If your company’s data is like gold, then Pure Storage is your vault. It’s your last line of defense after an attacker has already breached several layers of security. But how do you ensure your vault is locked and has the proper security measures in place?
If you’re like me and aren’t sure whether you locked the front door when you left the house this morning, then it’s not unheard of to turn around and drive several miles back home to double-check. However, there’s a much better way to have confidence in your storage configuration whether you have one array or many.
What Are Pure’s Leading Practices for Data Resiliency?
Leading practices establish a baseline configuration that can be improved upon depending on several factors. Pure’s leading practices for data resiliency are to take snapshots at least once per day and retain those snapshots for seven days.
SafeMode™ is then layered on top of this to prevent manual eradication of these snapshots. We recommend at least a seven-day eradication delay or duration (depending on FlashArray or FlashBlade). Increasing the number of snapshots will, of course, give you more timepoints to recover your data and can mean that only a few minutes’ or hours’ worth of data is lost rather than an entire day’s worth.
Longer retention periods can buy you time for situations that may take days before anyone notices there’s a problem. It’s up to your organization to determine the ideal configuration, which also needs to be balanced against the capacity requirements of such snapshot configurations. Thankfully, Pure1 provides capacity planning that will help give you an idea of these requirements.
Snapshots are great, but they’re subject to one major flaw: They can be deleted, or in Pure Storage terms, destroyed. A destroyed snapshot will be recoverable for a period of time but can also be eradicated, meaning it’s no longer recoverable. Think of eradication as manually emptying the recycle bin or trash on your desktop. This can happen by accident or maliciously by a ransomware attacker trying to ensure your data can’t be recovered and that the ransom is paid.
SafeMode: An Added Layer of Protection
That’s why FlashArray and FlashBlade offer another layer of protection with SafeMode. SafeMode prevents the manual eradication of your snapshots, which means they cannot be deleted by accident or by malicious wrongdoers until the eradication delay has lapsed. Not even an administrator can bypass SafeMode once it’s enabled. Multiple validations are required by Pure’s support teams to disable or reduce your eradication delay.
Our leading practice with SafeMode is to set an eradication delay of at least seven days, but we recommend fourteen days or more. The reason for such a long eradication delay is that it’s possible for several days to lapse before a problem is detected. That could be because the system is infrequently used or the operator is out over the weekend or on vacation. The longer the eradication delay is set, the better your chances are for recovering your data. Thanks to the granularity of SafeMode, you can enable this protection for your entire array or per protection group or object.
Not only can Pure1 help you understand the storage implications of these data protection measures, but it can also help ensure that your data is protected per these leading practices.
Whether you have one array or an entire fleet, the new Pure1 Data Protection Assessment will give you a detailed breakdown of your data resiliency. This includes ensuring that your snapshots and SafeMode configurations meet or exceed our leading practices and even considers replication for added resiliency.
How the Pure1 Data Protection Assessment Works
The Data Protection Assessment is broken down into two different sections: the Data Resiliency Score and the Data Protection Assessment. The Data Resiliency Score rates the adoption of data protection features such as snapshots, SafeMode, and replication. Based on a scale of 0-5, customers get a measuring stick of what features are in use. Learn more about the Data Resiliency Score. The other part of the Data Protection Assessment looks at the configuration of these features and helps customers align to leading practices recommended by Pure. All Pure Storage® appliances are categorized based on the level of protection in place.
Caution means that snapshot policies don’t meet our leading practices (or don’t exist), and therefore, data on these arrays should be considered at risk. Even if SafeMode is enabled, there are no snapshots to protect. Optimizable arrays have basic protections in place such as local snapshots or replication through ActiveDR™, ActiveCluster™, protection group replication, or policy. Good indicates arrays that either have local snapshots with SafeMode or replication to another array with SafeMode enabled. The Advanced category is reserved for high achievers that have both local and replicated snapshots or ActiveCluster enabled with SafeMode protections in place. Consider this configuration for your most critical data. Arrays not requiring additional protection can be excluded from the assessment.
If your arrays fall into the first two categories, then don’t worry. The Pure1 Data Protection Assessment will provide actionable recommendations to help you configure data protection policies. Recommendations include freeing up additional capacity for snapshots, upgrading Purity to a version that supports SafeMode, as well as the configuration of snapshot policies and SafeMode eradication delay.
For customers who want to be selective about what gets protected, the Pure1 Data Protection Assessment also grants insight into your FlashArray and FlashBlade objects.
The Data Protection Assessment will also highlight when anomalies are detected on an array. By constantly analyzing the data reduction ratios on every volume across all your FlashArray appliances, Pure1 can detect when significant and sudden changes are made to your data. For example, if several volumes were to be encrypted by ransomware, Pure1 will detect this anomaly and provide an indicator in the Data Protection Assessment. Because anomalies are detected after encryption has started, this is not meant as an early warning but rather a tool that you can use to identify what volumes need to be recovered and identify an ideal recovery timepoint. Learn more about Pure1 Anomaly Detection.
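To make the idea concrete, here is an added example (not Pure1’s algorithm and not code from Pure Storage) that flags volumes whose data reduction ratio drops suddenly and picks the newest snapshot taken before the drop as the recovery timepoint. The volume names, sample values, snapshot schedule, four-sample window, and 50% drop threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: hourly data reduction ratio (DRR) per volume.
T0 = datetime(2024, 1, 10, 0, 0)

def series(values):
    """Attach hourly timestamps, starting at T0, to a list of DRR readings."""
    return [(T0 + timedelta(hours=i), v) for i, v in enumerate(values)]

SAMPLES = {
    "vol-db01": series([4.1, 4.0, 4.2, 4.1, 4.0, 4.1, 1.3, 1.1, 1.0]),
    "vol-web01": series([3.0, 3.1, 2.9, 3.0, 3.0, 2.9, 3.0, 3.1, 3.0]),
    "vol-fs01": series([5.0, 5.1, 5.0, 4.9, 5.0, 5.0, 5.1, 2.0, 1.2]),
}
# Constructed snapshot schedule: one snapshot every four hours per volume.
SNAPSHOTS = {name: [T0 + timedelta(hours=h) for h in (0, 4, 8)] for name in SAMPLES}

def find_drop(samples, window=4, drop_fraction=0.5):
    """Return (last_good_time, first_bad_time) for the first sudden drop, else None.

    A sample is anomalous when it falls below drop_fraction of the median of
    the preceding `window` samples. Encrypted data barely reduces, so the
    ratio collapses toward 1.0 once encryption is under way.
    """
    for i in range(window, len(samples)):
        baseline = median(v for _, v in samples[i - window:i])
        ts, value = samples[i]
        if baseline > 0 and value < baseline * drop_fraction:
            return samples[i - 1][0], ts
    return None

def recovery_plan(samples_by_volume, snapshots_by_volume):
    """Map each anomalous volume to its detection time and restore point."""
    plan = {}
    for volume, samples in samples_by_volume.items():
        hit = find_drop(samples)
        if hit is None:
            continue  # volume looks normal, nothing to recover
        last_good, first_bad = hit
        # Only snapshots at or before the last normal reading are trusted.
        candidates = [s for s in snapshots_by_volume.get(volume, []) if s <= last_good]
        plan[volume] = {
            "anomaly_seen": first_bad,
            "restore_from": max(candidates) if candidates else None,
        }
    return plan

if __name__ == "__main__":
    for volume, info in recovery_plan(SAMPLES, SNAPSHOTS).items():
        print(volume, info["anomaly_seen"], info["restore_from"])
```

A volume with no snapshot older than the drop gets `restore_from` set to `None`, which is the case that longer retention and a longer SafeMode eradication delay are meant to prevent.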
The new Data Protection Assessment is now available in Pure1. All customers who are currently sending phone home data to Pure Storage can simply log in to pure1.purestorage.com and start taking action toward protecting their organization’s most valuable asset at no additional charge. For more information, check out the Pure1 documentation (login required) or visit the Pure1 product page.