According to Sophos' The State of Ransomware 2023 report, the average cost to recover from a ransomware attack, excluding any ransoms paid, is $1.82M, and this number is only going to go up in the future. In today's data-centric landscape, an important line of defense against ransomware and cyber threats is the implementation of immutable and indelible backups. Far from being just standard backups, these are robust and secure solutions, engineered to be unchangeable and non-erasable. Immutable backups guarantee that your data remains intact and protected, providing a reliable safeguard for your digital assets.
Essential Data Security
Imagine Azure NetApp Files (ANF) snapshots as secure checkpoints for your data. These snapshots are point-in-time, read-only copies of your data, securely stored within the ANF volume. While inherently immutable, they can still be deleted. The goal is to protect these snapshots by copying the "daily" snapshot to a protected Azure blob space, which is configured to be both immutable and indelible.
This Azure blob space is not just any storage location; it is safeguarded by a data protection policy that prevents any changes or deletions of the snapshot until its predetermined retention period has expired. Immutable backups provide a range of benefits:
Ransomware Protection: Immutable backups are protected against ransomware attacks that attempt to encrypt or delete your data.
Threat Prevention: These backups guard against both internal and external threats that might try to compromise or destroy your backup data.
Regulatory Compliance: Immutable backups help ensure compliance with data regulations that mandate the maintenance of data integrity and authenticity.
Reliable Disaster Recovery: In the event of data loss, immutable backups enable a quick and accurate restoration of data.
The Scenario: Ensuring Data Durability
The process begins with the creation of an ANF snapshot in your production environment. This snapshot is a recorded state of your data at a specific moment in time. ANF Cross Region Replication (CRR) then replicates the volume, including the snapshots, to a secondary Disaster Recovery (DR) region.
In the DR region, NetApp BlueXP takes over, automatically copying the ./snapshot directory to a WORM (Write Once, Read Many) Azure blob, ensuring the immutability and indelibility of the backup. The defined lifecycle of this Azure Blob dictates the duration for which the backup will be retained. See the NetApp BlueXP screenshot below.
In summary, the key to securing your data's future is through the use of immutable, indelible backups. Azure NetApp Files and NetApp BlueXP not only allow you to create backups but ensure that your data remains unaltered and secure, prepared for any potential data threats. Your data is well-protected, providing peace of mind and operational continuity. Would you like to see for yourself how BlueXP can protect your data in Azure NetApp Files? Try this guided demo.
In the rapidly evolving landscape of Generative AI, the Retrieval Augmented Generation (RAG) framework is a game-changer, enabling foundation models to integrate private, contextual data for more informed responses. However, this innovation is not without its challenges. Data privacy, synchronization, and management complexity are just the tip of the iceberg. Companies must navigate the intricacies of data security, cost optimization, and scalability—all while ensuring compliance with regulations like GDPR and HIPAA. As we push the boundaries of Generative AI, addressing these challenges is critical for successful RAG implementation.
Hey there, dear cloud storage super stars…
Are you dealing with the most sought-after treasure in this world today?
Some refer to it as the new oil, others call it precious old gold—whatever the name, data commands respect!
The primary way to respect data is by giving it the necessary protection that it deserves, no matter where it is.
In the ever-evolving landscape of cloud computing, data protection remains a top priority for businesses.
Data is omnipresent, spread across the edge, core, and public cloud, driving the need for an overarching data protection suite that is seamless across all endpoints, enabling a fully secure hybrid cloud.
The approach to building a data protection strategy can start from any of these endpoints. In this blog, we’ll look at how NetApp, the world’s leading intelligent data infrastructure management company, comes together with Google Cloud to provide an array of options to protect your data with Google Cloud NetApp Volumes. It’s just our way of respecting data.
Google Cloud NetApp Volumes is a fully managed cloud-based storage service that delivers the rich data management features of NetApp® ONTAP® data management software, combined with Google's robust infrastructure backbone and network delivery services. It’s available in all Google Cloud regions, catering to a wide spectrum of workloads, ranging from shared files, databases, VMs, SAP, and GenAI.
It’s time to traverse the data protection landscape of NetApp Volumes. By leveraging features like NetApp Snapshot™ copies, backups, and cross-region replication independently or together, the data in NetApp Volumes can be fortified at various levels based on need.
Hop on the data protection ride for a full tour now.
Snapshot copies
One of the core data protection features of NetApp Volumes is the ability to create Snapshots: read-only copies of the volume at a specific point in time. They provide a way to recover data if it’s accidentally deleted or becomes corrupted.
With NetApp's advanced Snapshot technology, users can:
Create frequent Snapshot copies. Schedule regular Snapshot copies to capture changes in your data so that you have up-to-date recovery points. They can be scheduled at recurring time intervals and with configurable retention policies as per business needs.
Optimize storage utilization. Snapshot copies are space efficient, only storing changes made since the last Snapshot copy, which minimizes storage overhead.
Recover data instantly. Quickly revert to a previous state or spin up a new volume with the data present in the Snapshot copy.
Backup
While Snapshot copies play a key role in instant recovery of data, they are locally present on the same production system. There are several mantras to a data protection strategy; the first is to eliminate single points of failure. A step toward this goal is to maintain a full copy of the data in a second location that will ensure recovery if the production data is unavailable.
With NetApp Volumes, the data can be backed up to a backup vault (which is independent of the primary storage system) at a predefined cadence. These vaults are provisioned in the region where the production data resides. The recovery points are "incremental forever" to optimize the storage used by backups, contributing to a sustainable approach. This approach leads to a higher impact, especially when backups are being created for long-term retention.
The standard approach is to set up automated backups using a schedule so that the data is consistently protected without manual intervention.
To create a backup policy, you provide the retention count for each backup recurrence: daily, weekly, and monthly.
Then you can assign the policy to one or more volumes to kick-start the autopilot for protection.
Volume replication
The second mantra for data protection: “Expect the unexpected and always have a plan B.”
Although it’s unlikely, it’s possible for a region to go down unexpectedly or enter a degraded state. If the applications can’t be switched to another region so that operations can resume within a reasonable time, the outcome can be disastrous to the business.
Data is always the focal point of a business continuity and disaster recovery (BCDR) plan. With NetApp Volumes, data can be asynchronously replicated across different geographic locations—that is, regions in Google Cloud—at a predefined interval, such as a recovery point objective (RPO) as low as 10 minutes.
By implementing a BCDR plan with NetApp Volumes, a copy of data is always available in the DR region when it’s needed the most:
Disaster recovery. Maintain a replica of your data in a separate region, so that data is available even if one region experiences issues.
Business continuity. Minimize the impact of regional outages or data center failures by enabling instantaneous failover to replicated volumes.
A business continuity plan can be brought into effect by using an automated workflow with the following inputs from the end user:
Source volume
RPO interval
Storage pool in the destination
DR region
Volume name for the DR volume and the name of the share
The volume is automatically created in the destination region and the replication is initiated per the specified RPO window.
The DR drill can start right away, allowing failover to the DR region, resynchronizing data back with a region that was down, and finally reversing the roles of the regions after complete recovery.
Regional volumes
Another fault domain for consideration is within a region, where a zone could encounter an outage leading to business downtime.
With the Flex service level, the storage pools can be configured with regional availability, by selecting two zones in a region for data availability.
The production volume is hosted in the active zone, and a cross-zone synchronous replication is established to the replica zone to provide high availability across zones.
If the active zone is down, the volume will automatically fail over, and data will continue to be served from the replica zone.
The same setup can also be used to enforce a manual zone switch, in which all the data access switches over to the replica zone (the new active) and the former active zone takes the back seat as the new replica zone.
A typical day with NetApp Volumes
Now that we’ve taken a look at the foundational data protection features of Google Cloud NetApp Volumes, let’s see how a financial institution such as a bank can leverage these capabilities to safeguard their business-critical data.
On a regular business day, the data that’s being created, stored, and retrieved for bank operations holds the highest importance. To safeguard the bank’s interest as well as that of its customers, multiple levels of protection need to be put in place for the business-critical data.
With NetApp Volumes, a volume that contains customer information and associated financial records is provisioned as a regional volume that provides data availability even if a zone fails, addressing the standard near-DR objective. As an added measure, this volume is replicated to another volume in a different region, addressing the far DR measures.
For high-speed recovery, the production volume is configured with a Snapshot schedule that maintains point-in-time representations of data for every business hour in a day. These Snapshot copies will be retained for 7 business days or more as needed, and they can be used for instantaneous recovery if data is accidentally deleted or becomes corrupted.
For compliance and long-term retention, the bank implements a backup program, where a copy of the data in the volume will be backed up to a backup vault at the end of every business day, week, and month. These backups will be retained for 7 days, 12 weeks, and 60 months respectively, providing the bank a compliance coverage period of 5 years.
In this way, the bank can meet its data protection objectives in a few clicks by using the built-in capabilities of NetApp Volumes.
How about a second line of defense?
The defending power of a fort is only as strong as its weakest wall. Likewise, the smallest loophole in securing data is all that it takes for a breach.
Considering that, NetApp Volumes also delivers a host of additional features aimed at strengthening the walls to our data fort.
Encryption
Data encryption is crucial for protecting data both at rest and in transit. With NetApp Volumes, the data is encrypted with Google’s built-in, default encryption scheme that’s based on AES-256.
Alternatively, end users can take control and encrypt their data by integrating with customer-managed encryption keys (CMEK). In either case, the settings are handled at the storage pool level, and the encryption scheme applies to all the volumes contained within the pool.
For a deeper dive, please refer to https://community.netapp.com/t5/Tech-ONTAP-Blogs/Customer-managed-encryption-keys-with-Google-Cloud-NetApp-Volumes/ba-p/455107
Access controls and audit logging
Integrating with Google Cloud’s audit logs service, you can enable the collection of audit logs for the operations in NetApp Volumes by navigating to the logs explorer and providing the following parameters in the query builder:
resource.type="audited_resource" resource.labels.service="netapp.googleapis.com"
That’s all that it takes—now every activity corresponding to NetApp Volumes will be logged and reported.
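As an added example (not from the original post, nor NetApp or Google code): a Python triage script over exported audit entries that applies the same filter as the query above and flags principals who delete several snapshots or backups in a short window. The log lines are constructed, and the method names, principals, threshold and window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries (LogEntry-shaped JSON); method names and principals are assumptions.
SAMPLE_LOG = """\
{"timestamp":"2024-05-01T09:00:00Z","resource":{"type":"audited_resource","labels":{"service":"netapp.googleapis.com"}},"protoPayload":{"methodName":"google.cloud.netapp.v1.NetApp.CreateSnapshot","authenticationInfo":{"principalEmail":"scheduler@example.com"}}}
{"timestamp":"2024-05-02T02:14:05Z","resource":{"type":"audited_resource","labels":{"service":"netapp.googleapis.com"}},"protoPayload":{"methodName":"google.cloud.netapp.v1.NetApp.DeleteSnapshot","authenticationInfo":{"principalEmail":"ops-admin@example.com"}}}
{"timestamp":"2024-05-02T02:14:40Z","resource":{"type":"audited_resource","labels":{"service":"netapp.googleapis.com"}},"protoPayload":{"methodName":"google.cloud.netapp.v1.NetApp.DeleteSnapshot","authenticationInfo":{"principalEmail":"ops-admin@example.com"}}}
{"timestamp":"2024-05-02T02:15:00Z","resource":{"type":"audited_resource","labels":{"service":"example.googleapis.com"}},"protoPayload":{"methodName":"example.v1.Example.DeleteSnapshot","authenticationInfo":{"principalEmail":"ops-admin@example.com"}}}
{"timestamp":"2024-05-02T02:16:10Z","resource":{"type":"audited_resource","labels":{"service":"netapp.googleapis.com"}},"protoPayload":{"methodName":"google.cloud.netapp.v1.NetApp.DeleteBackup","authenticationInfo":{"principalEmail":"ops-admin@example.com"}}}
{"timestamp":"2024-05-02T11:00:00Z","resource":{"type":"audited_resource","labels":{"service":"netapp.googleapis.com"}},"protoPayload":{"methodName":"google.cloud.netapp.v1.NetApp.DeleteSnapshot","authenticationInfo":{"principalEmail":"alice@example.com"}}}
"""

DESTRUCTIVE_PREFIXES = ("Delete", "Stop")  # assumed naming of calls that remove protection
PROTECTION_KINDS = ("Snapshot", "Backup", "Replication")

def matches_page_filter(entry):
    """Same predicate as the Logs Explorer query quoted above."""
    res = entry.get("resource", {})
    return (res.get("type") == "audited_resource"
            and res.get("labels", {}).get("service") == "netapp.googleapis.com")

def destructive_events(lines):
    """Yield (time, principal, operation) for calls that remove recovery points."""
    for line in lines:
        entry = json.loads(line)
        if not matches_page_filter(entry):
            continue
        payload = entry.get("protoPayload", {})
        op = payload.get("methodName", "").rsplit(".", 1)[-1]
        if op.startswith(DESTRUCTIVE_PREFIXES) and any(k in op for k in PROTECTION_KINDS):
            ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
            who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
            yield ts, who, op

def burst_principals(lines, threshold=3, window=timedelta(minutes=10)):
    """Map principal -> destructive call count, for those with a burst inside the window."""
    by_who = defaultdict(list)
    for ts, who, _ in destructive_events(lines):
        by_who[who].append(ts)
    flagged = {}
    for who, times in by_who.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged[who] = len(times)
    return flagged
```

Run `burst_principals(SAMPLE_LOG.strip().splitlines())` on the constructed sample to see the one principal whose deletions cluster inside the window; a single deletion by another user is recorded as an event but not flagged.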
For role-based access control (RBAC), NetApp Volumes provides two predefined identity and access management (IAM) roles in Google Cloud—admin and viewer—that can be assigned to users. If there is a need, administrators can also configure a custom user role with a specific set of permissions and assign it to a user.
Compliance and regulatory support
For organizations subject to regulatory requirements, NetApp Volumes has bagged multiple certifications:
SOC 1 Type 2
SOC 2 Type 2
SOC 3
HIPAA
The service goes through regular third-party audits that include comprehensive testing of the design, security standards, and operating effectiveness of the controls within each audit period.
Conclusion
Google Cloud NetApp Volumes delivers a comprehensive suite of features designed to protect the integrity, availability, and confidentiality of data. With capabilities such as Snapshot copies, integrated backup solutions, volume replication for BCDR, encryption, and robust access controls, businesses can confidently leverage cloud storage while maintaining stringent data protection standards. By using these features, organizations can effectively safeguard their data against loss, corruption, and unauthorized access, supporting a resilient and secure cloud infrastructure.
The power to protect is always in your hands—and with Google Cloud NetApp Volumes, it’s a superpower!
Getting started with BlueXP is easier than you think. Learn what you can do with a simple login, and how you can tap into BlueXP's full potential by deploying a Connector in your environment of choice.
BlueXP Alerts is a service designed to help you stay informed about issues and potential risks in your NetApp ONTAP environment. Whether you're managing on-premises NAS or SAN storage, BlueXP Alerts provides a consolidated view and drill down into storage issues.