapshots will grow in size. When a snapshot is taken its size zero and as more data added/backed up to the Infiniguard the snapshot will grow in size. 

label - Free text describing the snapshot. This can help with marking snapshots before or after important events.  For example, when taking a snapshot just before an upgrade or after an important backup operation.

Filtering the snapshot table

The snapshot table can be filtered by the following fields: Created, Retention, Expiration Size, and Label.

Sorting

The table can be sorted by ID, Created, Retention, Expiration Size

Operations

The available operations are Recover, Delete and Take Snapshot. 

Recover - this operation will recovery the DDE to the selected snapshot. In effect, after a successful recovery, the DDE will be operational and all data is set to the snapshot time and date. The operation is final and cannot be undone. The system will take a snapshot right before the recovery allowing the user to revert back to the time before the recovery.

After recovery, it's recommended to validate the system and data as quickly as possible and delete the snapshot taken before the recovery as it is expected to grow in size significantly.  

As part of the recovery process, the system will reboot and will return online with the data and settings representing the time of the snapshot.

In order to recover from snapshot, user must first select a snapshot from the list and press the Recover button. The following dialog will open:


Delete - Delete the selected snapshot. Only unlocked snapshots can be deleted. Select a snapshot and press Delete. This operation is final and cannot be undone.

Take Snapshot - Users can take a snapshot at any time. Note the total number of snapshots is XXX. The following dialog will open:

Limits and Limitations

Cyber Recovery - The maximum amount of Cyber Recovery Snapshots

The system supports up to 1000 Cyber recovery snapshots per DDE, the amount is total for all types of snapshots (system, user, manual).










Was this article helpful?
0 out of 0 found this helpful

0 out of 0 found this helpful

Last edited: 2021-03-25 16:39:32 UTC

Comments