Minimize the Impact of a Cyberattack with Commvault and Pure Storage

A new integration of Pure Storage FlashBlade with Commvault introduces S3 Object Lock along with SafeMode Snapshots to help minimize the impact of a cyberattack.


We’re pleased to announce a new integration of Pure Storage® FlashBlade//S™ and FlashBlade//E™ with Commvault to introduce S3 Object Lock. Together with Pure’s SafeMode™ retention lock, this creates resilient, multilayered protection against ransomware destroying or encrypting your backups.

In addition, Pure Storage and Commvault have developed a workflow, downloadable from the Commvault Store, which simplifies the configuration of Object Storage on FlashBlade® storage with Commvault. 

Increased Resilience in Case of an Attack

According to the FBI’s Internet Crime Report, potential losses from cyber crimes increased by 64% from 2018 to 2021, totaling $6.9 billion. Cyberattacks are constantly evolving, too. A quick web search will show that experts agree a breach of your defenses is a question of when, not if.

When an attacker does get through, they can do a lot of damage, even if you detect and stop them quickly. Attack prevention is critical, of course, but you also need to be prepared for large-scale recovery.

The Pure Storage FlashBlade lines, combined with Commvault, provide a rapid restore experience like no other. Features like Object Lock, Freeze Objects, and Pure Storage’s SafeMode Retention Lock ensure your data is ready and waiting after an attack. You can start rapid recovery immediately, from your most recent clean backups, following familiar day-to-day processes. 

To top it all off, you have the speed and simplicity you’ve come to expect from Pure Storage to get you back online faster than you might think possible. 

Available Commvault features like Metallic ThreatWise, hardened MediaAgents, file change monitoring, and anomaly reporting can further limit or prevent attacks to both your backup and production systems, detect an attacker before they can damage your data, and proactively monitor your backups so you can be confident you’re not restoring malware.

Tamper-proofing Data with Object Lock

Object Lock provides tamper-proofing by safeguarding objects from accidental or malicious deletion for a set time period. When you lock an object or object version, FlashBlade stores the lock information in the metadata for the object. However, the S3 specification doesn’t prevent someone from creating newer versions of the same object or logically deleting a locked version—hiding your data from default views. 

With Pure’s own Freeze Locked Objects feature enabled on a bucket, FlashBlade will block any attempt to delete or overwrite a locked object in that bucket.   

SafeMode Retention Lock—Uniquely Pure—(Because OL Isn’t)

FlashBlade provides SafeMode Retention Lock to support more granular bucket-level operations. SafeMode Retention Lock has two modes: Ratcheted (locked) Mode and Unlocked Mode (default mode). 

With SafeMode Retention, the storage administrator will be able to control:

  • When a bucket can be destroyed: Default behavior is to allow the bucket to be destroyed (logically deleted with a countdown timer) even when it is not empty. When SafeMode Retention Lock is set to Ratcheted Mode, it allows bucket destruction only when it is empty.
  • When a bucket can be eradicated: When SafeMode Retention Lock is set to Ratcheted Mode, manual eradication (permanent deletion) is not allowed.
  • Changes to bucket-level Retention Mode properties: When SafeMode Retention Lock is set to Ratcheted Mode, FlashBlade will not allow changes from Compliance Mode to Governance Mode or reduction in the default object retention period.

We recommend using object storage over S3 when you store Commvault data on FlashBlade. FlashBlade fast object storage reduces backup and restore times to collect and secure your data sooner. The simplicity of object storage means easier deployment and management. Commvault’s Storage Accelerator component more fully utilizes your available network bandwidth by distributing storage access across your protected systems rather than funneling it through a small number of MediaAgent data movers, letting you protect and restore more data in parallel.

Object Lock on FlashBlade seamlessly adds object-level immutability, managed by Commvault. The SafeMode Retention Lock and Freeze Locked Objects features add extra protection against direct attacks on the object buckets and their contents. With these features enabled, locked objects cannot be destroyed or overwritten, and the bucket itself cannot be deleted, even if credentials are compromised.

CommServe DR backups can leverage File SafeMode protection when using an SMB share on FlashBlade, protecting against a worst-case scenario that requires recovery of Commvault itself. File SafeMode will create and preserve immutable snapshots of your DR backups that an attacker cannot destroy.

Figure 1: Reference architecture for the solution. 

How it Works

When you’re deduplicating backup data, you’re building up references to the same unique data. It’s great for saving space and time, since your backups from last night can share data you backed up weeks ago. But when you need those backups protected against attackers, you have to freeze that weeks-old data long enough to cover last night’s backups—and tomorrow’s, and the next day’s, and so on. You eventually end up looking at infinite retention, which defeats the purpose of deduplication.

To solve this problem, Commvault and Pure use a layered data vaulting concept. A “vault” is a self-contained set of data for a specific period, with no deduplication references outside the vault. Commvault periodically “closes” the vault against any new data to limit the dependencies. Within each vault, Commvault leverages its dynamic locking technology and FlashBlade Object Lock to align the immutability for the entire vault to expire at the same time.

The layered vaulting system protects your data for the entire SLA period. Data is protected immediately as it is written and does not require any periodic point-in-time snapshots. You can get your production systems online sooner after an attack since your backup data is immediately available to start recovery without first having to roll anything back to an earlier recovery point. With hourly recovery costs ranging up to millions of dollars, this faster, simpler recovery can have a huge impact when it matters most.

For example, consider a vault with a 14-day retention requirement. The last backups, taken on day 14, will need to exist until day 28 to meet the SLA. The earliest data in the vault must also be protected until day 28 to ensure that an attacker can’t invalidate the last backups by destroying the oldest data. To accomplish this, Commvault sets the object locks for the first day’s backups to expire after 28 days. 

On the second day, locks are set to expire after 27 days. This continues until the 14th day, when locks are set to expire after 14 days—also on day 28. Commvault then closes the vault on the 15th day and starts the cycle over. 

This approach brings a balance between immutability and capacity, preserving benefits of deduplication and keeping granular control of backup scheduling. It allows Commvault to delete each entire vault at the same time once it’s no longer needed, which frees up capacity as quickly as possible.
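
The lock alignment described above, worked through as an added example (not Commvault or Pure Storage code). It assumes days are counted as on the page (writes on days 1 to 14, one shared expiry on day 28), uses constructed calendar dates, and contrasts the aligned schedule with a hypothetical fixed per-object lock to show which backups would lose deduplicated dependencies early; all function names are illustrative.

```python
from datetime import date, timedelta

RETENTION_DAYS = 14            # retention requirement from the example above
VAULT_OPEN = date(2024, 1, 1)  # constructed date standing in for "day 1"

def aligned_locks(vault_open, retention_days):
    """Layered vaulting: every write day in the vault gets the same
    retain-until date, the last write day plus the retention period."""
    last_write = vault_open + timedelta(days=retention_days - 1)
    retain_until = last_write + timedelta(days=retention_days)
    return {vault_open + timedelta(days=i): retain_until
            for i in range(retention_days)}

def fixed_locks(vault_open, retention_days):
    """Contrast case: each write day is locked for retention_days from
    its own date, ignoring what later backups reference."""
    return {vault_open + timedelta(days=i):
            vault_open + timedelta(days=i + retention_days)
            for i in range(retention_days)}

def exposed_backups(locks, retention_days):
    """Write days whose backup can lose a dependency before its SLA ends.

    Assumption: a backup may reference deduplicated data from any earlier
    write day in the same vault, and nothing outside the vault.
    """
    exposed = []
    for write_day in sorted(locks):
        sla_end = write_day + timedelta(days=retention_days)
        earliest_unlock = min(until for day, until in locks.items()
                              if day <= write_day)
        if earliest_unlock < sla_end:
            exposed.append(write_day)
    return exposed

if __name__ == "__main__":
    aligned = aligned_locks(VAULT_OPEN, RETENTION_DAYS)
    fixed = fixed_locks(VAULT_OPEN, RETENTION_DAYS)
    for day, until in sorted(aligned.items()):
        print(f"written {day}  retain until {until}  ({(until - day).days} days)")
    print("exposed with aligned locks:", exposed_backups(aligned, RETENTION_DAYS))
    print("exposed with fixed locks:  ", len(exposed_backups(fixed, RETENTION_DAYS)))
```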

In steady state, you’ll have two vaults at any given time: the active vault, with new data being written to it, and the most recently sealed vault. The previous sealed vault expires when the new open vault is being created. Having two vaults ensures you meet your immutability SLA: There will be dependencies going back to the oldest data in the sealed vault, and both vaults are fully protected.

The immutability figure below illustrates the vaulting timeline and the immutability window, which covers the backups that must be immutable to meet your SLA.

Figure 2: Layered data vaulting timeline. 

Recovering from a Cyber Event

Object Lock and SafeMode Retention Lock prevent ransomware, rogue administrators, or other cyberattacks from affecting your backup data, so you can focus on getting affected systems back online faster. You don’t need to take any action on the FlashBlade system since your immutable data remains available and uncompromised. 

Clean Room Recovery

As part of the recovery, you should use a “clean room” or “sandbox” approach to restore systems and data in an isolated space. You can then remove any malware before reintroducing the systems to the production environment. Pure Storage can help you determine what changes are needed.

Conclusion

Pure Storage FlashBlade and Commvault minimize the impact of a cyber event, reducing the risk to your organization if you get hit by ransomware or other cyberattacks. You can be confident that your backups are intact and protected from an attacker by employing a combination of Object Lock and SafeMode, and that you can recover systems as fast as you need to.

For more information, check out our new white paper, “Minimizing the Impact of Cyberattack Recovery.”