With the September release, Cloud Backup has now introduced support for DataLock and Ransomware protection for cloud backups on StorageGRID versions 188.8.131.52 and above. With this feature, Cloud Backup provides a mechanism to lock the Cloud Snapshots replicated via SM-C and provides the ability to detect a ransomware attack and recover a consistent copy of the snapshot on the StorageGRID object-store. The solution uses both SM-C and ADC to achieve the above functionality. Currently, the feature is supported only for AWS and StorageGRID.
Scope of Cloud Backup DataLock and Ransomware Protection
Supported sources: On-prem and CVO, minimum ONTAP version 9.11.1
Applicable only for new backup activation (not applicable on existing backup copies)
Your clusters must running ONTAP 9.11.1 or greater
You must be using Cloud Manager 3.9.21 or greater
The Connector must be deployed on your premises (it can be installed in a site with or without internet access)
StorageGRID 184.108.40.206 and greater is required for full support of DataLock capabilities
How do I enable DataLock and Ransomware Protection?
To enable DataLock and Ransomware Protection, we have to choose the mode as “Compliance” under the “DataLock and Ransomware Protection” section of the “Define Policy” UI of the “Activate Backup for Working Environment” wizard as shown below. With “Compliance” mode, no users can overwrite or delete protected backup files during the retention period.
Please Note:- The StorageGRID S3 Object Lock feature provides a single DataLock mode that is equivalent to Compliance mode. An equivalent Governance mode is not supported, so no users have the capability to bypass retention settings, overwrite protected backups, or delete backups. Hence the "Governance" mode is not available with the DataLock and Ransomware Protection support for StorageGRID. The "Governance" option on the Policy UI will be disabled for StorageGRID.
Make sure that the “DataLock and Ransomware Protection” is set while enabling the Cloud Backup service on the Working Environments.
Please note that if you miss setting the “DataLock and Ransomware Protection” while enabling the Cloud Backup service on the Working Environments, you will not be able to enable the feature thereafter.
DataLock protection mode cannot be changed to normal after the policy is created.
Disabling or modifying DataLock and Ransomware Protection feature is not possible.
When “DataLock and Ransomware Protection” is enabled, the StorageGRID bucket that will be provisioned as a part of the backup activation process will have object locking and object versioning enabled. It will also have Auto-purging of non-current versions on the bucket will be enabled and set to 1 day.
Creating Compliance Policies
In this section, we will discuss Cloud backup policy behavior when Cloud Backup is enabled with the Compliance policy in the Working Environment.
If the policy used while enabling Cloud backup on the Working Environment is a Compliance policy, you cannot create normal policies thereafter.
If the volume is assigned a Compliance policy, it cannot be changed to a normal policy.
If the volume is assigned a normal policy, it cannot be changed to Compliance policy as the DataLock and Ransomware Protection feature cannot be enabled on an already CBS-enabled Working Environment.
If the initial policy is a Compliance policy, you can create a different Compliance policy and change the volume to a different Compliance policy.
How does Cloud Backup DataLock Work?
To lock an object, cloud providers provide a way to set the ‘Retention Until Date’ (RUD which is calculated based on the Snapshot Retention Period) in the object metadata during which the object version cannot be deleted or overwritten.
What is Snapshot Retention Period (SRP) and how is it calculated?
When “DataLock and Ransomware Protection” is enabled through the Cloud Backup policy, the Snapshot Retention Period’(SRP) is calculated as per the label and retention count defined by the user in the Cloud Backup policy. The minimum SRP that will be assigned would be 30 days.
Let's try to understand how the Snapshot Retention Period (SRP) is calculated:
If the user chooses the Daily label with Retention Count 20 ( The SRP is 20 days which defaults to 30 days.)
If the user chooses the Weekly label with Retention Count 4 (The SRP is 28 days which defaults to 30 days.)
If the user chooses the Monthly label with Retention Count 3 (The SRP is 90 days)
If the user chooses the Yearly label with Retention Count 1 (The SRP is 365 days)
DataLock on an object is set by applying a retention period to an object version explicitly by specifying a “Retain Until Date or RUD” for the object version. Amazon S3 stores the Retain Until Date setting in the object version's metadata and protects the object version until the retention period expires.
What is Retention Until Date (RUD) and how is it calculated?
The 'Retention Until Date' (RUD) is computed based on the SRP which is recorded in the metadata of the object while transferring using SM-C.
The 'Retention Until Date’ (RUD) is calculated by summing the SRP and the Buffer.
Buffer = Buffer for Transfer Time (6 days) + Buffer for Cost Optimization (8 days). Buffer is set as 14 days.
Minimum RUD will be 30 days + 14 days
If you create a Monthly backup schedule with 12 retentions, your backups are locked for 12 months (plus 14 days) before they are deleted (replaced by the next backup file).
If you create a backup policy that creates 30 daily, 7 weekly, 12 monthly backups there will be three locked retention periods. The "30 daily" backups would be retained for 44 days (30 days plus 14 days buffer), the "7 weekly" backups would be retained for 9 weeks (7 weeks plus 14 days), and the "12 monthly" backups would be retained for 12 months (plus 14 days).
If you create an Hourly backup schedule with 24 retentions, you’d think that Backups are locked for 24 hours. However, since that is less than the minimum of 30 days, each backup will be locked and retained for 44 days (30 days plus 14 days buffer).
