This post is coauthored by Toby Reid

The world of data protection solutions is noisy with various vendors’ promises about preventing, detecting, and recovering from ransomware attacks. One company has even announced a $5M ransomware recovery warranty, claiming to cover data recovery and restoration expenses. However, none of these solutions provides you with the most important elements of a ransomware offering, namely:

  • The ability to protect data with immutable, indestructible, and sequestered snapshots
  • The ability to rapidly restore large volumes of data at restore rates that are 10X faster than traditional purpose-built backup appliances (PBBAs)

Cyber threats, including the current wave of ransomware attacks, have changed the data protection landscape forever—evolving the discussion from “time to back up” (to meet backup windows and retention policies) to “time to recover” (to restore business service and comply with regulatory requirements).

US National Security Agency (NSA) Director Paul Nakasone predicted that not only will the rate of ransomware attacks not slow down, but that in the next five years, the US will face multiple ransomware attacks “every single day.” Meanwhile, industry analyst firm Gartner has recently stated that the “threat of new ransomware models is the top emerging risk facing organizations” and correspondingly published its “Top 8 Cybersecurity Predictions for 2021-2022.”

All organizations, across all commercial and government endeavors, need to protect their key systems from attacks. Even more importantly, in the event of an attack, they need to be prepared to restore critical systems back to normal operation as quickly as possible.

Sign up for email

For organizations that are prepared, the benefits are obvious. The cyber-insurance firm Corvus states that the “improved preparedness and resiliency among customers of its cyber-insurance policies” have resulted in fewer ransomware claim payouts, despite an increase in the frequency of ransomware claims in CY2021 over CY2020. This is a clarion call to action for organizations to take proactive steps to mitigate the threat of ransomware. Ironically, despite the rising risk of cyber threats, a recent survey indicates that 14% of C-suite executives surveyed have no plans to implement defense and incident response initiatives. That 14% was among the 98% of surveyed executives who indicated that they have come across at least one cybersecurity event in the past year.

The risks are urgent and obvious. However, legacy backup solutions don’t address them because they’re rooted in a legacy world where the focus was on just that, i.e., backing up data. In contrast, some newer solutions focus on eliminating infrastructure altogether and making data resilient and persistently available, instead of restoring it.

With respect to cyber-attacks, Pure Storage takes an entirely modern and innovative approach with the focus on “always-on encryption,” replication, and unmatched ransomware remediation. Secured by two-factor authentication, Pure customers benefit from the proactive expert guidance of Pure Technical Support through the entire process of planning, scheduling, and configuring immutable, indestructible SafeMode™ snapshots, which prepare them to restore their data at industry-leading speeds in the event of a ransomware attack. Pure’s approach to ransomware recovery restores business operations quickly and effectively.

In this blog post, we’ll highlight the categories of solutions that fail to proactively protect you from the consequences of inevitable cyber-attacks (including ransomware) and arm you with the means for delivering data resiliency to your organization.

Category #1: Legacy PBBAs

The first category is traditional “purpose-built backup appliances (PBBAs).” PBBAs were originally architected as cost-effective disk-based solutions to replace tape drives as a backup target. They leveraged the use of deduplication to make disk-based backup storage cost-effective compared to tape. Disk-based systems delivered higher performance, with more simultaneous backup operations than multi-tape drive and robotic tape libraries and consumed a fraction of the space in a data center.

PBBAs were originally backup-source agnostic and could serve as a backup target for all the leading backup applications. Adding proprietary vendor protocols between backup clients/backup servers and PBBA devices, combined with offloading deduplication from the PBBA to the client, made backups faster.

The weakness of disk-based PBBAs is their speed for restores (i.e., their restore rates). Restore performance from these backup-dedicated disk-based systems is, at best, 50% of the performance of their backup/ingest performance. And real-world restore performance is frequently a fraction of that restore rate. While adding use of proprietary vendor protocols and local deduplication increased backup performance, they did nothing to increase restore performance. In short, PBBAs were primarily architected for fast and efficient backups with data restoration as a literal afterthought.

Customers have learned, firsthand, from weather-related natural disasters to purposeful ransomware attacks, that the priority of modern data protection is enabling rapid recovery and restoring data, not faster backups.

Contrasting Pure FlashBlade with PBBAs

Pure Storage® FlashBlade® delivers industry-leading backup and restore speeds (up to 270TB/hr). Our SafeMode snapshots are immutable and resilient and can’t be encrypted or deleted by administrators, including ransomware hackers with compromised storage or backup administrator credentials. This combination of snapshot protection and high performance makes FlashBlade a superior choice for recovery-focused modern data protection compared to legacy PBBAs.

As a high-performance restore source, FlashBlade is an “open” data protection solution that enables immutable, sequestered SafeMode snapshots and industry-leading rapid recovery across an ecosystem of leading data protection Technology Alliance Partners, including Commvault, Veeam, Cohesity, and Veritas.

Category #2: Disaster Recovery as a Service (DRaaS)

The next category of solutions is DRaaS, which includes journalized continuous data protection (CDP). These solutions are targeted at protecting and restoring virtual machines (VMs), VMware vSphere, and/or Microsoft Hyper-V. They have a protection focus on “flexible recovery and granular recovery point times. They define successful data protection as the capability to take very frequent snapshots or, via CDP, to be able to choose “any point in time” (APIT) as a recovery point. One vendor even states that ”the key to effectively recovering from ransomware is granularity.”[1]

These solutions promise the ability to rapidly recover to a point just seconds before an attack, followed by recovery of all your critical systems, within the space of a few minutes, with only a few clicks of a button. Another vendor claims a “near-instantaneous” recovery time of just a few minutes for even large numbers of VMs with large amounts of data.

