Tech ONTAP Blogs
Tech ONTAP Blogs
With the September release, Cloud Backup has now introduced support for DataLock and Ransomware protection for cloud backups on StorageGRID versions 11.6.0.3 and above. With this feature, Cloud Backup provides a mechanism to lock the Cloud Snapshots replicated via SM-C and provides the ability to detect a ransomware attack and recover a consistent copy of the snapshot on the StorageGRID object-store. The solution uses both SM-C and ADC to achieve the above functionality. Currently, the feature is supported only for AWS and StorageGRID.
To enable DataLock and Ransomware Protection, we have to choose the mode as “Compliance” under the “DataLock and Ransomware Protection” section of the “Define Policy” UI of the “Activate Backup for Working Environment” wizard as shown below. With “Compliance” mode, no users can overwrite or delete protected backup files during the retention period.
Please Note:- The StorageGRID S3 Object Lock feature provides a single DataLock mode that is equivalent to Compliance mode. An equivalent Governance mode is not supported, so no users have the capability to bypass retention settings, overwrite protected backups, or delete backups. Hence the "Governance" mode is not available with the DataLock and Ransomware Protection support for StorageGRID. The "Governance" option on the Policy UI will be disabled for StorageGRID.
Important:-
When “DataLock and Ransomware Protection” is enabled, the StorageGRID bucket that will be provisioned as a part of the backup activation process will have object locking and object versioning enabled. It will also have Auto-purging of non-current versions on the bucket will be enabled and set to 1 day.
In this section, we will discuss Cloud backup policy behavior when Cloud Backup is enabled with the Compliance policy in the Working Environment.
To lock an object, cloud providers provide a way to set the ‘Retention Until Date’ (RUD which is calculated based on the Snapshot Retention Period) in the object metadata during which the object version cannot be deleted or overwritten.
What is Snapshot Retention Period (SRP) and how is it calculated?
When “DataLock and Ransomware Protection” is enabled through the Cloud Backup policy, the Snapshot Retention Period’(SRP) is calculated as per the label and retention count defined by the user in the Cloud Backup policy.
The minimum SRP that will be assigned would be 30 days.
Let's try to understand how the Snapshot Retention Period (SRP) is calculated:
DataLock on an object is set by applying a retention period to an object version explicitly by specifying a “Retain Until Date or RUD” for the object version. Amazon S3 stores the Retain Until Date setting in the object version's metadata and protects the object version until the retention period expires.
What is Retention Until Date (RUD) and how is it calculated?
Example:-
Please Note:-
How do we set Retention Until Date (RUD) on the cloud backups?
Ransomware Scan
In this section, we will examine how Ransomware detection scans are run by Cloud Backup. As soon as you enable Cloud Backup in the Working environment and configure "DataLock and Ransomware Protection," the ransomware scans are initiated. The Ransomeware scans are run in the below-mentioned scenarios.
How does the scan work?
Now let's try to understand how the Ransomware scans work.
How does the Recovery process work?
When a Ransomware attack is detected, Cloud Backup uses the Active Data Connector Integrity Checker REST API to start the recovery process. The oldest version of the data objects is the source of truth and is made into the current version as part of the recovery process.
Let's see how this works:-
Please Note:-
• DataLock and Ransomware Protection feature scans only backups on StorageGRID bucket. It does not support scanning local snapshots, Ransomware attacks on local snapshots cannot be detected.
In this section, we will look into the various Cloud Backup UI changes that were introduced to show the status and results of the DataLock and Ransomware Scan run on the cloud backups stored in the Cloud object store
Backup Volume Page
A new “Ransomware Scan” column has been introduced on the Backup Volume Page. It displays the different status of the Ransomware scans on a Volume level like potential ransomware identified, tool-tip showing the last scan time, and successful ransomware scan with scan time.
Backup Details Page
A new “Ransomware Scan” column has been introduced on the Backup Details Page. It displays the different status of the Ransomware scans on the backup level like potential ransomware identified, tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with scan time.
Canvas Page
Notifications have been included on the Canvas Page which notifies that a potential ransomware attack has been identified on a backup copy of a specific volume related to a specific Working Environment.
Notifications have been included on the Canvas Page which notifies that a potential ransomware attack has been identified on a backup copy during the restore of a specific volume related to a specific Working Environment. It will also highlight that Cloud Backup reverted to the last good known version of the backup copy.
Browse and Restore Pages
A new “Ransomware Scan ” column has been introduced on the Selected Backup Details Page. It displays the different status of the Ransomware scans on the backup level like potential ransomware identified, tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with the scan time.
Browse and Restore Pages – Restore Message
A “Ransomware Scan” UI will be shown upon selecting a snapshot to restore the backup. This restore confirmation message shows the details of the DataLock mode, and last run scan time information and also includes a recommendation to run a ransomware scan before proceeding with the scan. This is an optional scan, the user can uncheck to skip the ransomware scan.
Search and Restore Page
More details about the ransomware scan have been provided on the “Backup Details” right navigation pane UI. It displays the different status of the ransomware scans on the backup level like potential ransomware identified, tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with the scan time
Search and Restore Page- Restore UI
The “Restore Location for Selected File” UI under the Search and Restore feature, also now display the information of the backup DataLock Mode and the status of the ransomware scan run.
Clicking the “Next” button will bring up a “Ransomware Scan” UI, which displays the “DataLock” mode, the previous scan time, and the result of the ransomware scan. It also shows a recommendation to run a ransomware scan before proceeding with the restore process. This is an optional scan, the user can uncheck to skip the ransomware scan.
Please try it out and let us know. In this blog , we haven’t covered every possible scenario, and we know that you’ll have questions and concerns, so please contact us on Teams Group.