Be aware that old backups are deleted after the DataLock Retention Period expires, not after the backup policy retention period.
The DataLock retention setting overrides the policy retention setting from your backup policy. This could affect your storage costs as your backup files will be saved in the object store for a longer period of time.
How do we set Retention Until Date (RUD) on the cloud backups?
Cloud Backup uses the snapshot list REST API in Active Data Connector (ADC) to determine all the snapshots that are yet to be locked based on the SnapMirror Policy.
For each of these snapshots, it uses ADC to stamp the RUD in all the objects belonging to the snapshot. This guarantees that the snapshot is locked until the RUD expires.
How does Ransomware Protection Work?
In this section, we will examine how Ransomware detection scans are run by Cloud Backup. As soon as you enable Cloud Backup in the Working environment and configure "DataLock and Ransomware Protection," the ransomware scans are initiated. The Ransomeware scans are run in the below-mentioned scenarios.
The scans on the cloud backup objects are initiated soon after they are transferred to the cloud object store. The scan is not performed on the backup file when it is first written to cloud storage, but when the next backup file is written
The Ransomware Scans can be initiated when the backup is selected for the restore process.
The scan can also be done on-demand as required by the user.
How does the scan work?
Now let's try to understand how the Ransomware scans work.
Before the Ransomware scans are initiated, Cloud Backup checks to make sure that the snapshot is stamped.
Cloud backup employs the Active Data Connector Integrity Checker REST API to start Ransomware scanning as necessary.
The detection of ransomware attacks is performed using checksum comparison.
The Active Data Connector Integrity Checker REST API triggers a Ransomware scan of the cloud backup objects on the cloud object store by verifying the checksum of the different backup object versions.
Based on the result of the scan Cloud Backup initiates the recovery process. Snapshots can be scanned on an on-demand basis for any ransomware attacks if necessary.
How does the Recovery process work?
When a Ransomware attack is detected, Cloud Backup uses the Active Data Connector Integrity Checker REST API to start the recovery process. The oldest version of the data objects is the source of truth and is made into the current version as part of the recovery process.
Let's see how this works:-
In the event of a ransomware attack, the Ransomware tries to overwrite/ delete the object in the bucket.
Since the AWS S3 buckets are versioning-enabled it automatically creates a new version of the backup object. If an object is deleted with versioning turned on, it is only marked as deleted but is still retrievable. If an object is overwritten, previous versions are stored and marked.
When a Ransomware scan is initiated, the checksums are computed for both object versions and compared, If the checksums are inconsistent, potential ransomware has been detected.
The recovery process involves reverting to the last known good copy. V3 is created (duplication of V1)
• DataLock and Ransomware Protection feature scans only backups on StorageGRID bucket. It does not support scanning local snapshots, Ransomware attacks on local snapshots cannot be detected.
Understanding the UI for DataLock and Ransomware Protection
In this section, we will look into the various Cloud Backup UI changes that were introduced to show the status and results of the DataLock and Ransomware Scan run on the cloud backups stored in the Cloud object store
Backup Volume Page
A new “Ransomware Scan” column has been introduced on the Backup Volume Page. It displays the different status of the Ransomware scans on a Volume level like potential ransomware identified, tool-tip showing the last scan time, and successful ransomware scan with scan time.
Backup Details Page
A new “Ransomware Scan” column has been introduced on the Backup Details Page. It displays the different status of the Ransomware scans on the backup level like potential ransomware identified, tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with scan time.
Notifications have been included on the Canvas Page which notifies that a potential ransomware attack has been identified on a backup copy of a specific volume related to a specific Working Environment.
Notifications have been included on the Canvas Page which notifies that a potential ransomware attack has been identified on a backup copy during the restore of a specific volume related to a specific Working Environment. It will also highlight that Cloud Backup reverted to the last good known version of the backup copy.
Browse and Restore Pages
A new “Ransomware Scan ” column has been introduced on the Selected Backup Details Page. It displays the different status of the Ransomware scans on the backup level like potential ransomware identified, tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with the scan time.
Browse and Restore Pages – Restore Message
A “Ransomware Scan” UI will be shown upon selecting a snapshot to restore the backup. This restore confirmation message shows the details of the DataLock mode, and last run scan time information and also includes a recommendation to run a ransomware scan before proceeding with the scan. This is an optional scan, the user can uncheck to skip the ransomware scan.
Search and Restore Page
More details about the ransomware scan have been provided on the “Backup Details” right navigation pane UI. It displays the different status of the ransomware scans on the backup level like potential ransomware identified, tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with the scan time
Search and Restore Page- Restore UI
The “Restore Location for Selected File” UI under the Search and Restore feature, also now display the information of the backup DataLock Mode and the status of the ransomware scan run.
Clicking the “Next” button will bring up a “Ransomware Scan” UI, which displays the “DataLock” mode, the previous scan time, and the result of the ransomware scan. It also shows a recommendation to run a ransomware scan before proceeding with the restore process. This is an optional scan, the user can uncheck to skip the ransomware scan.
Let us know…
Please try it out and let us know. In this blog , we haven’t covered every possible scenario, and we know that you’ll have questions and concerns, so please contact us on Teams Group.