Let’s examine what they mean when they say that their recovery capability is “near-instantaneous.” They mean that point-in-time versions of VMs (and their data) are merely rapidly available, not rapidly restored to their original location, and subsequently migrated back to the original vSphere (e.g., via vMotion) or Hyper-V cluster. At best, this means that the data is restored and “available” on premises, external to its original home location VM cluster. Alternatively, for cloud-based DraaS, this means that the restored VMs and their data are “available” to be used in the cloud but not on the original VM cluster.

What these vendors fail to discuss, or count as part of the restore time, is the time to recover back to the original location, via VM migration functions (e.g., vMotion in vSphere), which could be hours or even days. Of course, requiring days to return to normal operation as defined by VMs and their data running normally in their original cluster location is not rapid recovery. In fact, it’s not even modern data protection.

What they also fail to discuss is the risk of an attack on their own software-based solution by a hacker’s use of compromised administrator credentials to destroy the point-in-time backups or the journaling. The purpose of these backup platforms and solutions is to have a copy of data that can be recovered to a point in time using a catalog or journal of the data.  Data protection software systems offer no protection for data nor the compute and storage platforms on which they run. Recently, ransomware attacks have begun targeting the backup systems themselves. One ransomware attack group has been discovered developing and using novel tactics to demolish backups.

The real measure of restore time isn’t merely how quickly VMs and data can be made available somewhere; it’s how quickly the VMs and data can be restored to their normal operation in their original location. FlashBlade Rapid Restore excels in this regard, enabling the restoration of petabytes of VMs to the original location in hours.

As for ransomware attacks that target backup systems and backup storage itself, note that Pure SafeMode snapshots can’t be expired or destroyed. Since they’re sequestered from storage administrators’ domains, ransomware hackers who compromise or acquire customer administrative credentials can’t destroy SafeMode snapshots. With FlashBlade, SafeMode snapshots are immutable and secured from intentional or accidental destruction.

Category #3: Cloud Backup/Cloud-Native Backup

The next category is cloud backup vendors. These include “cloud-based” and “cloud-native backup” offerings. “Cloud-based” refers to solutions that offer a customer-managed product that includes a software component and possible use of an on-site “cloud edge” or “cloud access” hardware appliance(s). “Cloud-native backup and recovery” is offered as a service, with the customer only deploying backup agents in the devices to be protected.

These solutions deliver the capability to protect data on premises, without the use of any on-premises hardware or software infrastructure or minimal on-premises hardware and software. Backups of data on premises, including VMs, are stored in the cloud and managed as a data protection service.

Cloud backup solutions offer infrastructure-free, easy-to-use self-service, pay-as-you-go as-a-service data protection. Cloud backup has been an appealing option for small and medium businesses (SMBs), remote office/branch office (ROBO) use cases, and test/dev data mobility.

Cloud backup vendors have taken aim at protecting on-premises enterprises and enterprise data centers, with a focus on ransomware protection and recovery. Their pitch to you is that you can have enterprise data protection capabilities that cost less, are easier to manage, are more reliable, and require little or no on-premises hardware and/or software. They now, conveniently, include ransomware detection and related monitoring and analytics capabilities.

They also promote the capability to deliver a low recovery time objective (RTO) and fast recovery. Similar to DRaaS solutions, however, it’s important to understand where that low RTO to restore is located. Cloud-based and cloud-native backups are located in the cloud and data restoration also occurs in the cloud. It can take days or weeks to return to normal operations on premises with VMs and data restored back to their original location.

Again, the real measure of restore time isn’t just how fast VMs and data can be made available somewhere. It is, rather, how quickly the VMs and data can be restored to their normal operation in their original location. FlashBlade Rapid Restore enables the restoration of petabytes of VMs and their data to the original location in mere hours.

Pure SafeMode snapshots are immutable and secured from intentional or accidental destruction on premises, where the source data being protected is actually located. Many Pure partner data protection solutions that utilize FlashBlade for rapidly restoring SafeMode snapshots now also include ransomware detection and remediation capabilities.

Conclusion: Ransomware Recovery Is a Mission Critical Priority

The bottom line is this: It’s no longer a question of if your organization will suffer from a cyber attack but when. This is the new reality; a reality best addressed by a “recovery-focused” modern data protection strategy, and Pure has you covered…er, recovered, rapidly.

With SafeMode snapshots enabled and FlashBlade Rapid Restore, Pure customers are already very well prepared to recover from a ransomware attack. Pure FlashBlade is purpose-built for the rapid recovery of data that is protected via Pure’s Technical Support. Sequestered and immutable SafeMode snapshots can’t be deleted, destroyed, or expired by a ransomware hacker.

Our rapid ransomware recovery capability isn’t simply a storage feature. It’s an all-inclusive support capability enabled through an Evergreen™ subscription. Pure’s exceptional customer support is reflected in our Net Promoter Score (NPS) of 83.5, which is in the top 1% of industry B2B scores. Pure customers have spoken. You too can experience, and directly benefit from, Pure’s rapid recovery approach to modern data protection in this era of pervasive and persistent ransomware attacks.

To learn more, please contact us. We’d love to share our modern take on how you can rapidly recover your operations from inevitable ransomware attacks.

Like this article and want to read more? Sign up for our monthly Perspectives email today. And we promise not to spam you, just inform and inspire you!

  1. https://www.zerto.com/wp-content/uploads/2019/09/ransomware-mitigating-the-threat-of-cyber-security-attacks.pdf