The Air-Gapped, Immutable Storage Future is Now
A growing number of businesses are falling prey to malware, with attackers increasingly targeting backups. Here’s how tape, immutability, and air gapping can protect your data.
Table of Contents
In today’s environment, most businesses know it’s only a matter of time before they will be hit with malware, including ransomware. More often than ever, these malicious attacks are targeting backups. A May 2022 report from Veeam, for example, found that 94% of attackers attempted to destroy backup repositories. In 72% of the cases, their efforts were at least partially successful.
With backups and storage clearly in the crosshairs, organizations need to address the risks head on. Yet, a 2022 survey by Pure Storage found that only 49% of organizations take extra measures of protection for their backup copies.
To combat this growing problem, proactive companies are turning to three basic solutions: tape, immutability, and air gapping. While none of these technologies are new, they can be effective, especially when combined.
Pros and Cons of Tape Storage and Backup
Tape is the oldest and most maligned method of data backup and storage. However, because it is offline, it is intrinsically air-gapped and immutable. What’s more, it’s often stored offsite. Tape also provides write-once-read-many (WORM) technology, so it can never be overwritten or deleted.
Some tape vendors have even upped the ante with additional protections. For example, Quantum Corp. now lets users of some of its Scalar tape libraries set tapes to eject partially, creating a physical air gap. That way, the tapes can’t be seen or chosen by a malicious bot.
Tape does have its drawbacks. A notable drawback is that tape only works for data that’s no longer used or used very infrequently.
Most businesses today don’t want the hassle or labor involved in tape storage and backup. They would much prefer cloud-based or at least data center-based technology – a combination of cloud, virtual, and physical.
Why Immutability Is Important
Keeping data safe in any environment requires immutability and/or air gapping.
Immutability means that files can’t be modified during a set retention time, making it ideal for data that must be preserved intact for long periods. Businesses can set immutability to expire or remain in place indefinitely. When the immutability does expire, the data can be accessed or deleted, according to the rules set.
Immutable backup and storage offer multiple benefits. In terms of security, immutability will protect data against malicious actors. However, immutability can also help avoid accidental file deletion or modification, improve compliance and data authenticity, speed up disaster recovery times, and protect backups against retention policy changes and deletion of restore points.
The immutability concept has been associated traditionally with object storage because object storage is intrinsically immutable. It’s also standard today for object storage to employ object locking, which is the same type of technology that most immutable technology use. Additionally, because object storage systems essentially split files up into thousands of encoded and encrypted pieces, object storage will usually stymie hackers.
While these capabilities are valuable, object storage doesn’t work in every scenario. File and block storage systems, for example, are much better suited for structured data. Production data isn’t a good candidate for immutability because users will probably want to modify it at some point.
But there’s good news: More vendors than ever are applying immutability to more than just object storage.
“It goes back to the evolution from hardware media-based WORM to software-based technology,” explained Paul Speciale, chief product officer at Scality, an object storage vendor. “Ultimately, all storage sits on top of underlying block storage, so immutability has to be enforced at the software layer managing the storage.”
How Air Gapping Works
Another way to improve data security is through air gapping, a technique that keeps a separate copy of backups disconnected from the network. The air-gapped copy is often stored at an offsite location.
There are two basic types of air gaps:
A physical air gap disconnects the backup from the network after it is written, then reconnects the network.
A logical air gap sends backups to a physically separate location. Backups, however, aren’t completely disconnected from the network. The backup software does the heavy lifting, preventing the backups from being overwritten or deleted.
An offshoot of the air-gapping method is the data vault or cybervault – an offline place that is physically and logically isolated from the production environment.
Despite the effectiveness of air gapping, relatively few organizations take advantage of the technology. An Enterprise Strategy Group survey found that only 30% of organizations have deployed an air gap that separates production and backup networks.
Immutability, Air Gapping, or Both?
So, how should you go about incorporating at least one of these data protection methods into your technology stack and processes? According to Christophe Bertrand, a practice director at Enterprise Strategy Group, it’s both an architecture- and business-driven decision.
“It depends on your objective. If it’s to strengthen or harden the backup infrastructure, you need backups that go on immutable storage of some type,” Bertrand said. “If you need archives for compliance purposes that you have to demonstrate can’t be adulterated, then which storage tier becomes another question. If you have to keep data for 30 years, you don’t want to put it on expensive disks.”
In addition to determining the best architectural option, there are, of course, economic considerations to make, said Oscar Arean, a technical director at Databarracks. “In some cases, one of these options might sound like a great idea at first, but, in reality, it could really increase your backup costs,” Arean explained. “It’s about balancing the additional cost with the potential risk and figuring out what makes sense for your particular case.”
If you can swing it, consider products that include both immutability and air gapping. Bertrand went as far as to say data protection isn’t complete without both, plus the right cybersecurity protections.
“It’s one thing to make the data immutable so it can’t be modified, but that doesn’t mean that somebody still couldn’t access it, read it, and exfiltrate something by gaining access to some intelligence,” Bertrand said. “It’s important also to air gap some of your data and make it immutable so it’s only connected to the network when it’s backing up or making a copy.”
What To Consider Before You Buy
Before blasting through your tech budget to achieve the right levels of immutability and air gapping, it makes sense to reevaluate what you already have. While it may be time for a refresh, especially if your technology is more than few years old or hardware-based, it pays to examine the features available in your existing technologies. Many vendors continue to upgrade their offerings with these features.
If you opt for a replacement, do your homework, Arean said. Make sure the new technology is compatible with existing or planned technology. In addition, the replacement should allow for layers of control to manage the storage over time.
Most importantly, organizations must understand that air-gapped and immutable backups and storage are the last line of defense, not the first.
“This does not replace network firewalls, network protection, or application protection,” Speciale stressed. “It’s just part of the stack and should be considered the last line of defense.”
About the Author
You May Also Like