Tech ONTAP Blogs
I love the idea that, in general, there are no perfect synonyms. Every single word has the power to capture different nuances and express slightly different definitions of things, sentiments, flavors, etc. The richer a person's vocabulary is, the more precisely he or she can understand and describe the world. The best-seller 1984 is a dystopian novel written by the English writer George Orwell that perfectly describes the importance of language and the risks and implications of consolidating the vocabulary into a smaller group of words that can be multipurposed.
But, wait! How does this relate to the subjects we will explore in this post? Well, let me explain. The term snapshot immutability is sometimes used in a way that does not express its real purpose and definition. The purpose of this blog post is to provide you with the right understanding of the snapshot immutability and indelibility attributes. Are they the same thing? If not, are they mutually exclusive? What are their definitions and use cases? Keep reading to discover…
Snapshots are one of NetApp's crown jewels. They work like a time machine so that you can rewind your entire file system or application to a specific recovery point. Those copies can provide a very cost-effective way to meet the local protection needs of your 3-2-1 data protection strategy, to provision instantaneous space-efficient clones that can be used to accelerate innovation, to test and validate disaster recovery strategies and, more recently, to respond to AI regulations by providing model traceability.
Because ONTAP Snapshot uses a very efficient technique to create point-in-time copies, you can be very granular so that you minimize data loss as you restore to a prior point in time. Also, you may want recovery points that go back far into the past in the event that ransomware goes undetected for an extended period of time. For this, ONTAP supports more than 1,000 Snapshot copies per volume (1,023 Snapshot copies to be more precise).
All of this blended together can provide you with a lot of nearly instantaneously created recovery points that do not impact the performance of your environment and consume only a negligible amount of additional space, especially compared with traditional methods that require duplicating the entire data set every time you create a point-in-time copy. The benefits of this feature can be extended when you integrate with other NetApp technologies, like SnapCenter, SnapMirror, and SnapRestore, and even with third-party backup software to offload the recovery point creation and make the whole backup process much more efficient.
By definition, ONTAP Snapshot copies have always been immutable since their conception in the 1990s. While these efficient point-in-time copies are available so that end-users can navigate the file system hierarchy, use the content for data analytics to get insights out of this data or even self-restore some lost or corrupted data, everything is read-only, meaning that integrity is guaranteed and the data is protected against modification and deletion. In other words, if some malware gets access to that data, it cannot be encrypted or purged.
Below you can see what a Snapshot copy looks like from the end-user perspective. You can see that some recovery points were automatically created by the schedule set on the Snapshot Policy of this specific volume and there is even a snapshot that was automatically created by ONTAP just after some potentially nefarious activity was detected by Autonomous Ransomware Protection (ARP).
This operational snapshot folder aggregates all the Snapshot copies and then presents them in the form of subfolders from where the users can navigate through the hierarchy and copy file(s) back to their original folder or to alternate locations where necessary. However, even though everything is visible, the users are not allowed to delete or modify any content. See below that the operation was denied when I tried to delete a PDF file from an immutable snapshot copy:
This is what immutability is all about: protecting the contents of the Snapshot copies.
Indelibility, on the other hand, really means what the term implies. If someone gets administrative access to ONTAP and either accidentally or intentionally tries to delete your point-in-time data protection copies, the operation will be denied by the system. The action is blocked, even if the user was authenticated with Multi-Factor Authentication (MFA) and/or even if a group of approvers has allowed the action via the Multi-Admin Verification (MAV) process. Snapshots can be made indelible manually or automatically based on a retention period set by the administrator, and before this retention period expires the snapshots are locked to prevent deletion, even by authenticated and verified administrators, thereby protecting against accidental or malicious deletion.
Now, let’s see this in practice…
Of course, it is necessary to specify some retention period in order to lock the snapshots that are created either manually or automatically. For the scheduled Snapshot copies, the retention period can be set on the Snapshot policies. For example:
In addition to specifying the retention period on the Snapshot copies, the administrator must also initialize the SnapLock compliance clock for the volumes where tamper-proof snapshots will be created. Otherwise, the retention period specified will not take any effect. Initializing the SnapLock compliance clock is a mandatory step to ensure the integrity of the retention period, and this important setting prevents any tampering that tries to manipulate the system clock in order to bring forward the expiration of the retention period. This can be done when the volume is being created or after the fact. In this example, the volume already existed when the snapshot locking was enabled and the SnapLock compliance clock was initialized. After this clock is initialized, it can't be stopped or modified.
The Snapshot policy of this volume already had some retention period set, but it was not taking any effect because snapshot locking on the volume was disabled. Since an extended retention period can potentially increase storage space usage, because no one will be able to delete the snapshots before their retention period expires, ONTAP System Manager provides a notification so the administrator can acknowledge the potential impact. Just review, accept and click OK to proceed.
From this point on, every snapshot that has the retention period specified will be locked until this retention period expires, and the compliance clock can always be verified from the Volumes page in ONTAP System Manager.
Now if I try to delete a Snapshot copy that was created *AFTER* the Snapshot locking was enabled and the compliance clock was initialized on this particular volume, this operation will be denied and ONTAP System Manager will show a toast notification.
There are also internal guardrails to protect against an attempt to reduce the retention period. Even if the attacker tries to bring forward the expiration date/time, ONTAP will deny this operation, as you can see below:
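To make the distinction concrete, here is an added toy model (my own illustration, not ONTAP code and not how ONTAP implements these controls) that walks through the whole procedure above: snapshot contents are a read-only view (immutability), each snapshot carries an expiry on a forward-only compliance clock, deletion before expiry is denied no matter who asks, and the retention period can only be extended, never shortened (indelibility). The class names, the sample file and the clock values are assumptions made up for the example.

```python
# Added illustration, not ONTAP code. Immutability: snapshot contents are a
# read-only view. Indelibility: a snapshot carries an expiry on a forward-only
# compliance clock; deletion and retention reduction are denied before expiry.
from dataclasses import dataclass
from types import MappingProxyType

class ComplianceClock:
    """Once initialized, the clock can only advance, never be set back."""
    def __init__(self, start: int) -> None:
        self._now = start

    def now(self) -> int:
        return self._now

    def advance(self, seconds: int) -> None:
        if seconds < 0:
            raise PermissionError("compliance clock cannot be moved backwards")
        self._now += seconds

@dataclass(frozen=True)
class Snapshot:
    name: str
    files: MappingProxyType  # read-only view of the data: immutability
    expiry: int              # compliance-clock time; 0 means not locked

class Volume:
    def __init__(self, clock: ComplianceClock, retention_seconds: int = 0):
        self.clock, self.retention = clock, retention_seconds
        self.live = {}       # constructed live file system: path -> bytes
        self.snapshots = {}  # snapshot name -> Snapshot

    def create_snapshot(self, name: str) -> Snapshot:
        # A snapshot taken while a retention period is set is locked until it ends.
        expiry = self.clock.now() + self.retention if self.retention else 0
        snap = Snapshot(name, MappingProxyType(dict(self.live)), expiry)
        self.snapshots[name] = snap
        return snap

    def delete_snapshot(self, name: str) -> bool:
        snap = self.snapshots[name]
        if snap.expiry and self.clock.now() < snap.expiry:
            return False  # denied: still within its retention period
        del self.snapshots[name]
        return True

    def modify_expiry(self, name: str, new_expiry: int) -> bool:
        snap = self.snapshots[name]
        if new_expiry < snap.expiry:
            return False  # denied: retention can be extended, never shortened
        self.snapshots[name] = Snapshot(snap.name, snap.files, new_expiry)
        return True
```

Note that the model has no notion of who is calling: that is the point of indelibility, since MFA or MAV approval does not unlock a snapshot before its expiry.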
As you’ve observed, indelibility is an additional attribute on top of immutability that can protect your last line of defense (i.e. your recovery points – both on primary and secondary storage) against rogue admins, compromised administrative accounts or accidental Snapshot copy deletion.
While the terms immutability and indelibility can look interchangeable, they have totally different meanings in the context of data protection. Also, they are not mutually exclusive. They actually complement each other and harden the security posture of your intelligent data infrastructure to provide more layers of defense and protect against different attack vectors. In the context of ransomware protection, immutability means that Snapshot copies cannot be encrypted by some malware, whereas indelibility means that Snapshot copies cannot be undesirably deleted by a rogue admin. At NetApp we always look from different angles to make sure your data is secured against malware and bad actors.
For an overview of the security features built into NetApp ONTAP data management software, you can always take a look at the DATASHEET - Security features in ONTAP.