If your company’s data is like gold, then Pure Storage is your vault. It’s your last line of defense after an attacker has already breached several layers of security. But how do you ensure your vault is locked and has the proper security measures in place?
If you’re like me and aren’t sure whether you locked the front door when you left the house this morning, then it’s not unheard of to turn around and drive several miles back home to double-check. However, there’s a much better way to have confidence in your storage configuration whether you have one array or many.
The newly introduced Pure1® Security Assessment, alongside the Data Protection Assessment in Pure1, will help ensure your FlashArray™ and FlashBlade® configurations meet Pure Storage’s leading security and protection practices.
Integrated Surveillance of Your Pure Storage Platform
The security assessment offers insights into your operational security and compliance.
The Pure1 Security Assessment scans your Pure Storage infrastructure for vulnerabilities that could put your data at risk, such as using default passwords or publicly accessible storage buckets. Furthermore, it also includes behavioral analysis that looks for signs of irregular activity. For example, unexpected changes in permissions, a sudden reduction in volume and snapshot counts, or an increase in alert notifications.
Keep up to date with changes in your environment.
Additionally, the Security Assessment provides a dynamic security score that gives a clear, ongoing evaluation of your security health, offering a tangible metric to gauge improvements over time. As you implement recommended changes and enhance your security measures, you’ll get instant feedback on your security advancements.
While the Security Assessment is all about ensuring that your storage infrastructure is safeguarded against vulnerabilities and external threats, the Data Protection Assessment focuses on maintaining the integrity and resiliency of your data through practices like SafeMode™ Snapshots and replication.
What Are Pure Storage’s Leading Practices for Data Resiliency?
Leading practices establish a baseline configuration that can be improved upon depending on several factors. Pure’s leading practices for data resiliency are to take snapshots at least once per day and retain those snapshots for seven days.
SafeMode is then layered on top of this to prevent manual eradication of these snapshots. We recommend at least a seven-day eradication delay or duration (depending on FlashArray or FlashBlade). Increasing the number of snapshots of course will give you more time points to recover your data and can mean that only a few minutes’ or hours’ worth of data is lost rather than an entire day’s worth.
Longer retention periods can buy you time for situations that may take days before anyone notices there’s a problem. It’s up to your organization to determine the ideal configuration which also needs to be balanced against the capacity requirements of such snapshot configurations. Thankfully, Pure1 provides capacity planning that will help give you an idea of these requirements.
Simulate snapshot policy changes.
Snapshots are great, but they’re subject to one major flaw: They can be deleted, or in Pure Storage terms, destroyed. A destroyed snapshot will be recoverable for a period of time but can also be eradicated, meaning it’s no longer recoverable. Think of eradication as manually emptying the recycle bin or trash on your desktop. This can happen by accident or maliciously by a ransomware attacker trying to ensure your data can’t be recovered and that the ransom is paid.
Pure//Launch Fall 2024 Webinar
Meet Real-time Enterprise File on the Pure Storage Platform
SafeMode: An Added Layer of Protection
That’s why FlashArray and FlashBlade offer another layer of protection with SafeMode. SafeMode prevents the manual eradication of your snapshots, which means they cannot be deleted by accident or by malicious wrongdoers until the eradication delay has lapsed. Not even an administrator can bypass SafeMode once it’s enabled. Multiple validations are required by Pure Storage’s support teams to disable or reduce your eradication delay.
Our leading practice with SafeMode is to set an eradication delay of at least seven days, but we recommend fourteen days or more. The reason for such a long eradication delay is that it’s possible for several days to lapse before a problem is detected. That could be because the system is infrequently used or the operator is out over the weekend or on vacation. The longer the eradication delay is set, the better your chances are for recovering your data. Thanks to the granularity of SafeMode, you can enable this protection for your entire array or per protection group or object.
Not only can Pure1 help understand the storage implications of these data protection measures, but it can also help ensure that your data is protected per these leading practices.
The data protection assessment helps you to deliver a consistent security configuration across your storage fleet.
Whether you have one array or an entire fleet, the new Pure1 Data Protection Assessment will give you a detailed breakdown of your data resiliency. This includes ensuring that your snapshots and SafeMode configurations meet or exceed our leading practices and even considers replication for added resiliency.
Watch a demo of the new Data Protection Assessment in action.
How the Pure1 Data Protection Assessment Works
The Data Protection Assessment is broken down into two different sections – The Data Resiliency Score and the Data Protection Assessment. The Data Resiliency Score rates the adoption of data protection features such as snapshots, SafeMode, and replication. Based on a scale of 0-5, customers get a measuring stick of what features are in use. Learn more about the Data Resiliency Score. The other part of the Data Protection Assessment looks at the configuration of these features and helps customers align to leading practices recommended by Pure. All Pure Storage appliances are categorized based on the level of protection in place.
The criteria used to calculate your data protection score
Caution means that snapshot policies don’t meet our leading practices (or don’t exist), and therefore, data on these arrays should be considered at risk. Even if SafeMode is enabled, there are no snapshots to protect. Optimizable arrays have basic protections in place such as local snapshots or replication through ActiveDR™, ActiveCluster™, protection group replication, or policy. Good indicates arrays that either have local snapshots with SafeMode or replication to another array with SafeMode enabled. The advanced category is reserved for high achievers that have both local and replicated snapshots or ActiveCluster enabled with SafeMode protections in place. Consider this configuration for your most critical data. Arrays not requiring additional protection can be excluded from the assessment.
If your arrays fall into the first two categories, then don’t worry. The Pure1 Data Protection Assessment will provide actionable recommendations to help you configure data protection policies. Recommendations include freeing up additional capacity for snapshots, upgrading Purity to a version that supports SafeMode, as well as the configuration of snapshot policies and SafeMode eradication delay.
Get actionable insights to improve your security posture.
Recommendations in the Data Protection Assessment
For customers who want to be selective about what gets protected, the Pure1 Data Protection Assessment also grants insight into your FlashArray and FlashBlade objects.
Get granular insights into individual objects.
Per-object SafeMode in FlashArray can give you the control you need to better balance capacity requirements with data resiliency but at the cost of additional management. The Pure1 Data Protection Assessment reduces the operational overhead by giving you a breakdown of your volumes, file systems, directories, and buckets. That way, you can quickly identify your most important objects and ensure they’re configured to your data resiliency needs. Plus, this data can be exported from Pure1, including object-level details for further reporting, analysis, or project planning.
Anomaly detection scans your environment for significant changes in data reduction, performance, and volume & snapshot counts.
The Data Protection and Security Assessments will also highlight when anomalies are detected on an array. Pure1 constantly analyzes a suite of metrics across all your FlashArray appliances, including data reduction ratios, latency, and changes in volume and snapshot counts, to ensure comprehensive monitoring. For example, significant and sudden changes such as the encryption of several volumes by ransomware, spikes in latency indicating possible network issues, or unexpected changes in the number of volumes and snapshots can be detected. Although these anomalies may be detected after an incident has begun, Pure1 serves as a crucial tool to pinpoint which volumes have been affected. In addition to detecting anomalies, Pure1 will also show when your most recent snapshots were taken to quickly recover to an ideal time point.
Learn more about Pure1 anomaly detection.
The Security and Data Protection Assessments are now available in Pure1. All customers who are currently sending phone home data to Pure Storage can simply log in to pure1.purestorage.com and start taking action toward protecting your organization’s most valuable asset at no additional charge. For more information, check out the Pure1 documentation (login required) or visit the Pure1 product page.
Written By:
Rethink Infrastructure
Don’t miss our webinar on July 10, 2024, to see our latest innovations for AI, cyber resiliency, and application modernization.
