Once again, the IBM TechU live event is virtual. The COVID-19 pandemic has not been kind to the IT conference industry. This is a 4-day live event, October 25-28, with the option to watch replays until December 28. Here is my summary for Day 3.
- [s204162] IBM Spectrum Protect Blueprint - 2021
Jason Basler presented this session.
The IBM Spectrum Protect blueprints combine a reference configuration with automation to build the solution, including configuration validation and performance tests. Sizing guidance is offered in "tee-shirt sizes": extra small, small, medium, and large.
Configurations are available to deploy servers on AIX, Linux x86_64, Linux on Power, and Microsoft Windows. There are also blueprints for deployment to the Public Cloud, including Amazon Web Services, Microsoft Azure, and IBM Cloud.
As new features are introduced in the software, and new hardware models are available to deploy with, these blueprints have to be kept up-to-date. The latest blueprints v4.3 support Lenovo SR650 and IBM POWER9 servers with IBM FlashSystem 5000 and Elastic Storage models. A new feature in Spectrum Protect 8.1.12 allows you to tune the minimum deduplication extent size on a per-node basis, at 50KB, 250KB or 750KB sizes.
If your existing deployment was not done with a blueprint, consider using the blueprint to perform a health check: for example, do you have a large amount of ingest while your database and storage pools are too small for it? You can download the latest at the following links:
- [s204098] Setting up IBM Spectrum Protect and IBM Spectrum Protect Plus in a Multi-tenant Architecture
Thomas Bak, CEO of Auwau, presented.
The company name "Auwau" is derived from "automation with a Wow! factor". Auwau is an independent software vendor (ISV) that produces the Cloutility software. It is designed for Cloud Service Providers (CSP) and Managed Service Providers (MSP) to offer IBM Spectrum Protect and Spectrum Protect Plus deployments as a cloud "as-a-service" utility.
The multi-tenancy can also apply to virtual machines protected with IBM Spectrum Protect for Virtual Environments (SP4VE). Reporting can be done at various levels of departmental granularity. For login security, Cloutility adds single sign-on via CAC and two-factor authentication (2FA/MFA).
- [s204158] Survey of IBM Spectrum Protect cloud capabilities and solutions
Jay Calder, IBM Senior Software Engineer for IBM Spectrum Protect server development, presented this session.
Object Storage is a highly scalable storage architecture for unstructured data, accessed over HTTP methods such as GET, PUT and POST. Object Storage can be on-premises, such as the IBM Cloud Object Storage solution, or at an off-premises public cloud provider, such as Amazon Web Services, IBM Cloud, Google Cloud Platform, or Microsoft Azure. The Amazon S3 API is the de facto standard for this HTTP-based access.
Spectrum Protect has two kinds of container storage pools: directory and cloud. Data in them can be deduplicated, compressed and encrypted. You can back up directly to the cloud container pool, or back up to a directory container pool on flash or disk first and later tier the data to the cloud container pool.
The disk-to-cloud method provides an on-premises copy for "operational recovery". The tiering can be done by age, or by inactive state. However, since deduplication keeps a single copy of a chunk of unique data, it is possible that the same chunk will exist in both the directory container pool, and again in the cloud container pool. In other words, if a backup copy is "tiered" from one pool to the other, many of its extents may be left behind if they are common with other backup copies.
Extents, typically 50-300KB in size, are combined into containers of about 1GB each, which improves GET/PUT performance. Cloud container reclamation squeezes out extents that are no longer needed, so that containers become denser in valid data. The process is controlled by the PCTUNUSED parameter on the STGRULE ACTIONTYPE=RECLAIM. Beware of the price trade-off: you may have to pay the Cloud Storage Provider for the GET/PUT traffic in order to reduce your residency cost.
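The two effects described above (shared extents staying behind on disk when an object is tiered, and a container being reclaimed once its unused share passes a threshold) are easier to see in a small model. The following is an added example written for this summary; it is not IBM code and does not reproduce Spectrum Protect's actual data structures. The extent sizes, object names and container ids are constructed sample data, and `pct_unused`/`reclaim_candidates` are this model's stand-ins for what the PCTUNUSED parameter controls.

```python
"""Toy model of deduplicated container pools (constructed example, not IBM code).
Shows two effects from the talk: tiering a backup object from the directory pool
to the cloud pool leaves behind any extents shared with other objects, and a
reclaim threshold (cf. PCTUNUSED) selects containers that are no longer dense
with valid data."""
from collections import defaultdict

# Constructed sample data: extent id -> size in KB (real extents are ~50-300 KB).
EXTENT_KB = {"e1": 50, "e2": 250, "e3": 100, "e4": 300, "e5": 200, "e6": 150}

# Backup objects (client files) and the extents they consist of after dedup.
OBJECTS = {
    "nodeA/docs.tar": ["e1", "e2", "e3"],
    "nodeA/photos.zip": ["e2", "e4"],     # shares e2 with docs.tar
    "nodeB/vm.vmdk": ["e3", "e5", "e6"],  # shares e3 with docs.tar
}


class ContainerPool:
    """Tracks which container holds each extent and which objects reference it."""

    def __init__(self, name):
        self.name = name
        self.container_of = {}            # extent -> container id
        self.refs = defaultdict(set)      # extent -> objects referencing it
        self.members = defaultdict(list)  # container -> extents stored in it

    def ingest(self, obj, extents, container):
        """Store an object's extents; an extent already in the pool is not stored twice."""
        for e in extents:
            if e not in self.container_of:
                self.container_of[e] = container
                self.members[container].append(e)
            self.refs[e].add(obj)

    def pct_unused(self, container):
        """Share of a container's bytes belonging to extents nobody references any more."""
        total = sum(EXTENT_KB[e] for e in self.members[container])
        unused = sum(EXTENT_KB[e] for e in self.members[container] if not self.refs[e])
        return 100.0 * unused / total if total else 0.0

    def reclaim_candidates(self, pctunused):
        """Containers whose dead space reaches the threshold and are worth rewriting."""
        return sorted(c for c in self.members if self.pct_unused(c) >= pctunused)


def tier(obj, src, dst, dst_container):
    """Move one object's references from src to dst.

    Returns (copied, left_behind): every extent of the object is copied to dst,
    but extents that other objects in src still reference stay physically
    present there as well, so the same chunk now exists in both pools."""
    extents = OBJECTS[obj]
    dst.ingest(obj, extents, dst_container)
    left_behind = []
    for e in extents:
        src.refs[e].discard(obj)
        if src.refs[e]:
            left_behind.append(e)
    return sorted(extents), left_behind


def simulate():
    """Ingest three objects on disk, tier one to cloud, then evaluate reclamation."""
    disk, cloud = ContainerPool("directory"), ContainerPool("cloud")
    disk.ingest("nodeA/docs.tar", OBJECTS["nodeA/docs.tar"], "c1")
    disk.ingest("nodeA/photos.zip", OBJECTS["nodeA/photos.zip"], "c1")
    disk.ingest("nodeB/vm.vmdk", OBJECTS["nodeB/vm.vmdk"], "c2")
    copied, left = tier("nodeA/docs.tar", disk, cloud, "cloud-c1")
    return {
        "copied_to_cloud": copied,
        "left_behind_on_disk": left,
        "c1_pct_unused": round(disk.pct_unused("c1"), 1),
        "c2_pct_unused": round(disk.pct_unused("c2"), 1),
        "reclaim_at_10": disk.reclaim_candidates(10),
        "reclaim_at_5": disk.reclaim_candidates(5),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running it shows that tiering `nodeA/docs.tar` copies all three of its extents to the cloud pool, yet `e2` and `e3` stay on disk because other objects still use them; only `e1` becomes dead space, which is why container `c1` is a reclaim candidate at a 5% threshold but not at 10%.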
Cloud container pools can have an on-premises "cloud read cache" to improve restore performance. The restore's extent list is scanned in advance, and if 10 or more extents from a single container will be needed in the next 2 minutes, Spectrum Protect GETs the entire 1GB container down to the local read cache rather than issuing 10 separate GET requests for individual extents. The Cloud Read Cache is most useful for large restores from a cloud with high bandwidth, such as 10 Gbps or higher.
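To make the read-cache rule concrete, here is an added planner written for this summary (not IBM code, and not how the product internally schedules its GETs). It applies exactly the rule stated above, 10 or more extents from one container within a 2-minute look-ahead, to a constructed restore plan, and also handles the case where a container is already in the cache. The constants and the `(extent, container, seconds)` plan format are assumptions of this example.

```python
"""Planner for an on-premises cloud read cache (constructed example, not IBM code).
Applies the rule from the talk: if 10 or more extents from one container are
needed within the next 2 minutes, GET the whole container into the local cache
instead of issuing one GET per extent; otherwise fetch extents individually."""
from collections import defaultdict

CONTAINER_GET_THRESHOLD = 10   # extents from a single container needed soon
LOOKAHEAD_SECONDS = 120        # "in the next 2 minutes"

# Constructed restore plan: (extent id, container id, seconds until the restore needs it).
RESTORE_PLAN = (
    [(f"x{i}", "cont-A", 5 * i) for i in range(12)]     # 12 extents, all within 55 s
    + [(f"y{i}", "cont-B", 3 * i) for i in range(4)]    # only 4 extents from cont-B
    + [(f"z{i}", "cont-C", 15 * i) for i in range(12)]  # 12 extents spread over 165 s
)


def plan_gets(restore_plan, now=0, cached=frozenset()):
    """Decide, at time `now`, how to fetch each container's extents that fall inside
    the look-ahead window. Returns {container: {"mode": ..., "extents": [...]}} where
    mode is "cached" (already in the read cache), "container" (one whole-container
    GET) or "extent" (one GET per extent)."""
    window = defaultdict(list)
    for extent, container, needed_at in restore_plan:
        if now <= needed_at <= now + LOOKAHEAD_SECONDS:
            window[container].append(extent)
    plan = {}
    for container, extents in window.items():
        if container in cached:
            mode = "cached"
        elif len(extents) >= CONTAINER_GET_THRESHOLD:
            mode = "container"
        else:
            mode = "extent"
        plan[container] = {"mode": mode, "extents": extents}
    return plan


def count_requests(plan):
    """Number of GET requests the plan issues (the cost driver on a metered cloud)."""
    total = 0
    for entry in plan.values():
        if entry["mode"] == "container":
            total += 1
        elif entry["mode"] == "extent":
            total += len(entry["extents"])
    return total


if __name__ == "__main__":
    plan = plan_gets(RESTORE_PLAN)
    naive = sum(len(e["extents"]) for e in plan.values())
    for container, entry in plan.items():
        print(f"{container}: {entry['mode']} ({len(entry['extents'])} extents in window)")
    print(f"GET requests: {count_requests(plan)} instead of {naive}")
```

In the sample plan, `cont-A` qualifies for a whole-container GET (12 extents due within a minute), `cont-B` does not (only 4), and `cont-C` does not either even though it has 12 extents overall, because only 9 of them fall inside the 2-minute window; the planner issues 14 requests instead of 25, and 13 if `cont-A` is already cached.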
Spectrum Protect's own Db2-based inventory database can also be backed up directly to cloud object storage.
The Spectrum Protect server can emulate an S3 storage endpoint. Spectrum Protect Plus (SPP), as well as any S3 object agent or other backup software, can now PUT backups directly to the IBM Spectrum Protect server. Once the data arrives at the Spectrum Protect server, it can be stored either in a directory container pool or cloud container pool, emulating S3 Standard, or in a tape storage pool, emulating S3 Glacier.
Lastly, you can also run the Spectrum Protect server itself in the cloud. IBM Spectrum Protect blueprints are available to provide guidance.
- [s203992] Hardening your Spectrum Protect Environment Against Cyber-Attacks
Dan covered a lot of different tips and techniques to protect your backup infrastructure.
Protecting the Spectrum Protect servers starts with hardening the machines they run on, including the operating system options, to defend them against ransomware and other malware. Backup servers are a popular target for hackers, so Dan recommends not putting the Spectrum Protect server on a Windows operating system.
Protect the communication pathways: the networks that connect clients to servers, admins to servers, and servers to other servers. Security enhancements were introduced in the Spectrum Protect 7.1.8 and 8.1.2 releases, including Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption of the communications between administrator and server.
Don't share the same user ID/password across all of your admins. Each admin should have their own user ID and password. Spectrum Protect's Command Approval feature requires a second administrator's approval for certain destructive commands. LDAP or Active Directory can be used to enforce complex password rules.
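The value of individual admin IDs plus command approval is that no single account can run a destructive command alone. The following added model illustrates that separation-of-duties rule; it is written for this summary and is not the Spectrum Protect implementation of Command Approval. The list of commands treated as destructive, the admin names and the request-id scheme are constructed for the example.

```python
"""Two-person rule for destructive administrator commands (constructed model, not
the Spectrum Protect implementation). Each admin acts under their own ID; a
command on the destructive list is parked until a *different* administrator
approves it, so a single compromised or careless account cannot run it alone."""

# Constructed list of commands treated as destructive for this model.
DESTRUCTIVE = {"DELETE FILESPACE", "DELETE VOLUME", "REMOVE NODE"}


class ApprovalGate:
    def __init__(self):
        self.pending = {}      # request id -> (requesting admin, command)
        self.executed = []     # (admin, command, approver or None), in order
        self._next_id = 1

    def submit(self, admin, command):
        """Run non-destructive commands immediately; queue destructive ones."""
        verb = " ".join(command.upper().split()[:2])
        if verb in DESTRUCTIVE:
            req_id = self._next_id
            self._next_id += 1
            self.pending[req_id] = (admin, command)
            return ("pending", req_id)
        self.executed.append((admin, command, None))
        return ("executed", None)

    def approve(self, approver, req_id):
        """Execute a queued command only if the approver is a different admin."""
        requester, command = self.pending[req_id]
        if approver == requester:
            return ("rejected", "requester cannot approve their own command")
        del self.pending[req_id]
        self.executed.append((requester, command, approver))
        return ("executed", command)


def demo():
    """Alice queries freely, but her delete waits until Bob, not Alice, approves it."""
    gate = ApprovalGate()
    gate.submit("alice", "QUERY NODE *")
    status, req = gate.submit("alice", "DELETE FILESPACE nodeA *")
    self_attempt = gate.approve("alice", req)   # blocked: same admin
    peer = gate.approve("bob", req)             # allowed: second admin
    return gate, status, self_attempt, peer


if __name__ == "__main__":
    gate, status, self_attempt, peer = demo()
    print("delete request:", status)
    print("self-approval:", self_attempt)
    print("peer approval:", peer)
    print("executed log:", gate.executed)
```

The important property is the one checked in `approve`: the approver identity comes from a separate login, which is only meaningful if admins do not share a user ID in the first place.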
Protect the Spectrum Protect client nodes. Each client should have its own password, and only access its own backups. Client-side audit logging can be used as well.
Consider using all of the support and alerting tools available to you, and follow strong testing and software-currency policies. Subscribe to and read IBM Flash emails, and install critical emergency updates. If using Spectrum Scale, File Audit Logging and SIEM automation can also be helpful. Monitor your workloads with ServerMon, the IBM Spectrum Protect monitor that is built in and always on by default.
Dan recommends simplifying the server and client infrastructure by using consistent naming conventions, release levels, and policies: keep all of the servers on the same operating system and Spectrum Protect version/release level, and standardize Spectrum Protect client levels for each operating system type. Keep client option sets on the server (Clopts) that override individual client settings for key parameters. These steps help reduce mistakes and simplify administration.
Lastly, as a bonus topic, Dan covered data spill recovery. A data spill occurs when secret, confidential, or sensitive data is accidentally written to storage that does not have the appropriate level of security; for example, a file containing birthdates and social security numbers written to a shared file space. If this data is then backed up, we need to clean up not just the source file but every backup that contains this data. To learn more, read the NIST 800-88 publication, which explains both the shredding and the cryptographic erase data sanitization techniques.
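The spill-recovery point has two halves: find every backup copy of the spilled content, then sanitize each one. The added example below, written for this summary and not taken from IBM or NIST, models that with cryptographic erase, the NIST 800-88 technique in which destroying a copy's key makes its stored ciphertext unrecoverable without overwriting the media. The backup catalog, the copy-id naming and the sample records (with obviously fake personal data) are constructed; the HMAC-SHA256 counter-mode keystream is a stand-in for the AES a real product would use and is used here only so the block runs with the standard library.

```python
"""Data-spill remediation in a backup catalog (constructed example, not IBM code).
Models the two NIST 800-88 ideas the talk mentions: locate every backup copy that
contains the spilled content, then sanitize each copy by cryptographic erase,
i.e. destroying the per-copy key so the stored ciphertext is unrecoverable even
if the media is never overwritten. The keystream cipher here (HMAC-SHA256 in
counter mode) is a stand-in for the AES a real product would use."""
import hashlib
import hmac
import os
from collections import defaultdict


def keystream(key, length):
    """Deterministic keystream from key and a block counter (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class BackupStore:
    """Each stored copy is encrypted under its own random key; keys live in a
    separate key table so deleting one key sanitizes exactly one copy."""

    def __init__(self):
        self.copies = {}                 # copy id -> ciphertext
        self.keys = {}                   # copy id -> key (removed on crypto erase)
        self.by_hash = defaultdict(set)  # sha256(plaintext) -> copy ids

    def store(self, copy_id, plaintext):
        key = os.urandom(32)
        self.keys[copy_id] = key
        self.copies[copy_id] = xor_bytes(plaintext, keystream(key, len(plaintext)))
        self.by_hash[hashlib.sha256(plaintext).hexdigest()].add(copy_id)

    def is_recoverable(self, copy_id):
        return copy_id in self.copies and copy_id in self.keys

    def restore(self, copy_id):
        if not self.is_recoverable(copy_id):
            raise KeyError(f"{copy_id}: key destroyed, copy is cryptographically erased")
        ct = self.copies[copy_id]
        return xor_bytes(ct, keystream(self.keys[copy_id], len(ct)))

    def find_copies(self, plaintext):
        """All backup copies whose content matches the spilled data exactly."""
        return sorted(self.by_hash.get(hashlib.sha256(plaintext).hexdigest(), ()))

    def crypto_erase(self, copy_id):
        del self.keys[copy_id]   # ciphertext may linger on media but cannot be decrypted


def remediate_spill(store, spilled):
    """Find every backup copy of the spilled content and cryptographically erase it.
    Returns the ids that were sanitized."""
    hits = store.find_copies(spilled)
    for copy_id in hits:
        store.crypto_erase(copy_id)
    return hits


# Constructed sample: a sensitive export (fake values) landed on a shared file
# space and was backed up twice; a harmless file sits in the same backups.
SPILLED = b"name,dob,ssn\nJane Doe,1970-01-01,000-00-0000\n"
README = b"Shared team space. Do not store personal data here.\n"


def demo():
    store = BackupStore()
    store.store("share/export.csv@v1", SPILLED)
    store.store("share/readme.txt@v1", README)
    store.store("share/export.csv@v2", SPILLED)   # a second backup version
    sanitized = remediate_spill(store, SPILLED)
    return store, sanitized


if __name__ == "__main__":
    store, sanitized = demo()
    print("sanitized copies:", sanitized)
    print("readme still restorable:", store.is_recoverable("share/readme.txt@v1"))
    print("export v1 restorable:", store.is_recoverable("share/export.csv@v1"))
```

The content-hash index is what makes the "not just the source file" step tractable: both backup versions of the spilled export are found by content rather than by name, so a renamed or re-saved copy is still caught, while the unrelated readme in the same backups remains restorable.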