What do I start with for Cyber Resiliency? Start small, take Safeguarded Copies!

So, that’s a big broad topic, but it’s a really good question.  It’s actually one that comes up more times than you might think.  There’s also a lot behind that question, if I start to “unpack it”, a lot of discussion emerges:

• What are the most important applications you have to recover?
• How do they relate to each other, and to the business when you recover them?
• What ‘runs’ the business that needs to be recovered to be operational again?

Are you sensing a theme yet?  For me, it starts with recovery, how am I going to recover the data in the event of a ransomware or some other type of malicious activity.  So, how am I going to recover that data then helps me set the foundation.  Once I’ve got a handle on that, then we can get to some really interesting questions around augmenting detection, validation, integrating with Security and more.  We’ll dive into more of these topics in the next couple weeks. 

Now, back to recovery; I look at recovery across my different data ‘at rest’ resources, so that could be primary storage like a FlashSystem or backup storage like Defender Data Protect or archive copies or other repositories like S3 buckets.    

There are two types of attacks that I think are worth considering at the outset, these aren’t the only ones but they are worth thinking about when you get started.

• The first one is a data corruption attack, meaning the host or whatever is writing the data to the storage system is being used to corrupt the data.  Say, like a ransomware attack.
• The other attack vector, if you will, is an infrastructure attack, meaning what happens if a malicious actor gets access to my storage system and tries to remove the backups, or delete the LUNs or something like that. This second attack vector I’ll come back to in a subsequent blog.  

Now, I know I want to recover, and yes, my backup platform is a great source for recovery, but its not the only one!  Being able to use a primary storage system, like the IBM FlashSystem, gives me a couple of advantages if I’m able to use it as an additional recovery option.  Wait, what?  Here’s why I like the option to recover a workload from a FlashSystem;

• I have the potential to get closer to an RPO goal with it; if I’m able to recover the application from a snapshot, one I’ve taken say every few hours, then I might be able to minimize my potential loss of transactions
• I have the potential to get back to production speed faster; since I’m using an IBM FlashSystem, for example, I can revert the snapshot within 60 seconds and mount the volume to the host. How long would it take if I had to restore from a backup?  Well, if we take the example of a 45TB DB and an 10GbE network, I posed that question to an AI tool, I’ve done the math before, but I was curious what would come out.

AI Final estimate

Turns out, it was pretty close to my math.

What does that mean?  Well, that means I’m waiting for say 12 hours to see if that copy was good, or if I was able to test it off the backup system, and I knew it was good, that means I’m waiting around 12 hours to get back to production level speed for a workload that might be supporting key transactions for my business.

• Validate?  Yes, that’s my other step, how do I validate the workload, well if I can mount the volume in 60 seconds, that means I can test if that copy of the data is valid or victimized at production storage speed.  As @Matt Key might say, IBM 5^th Generation FlashCore modules have a “lot of read in them”, so I get to put that to use.   Eventually, I could get to the point where I’m doing that proactively but remember, let’s start small.

So, how do I start small?

• Start with creating Immutable Copies of your volumes on your IBM FlashSystem.  That’s my first step. 

Why?  Well, you get to do a couple things;

• You get to have a copy that’s in addition to your backup.
• You get to have a copy that might be more frequently taken than your backup.

Wait what? That’s right, you can have the IBM FlashSystem take more frequent copies than you might run backups. 

What’s a good frequency to start?

• How about every 4 hours?  That’s a place to start, just to set a first policy and then you can try a practice test recovery.  Do that for a couple volume groups and well, now you have active recovery points throughout the day.

So, if you haven’t guessed by now, IBM FlashSystem includes the ability to take policy governed immutable snapshots that can’t be deleted, only expired by policy metrics. Those Safeguarded Copies can’t even be addressed in the system, if you want to use them, you can take a snapshot of that Safeguarded Copy to test and work from. Or, you could just ask IBM FlashSystem.ai.

Now, you’ve got 6 copies in a day, and they are all thin provisioned and you can keep them for a couple days and you have a place to start in terms of recovery.

So, what’s a good resource on IBM Safeguarded Copy?  I have an IBM FlashSystem and I want to start small and take Safeguarded Copies?  Here’s my top resource – it’s an IBM Redpaper - Data Resiliency Designs: A Deep Dive into IBM Storage Safeguarded Snapshots.

What’s an easy way to start small, well if you don’t know if you have a Safeguarded Copy policy attached to anything yet, well what about this – Hey IBM FlashSystem, “Can you create a table for me of all the hosts and the Volume mappings; include which have  a Safeguarded snapshot policy attached?”

Now the answer! (I expanded the window) and I can download the table if I want to!

Then how about Hey IBM FlashSystem “can you show me the steps in the GUI to create a safeguarded snapshot for a volume group”

Getting started with cyber resilience doesn’t require a complete transformation overnight. By introducing immutable recovery points with IBM FlashSystem Safeguarded Copies, you can take a practical and impactful first step toward faster recovery, reduced risk, and greater operational confidence. As you build on this foundation, you’ll be better equipped to strengthen your overall resilience strategy and protect your most critical data.

Learn more about how IBM FlashSystem can help you accelerate cyber recovery and strengthen resilience by visiting www.ibm.com/flashsystem and clicking “Take the cyber resilience assessment”.