Using Per Protection Group SafeMode with Pure Cloud Block Store

Per Protection Group SafeMode is a new feature that enables you to lock down data in a way that takes away many of the common attack vectors cybercriminals use today.


4 minutes

Disaster recovery—whether it’s in response to a ransomware attack or an on-premises data center failure—is an ever-present consideration on the minds of many IT teams today. To recognize its importance, you only need to look at the multibillion-dollar industry that has been built up around it or read the news to observe the near-daily outages of major businesses or ransoms paid to bad actors.

An important advancement in the fight against ransomware has been Pure Storage® SafeMode™, which helps to prevent a cybercriminal from eliminating, encrypting, or otherwise manipulating your backup data to their advantage. The value proposition of SafeMode extends across our product lines and includes on-premises FlashArray™ devices, as well as FlashBlade® systems—but for this post, we’ll focus specifically on Pure Cloud Block Store™ for our example scenarios.

Mitigating Risks with Pure Cloud Block Store

With Pure Cloud Block Store, you have another tool to help mitigate the risks if an on-premises attack should occur. By replicating mission-critical data to Amazon S3 or Azure Blob Storage with Purity CloudSnap™, you have a low-cost, built-in option for restoring and running production workloads in the public cloud when minutes and seconds count. 

A Pure Cloud Block Store array can be deployed quickly. The S3 or Blob snapshot data is then copied to the Pure Cloud Block Store instance, snapshot data is then copied to a volume near-instantaneously, and lastly, it’s attached to the VM or workload. And just like that, you’re operational again. 

While there are a few steps involved here, they can be easily scripted and set to run automatically if a condition is met, for example, if a replication link or site is detected as offline. The Per Protection Group SafeMode option can just as easily be applied to your public cloud Pure Cloud Block Store instance as it can for any on-premises Pure Storage offering to keep your most mission-critical data safe.

SafeMode

With the release of Purity 6.3.0 and above, we’ve taken SafeMode a step further and extended its capabilities to a more granular level. Storage administrators can now turn it on per protection group (PGroup), rather than at an entire array level. This is a significant advancement, as the storage administrator now can choose which data receives enhanced protection. It also gives storage admins the flexibility to save time and possibly cost and capacity by not using it across the entire array. To sum it up, PGroup SafeMode provides the option to select a specific volume or groups of volumes for enhanced protection instead of the previous “all-or-none” paradigm.

Per Protection Group SafeMode Uncomplicates Data Protection

Applying SafeMode is simple. You create a protection group, add one or more volumes to the protection group, set your snapshot schedule, (optionally) set up replication, and then turn it on. That’s it.  

SafeMode

SafeMode is designed to make enhanced protection easy and tampering with data difficult. Once SafeMode has been activated for a protection group, the only way to turn it off is to contact Pure Support. Customer identity has to be confirmed with Pure Support before it can be disabled. 

With SafeMode for a protection group turned on, bad actors have the following attack vectors taken away from them:

  • The protection group cannot be deleted
  • Member volume(s) cannot be removed from the protection group
  • Snapshots cannot be eradicated
  • Snapshot and replication cannot be disabled
  • Snapshot/replication frequency cannot be reduced
  • Replication target cannot be removed

Low-Cost Disaster Recovery Meets Granular Ransomware Mitigation

In summary, this solution really checks two important boxes for customers: It effectively provides a low-cost disaster recovery (or even test-dev) site via the public cloud and our new granular SafeMode enhancement gives the ability to lock down that data in a way that takes away many of the common attack vectors used by cybercriminals today. That, combined with the ease of use and fast performance our customers love about Pure, makes us excited about this use case today and the potential ways we can make it even better in the future. 

To learn more, check out this demo video where we simulate recovering and protecting your on-premises data in Azure with the combination of Pure Cloud Block Store and SafeMode.